sudo nmap 192.168.142.44 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
80/tcp open http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp open ssl/http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp open mysql MySQL (unauthorized)
6660/tcp open irc InspIRCd
-
-
7000/tcp open irc InspIRCd
6673/tcp open vision_elmd?
7001/tcp open tcpwrapped
7005/tcp open tcpwrapped
7007/tcp open irc InspIRCd
Service Info: Hosts: localhost, www.example.com, irc.madcowz.localdomain;
OS: Windows; CPE: cpe:/o:microsoft:window
Whilst FTP open I was unable to connect successfully without valid credentials as shown below:
Trying the web server we see we are taken to the MadCowz website.
Running whatweb against the web server shows it is running Apache 2.4.16 on a 32-bit Windows host.
From here nothing else too interesting was found on the web sever by means of exploitation. MySQL login was also denied to my attacking machine.
However, we do have IRC open on a large range of ports 6660-7000,7007. Connecting to these ports with command line options was proving unreliable due to frequent disconnections. Installing HexChat proved much more successful.
sudo apt-get install hexchat
With HexChat open add a network and use the settings as per shown below. Ensuring the correct IP is set.
After doing so close the window and then connect to the new network. You should see a similar screen as below:
From here go to Server --> Channel List --> Perform a wildcard * search on the defaultsettings to find the channel #ut99.
This channel identifies the server is intended for Unreal Tournament 99 which we know is also running on Windows due to previous enumeration. Joining the channel also reveals the user Daisy.
Searching for Unreal Tournament 99 exploits for Windows on exploit-db shows the following:
After downloading the exploit code and looking through it we see the following usage example:
We know from the HexChat and Nmap enumeration that the server for UT99 is running on port 7778. I set up a netcat listener on my attacking machine to port 80. I then used the following command to connect to the target server.
From here with standard enumeration we find the directory C:\ftp containing the following contents.
Directory of c:\ftp
10/07/2015 06:21 AM <DIR> .
10/07/2015 06:21 AM <DIR> ..
10/07/2015 01:44 PM 35,984,520 FoxitReader706.1126_enu_Setup.exe
10/07/2015 04:46 AM 35,922,892 KB968930.msu
10/07/2015 01:45 PM 114,238,280 xampp-win32-5.6.12-0-VC11-installer.exe
The version of Foxit Reader shown 7.0.6.1126 appears to be vulnerable to an unquoted service path privilege escalation.
Checking installed software on the target system we can see Foxit Reader is installed.
Directory of c:\Program Files (x86)
10/07/2015 04:04 AM <DIR> .
10/07/2015 04:04 AM <DIR> ..
11/02/2006 06:33 AM <DIR> Common Files
10/07/2015 04:04 AM <DIR> Foxit Software
10/03/2015 02:34 AM <DIR> InspIRCd
04/11/2009 09:30 AM <DIR> Internet Explorer
11/02/2006 08:05 AM <DIR> MSBuild
09/30/2015 11:12 PM <DIR> Mumble
11/02/2006 08:05 AM <DIR> Reference Assemblies
04/11/2009 09:30 AM <DIR> Windows Calendar
01/20/2008 08:09 PM <DIR> Windows Collaboration
01/20/2008 08:08 PM <DIR> Windows Defender
04/11/2009 09:30 AM <DIR> Windows Mail
04/11/2009 09:30 AM <DIR> Windows Media Player
11/02/2006 08:05 AM <DIR> Windows NT
04/11/2009 09:30 AM <DIR> Windows Photo Gallery
04/11/2009 09:30 AM <DIR> Windows Sidebar
0 File(s) 0 bytes
17 Dir(s) 13,051,826,176 bytes free
Querying the service on the target systems shows the service is running in the context of SYSTEM and the binary path indeed contains spaces and is not wrapped in quotes.
I then tested for write privileges in the binary path by creating a text file in the C:\Program Files (x86)\Foxit Software\Foxit Reader\ path.
echo Hello > test.txt
Checking the contents of the directory after doing so we see the test.txt file.
Directory of c:\Program Files (x86)\Foxit Software\Foxit Reader
08/25/2021 12:35 PM <DIR> .
08/25/2021 12:35 PM <DIR> ..
11/26/2014 06:03 PM 385,248 64BitMailAgent.exe
10/07/2015 04:04 AM <DIR> Advertisement
10/07/2015 04:04 AM <DIR> docusign
10/07/2015 04:05 AM <DIR> Foxit Cloud
08/25/2021 12:32 PM 7,168 Foxit.exe
11/27/2014 10:24 AM 42,164,448 FoxitReader.exe
11/27/2014 03:49 PM 74,588 FoxitReader.exe.man
11/26/2014 06:03 PM 4,856,544 FoxitUpdater.exe
11/26/2014 07:15 PM 1,621,728 FXCUSTOM.dll
10/07/2015 04:04 AM <DIR> lex
08/28/2014 10:25 AM 27,076 notice.txt
10/07/2015 04:04 AM <DIR> plugins
10/07/2015 04:04 AM <DIR> Release Note
11/26/2014 06:03 PM 2,093,280 SendCrashReport.exe
10/07/2015 04:04 AM <DIR> Shell Extensions
10/07/2015 04:04 AM <DIR> Skins
10/07/2015 04:04 AM <DIR> stamps
10/07/2015 04:04 AM <DIR> Start
08/25/2021 12:35 PM 8 test.txt '# Test file created'
11/26/2014 07:07 PM 2,302,176 TrackReview.exe
10/07/2015 04:05 AM 278,490 unins000.dat
10/07/2015 04:02 AM 1,479,392 unins000.exe
10/07/2015 04:05 AM 22,701 unins000.msg
11/18/2014 04:38 PM 2,004,704 UninstallPrint.exe
10/07/2015 04:05 AM 1,270 UpdaterInfo.xml
15 File(s) 57,318,821 bytes
12 Dir(s) 13,053,591,552 bytes free
I then performed a test reboot of the machine and confirmed that as the user Daisy I was able to reboot the machine. Currently this looks like we have a path to privilege escalation.
Firstly using msfvenom I created a stageless reverse shell.
