UT99
nmap
mkdir nmap
sudo rustscan -a 192.168.225.44 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Enumeration
IRC is running on many ports, one of which is port 6667. Let's connect to the IRC server and see what we find.
Open the HexChat IRC client and click Edit.

Set the IP address of the server.

Once you're done, connect to the server.

Let's see if there are any IRC channels. We can do that by typing /list in the bottom-left corner.
A pop-up like this will appear. Let's join the UT99 channel.

Upon joining, you will see a message that there's a hidden port open on 7778 and it is running Unreal Tournament.

Exploitation
It turns out Unreal Tournament has a remote buffer overflow vulnerability.

Let's mirror the exploit to our local machine
Set a reverse shell listener
And run the exploit

Privilege Escalation
Let's transfer winpeas.bat via SMB, but first, let's set up a temporary SMB server.
Get the IP address of your local machine.
Transfer the batch file and run it.
After it has run for a while, you will notice a service with an unquoted service path vulnerability.

Check if FoxitCloudUpdateService is running as NT AUTHORITY\SYSTEM. If the output says LocalSystem, it is.

Check if we have start/stop permission on the service. It looks like we don't, so as an alternative we can restart the server.

Let's transfer accesschk.exe to the remote machine. You can get a copy here
Check if we have write permission.
It looks like we do have write permission.

We have now confirmed every condition needed for this service to be vulnerable. Let's try it by creating a reverse shell first.
Then transfer the shell.
Set up a reverse shell listener.
Restart the server.
After 2 to 5 mins, you should receive a shell with SYSTEM privileges.
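The unquoted service path finding above comes down to how Windows resolves an unquoted command line that contains spaces. The Python audit below is an added example, not part of the original walkthrough: it flags such services, lists the paths that are tried before the real binary (the directories whose write ACLs need checking), and prints the quoted value that fixes it. The service names and paths in SAMPLE are constructed, and it assumes PathName values exported from the host (for example from sc qc output).

```python
import re

# Extension that ends the executable portion of an unquoted command line.
_EXE = re.compile(r"\.(exe|bat|cmd|com)\b", re.IGNORECASE)

# Constructed sample data: service name -> PathName (not taken from the target host).
SAMPLE = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater Service\updater.exe /service",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\agent.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def split_image_path(path_name):
    """Return (executable_path, was_quoted) for a service PathName value."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        end = path_name.find('"', 1)
        return (path_name[1:end] if end != -1 else path_name[1:]), True
    m = _EXE.search(path_name)
    return (path_name[:m.end()] if m else path_name), False

def candidate_paths(exe_path):
    """Paths Windows tries, in order, before the intended unquoted executable:
    the string is cut at each space and .exe is appended."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]

def audit(services):
    """Flag services whose executable path has spaces and is not quoted."""
    findings = []
    for name, path_name in services.items():
        exe, quoted = split_image_path(path_name)
        if quoted or " " not in exe:
            continue  # quoted, or no space in the path: not affected
        args = path_name.strip()[len(exe):]
        findings.append({
            "service": name,
            "candidates": candidate_paths(exe),  # check write ACLs on their parent dirs
            "fixed": f'"{exe}"{args}',           # remediation: quote the executable path
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["service"])
        for c in f["candidates"]:
            print("  tried first:", c)
        print("  quoted value:", f["fixed"])
```

A finding only matters if a non-administrative user can write to the parent directory of one of the listed candidates, which is what the accesschk step verifies.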

Thanks and enjoy the rest of your day!