PG: UT99
| ターゲット // UT99 | |
|---|---|
| Platform | OffSec Proving Grounds |
| OS | Windows |
| Difficulty | Medium |
| IP | 192.168.206.44 |
Enumeration#
Nmap#
A full port sweep is deliberately noisy here — the box parks an InspIRCd instance on dozens of ports across the 6660-7007 range, enough to make autorecon choke. Trimmed to the services that actually matter:
▶ Nmap output
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
80/tcp open http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
443/tcp open ssl/http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
3306/tcp open mysql MySQL (unauthorized)
6660-7007 open irc InspIRCd
64738/tcp open murmur Murmur 1.2.10
FTP wants credentials, MySQL refuses external connections, and the web app on 80/443 is a stock CMS with nothing exploitable after directory fuzzing. Everything obvious is a dead end. The name of the box — UT99 — plus the wall of IRC ports is the actual hint: this is about Unreal Tournament, and the IRC server is where the map lives.
IRC — reading the channel topic#
Point HexChat at the target, connect to the IRC server, and /LIST the channels (wildcard *). One channel stands out: #ut99. Its topic is the whole game:

Fragging since UT99! Unreal Tournament 99 Game Server UP! IP: *THIS* Port: 7778
The IRC chatter hands us the one port the scan never flagged as interesting: a live Unreal Tournament game server on 7778. That’s the way in.
Foothold#
Unreal Tournament — Remote SEH Buffer Overflow#
searchsploit unreal tournament turns up a classic: Unreal Tournament - Remote Buffer Overflow (SEH) (EDB 16145, a Perl PoC). It targets the game server’s query handler and overwrites the SEH chain to redirect execution.
Fire a listener, then point the exploit at the game port (7778) with our callback host/port:
| |
The overflow lands and we catch a shell as daisy — an unprivileged local user. Welcome to OffSec.
Privilege Escalation#
This is the half the box actually cares about. systeminfo confirms an ancient Windows Vista Business (6.0.6002 SP2) host, FLUFFY-PC. Nothing in the low-hanging fruit, so upload WinPEAS via certutil and read it carefully:
| |
Unquoted Service Path — FoxitCloudUpdateService#
WinPEAS flags an unquoted service path. FoxitCloudUpdateService runs from a path full of spaces, with no quotes:

C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
Because the path isn’t quoted, Windows tries each space-delimited candidate in turn: C:\Program.exe, then C:\Program Files.exe, then C:\Program Files (x86)\Foxit.exe, then C:\Program Files (x86)\Foxit Software\Foxit.exe… The exploit only works if we can write one of those earlier candidates. Check the ACL on the service directory with icacls:

fluffy-pc\daisy holds (W) on C:\Program Files (x86)\Foxit Software — the first candidate in that search order daisy can actually write to (the earlier ones sit in protected roots). Plant a payload there.
Build a reverse shell, drop it into the hijack path, and set a fresh listener:
| |
| |
The service runs as SYSTEM, so we just need it to restart. net stop / net start fails — daisy can’t control the service — so force it the blunt way:
| |
On reboot the service starts, resolves the unquoted path to our planted Foxit.exe, and calls back as SYSTEM.
Proof#
Shell as nt authority\system on FLUFFY-PC, both flags in hand:


Key Takeaways#
- When a scan buries the surface under noise (hundreds of IRC ports), stop scanning and start reading — the box name and a channel topic pointed straight at the real service (the UT game server on 7778).
- Don’t let unfamiliar services scare you off.
searchsploita niche game server the same way you would a web app — an old SEH overflow was the whole foothold. - Unquoted service paths are only exploitable if you can write to an earlier path candidate. Always pair the WinPEAS finding with an
icaclscheck on the directory before planting a binary. - A SYSTEM service you can’t restart is still yours — if
net stop/startis denied, a forced reboot fires the hijacked binary on boot.