Today, we’re going to solve another CTF machine, “Chatterbox”. It is now a retired box and is accessible to VIP members.


• Target OS: Windows
• Services: 9255, 9256
• IP Address:
• Difficulty: Medium


• Getting user
• Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

Enumerating Port 9255

Nmap reveals an Achat service running over HTTP.

We got nothing here, so let’s move ahead.

Enumerating Port 9256

We know there’s an Achat application installed. To find its version we can try banner grabbing, but in this case it didn’t work.

Let’s searchsploit achat

Exploit: Achat 0.150 beta7 – Remote Buffer Overflow

Let’s edit our exploit.



Method #1

Let’s create our payload first and insert it into the exploit.

We executed our exploit and started listening for our reverse shell.

The reverse shell was consistently being closed, so we migrated upon execution.

System Information

Method #2

However, a Metasploit shell is much more convenient.

The user flag can be found here: C:\Users\Alfred\Desktop\user.txt

Privilege Escalation

Let’s start by doing basic priv esc enumeration.

By running through some basic priv esc enumeration and running the PowerUp.ps1 script, we found autologon credentials stored in the registry.
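A defensive check for this finding, as an added example that is not part of the original write-up: a read-only PowerShell audit that flags a plaintext autologon password in the standard Winlogon registry key. The function name `Get-AutoLogonExposure`, the severity labels, and the key path (the write-up does not name the key) are assumptions of this example.

```powershell
# Added audit example (not from the original write-up). Read-only: reports
# whether a plaintext autologon password exists, never the password itself.
function Get-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Standard Winlogon key; the write-up does not name the key it found.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $v = @{}
    foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword') {
        # A missing value is recorded as $null instead of raising an error.
        $v[$name] = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    }

    $hasPassword = -not [string]::IsNullOrEmpty($v.DefaultPassword)

    # Is the autologon account in the built-in Administrators group (S-1-5-32-544)?
    $isAdmin = $false
    if ($v.DefaultUserName) {
        $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name -split '\\')[-1] -eq $v.DefaultUserName })
    }

    # Illustrative severity labels chosen for this example.
    $severity = 'None'
    if ($hasPassword) { $severity = if ($isAdmin) { 'High' } else { 'Medium' } }

    [pscustomobject]@{
        AutoAdminLogon  = ($v.AutoAdminLogon -eq '1')
        UserName        = $v.DefaultUserName
        Domain          = $v.DefaultDomainName
        PlaintextStored = $hasPassword
        AccountIsAdmin  = $isAdmin
        Severity        = $severity
    }
}

$result = Get-AutoLogonExposure
$result | Format-List
if ($result.PlaintextStored) {
    Write-Warning 'Plaintext DefaultPassword found: remove the value, rotate the password, and check for reuse on other accounts.'
}
```

If autologon is genuinely required, Sysinternals Autologon stores the password as an LSA secret rather than in the plaintext `DefaultPassword` value.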

There’s a possibility that the password is reused for the administrator account. However, as user alfred we already have read access to the Administrator directory.

We can change permissions on root.txt using icacls.