Chatterbox
Reconnaissance:
NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.74
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h39m59s, deviation: 2h53m14s, median: 4h59m58s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-12-21T01:16:08-05:00
| smb2-time:
| date: 2023-12-21T06:16:10
|_ start_date: 2023-12-21T06:11:26
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
Enumeration:
A quick Google search on the service tells us that AChat is a program for chatting over a local network. It can also be used to share and send files and images to other users.
In general, TCP/9255 is registered as "Monitor on Network" and TCP/9256 is unassigned, which is not terribly helpful. However, there are multiple references to AChat using these ports, and there is a known SEH-based stack buffer overflow for it. Now that we know what it is, let's run searchsploit on it.
It's vulnerable to a remote buffer overflow, and there are both a Python and a Metasploit exploit for it. We will of course work with the non-Metasploit solution.
Copy the Python script to your current directory.
Looking at the exploit code, we make note of the following things:
It looks like a classic stack buffer overflow: the oversized input overflows the buffer and carries shellcode that gets executed on the box.
The exploit author was nice enough to include the msfvenom command that generates the payload (the 'buf' variable), including the bad characters to avoid. This makes our life so much easier! As written, the command simply spawns calc.exe on the target machine, so we'll have to change it to send a reverse shell back to our attack machine.
We also need to change server_address to the IP address of Chatterbox.
There seems to be a length limit of 1152 bytes on the payload; anything longer will probably not work. We'll keep that in mind when using msfvenom to generate our reverse shell.
Foothold:
Use msfvenom to generate the reverse shell payload.
We get back the following result.
The payload size is 774 bytes, which is within the limit. Copy the payload into the exploit in place of the included one, and change the IP address to Chatterbox's.
Then set up a listener on the attack machine to receive the reverse shell.
Run the exploit.
Privilege Escalation:
Display the user account information.
Next, view all the users on the system.
We have three users. The account we want to compromise is Administrator. Next, let's check which privileges are enabled for the Alfred user.
SeImpersonatePrivilege is not enabled, so we can't use the Juicy Potato exploit to escalate privileges. Run the systeminfo command.
The box has 208 hotfixes installed, so it's unlikely that we can escalate privileges using a kernel exploit (although it might be possible; I haven't checked).
Let’s see if we have access to the Administrator directory.
We don’t have permission. View the permissions on the root.txt file.
Only Administrator has full access (F) to this file. Let's view the permissions on the Desktop directory; we must have some kind of permission on it, because we're able to enter it.
We have full access (F) on the Desktop directory, and the Alfred user is also the owner of the root.txt file.
Since the owner of a file can always modify its ACL, regardless of what the ACL currently grants, we can simply grant ourselves access to it using the following command.
View the permissions again to confirm that the change was made.
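The misconfiguration behind this escalation is a file inside a protected profile that is owned by a low-privileged account. The following PowerShell audit is an added example (not part of the original writeup) that walks a directory tree and reports every object whose owner is not an administrative principal; the audited path and the list of trusted owners are assumptions to adjust per host.

```powershell
# Added example, not part of the original writeup: audit a protected directory tree for
# objects whose owner is not an administrative principal. The owner of a file can always
# rewrite its DACL (WRITE_DAC is implicit for the owner), so a low-privileged account that
# owns a file in the Administrator profile can grant itself access exactly as shown above.
# Assumptions: $Root is the profile to audit and the script runs as an administrator.
param(
    [string]$Root = 'C:\Users\Administrator',   # assumed path; adjust per host
    [string[]]$TrustedOwners = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'NT SERVICE\TrustedInstaller'
    )
)

# The local Administrator account shows up as HOSTNAME\Administrator, so match it by pattern.
$localAdmin = '^[^\\]+\\Administrator$'

$findings = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable object; nothing to report on it here

        $owner = $acl.Owner
        if (($TrustedOwners -contains $owner) -or ($owner -match $localAdmin)) { return }

        # Report the mismatch together with any explicit ACE the owner already holds,
        # so "owner but no rights yet" (the root.txt case) is visible as such.
        $ownerAces = $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $owner } |
            ForEach-Object { $_.FileSystemRights.ToString() }

        [pscustomobject]@{
            Path        = $_.FullName
            Owner       = $owner
            OwnerRights = ($ownerAces -join '; ')
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation: return ownership to Administrators, for example:
    #   icacls <path> /setowner "BUILTIN\Administrators"
} else {
    Write-Output "No non-administrative owners found under $Root"
}
```

Run it from an elevated session; the low-privileged user cannot read most of the profile's ACLs, so an unprivileged run under-reports.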