ChatterBox WriteUp

SaxHornet
4 min read · Jun 20, 2018


Hi everyone, I'm back for another HackTheBox writeup ;) I was waiting for the machine to retire ;)

Today we are talking about the machine called Chatterbox. As the name suggests, it is a machine for chatting with people: there is chat software running on the challenge box.

The machine's panel on HackTheBox

Without further delay, let's get to it ;)

Enumeration

We are going to gather more information about our target ;) This time I changed my approach for the first step: Metasploit instead of nmap ;) Why? Because nmap didn't find any open ports for me!

I used the "portscan/tcp" module and configured it as below:

MSF scanner configured

Let's run it; after a long wait, we get the results!

The result of the scan

OK, we have only 2 open TCP ports. With this information we are going to dig deeper ;)

1. Port 9255

Let's investigate port 9255 to see what is behind it

The info of the remote port 9255

2. Port 9256

Let's investigate port 9256 to see what is behind it

The info of the remote port 9256

Nothing interesting, except that some software is communicating over these ports! That's the weakness hahah ;)

More enumeration

OK, with HackTheBox there is often a hidden meaning ;) I dug further and found that the AChat system is the software behind these ports.

Here is the public exploit, which you can read to understand it in depth. It's written in Python.

Exploitation

After reading it in depth, we can see that the shellcode is customised by the attacker for whatever they want to do.

So we are going to replace the shellcode with a reverse shell and fill in the IP and remote port. Let's do it.

The exploit BOF
The exploit BOF next
My ShellCode

I’ve used the shellcode above to get a reverse shell.

OK, let's configure our handler in Metasploit. It's also possible with Netcat.

Enter the payload I put in exploit.py, "windows/shell_reverse_tcp", then LPORT 4444 and the IP of the target.

With this in place, let's run everything in this sequence:

1. Run exploit.py
2. Run the handler in Metasploit

Exploit OK

BTW, we are in, that’s cool.

Post exploitation

This is the last step of the challenge. First, let's grab the user flag.

The remote target

A handy Windows command to see the OS version and installed patches ;)

The user’s desktop
Investigation on the Alfred user
User flag

OK, we now have the user flag. Let's dig for the ultimate flag, the administrator flag.

Root flag location

Let's try to grab it!

Try

At this point we can't read it! OMG ;) Let's bypass that.

Root flag caught

To bypass the permissions, I used the cacls command and changed the file's rights to get the flag.

For more info, I invite you to read the command's documentation to understand the bypass.
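The bypass above only works because the low-privileged user owned the file or held a right that lets its DACL be rewritten. As an added example (not part of the original writeup), here is a PowerShell audit an administrator can run to find files under a path with that weakness; the function name, the trusted-principal list and the sample path are my assumptions.

```powershell
# Added example, not from the original writeup: audit a directory tree for files
# whose ACL a non-administrative user could rewrite with cacls/icacls.
# The trusted-principal list and the sample path below are assumptions.
function Find-WeakFileAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Owners and grantees considered privileged; anyone else owning the file
        # or holding ChangePermissions / TakeOwnership / FullControl is reported.
        [string[]] $TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    # Rights that allow a principal to change the DACL and grant themselves read.
    $dangerous = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        $findings = @()
        # 1) Owner outside the trusted set: an owner can always rewrite the DACL.
        if ($TrustedPrincipals -notcontains $acl.Owner) {
            $findings += "owner=$($acl.Owner)"
        }
        # 2) Allow ACEs that grant DACL-changing rights to untrusted principals.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $dangerous) -ne 0) {
                $findings += "$($ace.IdentityReference.Value):$($ace.FileSystemRights)"
            }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; Weakness = ($findings -join '; ') }
        }
    }
}

# Usage (constructed path): audit the administrator's profile, where a file such
# as the root flag should be owned by and readable only to privileged accounts.
Find-WeakFileAcl -Path 'C:\Users\Administrator' | Sort-Object Path | Format-Table -AutoSize
```

Run it elevated so every file's ACL can be read; any row in the report is a file a standard user could make readable exactly the way the writeup does.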
