HackTheBox-Chatterbox

ARZ101
May 16, 2021

Hey everyone, I hope you are doing well. In this post I will share my walkthrough for the HTB Chatterbox machine. It involves a service that is exploited through a buffer overflow (BOF); a public exploit was already available and only needed a small tweak to work. We did not need to become Administrator or get a shell as SYSTEM; we just needed to play around with file permissions.

Rustscan

I first ran rustscan because nmap was taking far too long to scan all the ports.

rustscan --batch-size 45000 -a 10.10.10.74

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.74:9255
Open 10.10.10.74:9256
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-13 02:38 PKT
Initiating Ping Scan at 02:38
Scanning 10.10.10.74 [4 ports]
Completed Ping Scan at 02:38, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:38
Completed Parallel DNS resolution of 1 host. at 02:38, 0.30s elapsed
DNS resolution of 1 IPs took 0.30s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:38
Discovered open port 9256/tcp on 10.10.10.74
Discovered open port 9255/tcp on 10.10.10.74
Completed SYN Stealth Scan at 02:38, 0.22s elapsed (2 total ports)
Nmap scan report for 10.10.10.74
Host is up, received echo-reply ttl 127 (0.19s latency).
Scanned at 2021-05-13 02:38:13 PKT for 1s
PORT STATE SERVICE REASON
9255/tcp open mon syn-ack ttl 127
9256/tcp open unknown syn-ack ttl 127

NMAP

PORT     STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system

PORTS 9255 / 9256 (AChat)

Visiting port 9256 in a browser just shows the message "ERROR".

Visiting port 9255 redirects back to 9256, so there is nothing to do from the browser. The nmap scan identifies the service as the AChat chat system, so let's search for it on Google.

Right off the bat the search returns an exploit, so let's give it a try. The repo has two files: a bash script that generates the raw payload, which we have to paste into the python script, and the python script itself, which is the actual exploit that gives us the shell.

Paste the generated payload into the python script.

Also edit the target IP.

Set up the meterpreter listener.

But when I ran the exploit I got a shell that died almost immediately. A session that dies right after it connects usually means the exploited process is crashing underneath it; migrating out of that process as soon as the session opens (for example with Metasploit's post/windows/manage/migrate as an AutoRunScript) is the usual fix.

I also tried changing the payload from windows/meterpreter/reverse_tcp to windows/shell/reverse_tcp, but it still died.

But using the payload windows/shell/reverse_tcp in Metasploit I was able to get a shell.

To get a meterpreter session from it, use the module post/multi/manage/shell_to_meterpreter.

After getting meterpreter I uploaded winPEAS with the upload command and ran it; it showed that we have access to the Administrator folder.

But we can't read root.txt, which is odd given that we have access to the whole directory.

I tried to give myself read access to root.txt but got access denied, so I used cacls, a deprecated Windows command that has been replaced by icacls, to look at the file's ACL.

It shows N for the user Alfred, meaning this user has been granted no permissions on root.txt. From the cacls documentation I was able to grant rights on the file. Being able to edit the ACL at all is the key point: changing a DACL requires the WRITE_DAC right, which the owner of a file always has regardless of what the DACL lists, so if we own the file (check with Get-Acl or dir /q) we can grant ourselves read access even though the current entry grants nothing.
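As an added example (these are not the commands from the original post), here is the inspect-and-repair sequence from a PowerShell prompt on the target. The path and the user name Alfred are taken from the post; everything else is generic Windows ACL handling. The grant only succeeds if the account holds WRITE_DAC on the file, which the owner always does, so step 1 checks the owner before step 2 tries the change.

```powershell
# Added example, not the commands from the original post. The path and the user name
# Alfred come from the post; the flow itself is generic Windows ACL repair.
$file = 'C:\Users\Administrator\Desktop\root.txt'

# 1. Inspect: who owns the file and what the DACL says. icacls prints (N) where cacls
#    printed N, i.e. an entry that grants nothing. Reading the owner needs READ_CONTROL,
#    which the owner of an object always has even if the DACL does not list it.
icacls $file
(Get-Acl -Path $file).Owner

# 2. Repair. Editing a DACL needs the WRITE_DAC right, which the owner of an object
#    always has regardless of what the DACL lists. If the owner above is Alfred (or a
#    group Alfred is in) this succeeds; otherwise icacls reports "Access is denied".
#    The argument is quoted so PowerShell does not try to evaluate the parentheses.
icacls $file /grant 'Alfred:(R)'

# Same change with the deprecated cacls; /E edits the ACL in place instead of replacing it.
# cacls $file /E /G Alfred:R

# 3. Verify the new entry and read the file.
icacls $file
Get-Content -Path $file
```

If step 2 fails with "Access is denied", the account neither owns the file nor holds WRITE_DAC, and no amount of cacls or icacls syntax will change that; the permission trick in this box works because the low-privileged user is allowed to rewrite the DACL, not because the tools bypass anything.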
