Chatterbox

CHATTERBOX

- Layout for this exercise:






1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Chatterbox, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

- Chatterbox's IP is 10.10.10.74:




- Scanning with Nmap:




- So threre are just two open ports, both of them running the Achat program.



3 - EXPLOITATION

- Searching for exploits related with Achat there are some of them available, for instance the 36025.py what exploits a Remore Buffer Overflow:












- Copying 36025.py to the local working directory:




- Reading 36025.py we learn s that is designed to execute calc.exe at a Windows machine:



etc ....


- Also, by default it uses this server address IP:




- So what we will do is to replace the shellcode provided at 36025.py by using Msfvenom changing the payload, local host and local port:

• payload -> windows/shell/reverse_tcp
• LHOST = 10.10.14.8 (my machine)
• LPORT = 1234 

- Editing 36025.py, copying and pasting here the shellcode originated at previous step with Msfvenom:







- Also, changing the default IP to Chatterbox's IP (10.10.10.74):






- Now, setting a listener session with Metasploit:




- Running 36025.py:





- As a consequence a remote shell is succesfully achieved:





4 - CAPTURING 1st FLAG

- Reading the first flag user.txt is easy:





5 - PRIVILEGE ESCALATION

- However access to the second flag root.txt is denied, so we need Privilege Escalation:





- Remembering that we are running the system as user Alfred:

- There is something weird because user Alfred is the owner of root.txt:






- ICACLS stands for Integrity Control Access Control List, and it displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls


- icacls.exe grants full access to user Alfred over root.txt:





6 - CAPTURING THE 2nd FLAG

- Now it is possible for user Alfred to read root.txt:

Granny

GRANNY

- Layout for this exercise:






1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Granny, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

- Granny's IP:




- Scanning with Nmap the only open port is 80, where the web server Microsoft IIS 6.0 is running:




- Connecting with the browser the site seems Under Construction:




3 - EXPLOITATION

- Searching for IIS vulnerabilities we find this one, what can be exploited with Metasploit:






- Running Metasploit and using exploit/windows/iis/iis_webdav_upload_asp, the only parameter we need to set is RHOST = 10.10.10.15:




- Running the exploit a Meterpreter session is achieved:




- With the purpose of stabilizing the Meterpreter session let's migrate to another process, just  entering the current session id to the module post/windows/manage/migrate:




- The module is completed:





4 - PRIVILEGE ESCALATION

- However, the previous session 1 has not System privileges:







- Getting a shell:




- Access is denied to main users folders:






- To perform successful Privilege Escalation let's use the module local_exploit_suggester, entering again the current session id:




- Running:




- Let's take this one:




- However, when running the exploit it fails, and the reason is because Metasploit has taken by default LHOST at 192.168.1.19, what is not the IP used by Kali to connect to Hack The Box VPN:





- Changing to LHOST =10.10.14.8 and running again, now the exploit works:






- This 2nd Meterpreter session has got System privileges:





5 - CAPTURING THE FLAGS

- Getting the flags is just a matter of browsing folders back and forth until finding them:







- Reading the 1st flag user.txt:








- Reading the 2nd flag root.txt: