HTB: Chatterbox writeup

Here is another writeup on Chatterbox. This is a retired machine in HTB.

  1. Reconnaissance

An NMAP scan reveals two ports open. 9255 and 9256

A quick google search yields the following exploit DB result:

Next I do a searchsploit for achat software and I get two results for a remote buffer overflow. One in python and the other a ruby metasploit module.

Easier route: Lets try the metasploit module:

So at first I tried multiple stage payloads but to no avail. Nothing worked. Keep in mind with buffer overflows you need to do staged payloads as your footprint will be smaller since you have a finite amount of space to exploit in memory.

Since that did not work I copied the python code from searchsploit to my home directory.

A few things about this python script. First we need to change the payload:

The payload in the script opens up calculator. We need this opening up a reverse shell. The author was also nice enough to provide the buf script with bad characters to avoid. So you need to do the following in msfvenom.

we will need to overwrite the python script starting with buf = b”” from our payload output

I also updated the commented line so I know exactly what they payload for the buffer overflow exploit does since we modified it:

Next we need to modify the socket address and point it to the IP that chatter box is using.

Next we set up a netcat listener to port 4444. Port 4444 is what I specified in my reverse shell payload.

Next we will check netcat

Unfortunately we are in as alfred so we will need to do some privilege escalation. Before I get to in depth and overthink things its always worth to check for folder ACL misconfigurations. If you can to a dir command on an administrator folder… something isn’t right.

As you can see from above we have full control of the Desktop folder

It's 2016 and all I found was Toilets running Telnet...using shodan