HTB | Chatterbox
This is a Windows box. You can find it here.
Modifying publicly available exploits (MS15-051)
Pivoting using Plink
IP: 10.10.10.74
Null auth using smbmap and smbclient is not working.
RPC
I'll try to connect with null auth:
Looks like we do not have permission to view users and groups:
Let's run nmap for ports 9255 and 9256
Looking for an Achat exploit, we found one.
Let's copy the exploit to our directory
Let's modify the msf payload in exploit.py. We have to change the buffer in the code.
Replace the output (buff values) in exploit.py and also change the server_address to the box address
Start nc -nlvp 1234
and run the script.
and boom we got the shell on our listener
We found the user.txt
Let's copy winpeas.exe to the box for further enumeration
and run it
We found Alfred's password
Collect systeminfo from the box and run Windows Exploit Suggester
We found one CVE. Let's take a look
We found this EXE for exploitation
Let's download the exe and copy it to the box
But what if Alfred is a user who is also an administrator but they're just logging in as a regular account and then they provide creds when they want an administrative action? That's actually pretty common.
Since we have a credential, we can think the same. But first, let's look for internal ports
netstat -ano
Let's do a port forward for 445 so we can exploit it internally
We will use Plink.exe. Copy Plink.exe to the box
and now run plink
This means that any connection attempt made to port 445 on the remote machine (10.10.14.7) will be forwarded to port 445 on the local machine (127.0.0.1).
For some reason, it is giving me errors
It took me hours, but I found the solution: HTB blocks port 22 outbound, so we will change port 22 to port 2222 for SSH (the change is made in '/etc/ssh/sshd_config') and restart the SSH service. Once done, let's try again
To confirm the connection, run netstat -ano | grep 445
on our machine
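A defender's view of the forward described above, as an added example that is not part of the original write-up: a Python check over process-creation command lines that flags plink/ssh remote (-R) forwards publishing a loopback-only service such as 445, and records a non-default SSH port like the 2222 used here. The sample command lines, the port watch list and the function names are constructed for illustration.

```python
import shlex

# Assumed watch list: Windows service ports normally not reachable from outside.
SENSITIVE_PORTS = {135, 139, 445, 3389, 5985}
LOOPBACK = {"127.0.0.1", "localhost"}
CLIENTS = {"plink", "plink.exe", "ssh", "ssh.exe"}

SAMPLE_EVENTS = [  # constructed process-creation command lines
    r'C:\Temp\plink.exe -l user -pw REDACTED -P 2222 -R 445:127.0.0.1:445 10.10.14.7',
    r'"C:\Program Files\PuTTY\plink.exe" -L 8080:intranet:80 admin@jump01',
    r'C:\Windows\System32\OpenSSH\ssh.exe -R 8000:127.0.0.1:8000 dev@build01',
    r'C:\Windows\System32\netstat.exe -ano',
]


def parse_forward(spec):
    """Parse '[bind:]listen_port:host:port' (IPv4/hostname form only)."""
    parts = spec.split(":")
    if len(parts) == 4:
        parts = parts[1:]  # drop the optional bind address
    if len(parts) != 3 or not (parts[0].isdigit() and parts[2].isdigit()):
        return None
    return int(parts[0]), parts[1].lower(), int(parts[2])


def inspect_cmdline(cmdline):
    """Return one finding per -R forward that publishes a loopback sensitive port."""
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    if not argv:
        return []
    image = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in CLIENTS:
        return []
    ssh_port, findings = 22, []
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in ("-P", "-p") and nxt.isdigit():  # plink uses -P, OpenSSH -p
            ssh_port = int(nxt)
        spec = nxt if arg == "-R" else arg[2:] if arg.startswith("-R") else ""
        fwd = parse_forward(spec) if spec else None
        if fwd and fwd[1] in LOOPBACK and fwd[2] in SENSITIVE_PORTS:
            findings.append({"image": image, "listen": fwd[0],
                             "exposes": f"{fwd[1]}:{fwd[2]}"})
    for finding in findings:
        finding["ssh_port"] = ssh_port  # 22 unless overridden on the command line
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(inspect_cmdline(event), "<-", event)
```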
Now we will connect using Welcome1!
and we are administrator. We found the root.txt
But it did not work