HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform. Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Chatterbox, is retired.

The walkthrough

Let’s start with this machine.

Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN. The Chatterbox machine IP is 10.10.10.74. We will adopt the usual methodology of performing penetration testing to begin. Let’s start with enumeration in order to learn as much information about the machine as possible. As usual, let’s start with the nmap scan to gather more information about the services running on this machine. «nmap -sC -sV -oA Chatterbox 10.10.10.74»

Oh, wow, all standard nmap ports are filtered! Let’s widen the search a bit more. «nmap -sT -p- -min-rate 4000 –max-retries 1 10.10.10.74»

Above, we can see that some ports are reflected now. Let’s dig in to see more about that service. It turns out that this an AChat service. «nmap -sV -sC -p 9255 10.10.10.74»

Turns out we’ve got an exploit for the same in ExploitDB. We will use 36025.py.

Looking into the code for the exploit, we have altered the payload a bit. Rather than spinning up calc.exe, we are going to spawn a reverse shell, as shown below.

Inserting the above shellcode into exploit and changing the IP address to that of the target machine.

Running the exploit, we got a reverse shell. We traverse the file system to get user.txt.

Looking into root.txt, it is strange that we have access to the Admin directory but are not able to read/edit the root.txt file. «icacls root.txt»

Looking into directory permissions for the same, we got something very interesting. So it seems that our current user owns the file. «dir /q /a:»

With icacls, we grant FULL permissions to our current user on root.txt, since we own the file. And we can then read the root flag. «icacls root.txt /grant Alfred:(F)»

This was one of the most straightforward boxes on HTB. The interesting thing to know here is all about how Windows permissions work. We will continue this series with more in the way of interesting HTB machines.