Chatterbox is a vulnerable machine found on the infosec puzzle platform. It is a Windows hacking challenge that the site's users have classified as beginner-to-intermediate (4/10) in difficulty level. A few possible issues with reconnaissance aside, I believe it's a fairly easy machine to hack. Yet we all start as beginners (I still consider myself one), and we all have gaps in our knowledge to be filled and faulty assumptions we sometimes must shed, so I can see how a machine such as this could be tricky for some infosec initiates. Below I will describe a process for hacking this box and conclude with a description of some practical security lessons that can be learned from it.

I began with an nmap scan of common TCP ports:

This machine didn't seem like a "chatterbox" so far. No listening ports were definitively detected by the scan. That usually means that either the machine is behind some sort of network obstacle (such as a firewall) that's interfering with the scan, or the machine's services are listening on irregular ports that nmap won't scan by default. I conducted a more comprehensive (though hasty) TCP connect port scan and discovered services on ports 92:

Okay, now I had a little something to go on.

A little bit of research told me that Achat is a freeware solution for conducting instant messaging and file sharing across a LAN. I hit the discovered services with a version scan to obtain more information:

A little bit more research told me that some versions of it are vulnerable to a remote buffer overflow attack:

With this exploit, I quickly compromised the box.

Exploit Modification, Exploitation, User Flag

I decided to use the public exploit in the above image, which can be found either in your install of Kali at the path described in the screenshot or at this url. Reading the exploit code, it seemed like a fairly simple Python script that constructs a buffer of a couple hundred thousand bytes. The buffer consists of boilerplate to appease the application, junk bytes to overflow the application's buffer, and finally the shellcode that will be executed when the exploitation process is complete. The script then sends the buffer to a hard-coded IP address and port a few thousand bytes at a time in UDP packets.

Two salient points jumped out at me while reading the exploit:

First of all, the exploit as written is a proof of concept in the truest sense: its payload is not weaponized at all and does nothing but open Windows Calculator on the target machine. This is a common test that exploit writers use because it provides easy visual proof of exploitation and demonstrates the potential impact of the exploit (running a program on a remote system) while also being non-invasive relative to a shell or other payload. However, if we want to use this script to actually compromise a system, we need to generate our own shellcode payload and use it instead of the calc shellcode. We can do that with the Metasploit Project's msfvenom program. The exploit author was nice enough to show the full msfvenom command used to generate the calc.exe shellcode, including bad characters. Appropriate shellcode for exploitation could therefore be generated by running the same command but with a reverse shell payload specified:

LHOST was my attacking machine's IP address. Once this shellcode was generated, I edited the exploit proof of concept and replaced the entire "buf" variable shown in the previous image with the generated shellcode.
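The traffic pattern described above (a buffer of a couple hundred thousand bytes, mostly junk filler, pushed to a single UDP service a few thousand bytes per datagram) is something a network sensor can key on. The following is an added detection example, not code from the write-up or from the public exploit; the addresses, the datagrams and the port number are constructed placeholders, since the post's port numbers are truncated.

```python
"""Heuristic for the write-up's exploit traffic: a client delivering a very
large buffer to one UDP service in several-KB datagrams, where most of the
payload is a single repeated filler byte. Sample traffic is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def filler_ratio(payload: bytes) -> float:
    """Fraction of the payload made up of its single most common byte value.
    Overflow junk is typically one repeated byte, so the ratio nears 1.0;
    genuine chat or file-transfer traffic is far more varied."""
    if not payload:
        return 0.0
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    return max(counts) / len(payload)


def flag_overflow_bursts(datagrams, min_total=100_000, min_filler=0.8):
    """Reassemble payload per (src, dst, dport) flow and return the flows whose
    aggregate size reaches min_total bytes with a filler ratio >= min_filler."""
    totals = defaultdict(bytearray)
    for d in datagrams:
        totals[(d.src, d.dst, d.dport)].extend(d.payload)
    return [key for key, data in totals.items()
            if len(data) >= min_total and filler_ratio(bytes(data)) >= min_filler]


# Constructed sample: one short benign chat message, then a 200 KB buffer
# (short header, 'A' filler, varied tail) split into 4 KB datagrams.
# Port 9999 is a placeholder, not the service port from the write-up.
_benign = [Datagram("10.0.0.5", "10.0.0.9", 9999, b"hello from the lan chat client")]
_burst_buf = b"\x55\x53\x45\x52" + b"A" * 200_000 + bytes(range(1, 200))
_burst = [Datagram("10.0.0.7", "10.0.0.9", 9999, _burst_buf[i:i + 4096])
          for i in range(0, len(_burst_buf), 4096)]
SAMPLE_TRAFFIC = _benign + _burst

if __name__ == "__main__":
    print(flag_overflow_bursts(SAMPLE_TRAFFIC))
```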