Chatterbox

If you’re using the python script I think you’re using, look closely. Are you really editing the script correctly?

This box is creating problems. I have tested on my local Win 7 VM and the exploit is working and creating a reverse shell, but when I try on the Chatterbox VM nothing happens and I do not receive a reverse shell. I have also done a reset. Can anyone help me?
I think this problem is happening due to other users using the Chatterbox VM at the same time or due to some firewall problem… If the Python exploit is working on my local VM then it should also work on Chatterbox.

So … I’ve seen some advice about breaking up port scans on this box into smaller batches, something like -p 1-10000, rather than all of the ports at once.

Check out the horrific performance I’m getting from the following command:
nmap -sS -sU -p 1-10000 10.10.10.74

Stats: 8:40:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 17.18% done; ETC: 02:01 (41:48:13 remaining)

If I attempt to speed it up with the -T4/5 options, I get a very unreliable scan, and so far, I see no open ports from either approach.

Has anyone else had such poor performance scanning over the VPN, and would upgrading to a VIP account perhaps fix this?

Nice work, but it’s kind of a spoiler as it gives away the exact exploit technique, removed - Arrexel

For the record, you can absolutely get some type of meterpreter shell right off the bat. Gotta step that metasploit knowledge up.

If anyone can PM me about scanning the target, that would be nice. I have no luck with the scans. Thanks.

I can say only this: By reading all the posts above, the full solution (user + root) is… out there!
No more, no less to say… :wink:

Is priv esc broke or did I piggy back? I got the user by spamming that exploit and basically did not have to do any exploit to get root flag. Curious if I piggy backed as I had reset the box a half hour before.

@3lpsy said:
Is priv esc broke or did I piggy back? I got the user by spamming that exploit and basically did not have to do any exploit to get root flag. Curious if I piggy backed as I had reset the box a half hour before.

follows a Spoiler

This machine doesn’t even deserve to be on this platform… verified my exploit with a guru and been using it for over a day but can’t even spawn a shell with it because the service dies instantly… what could a person learn from it… so disappointed with hackthebox :anguished:

I set up a VM test environment which is the same as this vbox. In my environment I can easily exploit the vuln app, but not at all on the Chatterbox machine… Any idea what I can do? I already reset the vbox and tried on a fresh VM but that doesn’t help…

@blackangel said:
I set up a VM test environment which is the same as this vbox. In my environment I can easily exploit the vuln app, but not at all on the Chatterbox machine… Any idea what I can do? I already reset the vbox and tried on a fresh VM but that doesn’t help…

Very unstable VM… One second it is working fine and the next you need 3 resets before you can establish a reverse shell again. Be patient with that VM :slight_smile:

I got the root.txt using the suggested tool of cacls before… I’m not sure I understood why it worked though, can someone send a link or explain why/how this works?

@axel205 said:
I got the root.txt using the suggested tool of cacls before… I’m not sure I understood why it worked though, can someone send a link or explain why/how this works?

With icacls, you can grant a certain user the permissions to a certain folder and its underlying files. The user was already elevated, just the permissions were not yet properly configured.

@daddycocoaman said:
For the record, you can absolutely get some type of meterpreter shell right off the bat. Gotta step that metasploit knowledge up.

I rooted the box but didn’t manage to get meterpreter running. Can you PM me which flavor you used?

@UN1X00 said:
Spoiler Removed - Arrexel

God bless this man or woman (not judging), they just saved me from throwing myself and my laptop out of a first-story window!

Hi, can anybody tell me about priv escalation for “Chatterbox”? I have also read comments that there is no need for priv escalation and to just look in the folder where your shell lands you. But I have searched the folder and found nothing suspicious.

@fhlipZero said:
Finally got it, don’t kill yourself on priv esc, focus on the file itself

Thanks!! finally!

I have a session 1 sec rly?

I’m cacl-ing after rooting this box. Can someone who spawned a full fledged shell PM me on your method? Practicing Windows privesc for OSCP. Thanks.