Chatterbox

@axel205 said:
I got the root.txt using the suggested tool of cacls before… I’m not sure I understood why it worked though. Can someone send a link or explain why/how this works?

With icacls, you can grant a certain user the permissions to a certain folder and its underlying files. The user was already elevated, just the permissions were not yet properly configured.

@daddycocoaman said:
For the record, you can absolutely get some type of meterpreter shell right off the bat. Gotta step that metasploit knowledge up.

I rooted the box but didn’t manage to get meterpreter running. Can you PM me which flavor you used?

@UN1X00 said:
Spoiler Removed - Arrexel

God bless this man or woman (not judging); they just saved me from throwing myself and my laptop out of a first-story window!

Hi, can anybody tell me about priv escalation for “chatter box”? I have also read comments that there is no need for priv escalation and to just look in the folder where your shell landed you. But I have searched the folder and found nothing suspicious.

@fhlipZero said:
Finally got it. Don’t kill yourself on priv esc, focus on the file itself.

Thanks!! finally!

I have a session 1 sec, rly?

I’m cacl-ing after rooting this box. Can someone who spawned a full fledged shell PM me on your method? Practicing Windows privesc for OSCP. Thanks.

Got Root. Nice box.

A set of hints for this box is to audit the exploit script (do not use metasploit exploit), and see what it’s doing first.

Run the application on a virtual machine (recommend Windows 7).

Do not use meterpreter/reverse_tcp as shell; this is why the service keeps crashing.

Use a regular Windows reverse shell (do not use meterpreter please), and you will have a stable shell.

Get your payload/exploit working locally first then move to live box.

Should be easy from there.

This box is frustrating. I got a shell working, was on my way to the user flag and it dies. Now it doesn’t even connect. Even after a reset.

rooted!

I scanned all 65535 at once in under 30 seconds. Try the --min-parallelism and set it to 1000.

Hi. I got root.txt by a method mentioned in this forum. Can someone PM me on how to get an administrator shell? Just for educational purposes…

Has anyone else experienced the box running very slowly when you have a shell? I had to give up on privesc because I was waiting a few minutes for each command to do its thing.

Also it’s very frustrating that I spent ages troubleshooting my exploit and payload, verifying it with others for it to repeatedly not work. Even after resets.

Turns out there was nothing wrong but the service was being killed in the time it took for nmap to verify port open and me to run the exploit.

Deffo a box to do on VIP when you are not battling against multiple other people.

---->{00F}!

Anyone need hints (not answer), just PM me. :lol:

@onlyamedic said:
A set of hints for this box is to audit the exploit script (do not use metasploit exploit), and see what it’s doing first.

Run the application on a virtual machine (recommend Windows 7).

Do not use meterpreter/reverse_tcp as shell; this is why the service keeps crashing.

Use a regular Windows reverse shell (do not use meterpreter please), and you will have a stable shell.

Get your payload/exploit working locally first then move to live box.

Should be easy from there.

First post and first box I’ve done on here, I must say I’m really loving this community and all of the helpful tips everyone has (using basics like netcat or just shell instead of meterpreter were HUGE for this one, as was trying out different nmap parameters!)

Also I don’t think it can be stressed enough to try exploits out on your own VM; it was first-try-Friday’s for me once I realized I had the right exploit & payload, and that the box just needed resetting so the exploit could actually work.

And if you need any hints, please feel free to PM literally anybody else that’s already offered as I doubt I’m the right person to be asking.

Hi everyone,
First post here.
I’ve got the root.txt but can’t figure out how to get an nt/authority shell.

Did anyone here manage to root shell this box?

Regards,

got root, nice box :wink:

This is my first machine attempt ever. I thought trying some retired machines and following along with some write-ups would be a decent way to learn more; doesn’t seem so now though, haha.

I know what ports are supposed to be targeted, but every nmap scan (even one that specifically targets the listening ports) is coming up with “all scanned ports are on ‘…’ are filtered” or “Host seems down. If it is really up, but blocking out ping probes, try -Pn Nmap done: 1 IP address (0 host up)”. HTB status check lists Chatterbox as up. Just need to know if it’s something I’m doing or if this is a common issue with this box.