OSCP Prep #11 HTB Write-Up Chatterbox


1. Target Overview

Machine Name: Chatterbox
Platform: HackTheBox
Operating System: Windows

Objective:
Chatterbox is a Windows-based Hack The Box machine that exposes several typical Windows networking services along with an unusual chat application running on a non-standard port. The goal is to enumerate exposed services, identify potential vulnerabilities in the running software, gain an initial foothold on the system, and ultimately escalate privileges to obtain full administrative access.

Tools Used

  • Rustscan - Port scanning

  • Nmap - Port scanning

  • NetExec (nxc) - Enumeration

  • Searchsploit - Enumeration

  • Metasploit - Exploitation

  • Impacket (PsExec) - Post exploitation shell

2. Enumeration

Initial Scanning

As always, I began the engagement with an Nmap scan to identify open ports and running services on the target machine.

The scan revealed several Windows services along with a web interface tied to a chat application.

Key Observations

  • Ports 135, 139, and 445 confirmed standard RPC/SMB services

  • The system is running Windows 7 Professional SP1

  • A custom AChat service is exposed on:

    • 9255 (HTTP)

    • 9256 (AChat service port)

  • The HTTP service did not return a functional web app—just a server identifier

SMB Enumeration

I attempted anonymous SMB enumeration using NetExec:

nxc smb <target> -u '' -p '' --shares

This resulted in:

  • Access Denied

  • No share enumeration possible

This indicated that anonymous access was not allowed, so SMB was not immediately useful for initial access.

Service Enumeration (AChat)

Since SMB didn’t yield results, I shifted focus to the AChat service, which stood out as:

  • Non-standard

  • Likely custom or third-party software

  • High probability of known vulnerabilities

Interacting with the HTTP service only returned the server banner:

AChat chat system httpd

No additional functionality was exposed, reinforcing that this was not meant for browser interaction.
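A manual way to make the same banner check without nmap, added here as an example and not part of the original write-up: a raw GET over a socket plus a small parser for the Server header. The response bytes in the block are constructed to mirror the banner reported above, not captured from the target, and the host and port arguments are placeholders.

```python
import socket
import sys
from typing import Optional

# Constructed sample response modelled on the banner the write-up reports
# for port 9255; it is not a capture from the target.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: AChat chat system httpd\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None.

    Only the header block (before the first blank line) is inspected and
    the status line is skipped, so a body that happens to contain the text
    'Server:' cannot spoof the result.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", errors="replace")
    return None


def grab_http_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a minimal GET request and return whatever the service answers.

    A listener that speaks HTTP answers with headers; a non-HTTP service
    usually stays silent or closes the socket, which is itself useful
    information when triaging an unfamiliar port.
    """
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while sum(len(c) for c in chunks) < 65536:  # cap what we keep
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # silent service: return what was received, possibly nothing
    return b"".join(chunks)


if __name__ == "__main__":
    # usage: python banner.py <target> 9255   (host and port are placeholders)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    banner = parse_server_header(grab_http_banner(target_host, target_port))
    print(banner or "no Server header in response")
```

Run it against the HTTP port and you get the same one-line identifier the browser showed; run it against 9256 and the empty or closed response tells you that port does not speak HTTP at all, which is worth noting before reaching for an exploit.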

Vulnerability Research

I used Searchsploit to look for known vulnerabilities:

searchsploit achat

This revealed:

  • AChat 0.150 beta7 - Remote Buffer Overflow

  • Metasploit module available:

    • windows/misc/achat_bof

At this point, this was clearly the most promising attack vector.

3. Exploitation

Foothold

I used the Metasploit module windows/misc/achat_bof against the AChat buffer overflow. The exploit triggered the vulnerability and returned a reverse shell.

Shell Access

After gaining access, I verified my context:

Output:

chatterbox\alfred

This confirmed I had a low-privileged user shell.

4. Privilege Escalation

Initial Local Enumeration

Following my standard Windows privilege escalation methodology:

Step 1: Enumerate Users

Discovered users:

  • Administrator

  • Alfred (current user)

This confirmed a simple environment with a clear escalation target.

User Context

whoami
chatterbox\alfred

Privilege Escalation Path

Step 2: Check for AutoLogon Credentials

I queried the Winlogon registry key:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

This revealed:

  • DefaultUserName: Alfred

  • AutoAdminLogon: 1

  • DefaultPassword: Welcome1!

This is a classic misconfiguration where credentials are stored in plaintext in the registry.
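When the reg query output comes back through a reverse shell it is easy to misread, so it helps to parse it rather than eyeball it. The following Python is an added example, not code from the original write-up: it extracts value names and data from reg query text and reports a finding only when AutoAdminLogon is enabled and a DefaultPassword is actually present. The sample output is constructed to mirror the values above; the extra value names are ordinary Winlogon values, and the DefaultDomainName handling is an assumption for domain-joined hosts.

```python
import re
from typing import Dict, Optional

# Constructed sample of `reg query` output, modelled on the values the
# write-up reports; it is not the target's actual output.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1!
    AutoRestartShell    REG_DWORD    0x1
"""

# A value line is indented and carries a REG_* type token between the name
# and the data; the key path line itself is not indented and is skipped.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(output: str) -> Dict[str, str]:
    """Map value names (lower-cased) to their data from `reg query` text.

    The registry is case-insensitive for value names, so lower-casing keeps
    lookups working regardless of how the values were originally written.
    """
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("data").strip()
    return values


def autologon_finding(output: str) -> Optional[str]:
    """Return a one-line finding if AutoAdminLogon exposes a usable password.

    Both conditions must hold: AutoAdminLogon set to 1 and a non-empty
    DefaultPassword. A DefaultUserName on its own is normal and not a finding.
    """
    v = parse_reg_query(output)
    enabled = v.get("autoadminlogon", "0") in ("1", "0x1")
    password = v.get("defaultpassword")
    if not enabled or not password:
        return None  # disabled, or no cleartext password stored
    user = v.get("defaultusername", "<unknown>")
    domain = v.get("defaultdomainname")  # assumption: present on domain-joined hosts
    account = f"{domain}\\{user}" if domain else user
    return f"AutoAdminLogon enabled: {account} / {password}"


if __name__ == "__main__":
    print(autologon_finding(SAMPLE_REG_OUTPUT) or "no AutoAdminLogon credentials")
```

The same parser works for any key you dump this way, so it doubles as a building block for checking other credential-bearing values during local enumeration.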

Root/System Access

The DefaultPassword belongs to Alfred, but the same password was accepted for the local Administrator account (password reuse), so I used it with Impacket's PsExec:

impacket-psexec administrator@<target>

After authentication I obtained a SYSTEM shell rather than an Administrator one, because PsExec runs its service binary as LocalSystem:

whoami
nt authority\system

This completed the privilege escalation.

5. Lessons Learned

Key Takeaways

  1. Always prioritize non-standard services during enumeration

    • The AChat service was the intended entry point and immediately exploitable

  2. Vulnerability research is critical

    • A simple searchsploit search led directly to a working exploit

  3. Don’t rely solely on SMB enumeration

    • Even when SMB fails, other services may provide easier access

  4. Always follow a structured privesc methodology

    • Systematically checking registry keys led directly to credentials

  5. AutoLogon credentials are extremely dangerous

    • Storing plaintext passwords in the registry is effectively handing over admin access

Attacker Insights

  • Buffer overflow vulnerabilities in legacy applications remain a high-value attack vector

  • Windows registry misconfigurations are often low-effort, high-reward escalation paths

  • Combining public exploits + poor credential storage leads to rapid compromise

6. Defensive Insight

Hardening Opportunities

  • Remove or patch vulnerable software like AChat

  • Disable AutoAdminLogon

  • Never store plaintext credentials in the registry

  • Restrict unnecessary services and ports

Detection Opportunities

  • Monitor for:

    • Unusual connections to uncommon ports (9255/9256)

    • Exploit signatures targeting known vulnerable services

  • Alert on:

    • Registry queries involving Winlogon keys

    • Use of administrative tools like PsExec
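What these detection opportunities look like as rules over normalised events, added here as an example and not from the original write-up: a Sysmon network-connection event to the AChat ports, a Sysmon process-creation event for reg.exe querying the Winlogon key, and a System event 7045 service installation for a PsExec-style service. The events are constructed (with documentation IP ranges), and the heuristic that Impacket's psexec drops a randomly named executable directly in the Windows directory is an assumption about that tool's behaviour, not something the write-up shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, flattened the way a SIEM would store them;
# these are not real logs from the target. IPs are documentation ranges.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"source": "Sysmon", "EventID": "3", "Initiated": "false",
     "Image": r"C:\Program Files\AChat\AChat.exe",
     "SourceIp": "192.0.2.10", "DestinationIp": "198.51.100.20",
     "DestinationPort": "9256"},
    {"source": "Sysmon", "EventID": "1", "User": r"CHATTERBOX\Alfred",
     "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"'},
    {"source": "Sysmon", "EventID": "1", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"source": "System", "EventID": "7045", "ServiceName": "wXyQzAbC",
     "ImagePath": r"C:\Windows\oRpKlMnE.exe", "ServiceAccount": "LocalSystem"},
    {"source": "System", "EventID": "7045", "ServiceName": "ExampleDrv",
     "ImagePath": r"C:\Windows\System32\drivers\example.sys",
     "ServiceAccount": ""},
]

ACHAT_PORTS = {"9255", "9256"}
WINLOGON_KEY = r"currentversion\winlogon"
# Assumption: a service binary sitting directly in the Windows directory
# (the ADMIN$ share root) under an arbitrary name is how Impacket's psexec
# stages its helper; legitimate services live in subdirectories.
DROPPED_IN_WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event satisfies (possibly none)."""
    hits: List[str] = []
    src, eid = event.get("source"), event.get("EventID")

    if src == "Sysmon" and eid == "3" and event.get("DestinationPort") in ACHAT_PORTS:
        hits.append("achat_port_connection")

    if src == "Sysmon" and eid == "1":
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        if image.endswith(r"\reg.exe") and "query" in cmd and WINLOGON_KEY in cmd:
            hits.append("winlogon_registry_query")

    if src == "System" and eid == "7045":
        name = event.get("ServiceName", "")
        path = event.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or DROPPED_IN_WINDOWS_ROOT.match(path):
            hits.append("psexec_style_service_install")

    return hits


def run_detections(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Apply every rule to every event and return (rule, event) pairs in order."""
    return [(rule, e) for e in events for rule in match_rules(e)]


if __name__ == "__main__":
    for rule, ev in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {ev.get('Image') or ev.get('ImagePath') or ev.get('DestinationPort')}")
```

The three alerts fire in the same order the compromise unfolded (exploit traffic, credential hunting, lateral tooling), which is exactly the chain a triage analyst wants to see correlated on one host; the benign svchost and driver-install events produce nothing.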

Preventive Controls

  • Enforce secure credential storage policies

  • Apply regular patching and vulnerability management

  • Limit administrative access and enforce least privilege

  • Use EDR solutions to detect exploitation behavior

Useful Commands

Enumeration Commands

nmap -sC -sV <target>
nxc smb <target> -u '' -p '' --shares
searchsploit achat

Exploitation Commands

use exploit/windows/misc/achat_bof
run

Privilege Escalation Commands

whoami
cd C:\Users
dir

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
impacket-psexec administrator@<target>

Road To OSCP

Part 12 of 22

This series documents my journey toward the OSCP certification through practical CTF and lab machines, breaking down each challenge step-by-step while focusing on the mindset and methodology required for real penetration testing.
