The default nmap scan shows no open ports. Scanning all ports shows that 9255 and 9256 are open.

Scanning these two ports further shows that they are running AChat. According to searchsploit, AChat 0.150 beta7 has a Remote Buffer Overflow vulnerability.

Use msfvenom to create a payload that accesses my reverse shell script, and paste the created payload into the exploit script.

After executing the script, I got a reverse shell as chatterbox\alfred.

Download PowerUp.ps1 from my computer for further investigation.

After invoking all checks, I got the default password.

Create a credential object for Administrator with the default password. Access my reverse shell script with that credential.

Finally, I got the shell as administrator.
