Enumeration/Foothold
I start every box by setting a variable to the box's IP and running rustscan into xsltproc for an easy-to-read initial scan:
Reviewing the initial results I can see Port 80 open, so I head over to the website. It redirects me to talkative.htb, so I add it to my hosts file.
I have to give some kudos to both authors for going the extra mile (especially TheCyberGeek) and taking the time to make it feel like an actual company website with real sentences. So many boxes are boilerplate templates and miss the initial OSINT.
I see a few possible usernames and their profile page shows [email protected] as the email. I note all three users and continue. At the footer of the page I notice that the Products menu goes to additional links. I also notice that the Talkative.htb link goes to Bolt CMS. I can see a /bolt page endpoint confirming this, but I will leave that till later.
Heading over to the TALK-A-STATS (Coming Soon) page I can see JAMOVI is listed; the application talks about data entry (possible entry point) and has a 'beta' version available:
The link takes me to Port 8080 and immediately I see the following:
Clicking the three dots in the top-right corner I can see the version is 0.9.5.5. I Google around and navigate around the application. I find Rj Editor and see that a plugin to run ruby code is installed:
I went down the rabbit hole for a while and eventually found this article, Ethz – R-Manual, which allowed me to get a reverse shell on the box.
I've been using pwncat more and more recently, which came in handy as it allowed me to download the bolt-administration.omv file from the box locally:
Inside the xdata.json file I find a few usernames/passwords:
I try the passwords against the services I've seen so far and get a hit at the login to the Bolt CMS admin page. Once I was logged in I went to Settings > Configuration > Main Configuration to see if database credentials were available. Next I went to Settings > Configuration > All Configuration Files and noticed a bundles.php file.
Escalation to Root
I went into the file, put in a PHP one-liner and started a pwncat listener. I then navigated to bundles.php to grab the shell. On the container I used pwncat to upload LinPEAS to the box and proceeded to do a scan. I instantly notice:
I pulled ping to the box and ran a loop. I then proceeded to poke at 172.18.0.1 until I got a hit for SSH. Password re-use provided access: the same password used for Bolt worked here:
I used pwncat to upload LinPEAS to the SSH session. I ran a loud scan but didn't see anything useful. I decided to upload pspy next to see if anything was running in the background:
I can see an update_mongo.py script running. Looking at the MongoDB documentation I can see the default ports listed, 27017 – 27020. I used LinPEAS alongside its host/port scan capabilities to find the database:
I then used chisel to forward the port to my local machine:
Saul Session
Attacker Session
Once the connection was in place I paused for a moment, realizing it required another tool to connect to this database. I found these instructions HERE, ignored them and found a single command for a deprecated tool (the tool still works, so proceeding with it!):
Reviewing the results I could now see this database was being used for the Rocket Chat application, which I had seen before in HTB Paper. I referred to the link HERE to reset the password.
The first thing I did was look for the version number as I saw no chats/channels available:
After some research I found CSEnox – CVE-2021-22911 AND THIS, which showed I could get RCE by using a web hook. The process was pretty straightforward once I understood the script was Node.js.
First
Second
Third
Send the full curl command, and make sure to have your listener running to catch the shell.
Once on the box I ran LinPEAS and LinEnum and discovered the box was vulnerable to Shocker. I altered the script to pull the root flag and compiled it. I then uploaded the binary to the box and ran it for the flag. This part is currently not documented (but will be when I'm feeling less lazy).
Rooted
One Comment
I've been super busy with life (job, getting married, etc.), so I haven't been actively writing guides. I have notes for Noter, StreamIO, Trick, Scrambled and Carpediem (ongoing) that I will be publishing on my site in due course.