I start every box by setting a variable to the box's IP and running xsltproc over the nmap XML output for an easy-to-read initial scan:
Reviewing the initial results I can see port 80 open, so I head over to the website. It redirects me to talkative.htb, so I add it to my hosts file.
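As an added example (not the author's tooling), here is a small Python script that does the same job as the xsltproc step above: it turns nmap's `-oX` XML output into a readable port table. The host, hostname and service details in the embedded XML are constructed for illustration, not scan results from the box.

```python
# Added example: summarise nmap -oX output into a readable port table.
import xml.etree.ElementTree as ET

# Constructed sample nmap XML; host/service details are made up, not real scan results.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="talkative.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Tornado httpd" version="5.0"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/>
        <service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one dict per non-closed port, sorted by host address and port number."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state == "closed":  # keep open and filtered ports only
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr, "hostname": hostname, "state": state,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "version": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v),
            })
    return sorted(rows, key=lambda r: (r["host"], r["port"]))

def render_table(rows):
    """Fixed-width text table, one line per port, ready to paste into notes."""
    fmt = "{host:<15} {port:>5}/{proto:<5} {state:<9} {service:<8} {version}"
    head = fmt.format(host="HOST", port="PORT", proto="PROTO", state="STATE",
                      service="SERVICE", version="VERSION")
    return "\n".join([head] + [fmt.format(**r) for r in rows])

if __name__ == "__main__":
    print(render_table(parse_nmap_xml(SAMPLE_XML)))
```

Point it at a real file with `parse_nmap_xml(open("scan.xml").read())` after running nmap with `-oX scan.xml`.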
I have to give some kudos to both authors for going the extra mile (especially TheCyberGeek) and taking the time to make it feel like an actual company website with real sentences. So many boxes are boilerplate templates and miss the initial OSINT.
I see a few possible usernames, and their profile page shows [email protected] as the email. I note all three users and continue. At the footer of the page I notice that the Products menu goes to additional links. I also notice that the Talkative.htb link goes to Bolt CMS. I can see a /bolt page endpoint confirming this, but I will leave that until later.
Heading over to the TALK-A-STATS (Coming Soon) page I can see JAMOVI is listed; the application talks about data entry (a possible entry point) and has a ‘beta’ version available:
The link takes me to port 8080 and immediately I see the following:
Clicking the three dots in the top-right corner I can see the version is 0.9.5.5. I Google around and navigate around the application. I find the Rj Editor and see that a plugin to run ruby code is installed:
I went down the 🐰🕳️ for a while and eventually found this article, Ethz – R-Manual, which allowed me to get a reverse shell on the box.
I’ve been using pwncat more and more recently, and it came in handy here as it allowed me to download the bolt-administration.omv file from the box to my local machine:
Inside the xdata.json file I find a few usernames/passwords:
I try the passwords against the services I’ve seen so far and get a hit on the login to the Bolt CMS admin page. Once logged in, I went to Settings > Configuration > Main Configuration to see if database credentials were available. Next I went to Settings > Configuration > All Configuration Files and noticed a
🔝Escalation to Root
I went into the file, put in a PHP one-liner and started a pwncat listener. I then navigated to bundles.php to grab the shell. On the container I used pwncat to upload LinPEAS to the box and proceeded to do a scan. I instantly noticed:
ping to the box and ran a loop. I then proceeded to poke at 172.18.0.1 until I got a hit for SSH. Password re-use did the trick: the same password used for Bolt gave me access:
pwncat to upload LinPEAS to the SSH session. I ran a loud scan but didn’t see anything useful. I decided to upload pspy next to see if anything was running in the background:
I can see an update_mongo.py script running. Looking at the MongoDB documentation I can see the default ports listed as 27017 – 27020. I used LinPEAS alongside its host/port scan capabilities to find the database:
I then used chisel to forward the port to my local machine:
Once the connection was in place I 😭 for a moment, realizing it required another tool to connect to this database. I found these instructions HERE, ignored them and found a single command for a deprecated tool (the tool still works, so I proceeded with it 😁!):
Reviewing the results I could now see this database was being used for the Rocket.Chat application, which I had seen before in HTB Paper. I referred to the link HERE to reset the password.
The first thing I did was look for the version number as I saw no chats/channels available:
After some research I found CSEnox – CVE-2021-22911 AND THIS, which showed I could get RCE by using a webhook. The process was pretty straightforward once I understood the script was
Send the full curl, but make sure to have your listener running to catch the shell.
Once on the box I ran LinEnum and discovered the box was vulnerable to Shocker. I altered the script to pull the root flag and compiled it. I then uploaded the binary to the box and ran it for the flag. This part is currently not documented (but will be when I’m feeling less lazy).
I’ve been so busy with life (job, getting married, etc.) that I haven’t been actively writing guides. I have notes for Noter, StreamIO, Trick, Scrambled and Carpediem (ongoing) that I will be publishing on my site in due course.