In this post, I would like to share a walkthrough of the Talkative Machine from Hack the Box

This room will be considered as a Hard machine on Hack The box

What will you gain from the Talkative machine?

For the user flag, you will need to abuse R Injection and run an SSTI attack on BoltCMS.

As for the root flag, you need to change the admin’s password on rocketchat and execute javascript code inside the rocket chat application. Later, we need to use an exploit that retrieves the root’s flag

Information Gathering on Talkative Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan-initiated Fri Apr 15 21:25:13 2022 as: nmap -sC -sV -oA initial 10.10.11.155
Nmap scan report for talkative.htb (10.10.11.155)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   filtered ssh
80/tcp   open     http    Apache httpd 2.4.52
|_http-generator: Bolt
|_http-title: Talkative.htb | Talkative
|_http-server-header: Apache/2.4.52 (Debian)
3000/tcp open     ppp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
|     X-Instance-ID: bErX5ujvFbttzzXXu
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept-Encoding
|     Date: Sat, 16 Apr 2022 01:44:36 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
|     <meta charset="utf-8" />
|     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
|     <meta http-equiv="expires" content="-1" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
|     <meta name="fragment" content="!" />
|     <meta name="distribution" content="global" />
|     <meta name="rating" content="general" />
|     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
|     <meta name="mobile-web-app-capable" content="yes" />
|     <meta name="apple-mobile-web-app-capable" conten
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
|     X-Instance-ID: bErX5ujvFbttzzXXu
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept-Encoding
|     Date: Sat, 16 Apr 2022 01:44:37 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
|     <meta charset="utf-8" />
|     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
|     <meta http-equiv="expires" content="-1" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
|     <meta name="fragment" content="!" />
|     <meta name="distribution" content="global" />
|     <meta name="rating" content="general" />
|     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
|     <meta name="mobile-web-app-capable" content="yes" />
|     <meta name="apple-mobile-web-app-capable" conten
|   Help, NCP: 
|_    HTTP/1.1 400 Bad Request
8080/tcp open     http    Tornado httpd 5.0
|_http-title: jamovi
|_http-server-header: TornadoServer/5.0
8081/tcp open     http    Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
8082/tcp open     http    Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=4/15%Time=625A1B1A%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r\nX-In
SF:stance-ID:\x20bErX5ujvFbttzzXXu\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2016\x20Apr\x202
SF:022\x2001:44:36\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/c
SF:ss\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78b4228d
SF:38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset=\"utf
SF:-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"text/ht
SF:ml;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x20cont
SF:ent=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=
SF:\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\x20/>\
SF:n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t<meta\
SF:x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=\"view
SF:port\"\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum-
SF:scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-web-app-
SF:capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-
SF:app-capable\"\x20conten")%r(Help,1C,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\n\r\n")%r(NCP,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(HTT
SF:POptions,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r\nX-In
SF:stance-ID:\x20bErX5ujvFbttzzXXu\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2016\x20Apr\x202
SF:022\x2001:44:37\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/c
SF:ss\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78b4228d
SF:38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset=\"utf
SF:-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"text/ht
SF:ml;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x20cont
SF:ent=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=
SF:\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\x20/>\
SF:n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t<meta\
SF:x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=\"view
SF:port\"\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum-
SF:scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-web-app-
SF:capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-
SF:app-capable\"\x20conten");
Service Info: Host: 172.17.0.13

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 15 21:26:04 2022 -- 1 IP address (1 host up) scanned in 50.66 seconds

Let’s access the website interface

A screenshot of a computer

Description automatically generated with medium confidence

Nothing much that we can look at while browsing the website

Let’s enumerate the website directory using gobuster

Graphical user interface, text

Description automatically generated

Nothing directory that caught my attention at least

Graphical user interface, text, application, email

Description automatically generated

However, we found a /bolt/forms which it might lead to <IP>/bolt

Graphical user interface, application, website

Description automatically generated

Let’s access another website interface with port 3000

Getting Shell using Jamovi R Language

Graphical user interface, application, table, Word

Description automatically generated

Let’s access another website interface with port 8080.

We have been presented with jamovi interface. Let’s do some research on the jamovi exploit.

Text

Description automatically generated
A screenshot of a computer

Description automatically generated with medium confidence

From the exploit that I read the article such as (cves/CVE-2021-28079.md at master · theart42/cves · GitHub) on the internet, I got some inspiration on how to proceed

Graphical user interface, application

Description automatically generated

We managed to see the “id” result using the R language

Graphical user interface, text

Description automatically generated

We have a Remote Code execution over here

A screenshot of a computer

Description automatically generated with medium confidence

Let’s start our nc listener

Graphical user interface, text

Description automatically generated

Therefore, let’s send our reverse shell so that we can obtain the connection back to us

Am I have gained root access already?

Ah! It’s a docker environment

Text

Description automatically generated

We found a file called bolt-administration.omv stored inside the /root/ directory

A picture containing graphical user interface

Description automatically generated

We need to transfer the file to our machine but some command such as wget and curl doesn’t exist on the machine. As a result, I transfer the file using base64 encoded method

Graphical user interface, text, application

Description automatically generated

We are required to convert the bsae64 encoded into a normal omv file format

Graphical user interface, text

Description automatically generated with medium confidence

Let’s open the omv file

Graphical user interface, text, application

Description automatically generated
Graphical user interface, application

Description automatically generated

There is a json file that caught my attention.

Graphical user interface, text, application, chat or text message

Description automatically generated

Inside the file, I notice that there are a few credentials that we might use on all login pages that we found earlier.

Bolt CMS enumeration on Talkative machine

A picture containing text, electronics, screenshot, display

Description automatically generated

Firstly, let’s see if the bolt directory exists and it does.

Graphical user interface, application

Description automatically generated

Therefore, let’s try login in using the credentials that we found earlier.

Graphical user interface, text, application

Description automatically generated

At last, we managed to access the dashboard

Graphical user interface, application, website

Description automatically generated

After doing some research, we need to edit the index.twig

SSTI Attack method

Graphical user interface, text, application, email

Description automatically generated

Let’s throw an SSTI attack injection on the source code

Graphical user interface, text, application, chat or text message

Description automatically generated

Save it!

Graphical user interface, text, application

Description automatically generated
Graphical user interface, text, application

Description automatically generated

After that, we also need to clear the cache so that we can execute the injection a

A screenshot of a person

Description automatically generated with low confidence

It works!

Graphical user interface, text, application

Description automatically generated

Let’s do some research on SSTI RCE Exploit

Graphical user interface, text, application, email

Description automatically generated

Let’s try retrieve the /etc/passwd and see if it works or not

A picture containing text, screenshot, computer

Description automatically generated

It work!

Text

Description automatically generated

Let’s encoded our reverse shell with base64

Graphical user interface, text, application, email

Description automatically generated

Therefore, let’s throw a code such as “echo <base64> | base64 -d | bash

Text

Description automatically generated

We got a reverse shell connection back to us.

Text

Description automatically generated

Sadly, we cannot use python to get a proper shell but we can try to get a proper shell with /usr/bin/script

Text

Description automatically generated

At least, we got a shell using those command

SSH to Saul access

Text

Description automatically generated

Let’s try to ssh to the machine with saul credentials. It works!

A screenshot of a computer

Description automatically generated with low confidence

We can read the user flag when executing the command “cat user.txt”

Escalate to Root Privileges Access on Talkative Machine

Graphical user interface

Description automatically generated

I notice that there’s port 27017 is waiting for a connection

Port Forwarding to obtain mongodb database access

Text

Description automatically generated

Let’s download chisel on the machine

We are running the chisel server on the victim’s machine

Text

Description automatically generated

We also need to start executing chisel as a client on our machine so that we can port forwarding the database

Change Current Admin’s Password to a different password

Text, chat or text message

Description automatically generated

Let’s start mongosh to see what is stored on the database

Text

Description automatically generated

There’s a username=admin that has been saved on the database.

A screenshot of a computer

Description automatically generated with medium confidence

Let’s change the current admin’s password with our own password

Graphical user interface, text, application

Description automatically generated

We can enter the password that we changed earlier and we managed to access the dashboard

Graphical user interface, text, application

Description automatically generated

I notice that there are integrations inside the admin control panel

Abuse Incoming Webhook to obtain a reverse shell connection

Graphical user interface, application

Description automatically generated with medium confidence

There is two webhook which are incoming and outgoing. We need to choose the incoming webhook

Graphical user interface, text, application, email

Description automatically generated
Graphical user interface, text, application, email

Description automatically generated

We have the javascript to launch the reverse shell and save it

Graphical user interface, text, application, email

Description automatically generated

For us to obtain a reverse shell connection back to us, we need to curl the packet shown in the screenshot above

Graphical user interface, website

Description automatically generated

Finally, we get a reverse shell connection to us

A screenshot of a computer

Description automatically generated with medium confidence

We can obtain a proper shell using script -qc /bin/bash /dev/null

The source of the exploit can be found at http://stealth.openwall.net/xSports/shocker.c

A screenshot of a computer

Description automatically generated with medium confidence

For the code, we can modify such as above

Use Pwncat to upload the file on docker environment

Graphical user interface, text

Description automatically generated with medium confidence

However, I change using pwncat which it’s easier to upload files to the victim’s machine

Text

Description automatically generated

We need to transfer the shocker.c into saul environment

Text

Description automatically generated with medium confidence

When we have finally transferred the file to the saul environment, we need to compile the shocker code

We can upload the file to the victim’s machine

A screenshot of a computer

Description automatically generated with low confidence

We need to give the execute permission to shocker

Graphical user interface, text

Description automatically generated
Graphical user interface, text

Description automatically generated with medium confidence

As you can see, we managed to retrieve /etc/shadow

A screenshot of a computer

Description automatically generated with medium confidence

For us to retrieve the root flag, we change the location on the code

Text

Description automatically generated

At last, we can read the root flag when we execute it

Another way to obtain a root flag is using CDK (https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search)

Graphical user interface, text

Description automatically generated

We have failed to obtain the root flag but wait.I notice my command is wrong

Graphical user interface, text

Description automatically generated

After I change my command, it work and we managed to read the root flag

Categories:

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *