In this post, I would like to share a walkthrough of the Talkative machine from Hack The Box.
This machine is rated Hard on Hack The Box.
- What will you gain from the Talkative machine?
- Information Gathering on Talkative Machine
- Getting Shell using Jamovi R Language
- Bolt CMS enumeration on Talkative machine
- SSH to Saul access
- Escalate to Root Privileges Access on Talkative Machine
- Port Forwarding to obtain mongodb database access
- Change Current Admin's Password to a different password
What will you gain from the Talkative machine?
For the user flag, you will need to abuse an R injection in jamovi and run an SSTI attack on Bolt CMS.
As for the root flag, you need to change the admin’s password on Rocket.Chat and execute JavaScript code inside the Rocket.Chat application. Later, we use an exploit that retrieves the root flag.
Information Gathering on Talkative Machine
Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
# Nmap 7.92 scan-initiated Fri Apr 15 21:25:13 2022 as: nmap -sC -sV -oA initial 10.10.11.155
Nmap scan report for talkative.htb (10.10.11.155)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.52
|_http-generator: Bolt
|_http-title: Talkative.htb | Talkative
|_http-server-header: Apache/2.4.52 (Debian)
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: bErX5ujvFbttzzXXu
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 16 Apr 2022 01:44:36 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| HTTPOptions:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: bErX5ujvFbttzzXXu
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 16 Apr 2022 01:44:37 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| Help, NCP:
|_ HTTP/1.1 400 Bad Request
8080/tcp open http Tornado httpd 5.0
|_http-title: jamovi
|_http-server-header: TornadoServer/5.0
8081/tcp open http Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
8082/tcp open http Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=4/15%Time=625A1B1A%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r\nX-In
SF:stance-ID:\x20bErX5ujvFbttzzXXu\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2016\x20Apr\x202
SF:022\x2001:44:36\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/c
SF:ss\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78b4228d
SF:38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset=\"utf
SF:-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"text/ht
SF:ml;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x20cont
SF:ent=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=
SF:\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\x20/>\
SF:n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t<meta\
SF:x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=\"view
SF:port\"\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum-
SF:scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-web-app-
SF:capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-
SF:app-capable\"\x20conten")%r(Help,1C,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\n\r\n")%r(NCP,1C,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n\r\n")%r(HTT
SF:POptions,31BA,"HTTP/1\.1\x20200\x20OK\r\nX-XSS-Protection:\x201\r\nX-In
SF:stance-ID:\x20bErX5ujvFbttzzXXu\r\nContent-Type:\x20text/html;\x20chars
SF:et=utf-8\r\nVary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2016\x20Apr\x202
SF:022\x2001:44:37\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html>\n<head>\n\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/c
SF:ss\"\x20class=\"__meteor-css__\"\x20href=\"/3ab95015403368c507c78b4228d
SF:38a494ef33a08\.css\?meteor_css_resource=true\">\n<meta\x20charset=\"utf
SF:-8\"\x20/>\n\t<meta\x20http-equiv=\"content-type\"\x20content=\"text/ht
SF:ml;\x20charset=utf-8\"\x20/>\n\t<meta\x20http-equiv=\"expires\"\x20cont
SF:ent=\"-1\"\x20/>\n\t<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=
SF:\"IE=edge\"\x20/>\n\t<meta\x20name=\"fragment\"\x20content=\"!\"\x20/>\
SF:n\t<meta\x20name=\"distribution\"\x20content=\"global\"\x20/>\n\t<meta\
SF:x20name=\"rating\"\x20content=\"general\"\x20/>\n\t<meta\x20name=\"view
SF:port\"\x20content=\"width=device-width,\x20initial-scale=1,\x20maximum-
SF:scale=1,\x20user-scalable=no\"\x20/>\n\t<meta\x20name=\"mobile-web-app-
SF:capable\"\x20content=\"yes\"\x20/>\n\t<meta\x20name=\"apple-mobile-web-
SF:app-capable\"\x20conten");
Service Info: Host: 172.17.0.13
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 15 21:26:04 2022 -- 1 IP address (1 host up) scanned in 50.66 seconds
Let’s access the website interface.
There is nothing much to look at while browsing the website.
Let’s enumerate the website directories using gobuster.
No directory caught my attention, at least.
However, we found /bolt/forms, which might mean that <IP>/bolt exists.
Let’s access the other website interface on port 3000.
Getting Shell using Jamovi R Language
Let’s access another website interface with port 8080.
We are presented with the jamovi interface. Let’s do some research on jamovi exploits.
From the write-up I read on the internet (cves/CVE-2021-28079.md at master · theart42/cves · GitHub), I got some inspiration on how to proceed.
We managed to see the output of “id” using the R language.
We have remote code execution here.
Let’s start our nc listener.
Then let’s send our reverse shell so that we obtain a connection back to us.
Have I gained root access already?
Ah! It’s a Docker environment.
We found a file called bolt-administration.omv stored inside the /root/ directory.
We need to transfer the file to our machine, but commands such as wget and curl don’t exist on the machine. As a result, I transferred the file using the base64 encoding method.
We are required to convert the base64-encoded text back into a normal omv file.
Let’s open the omv file.
There is a JSON file that caught my attention.
Inside the file, I notice that there are a few credentials that we might use on all the login pages we found earlier.
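The two steps above (recovering the base64 text as a file, then looking inside the .omv) are worth doing with a sanity check, because a single dropped character in a copy/paste leaves you with a corrupt archive. A .omv file is a zip container, and its analysis metadata lives in JSON members next to the binary data. The following is an added example, not code from the original post or from the jamovi project: the member names and JSON shape in build_sample_omv() are constructed for the demo and do not reproduce a real jamovi archive exactly. It decodes a wrapped base64 dump, refuses anything that is not a zip, lists the JSON members and flags column names that look like stored credentials.

```python
"""Triage a jamovi .omv file recovered via a base64 transfer.

Added example, not code from the original post. A .omv file is a zip
container whose analysis metadata is stored as JSON members next to the
binary data; the member names and JSON shape used in build_sample_omv() are
constructed for this demo and do not reproduce a real jamovi archive exactly.
"""
import base64
import io
import json
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of the first zip member


def build_sample_omv() -> bytes:
    """Construct a stand-in .omv archive in memory (constructed sample, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("metadata.json", json.dumps({"dataSet": {"rowCount": 2, "columnCount": 2}}))
        # Text columns: value labels are where human-readable strings end up.
        zf.writestr("xdata.json", json.dumps({
            "Username": {"labels": [[0, "example-user", "example-user"]]},
            "Password": {"labels": [[0, "<placeholder>", "<placeholder>"]]},
        }))
        zf.writestr("data.bin", b"\x00" * 16)
    return buf.getvalue()


def encode_for_transfer(data: bytes, width: int = 76) -> str:
    """Mirror the `base64` tool's output: line-wrapped text copied out of a terminal."""
    text = base64.b64encode(data).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def is_omv_archive(data: bytes) -> bool:
    """Check the zip magic and that the central directory is intact."""
    return data.startswith(ZIP_MAGIC) and zipfile.is_zipfile(io.BytesIO(data))


def decode_transfer(text: str) -> bytes:
    """Strip line wrapping, decode strictly, and refuse anything that is not a zip."""
    compact = "".join(text.split())
    data = base64.b64decode(compact, validate=True)
    if not is_omv_archive(data):
        raise ValueError("decoded bytes are not a zip container; the copy was truncated or corrupted")
    return data


def list_json_entries(omv: bytes) -> list[str]:
    """Names of all JSON members, in the order they are stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(omv)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".json")]


def load_json_entry(omv: bytes, name: str) -> dict:
    with zipfile.ZipFile(io.BytesIO(omv)) as zf:
        return json.loads(zf.read(name).decode("utf-8"))


def find_credential_columns(omv: bytes, hints=("user", "pass", "token", "secret")) -> list[str]:
    """Column names in xdata.json whose names suggest stored credentials, sorted."""
    columns = load_json_entry(omv, "xdata.json")
    return sorted(c for c in columns if any(h in c.lower() for h in hints))


if __name__ == "__main__":
    transferred = encode_for_transfer(build_sample_omv())
    recovered = decode_transfer(transferred)
    print("json members:", list_json_entries(recovered))
    print("credential-like columns:", find_credential_columns(recovered))
```

On a real file, replace build_sample_omv() with the text pasted from the remote shell; decode_transfer() raising ValueError is the signal to re-copy rather than to keep digging in a half-broken archive.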
Bolt CMS enumeration on Talkative machine
First, let’s see if the bolt directory exists, and it does.
Therefore, let’s try logging in using the credentials that we found earlier.
At last, we managed to access the dashboard.
After doing some research, we found that we need to edit index.twig.
SSTI Attack method
Let’s put an SSTI injection into the template source code.
Save it!
After that, we also need to clear the cache so that we can execute the injection a
It works!
Let’s do some research on SSTI RCE exploits.
Let’s try to retrieve /etc/passwd and see whether it works.
It works!
Let’s encode our reverse shell with base64.
Then let’s send a command such as “echo <base64> | base64 -d | bash”.
We got a reverse shell connection back to us.
Sadly, we cannot use python to get a proper shell, but we can try to get one with /usr/bin/script.
At least we got a shell using that command.
SSH to Saul access
Let’s try to ssh to the machine with saul’s credentials. It works!
We can read the user flag by executing the command “cat user.txt”.
Escalate to Root Privileges Access on Talkative Machine
I notice that port 27017 is listening for a connection.
Port Forwarding to obtain mongodb database access
Let’s download chisel onto the machine.
We run the chisel server on the victim’s machine.
We also need to run chisel as a client on our machine so that we can port-forward the database.
Change Current Admin’s Password to a different password
Let’s start mongosh to see what is stored in the database.
There is a user with username=admin saved in the database.
Let’s change the current admin’s password to our own password.
We can log in with the password we set earlier, and we manage to access the dashboard.
I notice that there are integrations inside the admin control panel.
Abuse Incoming Webhook to obtain a reverse shell connection
There are two webhook types, incoming and outgoing. We need to choose the incoming webhook.
We have the JavaScript to launch the reverse shell, and we save it.
To obtain a reverse shell connection back to us, we need to curl the request shown in the screenshot above.
Finally, we get a reverse shell connection back to us.
We can obtain a proper shell using script -qc /bin/bash /dev/null.
The source of the exploit can be found at http://stealth.openwall.net/xSports/shocker.c
We can modify the code as shown above.
Use Pwncat to upload the file to the Docker environment
However, I switched to pwncat, which makes it easier to upload files to the victim’s machine.
We need to transfer shocker.c into saul’s environment.
When we have transferred the file to saul’s environment, we need to compile the shocker code.
We can then upload the compiled file to the victim’s machine.
We need to give shocker execute permission.
As you can see, we managed to retrieve /etc/shadow.
To retrieve the root flag, we change the file path in the code.
At last, we can read the root flag when we execute it.
Another way to obtain the root flag is using CDK (https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search)
At first we failed to obtain the root flag, but wait: I notice my command is wrong.
After I change my command, it works and we manage to read the root flag.
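Both shocker.c and the CDK module linked above only work because the container process holds CAP_DAC_READ_SEARCH, which lets open_by_handle_at() bypass file permission checks on the host filesystem. The check a defender (or a tester confirming the finding) wants is to read /proc/self/status inside the container and decode the capability bitmasks. The following is an added example, not code from the original post, shocker.c or CDK: it decodes the Cap* lines and flags isolation-breaking capabilities. The two status snippets are constructed; one carries Docker's default capability set, which does not include CAP_DAC_READ_SEARCH, and the other is the same set with bit 2 added, as a container started with an extra --cap-add would show.

```python
"""Audit Linux capability sets from /proc/<pid>/status.

Added example, not code from the original post. shocker.c and CDK's
cap-dac-read-search module both depend on a container process holding
CAP_DAC_READ_SEARCH; this script decodes the hex bitmasks in the Cap* lines
and flags capabilities that break container isolation. The two status
snippets below are constructed: one carries Docker's default capability set
(which omits CAP_DAC_READ_SEARCH), the other the same set with bit 2 added.
"""
from pathlib import Path

# Capability numbers in bit order, as defined in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities whose presence in a container warrants a finding.
RISKY_CAPS = {
    "CAP_DAC_READ_SEARCH": "bypasses file read checks; open_by_handle_at() can reach host files (shocker.c)",
    "CAP_SYS_ADMIN": "mounts, namespace changes and other near-root operations",
    "CAP_SYS_PTRACE": "attaches to and modifies other processes",
    "CAP_SYS_MODULE": "loads kernel modules",
    "CAP_SYS_RAWIO": "raw device and /dev/mem access",
}


def decode_caps(hex_mask: str) -> set[str]:
    """Turn a CapXxx hex bitmask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> dict[str, set[str]]:
    """Extract every Cap* line (CapInh, CapPrm, CapEff, CapBnd, CapAmb) as a decoded set."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            sets[key.strip()] = decode_caps(value.strip())
    return sets


def audit(text: str) -> dict[str, str]:
    """Return {capability: reason} for risky caps in the effective or bounding set.

    The bounding set matters even when CapEff looks clean: a setuid binary or
    file capability inside the container can regain anything still in CapBnd.
    """
    sets = parse_status(text)
    present = sets.get("CapEff", set()) | sets.get("CapBnd", set())
    return {cap: RISKY_CAPS[cap] for cap in sorted(present) if cap in RISKY_CAPS}


# Constructed /proc/<pid>/status excerpts (not captured from the machine).
DOCKER_DEFAULT_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Same set with bit 2 (CAP_DAC_READ_SEARCH) added: 0xfb -> 0xff in the low byte.
DAC_READ_SEARCH_STATUS = DOCKER_DEFAULT_STATUS.replace("a80425fb", "a80425ff")


if __name__ == "__main__":
    for label, text in (("docker default", DOCKER_DEFAULT_STATUS),
                        ("with CAP_DAC_READ_SEARCH", DAC_READ_SEARCH_STATUS)):
        print(label, "->", audit(text) or "no findings")
    # Audit the current process when running inside the container under review.
    status_file = Path("/proc/self/status")
    if status_file.exists():
        print("self ->", audit(status_file.read_text()) or "no findings")
```

Run it as the low-privileged process inside the container (or feed it the output of cat /proc/self/status taken there); the remediation when CAP_DAC_READ_SEARCH shows up in CapBnd is to start the container with --cap-drop for it, or better, --cap-drop=ALL plus only the capabilities the service needs.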