In this post, I would like to share a walkthrough of the Talkative machine from Hack The Box.
This room is rated as a Hard machine on Hack The Box.

What will you gain from the Talkative machine?
For the user flag, you will need to abuse R injection and run an SSTI attack on Bolt CMS.
As for the root flag, you need to change the admin's password in Rocket.Chat and execute JavaScript code inside the Rocket.Chat application. Later, we use an exploit that retrieves the root flag.
Information Gathering on Talkative Machine
Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
# Nmap 7.92 scan-initiated Fri Apr 15 21:25:13 2022 as: nmap -sC -sV -oA initial 10.10.11.155
Nmap scan report for talkative.htb (10.10.11.155)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.52
|_http-generator: Bolt
|_http-title: Talkative.htb | Talkative
|_http-server-header: Apache/2.4.52 (Debian)
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: bErX5ujvFbttzzXXu
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 16 Apr 2022 01:44:36 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| HTTPOptions:
| HTTP/1.1 200 OK
| X-XSS-Protection: 1
| X-Instance-ID: bErX5ujvFbttzzXXu
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 16 Apr 2022 01:44:37 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/3ab95015403368c507c78b4228d38a494ef33a08.css?meteor_css_resource=true">
| <meta charset="utf-8" />
| <meta http-equiv="content-type" content="text/html; charset=utf-8" />
| <meta http-equiv="expires" content="-1" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="fragment" content="!" />
| <meta name="distribution" content="global" />
| <meta name="rating" content="general" />
| <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
| <meta name="mobile-web-app-capable" content="yes" />
| <meta name="apple-mobile-web-app-capable" conten
| Help, NCP:
|_ HTTP/1.1 400 Bad Request
8080/tcp open http Tornado httpd 5.0
|_http-title: jamovi
|_http-server-header: TornadoServer/5.0
8081/tcp open http Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
8082/tcp open http Tornado httpd 5.0
|_http-title: 404: Not Found
|_http-server-header: TornadoServer/5.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: 172.17.0.13
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 15 21:26:04 2022 -- 1 IP address (1 host up) scanned in 50.66 seconds
Let's access the website interface.

There is not much to look at while browsing the website.
Let's enumerate the website directories using gobuster.

No directory caught my attention, at least at first.

However, we found /bolt/forms, which might lead to <IP>/bolt.

Let's access another website interface on port 3000.
Getting a Shell Using the jamovi R Language

Let's access another website interface on port 8080.
We are presented with the jamovi interface. Let's do some research on jamovi exploits.


From the exploit write-up that I read on the internet (cves/CVE-2021-28079.md at master · theart42/cves · GitHub), I got some inspiration on how to proceed.

We managed to see the output of “id” using the R language.

We have remote code execution over here.

Let's start our nc listener.

Therefore, let's send our reverse shell so that we obtain a connection back to us.

Have I gained root access already?

Ah! It's a Docker environment.

We found a file called bolt-administration.omv stored inside the /root/ directory.

We need to transfer the file to our machine, but commands such as wget and curl do not exist on the machine. As a result, I transferred the file using the base64 encoding method.

We are required to convert the base64-encoded text back into a normal omv file.

Let's open the omv file.


There is a JSON file that caught my attention.

Inside the file, I noticed a few credentials that we might use on all of the login pages that we found earlier.
Bolt CMS Enumeration on Talkative Machine

Firstly, let's see if the bolt directory exists, and it does.

Therefore, let's try logging in using the credentials that we found earlier.

At last, we managed to access the dashboard.

After doing some research, we find that we need to edit index.twig.
SSTI Attack Method

Let's inject an SSTI payload into the source code.

Save it!

After that, we also need to clear the cache so that we can execute the injection a

It works!

Let's do some research on SSTI RCE exploits.

Let's try to retrieve /etc/passwd and see whether it works.

It works!

Let's encode our reverse shell with base64.

Therefore, let's inject a command such as “echo <base64> | base64 -d | bash”.

We got a reverse shell connection back to us.

Sadly, we cannot use python to get a proper shell, but we can try to get a proper shell with /usr/bin/script.

At least we got a shell using those commands.
SSH Access as saul

Let's try to SSH to the machine with saul's credentials. It works!

We can read the user flag by executing the command “cat user.txt”.
Escalate to Root Privileges Access on Talkative Machine

I notice that port 27017 is listening for a connection.
Port Forwarding to Obtain MongoDB Database Access

Let's download chisel onto the machine.

We run the chisel server on the victim's machine.

We also need to run chisel as a client on our machine so that we can port forward the database.
Change Current Admin’s Password to a different password

Let's start mongosh to see what is stored in the database.

There is a user with username=admin saved in the database.

Let's change the current admin's password to our own password.

We can enter the password that we set earlier, and we manage to access the dashboard.

I notice that there are integrations inside the admin control panel.
Abuse Incoming Webhook to Obtain a Reverse Shell Connection

There are two kinds of webhook, incoming and outgoing. We need to choose the incoming webhook.


We have the JavaScript to launch the reverse shell, and we save it.


For us to obtain a reverse shell connection back to us, we need to curl the request shown in the screenshot above.

Finally, we get a reverse shell connection back to us.

We can obtain a proper shell using script -qc /bin/bash /dev/null
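From the defender's side, the step above works because a Rocket.Chat incoming webhook with "Script Enabled" runs its JavaScript inside the server process, so a reset admin password turns straight into code execution. The audit below is an added example, not part of the original post: it flags script-enabled integrations in documents shaped like the `rocketchat_integrations` collection (the field names `type`, `enabled`, `scriptEnabled`, `script`, `username` and `_updatedAt` are assumed from that schema; the documents are constructed sample data).

```python
"""Audit Rocket.Chat integration documents for script-enabled webhooks.

Added example, not from the original post. Field names follow the
rocketchat_integrations schema as assumed here; the documents are
constructed sample data, not dumped from the machine.
"""
from datetime import datetime, timezone

# Constructed sample documents shaped like rocketchat_integrations entries.
SAMPLE_INTEGRATIONS = [
    {"_id": "a1", "type": "webhook-incoming", "name": "CI notifications",
     "enabled": True, "scriptEnabled": False, "username": "rocket.cat",
     "_updatedAt": datetime(2022, 4, 1, tzinfo=timezone.utc)},
    {"_id": "b2", "type": "webhook-incoming", "name": "ops-hook",
     "enabled": True, "scriptEnabled": True, "username": "admin",
     "script": "class Script { process_incoming_request({ request }) { /* ... */ } }",
     "_updatedAt": datetime(2022, 4, 16, tzinfo=timezone.utc)},
    {"_id": "c3", "type": "webhook-outgoing", "name": "alerts",
     "enabled": False, "scriptEnabled": True, "username": "bot",
     "_updatedAt": datetime(2022, 3, 1, tzinfo=timezone.utc)},
]


def audit_integrations(docs, since=None):
    """Return findings for integrations that can run server-side JavaScript.

    An enabled incoming webhook with scriptEnabled=True executes its `script`
    in the Rocket.Chat server whenever its URL is called, so it is rated high.
    Other script-enabled entries (disabled, or outgoing) are rated medium.
    `since` restricts the audit to entries modified on or after that time,
    which is the natural check after an unexplained admin password change.
    """
    findings = []
    for d in docs:
        if not d.get("scriptEnabled"):
            continue
        if since is not None and d.get("_updatedAt") and d["_updatedAt"] < since:
            continue
        live_incoming = d.get("enabled") and d.get("type") == "webhook-incoming"
        findings.append({
            "id": d["_id"], "name": d.get("name"), "type": d.get("type"),
            "runs_as": d.get("username"),
            "severity": "high" if live_incoming else "medium",
            "script_preview": (d.get("script") or "")[:60],
        })
    # "high" sorts before "medium", so the most urgent findings come first.
    return sorted(findings, key=lambda f: f["severity"])


if __name__ == "__main__":
    for finding in audit_integrations(SAMPLE_INTEGRATIONS):
        print(finding)
```

In a real review, the documents come from `db.rocketchat_integrations.find()` in mongosh, and any hook whose `runs_as` is an administrator deserves a close look at its script body.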
The source of the exploit can be found at http://stealth.openwall.net/xSports/shocker.c

We can modify the code as shown above.
Use Pwncat to Upload the File to the Docker Environment

However, I switched to pwncat, which makes it easier to upload files to the victim's machine.

We need to transfer shocker.c into saul's environment.

When we have finally transferred the file to saul's environment, we need to compile the shocker code.

We can upload the file to the victim's machine.


We need to give execute permission to shocker.


As you can see, we managed to retrieve /etc/shadow.

For us to retrieve the root flag, we change the file location in the code.

At last, we can read the root flag when we execute it.

Another way to obtain the root flag is using CDK (https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search).

We failed to obtain the root flag, but wait. I notice my command is wrong.

After I changed my command, it works and we manage to read the root flag.
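Both shocker.c and CDK's cap-dac-read-search module depend on the container holding CAP_DAC_READ_SEARCH, which Docker does not grant by default; the reason this box falls is that the container was started with extra capabilities. The check below is an added example, not part of the original post: it decodes the CapEff mask from /proc/self/status and reports whether the capabilities those escapes need are present. The capability bit numbers are the kernel's, the status text is constructed sample input, and 0xa80425fb is Docker's default effective set when no --cap-add, --cap-drop or --privileged is used.

```python
"""Decode a process's effective capabilities and flag container-escape ones.

Added example, not from the original post. Bit numbers come from the kernel's
capability.h; the /proc/self/status samples below are constructed input.
"""
import re

# Linux capability bit numbers (the subset needed for this audit).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}
# CAP_DAC_READ_SEARCH enables open_by_handle_at(2) on host files (shocker, CDK);
# CAP_SYS_ADMIN covers mount-based escapes. Either one warrants a finding.
ESCAPE_CAPS = {"CAP_DAC_READ_SEARCH", "CAP_SYS_ADMIN"}
DOCKER_DEFAULT_CAPEFF = 0xA80425FB  # Docker's default bounding/effective set


def parse_capeff(status_text):
    """Extract the CapEff hex mask from /proc/<pid>/status contents."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Return the sorted capability names whose bit is set in mask."""
    return sorted(CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1)


def audit_status(status_text):
    """Summarise a status file: caps held, escape caps present, default or not."""
    mask = parse_capeff(status_text)
    caps = decode_caps(mask)
    return {"mask": f"{mask:016x}", "caps": caps,
            "escape_caps": sorted(ESCAPE_CAPS & set(caps)),
            "is_default_docker": mask == DOCKER_DEFAULT_CAPEFF}


# Constructed samples: Docker default, and default plus --cap-add DAC_READ_SEARCH.
SAMPLE_DEFAULT = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_WITH_DAC = "Name:\tbash\nCapEff:\t00000000a80425ff\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_WITH_DAC):
        print(audit_status(sample))
```

Run against the live file with `audit_status(open("/proc/self/status").read())` inside the container; a non-empty `escape_caps` list is the configuration finding to raise with whoever owns the Docker run options.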