Talkative
Talkative is about hacking multiple communication platforms and gaining access to multiple docker containers. I start by getting a first foothold on a docker container by abusing the R language editor on the jamovi website to get code execution. From that docker I will get credentials for Bolt CMS. As admin I will modify a template so I can get code execution and gain access to the next docker container. From this docker I can ssh to the host, where I will find a full docker network. Connecting to a specific docker gives me the ability to work with MongoDB, so I will modify my user's role to admin and get admin access to Rocket Chat. Rocket Chat is using webhooks, which I will abuse to get a connection back to me. This container has the CAP_DAC_READ_SEARCH capability, which can be exploited to read all files on the host machine.
Nmap revealed that 5 ports are open.
SSH is filtered, so maybe a firewall is blocking our packets; not getting a response makes nmap consider that port filtered. A quick mental note: if I get a foothold but not on the host machine, maybe I can ssh from the machine I get access to, hoping it is trusted to ssh into the network.
On port 80 I can see the main website, which is Talkative.
This website contains a lot of useful information, like some potential users in the network which I can use later for brute-force attacks.
And the source code reveals that it is using Bolt CMS.
I have worked with Bolt before and I know that normally it is implemented at /bolt. Visiting talkative.htb/bolt:
Nothing much here. I tried some default credentials but they didn't work, so it's clear that I need credentials to access the Bolt page.
Moving on to Rocket Chat.
I tried some default credentials but they didn't work. So I created an account to see how the platform looks and whether I can get any useful information.
It gives an error which says Invalid Domain, so I tried changing the domain of the email address to talkative.htb. Yeah, it worked.
The only information I got from normal user access is that this user, "Saul Goodman", is the admin.
Quick note: if I can get Saul Goodman's credentials, or elevate my privileges to admin, then I can get admin access to Rocket Chat. Till then I'm moving on to the jamovi website.
Instantly I noticed the logo of the R language, so I checked whether I have the right to execute code. YES, I have code exec capability, so I googled how to execute system commands in the R language.
And the "system" command appears; it takes multiple arguments but I will only need 2.
I just put in the command I want to execute and set intern to TRUE so I can get the output of the execution.
Going for a reverse shell.
I can tell from the name of the machine that it is probably a docker container, and the .dockerenv at / confirms this. I kept digging around till I found bolt-administration.omv at ~.
Sending this file to my attacking machine to analyze it in a comfortable environment.
Receiving the data and putting it in a bolt-administration.omv file.
I checked the md5sum of both files to make sure nothing went wrong during the transfer.
Analyzing the file reveals that it is a compressed archive that contains different types of files.
I unzipped the file and started navigating through the files hoping to find anything useful.
xdata.json is the most interesting file, since it contains credentials.
Now I just need to figure out where I can use these creds. The first thing that comes to mind is to simply ssh, but like I said before, ssh is filtered from outside so I can't get an ssh connection from my machine; if I can get it from this docker, though, it will work. Unfortunately ssh isn't installed on this machine. I had the idea of tunneling my ssh to this container and then using ssh from this container to access the host machine, but I didn't take this path while I still had 2 login forms I could test those creds on; if they don't work, then I will give this path a chance.
Trying the creds I found on the Bolt login form, but none of them worked. I started to get confused here; then I had the idea to try an admin email with one of those passwords, hoping there is a password reuse vulnerability. And boom, I got in with those creds.
I checked the configuration panel and it contained a lot of configuration files.
Here I had a lot of ideas to get code execution: what if I have write permission on those files? That would make it so easy to get code exec from the php or .yaml files. I went to the Bolt file and checked the config.yaml file; unfortunately I had no write permission on this file.
But I kept reading and noticed that it is using a template as a theme, called base-2021, and that's worth a look.
I went for the twig files, since I have a good idea about Twig and I know that if I have write permission I can execute code. First I will try to inject some HTML to see if anything happens, and since this is index.twig, this will affect the home page of the website that Bolt CMS is implemented on, in this case talkative.htb.
I hit the Save Changes button and reloaded the talkative.htb page, but nothing happened. I got confused, to be honest, because I was sure that this was going to work. I went back to the Bolt page and started digging around. Fortunately I found the Clear the cache functionality.
I instantly knew this was the reason: the page keeps being served from the stored cache without applying any new changes. So I cleared the cache, reloaded the talkative.htb page and "ichyaboy" popped up.
Now I'm going for code execution. I used a payload from PayloadsAllTheThings.
To be honest, I went straight for a reverse shell.
I put my payload in index.twig, saved the changes, cleared the cache and started a listener on 443,
then I reloaded talkative.htb and boom, I got a shell on the next docker container.
I'm using the script command to stabilize my shell (I'm too lazy to use the python pty)
The first thing that came to mind is whether this container has ssh installed or not; if yes, then maybe I can get to the host machine.
Luckily, it is installed, so now I need to get the host machine's IP address.
This file provides information about the Address Resolution Protocol (ARP) cache, which is used to map IP addresses to corresponding hardware (MAC) addresses on a local network. Since there is only one entry, this will definitely be the host machine's address. Now all I need is the right credentials to log in through ssh. After multiple combinations, Saul and the password from the Bolt CMS gave me a successful connection.
I got the user flag
Now I start enumerating the box to see if I can find anything. I tried to look at the docker network, but the docker command isn't installed on this box, so I need to do that manually. I transferred an nmap executable to facilitate my enumeration, so that I can get more information about the services running on each docker.
I ran this command to find the active hosts on the host machine's network:
Now to scan the services running on these hosts:
One host got my attention: the one with port 27017 open, which is the common MongoDB port. I can't access this service from Saul's machine because I don't have the required tools to interact with MongoDB, so I will port forward this service with chisel to my attack machine (not to mention that I need to transfer chisel to the victim machine first).
So on my attacking machine I will run this command to listen on port 27017:
and on the victim machine I will run:
After port forwarding I need to download the MongoDB shell so I can work with that service.
Now I have shell access to the database and I can look around.
The users collection seems interesting.
I got a lot of information about the users in Rocket Chat.
Admin's data:
my user's data:
The roles key got my attention, since I'm assigned as a normal user, and as I said for Rocket Chat on port 3000, if I can elevate my privilege I can get more functionality on the Rocket Chat platform. So the idea is to update my roles key to admin (or just replace the admin's password hash with mine and log in as admin with my password).
After looking around the platform, I found the integrations functionality, which gives the ability to create webhooks with a given script.
So my idea is to create a webhook with a script that returns a shell back to me, but first I need to find out which language I should write the script in. After reading about Rocket Chat on GitHub I found out that it is written in TypeScript, so all I need is to write a script in JS to get a reverse shell.
After trying multiple scripts, this one worked:
I saved the webhook, then took its URL, started a listener on 1337 and curled that URL, and I got a shell as root in the Rocket Chat container.
After enumerating the box I didn't find any useful files, so I decided to check its capabilities, but the problem is that capsh isn't installed, so I can't use capsh or linpeas. I went to check the linpeas repository to see if I could find anything about docker container scans, and yes, I found the 2_container.sh file, which is responsible for this type of scan. I understood that capabilities are stored somewhere in /proc/self/status, hex encoded.
And to decode those values I will be using capsh.
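As an added example (not a command from the original write-up), here is a small decoder for those hex masks that works without capsh, and as an audit check it also lists whatever a container holds beyond Docker's default capability set. The sample /proc status lines are constructed.

```python
# Decoder for the capability bitmasks found in /proc/<pid>/status. Added
# illustration, not a command from the original write-up: it reproduces what
# `capsh --decode` does so it runs inside a container that lacks capsh, and
# flags capabilities beyond Docker's default set as an audit check.
# Bit numbers follow include/uapi/linux/capability.h.
import re

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Docker's default capability set for an unprivileged container (well-known constant).
DOCKER_DEFAULT_MASK = 0x00000000A80425FB

def decode_caps(hex_mask):
    """Turn a mask such as '00000000a80425fb' into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def parse_status(status_text):
    """Extract the Cap* lines (Inh/Prm/Eff/Bnd/Amb) from a /proc/<pid>/status dump."""
    return dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M))

def beyond_docker_default(hex_mask):
    """Capabilities granted on top of Docker's default set: the ones worth reviewing."""
    extra = int(hex_mask, 16) & ~DOCKER_DEFAULT_MASK
    return decode_caps(f"{extra:x}")

# Constructed sample: a default container plus CAP_DAC_READ_SEARCH (bit 2).
SAMPLE_STATUS = ("Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425ff\n"
                 "CapEff:\t00000000a80425ff\nCapBnd:\t00000000a80425ff\n"
                 "CapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    caps = parse_status(SAMPLE_STATUS)
    print("effective:", decode_caps(caps["CapEff"]))
    print("beyond docker default:", beyond_docker_default(caps["CapEff"]))
```

Run it against the real file with `parse_status(open("/proc/self/status").read())`; anything returned by beyond_docker_default is what a hardening review should question.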
I started googling whether any of these capabilities is dangerous. HackTricks has an amazing explanation.
I downloaded the shocker.c file and compiled it into a shocker binary,
but transferring the file to the box was a bit tricky, because neither nc, curl nor wget is installed. So I just ran on my attacking machine:
and on the victim machine I ran:
I checked their md5sums and they are identical.
Now I execute it, giving the path of the file I want to read and a filename to save its output to.