Chatty

Writeup for Chatty from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.184.164 all

Service Enumeration

HTTP (Port 3000)

The service on port 3000 appears to be a Rocket.Chat web app.

Visiting /api/info shows that this Rocket.Chat instance is running version 3.12.1, which is vulnerable to NoSQL injection.

This can allow attackers to escalate their privileges, execute arbitrary system commands on the host server, and steal admin user data and chat messages.
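From the defender's side, the same /api/info endpoint that gave away the version is the cheapest inventory check there is. The following is an added example (not part of the original writeup) that parses an /api/info body and compares the reported version against a minimum patched version. It assumes the endpoint returns JSON with a "version" field, as seen on the target, or nested under "info"; the minimum patched version is a parameter because the page does not state one, and the value used below is a placeholder to replace with the version from the vendor advisory.

```python
"""Offline check of a Rocket.Chat /api/info response against a minimum patched version.

Added example: not part of the original writeup. Assumes /api/info returns JSON with a
"version" field (top-level, as on the target, or under "info"). The minimum patched
version is a parameter; the page does not state one.
"""
import json
import re
from urllib.request import urlopen


def parse_version(text):
    """Turn '3.12.1' (a '-rc.1' style suffix is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_info(body):
    """Extract the version from an /api/info JSON body (top-level or under 'info')."""
    data = json.loads(body)
    version = data.get("version") or data.get("info", {}).get("version")
    if not version:
        raise ValueError("no version field in /api/info response")
    return version


def assess(body, minimum_fixed):
    """Return (version, is_below_fixed) for one /api/info body."""
    version = version_from_info(body)
    return version, parse_version(version) < parse_version(minimum_fixed)


def fetch_info(base_url, timeout=5):
    """Fetch /api/info from a live instance you are authorised to inventory."""
    with urlopen(f"{base_url.rstrip('/')}/api/info", timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample, shaped like the response seen on the target (version 3.12.1).
SAMPLE_INFO = json.dumps({"version": "3.12.1", "success": True})

# Placeholder: replace with the first patched version from the vendor advisory.
PLACEHOLDER_FIXED = "3.99.0"

if __name__ == "__main__":
    version, outdated = assess(SAMPLE_INFO, PLACEHOLDER_FIXED)
    state = "below minimum patched version" if outdated else "OK"
    print(f"Rocket.Chat {version}: {state}")
```

Run it against a live instance with assess(fetch_info("http://host:3000"), "<patched version>"); the offline sample is there so the logic can be exercised without a target.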

Exploit

We first create a low-privilege user with the name kali, the email kali@local.local, and the password Kali123!, which the exploit will use.

Then we must change the default password Test123@ in the script to our password, Kali123!.

Note the changes on lines 63, 73 and 96.

We run the script and we get RCE.

Payload: python3 cve-2021-22911.py -u "kali@local.local" -a "admin@chatty.offsec" -t "http://192.168.184.164:3000"

However, when we run any commands, we cannot see their output, so we try to get a reverse shell instead.

We first create a bash reverse shell payload, shell.sh.

Next, we start our listener and host the file on a Python web server.

Then we send a command through the exploit instructing the server to download our shell.sh and pipe it into bash.

Privesc

Running LinPEAS on the target, we find an unknown SUID binary.

maidag is a mail delivery agent and part of GNU mailutils.

Running it with the --version flag reveals its version.

It turns out that maidag 3.7 is vulnerable and can be abused to write to arbitrary files on the host operating system.

When we run the script, it runs into a few errors.

However, if we check /var/tmp, we see that there is a new sh binary.

This sh binary is not owned by us, though, but by rocketchat.

We try to escalate privileges by SSHing to the target as rocketchat.

We don't know this user's password, and our authentication attempts keep failing.

However, when we check sh again, it is now owned by root and has the SUID bit set.

We execute it and we get root.
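Both findings in this section (an unexpected SUID maidag, then a root-owned SUID sh appearing in /var/tmp) are exactly what a setuid baseline check catches. The following is an added example, not tooling from the writeup: it walks chosen directories for setuid regular files, diffs them against an allowlist recorded on a known-good host, and flags root-owned setuid files in world-writable scratch directories as high severity. The baseline contents, the /usr/local/bin/maidag path and the sample records are constructed assumptions.

```python
"""Baseline-and-diff check for setuid binaries, from the defender's side of this writeup.

Added example: not the writeup's own tooling. The baseline, the maidag path and the
sample records are constructed assumptions; record your own baseline on a clean build.
"""
import os
import stat


def suid_records(roots):
    """Walk each root and return (path, owner_uid, mode) for every regular file with the setuid bit."""
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished file: skip it, do not abort the scan
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return found


def classify(records, baseline, scratch_dirs=("/tmp", "/var/tmp", "/dev/shm")):
    """Return (unexpected, high): records not in the baseline, and the subset of those
    that are root-owned setuid files inside world-writable scratch directories."""
    unexpected, high = [], []
    for path, uid, mode in records:
        if path in baseline:
            continue
        unexpected.append((path, uid, mode))
        in_scratch = any(path.startswith(d.rstrip("/") + "/") for d in scratch_dirs)
        if uid == 0 and in_scratch:
            high.append(path)
    return unexpected, high


# Constructed baseline: setuid paths recorded on a known-good build (assumption).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}

# Constructed records mirroring the two findings above: a setuid maidag that is not in
# the baseline (hypothetical install path) and a root-owned setuid sh in /var/tmp.
SAMPLE_RECORDS = [
    ("/usr/bin/passwd", 0, 0o4755),
    ("/usr/local/bin/maidag", 0, 0o4755),
    ("/var/tmp/sh", 0, 0o4755),
]

if __name__ == "__main__":
    unexpected, high = classify(SAMPLE_RECORDS, BASELINE)
    for path, uid, mode in unexpected:
        print(f"unexpected setuid file: {path} uid={uid} mode={mode:04o}")
    for path in high:
        print(f"HIGH: root-owned setuid file in scratch directory: {path}")
    # Live scan on a host you administer:
    # classify(suid_records(["/usr", "/bin", "/sbin", "/tmp", "/var/tmp"]), BASELINE)
```

Running the live scan from a cron job or a configuration-management check and alerting on any non-empty high list would have surfaced the /var/tmp/sh artefact the moment maidag wrote it.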
