Talkative
Talkative
Talkative 458
Talkative
RETIRED MACHINE

Talkative

Talkative - Linux Linux
Talkative - Hard Hard

4.8

MACHINE RATING

1090

USER OWNS

847

SYSTEM OWNS

09/04/2022

RELEASED
Created by TheCyberGeek & JDgodd

Machine Synopsis

Talkative is a hard Linux machine that starts off with a command injection in the `Jamovi` web application, which leads us into the `Jamovi` docker in which we find an `omv` file. Decompressing this `omv` file gives us the credentials for the `admin` user in Bolt CMS. This leads us to get a shell as user `www-data` by exploiting a Server Side Template Injection in `twig`. Further network enumeration gives us a shell as user `saul` on the host. For `root` we need to leverage port forwarding for connecting to a `MongoDB` server running in a separate container and through that we need to modify RocketChat's registered user role in order to access the admin's dashboard in the RocketChat web GUI. Further exploitation of the RocketChat's webhook functionality gives us a `root` shell in the RocketChat docker container. Since we are `root` in the docker container, we can install `libcap2` and view the system capabilities, which lead to abusing the `CAP_DAC_READ_SEARCH` capability to run the `shocker` exploit and read the root flag.

Machine Matrix

Ready to start your
hacking journey?