22---ssh

This machine was quite the conundrum. First, we exploited a Jamovi RCE, which led to Rocket.Chat, then Bolt CMS. With Bolt we got template injection: our input was being reflected in the rendered template, so we used SSTI to gain a reverse shell. With a foothold, we scanned the local network with nmap and found a MongoDB instance. We used chisel to create a tunnel to MongoDB and enumerate it, and then, since capsh was not installed, eventually exploited the cap_dac capability using shocker.