Paper — Hackthebox Walkthrough

Kavishka Gihan
5 min readJun 19, 2022


This was a box that I learned the importance of enumeration. Really loved the realism of the box and the exploitation chain.


As usual, starting with nmap gave me 3 open ports.

nmap -sV -sC

22/tcp open tcpwrapped syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
443/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/organizationalUnitName=ca-3899279223185377061/emailAddress=root@localhost.localdomain

Visiting port 80 was the default Centos webpage.

Looking at the server response headers, there was a header specifying the backend server as office.paper

NOTE: “You can also find this out by using curl with -I option.”

Adding the entry to my hosts config file and visiting the domain, we see a WordPress installation.

sudo echo office.paper >> /etc/hosts

Running wpscan against the site told me the WordPress version.

wpscan --url http://office.paper

Googling around, I found a vulnerability that lets read me saved drafts unauthenticated.

As mentioned, I was able to read a saved drafts by setting the static parameter to 1 in the URL.


The drafts tells about a new vhost which is . Adding this to the hosts config file and visiting it, gives us a chat application called “Rocket chat”.

As mentioned, we need a secret registration link to register. We did get that from the draft we saw in WordPress. So we can use that to register as user.

After registering and logging in, we can see that there is a general channel which we have read access to. Looking at the chat history, we can see that there is a server bot named “recylops”.

In the chat we can see how to use the bot as well. And we see that we can list and read files through the bot.

So we can try to use the bot to list the files in the server. First we have to start a conversation with the bot.

Then with this command we can list the files in the present directory.

recyclops list .

I was able to read the /etc/passwd file with this command.

recyclops file ../../../etc/passwd

We can list the files in one directory up with this.

recyclops list ..

I saw a a directory as hubot which sound interesting. Listing file inside that directory, I saw .env was there.

And I was able to find some the credentials of the dwight user in /hubot/.env

recyclops file ../hubot/.env
user: dwight 
pass: Queenofblad3s!23

Then I sshed in as dwight with this credentials.


Running linpeas as dwight right away I saw the box is vulnerable to CVE-2021–3560.

NOTE: “Make sure to run the updated linpeas, the old one won’t catch this.”

This vulnerability exploits a functionality in polkit .Googling around I found a script that automates the process of exploitation.

With this script, I was able to add a new user with sudo privileges. Ran the script as follows which added a new user named test with the password of test

./ -u=test -p=test

Then I logged in as test and then used sudo su to get a root shell.


Contact me though social media:

Email —
Instagram —
Discord — kavigihan#8518

Happy Hacking !!! 😄



Kavishka Gihan

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan