Rocket-Chat » THOVITI SIDDHARTH

Rocket-Chat

June 8, 2022

Paper – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec CVE-2021-3560, Directory-Traversal, Gobuster, HackTheBox, HTB, htb-paper, Infosec, LinPeas, Linux Box, paper-hackthebox, Pwnkit, Rocket-Chat, Writeup 0

Machine Name: Paper
IP: 10.10.11.143
Difficulty: Easy

Summary

Paper is a relatively easy box and teaches enumeration and a bit of reading API documentations. It forces the attacker to keep looking for sensitive information that can be utilized to run commands and eventually get a shell. To get a user shell, we find credentials on the system through a chat bot. They can be used for logging in through SSH. Another way was to find a command hidden from the ones listed by the bot by reading the API documentation or finding a scripts directory to run commands as user and get a shell. Escalating privileges as root was simple as it was vulnerable to a popular vulnerability with a simple PoC.