Paper
An easy Linux box from HackTheBox: getting access using a WordPress exploit, and then a kernel exploit for root.
Recon
Start with the usual nmap scan, followed by one that scans all ports
nmap -sC -sV -oA nmap/paper 10.10.11.143
sleep 180; nmap -p- -sC -sV -oA nmap/paper 10.10.11.143
Then a good ol’ gobuster
gobuster dir -u http://10.10.11.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster/paper.dirs
nmap found port 80 (HTTP) and 443 (HTTPS), and also noticed that the TRACE method is allowed, classifying it as risky
The full port scan didn't find anything extra, and all gobuster found was /manual, the Apache manual
When we curl the IP with the -I flag (for just the response headers)
curl -I 10.10.11.143
HTTP/1.1 403 Forbidden
Date: Wed, 23 Mar 2022 02:07:37 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
We can see that they leak the hostname: X-Backend-Server is set to office.paper, so we add it to /etc/hosts
When we browse to office.paper, we are greeted with a WordPress site
Navigating through the site, we find a few users: Creed Bratton, Prisonmike, and nick
We also find that Prisonmike has some sensitive info in his drafts
Run another gobuster in the background on the new office.paper WordPress site to see if there's anything interesting
Also run a full WordPress scan on the site, along with sqlmap to check for SQL injection
Exploitation
From the WordPress scan, we find that the version is 5.2.3, which has a vulnerability that displays secret content when you append "?static=1" to the URL
We find the previously mentioned secret draft that nick was talking about at
office.paper/?static=1
It’s a URL to register for the chat app, chat.office.paper
http://chat.office.paper/register/8qozr226AhkCHZdyY
After adding chat.office.paper to /etc/hosts, create a user with the given URL and log in
We find that there is a chatbot, recyclops, that lists directories and cat's files
It's vulnerable to directory traversal: with ../ we can go into the home directory of dwight
There we find the files for the setup of the bot, in the /hubot/ directory
recyclops list ../hubot
There is a .env file; reading it with
recyclops file ../hubot/.env
reveals a password
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
We have a password!
Trying it over SSH, with dwight as the username (the owner of the home directory the bot lives in)
ssh dwight@10.10.11.137
We get in!
Now, using a Python web server to download linpeas.sh onto the machine and running it, we find that the sudo version is vulnerable to CVE-2021-3560
Then, downloading the PoC from a GitHub repo, creating an exploit.py file with vim on the target machine and pasting it in, we run it and get root