Contents

HackTheBox - Paper Writeup

Box author | secnigmasecnigma

Nmap

Let’s scan the IP Address first by using Nmap.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Nmap 7.92 scan initiated Wed Feb  9 07:45:26 2022 as: nmap -sC -sV -oN nmap/paper 10.129.156.206
Nmap scan report for 10.129.156.206
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn: 
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb  9 07:45:54 2022 -- 1 IP address (1 host up) scanned in 27.74 seconds

Only 3 open ports

Http/HttpS

From the Nmap scan result above, the port 80,443 is open. So, like a normal human being. I’m navigating through it using a web browser :)

/posts/htb/paper/webpage-1.png
apache default page in centOS

Well, that’s not what I expected. It shows the default page after installation in CentOS.

Gobuster

When I found a webpage, the first thing I’ll do is run the gobuster to find any hidden directory. Unfortunately, I can’t find anything useful.

Header: X-Backend-Server

To be honest, I’m stuck and don’t know what to do. Then, I remember that I didn’t even check the header. I’m going to check it using the curl command. OH WOW! the X-Backend-Server just exposes the hostname called office.paper. So, I’ll add the hostname into the /etc/hosts file.

/posts/htb/paper/curl-head.png
hostname expose

/posts/htb/paper/etc-hosts-office-paper.png
add hostname in /etc/hosts

Http: office.paper

Then, I navigate to http://office.paper. Turns out, it’s a blog. Down to the footer, it says Proudly Powered by WordPress and this indicates it’s using WordPress as CMS.

/posts/htb/paper/office-paper-home.png
office.paper webpage

The first thing I’ll do is start messing around with it. However, one comment sticks out. It says something about drafts is not secure and should be deleted ASAP.

/posts/htb/paper/office-paper-drafts.png
sensitive comment

CVE-2019-17671

As the comment above shown. The drafts section is not secure. So, with this information. I’m searching on the net about it and found this article with PoC and it got assigned as CVE-2019-17671.

CVE description
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

So, I’ll try to read the secret draft with this URL http://office.paper/?static=1 and it’s successfully retrieved. After I read it, I found the secret registration URL that leads into the chat subdomain. Like always, I’ll add it into the /etc/hosts file.

/posts/htb/paper/office-paper-drafts-secret.png
hostname chat.office.paper expose

/posts/htb/paper/etc-hosts-chat-office-paper.png
add hostname chat.office.paper in /etc/hosts

Http: chat.office.paper

I’m copying and pasting the URL in my web browser and being greeted by rocket.chat registration page. Well, I’m registering a new account and taking a look inside it. Turns out, it’s just a chat app and I can’t find anything useful. However, it’s has a bot called recyclops that can be interacted with.

/posts/htb/paper/recyclops-general.png
recyclops bot

Recyclops

To interact with the bot, first, click the bot's profile and click the direct message button. So, I’ll try the help command first. There is some interesting stuff this bot can do. However, I’m interested in the Files and List commands.

/posts/htb/paper/recyclops-help.png
view help command

Recyclops: path traversal

To invoke the list command, type recyclops list. It’s just giving me a listing of the /sales/ directory. However, this makes me wonder, can I make it list another directory as path traversal the answer is YES!. Here’s the command that I put in, recyclops list ..

/posts/htb/paper/recyclops-list-dot2.png
listing directory

Hubot

There is a .ssh directory present and the Nmap scan shows, that this machine has port 22 open. Unfortunately, there’s nothing in that directory. On top of that, I found the directory called hubot. It’s a robot for a chat room. So, I assumed recyclops are based on hubot.

Hubot: /.env

After listing the hubot directory. The file called .env really stands out above the rest. Here’s the command that I put in recyclops file ../hubot/.env to read the file. Finally, I found something useful this time. It is a password belonging to the recyclops user.

Note: these creds also share with the dwight user and can be also SSH into the box

/posts/htb/paper/hubot-env-pass.png
found recyclops credentials

Hubot: RUN command

Futher enumeration, I found the javascript file called run.js in the hubot/scripts directory. When I inspect the file, it executes the command with the RUN function. Well, let me try put the simple bash reverse shell. YES! successfully get the foothold as a dwight user.

/posts/htb/paper/recyclops-run.png
execute reverse shell

/posts/htb/paper/foothold-as-dwight.png
shell as dwight

PEASS-ng: linpeas.sh

I’m already in as dwight. First, I’ll check the sudo permission with sudo -l using the credentials found earliear. Unfortunatelly, dwight can’t run sudo in this machine. So, to make it quick, I’m going to run linpeas.

/posts/htb/paper/run-the-linpeas-as-dwight.png
execute linpeas

CVE-2021-3560

The linpeas script is already done running. OH WOW! it says this machine is vulnerable to CVE-2021-3560. The funny thing is when I searched on the internet about this CVE. I found secnigma github repos and this machine was created by secnigma.

CVE description
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user.

/posts/htb/paper/linpeas-find-CVE-2021-3560.png
linpeas output

The github repos itself is about bash PoC script. Also, the original research is done by Kevin Backhouse, and here’s his blog post talking about it. Well, it’s time to run the PoC script.
Disclaimer: MULTIPLE TRIES ARE USUALLY REQUIRED for this exploit to work.

/posts/htb/paper/download-the-poc-script-on-victim-machine.png
transfer exploit

/posts/htb/paper/run-the-script-and-get-the-root-shell.png
become root

I’M ROOT BABYYY!