Paper @ Hack The Box
A write-up on HTB Paper Box
Paper is a Linux box set up by secnigma at Hack The Box. This machine is rated easy and rewards 20 points.
Reconnaissance
Starting with recon, i.e. the first phase of information gathering, we can scan the machine (10.10.11.143) using nmap.
┌──(kali㉿blackbox)-[~/Documents/HTB/Paper]
└─$ sudo nmap 10.10.11.125 -sV -sC 10.10.11.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-09 02:37 UTC
Nmap scan report for 10.10.11.125
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4: de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.10.11.143
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 42.36 seconds
We can check the website at http://10.10.11.143/.
It is just the default test page of a CentOS server, so nothing interesting there. I also gathered more information about the web server and its dependencies using WhatWeb, a well-known website fingerprinting tool that recognises web technologies, including content management systems (CMS), blogging platforms and the like.
┌──(kali㉿blackbox)-[~/Documents/HTB/Paper]
└─$ whatweb 10.10.11.143
http://10.10.11.143 [403 Forbidden] Apache[2.4.37][mod_fcgid/2.3.9], Country[RESERVED][ZZ], Email[webmaster@example.com], HTML5, HTTPServer[CentOS][Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9], IP[10.10.11.143], MetaGenerator[HTML Tidy for HTML5 for Linux version 5.7.28], OpenSSL[1.1.1k], PoweredBy[CentOS], Title[HTTP Server Test Page powered by CentOS], UncommonHeaders[x-backend-server], X-Backend[office.paper]
Something interesting shows up here: an X-Backend header with the value office.paper. Let's browse to http://office.paper/.
It seems we can't reach the site yet, because the name does not resolve. Let's add an entry for it to our local hosts file (/etc/hosts) pointing at 10.10.11.143 and try again.
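The X-Backend header is a textbook case of an uncommon response header disclosing an internal hostname. As an added example (not part of the original write-up), the following script parses a raw HTTP response and reports any non-standard header whose value looks like a hostname or address, the kind of check a web team can run against its own servers. The sample response is constructed from the values WhatWeb reported above; the header allowlist and the host-like pattern are my own assumptions.

```python
"""Flag custom HTTP response headers that disclose internal names.

Added example, not part of the original write-up. It parses a raw HTTP
response and reports any non-standard header whose value looks like a
hostname or IPv4 address. The sample response below is constructed from
the whatweb findings (Server and X-Backend-Server values).
"""
import re

# Headers a client normally expects; anything else is treated as "uncommon".
# This allowlist is an assumption for the example, not an official list.
STANDARD_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "last-modified", "etag", "accept-ranges", "cache-control", "expires",
    "vary", "content-encoding", "set-cookie", "location", "keep-alive",
}

# Matches a dotted DNS name (at least one dot) or a dotted IPv4 address.
HOSTLIKE = re.compile(
    r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$|^\d{1,3}(?:\.\d{1,3}){3}$", re.I
)


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def find_leaky_headers(raw):
    """Return {header: value} for uncommon headers carrying host-like values."""
    _, headers = parse_headers(raw)
    leaks = {}
    for name, value in headers:
        if name in STANDARD_HEADERS:
            continue
        if HOSTLIKE.match(value):
            leaks[name] = value
    return leaks


# Constructed sample modelled on the whatweb output; X-Powered-By is added
# to show that an uncommon header without a host-like value is not flagged.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Sat, 09 Apr 2022 02:40:00 GMT\r\n"
    "Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9\r\n"
    "X-Backend-Server: office.paper\r\n"
    "X-Powered-By: PHP/7.4\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, value in find_leaky_headers(SAMPLE_RESPONSE).items():
        print(f"uncommon header {name!r} discloses {value!r}")
```

Run it as-is and it reports only x-backend-server; the fix on the server side is to stop emitting the header (or strip it at the reverse proxy) rather than to rename the backend.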
Awesome! We can access it now. Here, the 'Feeling Alone!' post looks interesting, as the author might have shared something there. Let's check it out:
Initial foothold
On opening the 'Feeling Alone!' post, I see an interesting comment hinting that there may be a secret in the drafts.
But how did this guy, Nick, get to know that? There must be some loophole, or perhaps a vulnerability. The footer makes it clear that office.paper is a WordPress website, so the best approach is to run WPScan. WPScan reports any known vulnerabilities that might lead us to the drafts of http://office.paper/.
Here we use the -e flag with the values vt, vp and u to enumerate vulnerable themes, vulnerable plugins and users (by ID range), respectively.
I didn't find any directly exploitable vulnerability, but two important things are disclosed by the scan:
- There are three users currently active on posts: prisonmike, nick and creedthoughts.
- As per the following snippet of the WPScan output, an insecure version of WordPress is detected, i.e. WordPress 5.2.3.
[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Found By: Rss Generator (Passive Detection)
| - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
Here the real hack starts…
I believe there must exist some exploit for WordPress 5.2.3 that might let us bypass the normal access checks and reach sensitive information without any authentication.
Woohoo!! After searching the web, I found the following on Exploit-DB:
While searching a couple more sources, I found that the WordPress version running office.paper has two vulnerabilities, namely Cross-Site Host Modification and Viewing Unauthenticated/Password/Private Posts. Given the current requirement and the image above, we'll go with CVE-2019-17671 to view the posts.
To exploit this, we alter the URL by appending the query parameter ?static=1. So we simply browse to http://office.paper/index.php/author/prisonmike/?static=1.
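From the defender's side, the fix for CVE-2019-17671 shipped in WordPress 5.2.4, and until a site is upgraded the probe is easy to spot in the web server's access log because it always carries static=1 in the query string. The following script is an added example, not part of the original write-up: it parses Apache combined-format log lines and reports every request that carries that parameter. The log lines are constructed for the example; the client addresses and timestamps are made up.

```python
"""Detect CVE-2019-17671 style requests in Apache access logs.

Added example, not part of the original write-up. The unauthenticated view
of private/draft posts described above is triggered by a request whose
query string contains static=1, so a site that has not yet upgraded past
WordPress 5.2.3 can at least watch for such probes. The log lines below
are constructed; the addresses and timestamps are invented.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; the request line is split into its parts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)


def is_static_probe(target):
    """True when the request target carries static=1 in its query string."""
    query = parse_qs(urlsplit(target).query)
    return "1" in query.get("static", [])


def detect_static_probes(lines):
    """Return [(ip, target, status)] for every log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the scan
        if is_static_probe(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample log: two probes, one ordinary request, one request
# with static=0 (not a probe) and one unparseable line.
SAMPLE_LOG = [
    '10.10.14.5 - - [09/Apr/2022:02:50:01 +0000] "GET /index.php/feed/ HTTP/1.1" 200 1234',
    '10.10.14.5 - - [09/Apr/2022:02:51:12 +0000] "GET /index.php/author/prisonmike/?static=1 HTTP/1.1" 200 8765',
    '10.10.14.9 - - [09/Apr/2022:02:52:30 +0000] "GET /?static=1&p=3 HTTP/1.1" 200 4321',
    '10.10.14.7 - - [09/Apr/2022:02:53:00 +0000] "GET /index.php/about/?static=0 HTTP/1.1" 200 999',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, target, status in detect_static_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} -> HTTP {status}")
```

A 200 response to such a request on a 5.2.3 site means the private content was actually served; on a patched site the same request returns the normal public view, so the status alone does not tell you whether the probe succeeded.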
Perfect! Here we get a draft by user 'prisonmike'. In it I found a registration link for the secret chat (RIP name) for new users: http://chat.office.paper/register/8qozr226AhkCHZdyY. Let's sign up and get in quickly!
You might have trouble accessing the chat page. If so, add chat.office.paper to the hosts file, as done earlier.
After logging into the chat app, I saw a bot, recyclops.
Initially, starting a chat with recyclops may fail, but it will be up once the page is refreshed.
It has plenty of features that we can use to meet our next objectives. Consider exploring it a little more, as it's an interesting one ;)
Privilege escalation
I tried fetching some files and looking around the directories. After a few failed attempts, I got something mind-blowing: the flag file, user.txt, is located in the ./../hubot directory. Unfortunately, we cannot retrieve the flag this way, because recyclops does not have permission to open that file.
Let's try another way around anyway!
Gaining user (dwight) access
I explored the directory where user.txt resides and learned that it is a Git repository. Navigating to ../hubot/.env and viewing its contents gives us the user credentials of recyclops… Great!
<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>
Next, I looked for the system password file. After a few failures, I finally reached it as ../../../etc/passwd.
This gave me the idea that we might get into the account of dwight. Simply try logging in as dwight over SSH using the credentials found earlier in ../hubot/.env.
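The bot's file-reading feature accepts relative paths and follows ../ out of the directory it was meant to expose, which is how ../hubot/.env and ../../../etc/passwd became readable. As an added example (not from the original write-up, nor from the hubot project), the function below shows the standard fix: resolve the requested path against a base directory and refuse anything that lands outside it, including through symlinks. The sample tree is built in a temporary directory so the script runs offline; the file names in it are constructed.

```python
"""Confine file reads to a base directory.

Added example, not part of the original write-up or of hubot. A file-serving
feature that joins user input onto a directory must normalise the result
and check that it is still under that directory; otherwise '..' segments
and symlinks reach arbitrary files. The sample tree is constructed in a
temporary directory.
"""
import os
import shutil
import tempfile


class PathEscape(Exception):
    """Raised when a requested path resolves outside the allowed base."""


def resolve_inside(base, requested):
    """Return the absolute path for `requested` if it stays under `base`."""
    base_real = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks before the containment check
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathEscape(f"{requested!r} resolves outside {base_real}")
    return target


def safe_read(base, requested):
    """Read a file only if it lives inside `base`."""
    with open(resolve_inside(base, requested), "r") as fh:
        return fh.read()


def demo():
    """Build a tiny tree and try four requests; return {request: outcome}."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "public")      # the directory we mean to expose
        os.mkdir(base)
        with open(os.path.join(base, "readme.txt"), "w") as fh:
            fh.write("hello\n")
        with open(os.path.join(root, ".env"), "w") as fh:   # sibling secret
            fh.write("PASSWORD=not-for-you\n")
        # a symlink inside the base that points outside it
        os.symlink(os.path.join(root, ".env"), os.path.join(base, "link"))

        results = {}
        for req in ["readme.txt", "../.env", "link", "sub/../readme.txt"]:
            try:
                results[req] = safe_read(base, req)
            except PathEscape:
                results[req] = "DENIED"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r}: {outcome!r}")
```

Note that "sub/../readme.txt" is allowed because it normalises to a file inside the base, while the symlink is refused even though its name is inside the base; checking the lexical path alone would get the second case wrong.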
We just pwned dwight!
I looked around the directories for existing files. Now that we are logged in as the user, we have access to the user.txt file. Simply locate it and grab the flag!
The flag found in user.txt is 45603e😈😈😈😈😈😈😈fae7f4.
Gaining root access
Now the target is root! Let's upload the LinPEAS tool to the system to help us scan it for any existing vulnerability. The bash script can be found at https://github.com/Th3l5D/linux-privilege-escalation-awsome-script/blob/master/linpeas.sh. I served linpeas.sh from my local system over a Python HTTP server and stored it in dwight's home directory on Paper.
Once uploaded to the remote system, execute bash linpeas.sh:
So the current system is vulnerable to CVE-2021-3560, a vulnerability in polkit (formerly PolicyKit), developed by Red Hat. While searching for exploits, I found one on GitHub at https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py, written in Python.
Save the exploit on the machine. It works by creating a new user, which acts as a backdoor for dwight to obtain root access.
You may update the username and password in the exploit before running it. Anyway, I kept everything unchanged and saved the exploit as exploit.py. Now run the exploit as below and see how quickly we get a root shell.
[root@paper dwight]# python3 exploit.py
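Because this exploit leaves a concrete trace, a brand-new local account with administrative group membership, a host-level check can catch it after the fact even where the polkit update (fixed upstream in polkit 0.119) has not been applied yet. The script below is an added example, not part of the write-up or the exploit: it diffs a known-good snapshot of /etc/passwd and /etc/group against the current files and reports new accounts, extra UID-0 accounts and new wheel or sudo members. The snapshots are constructed strings, and the account name and UIDs in them are invented.

```python
"""Spot newly created or newly privileged local accounts.

Added example, not part of the original write-up or the exploit. The polkit
bug above is abused by creating a fresh local user with admin rights, so a
simple host check is to diff /etc/passwd and /etc/group against a known-good
snapshot. The snapshots here are constructed strings with invented names and
UIDs; on a real host you would read the files (or feed auditd output).
"""

# Groups whose membership grants administrative rights on common distros.
ADMIN_GROUPS = ("sudo", "wheel")


def parse_passwd(text):
    """Map username -> uid for each well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not parts[2].isdigit():
            continue  # comment, blank or malformed line
        users[parts[0]] = int(parts[2])
    return users


def parse_group(text):
    """Map groupname -> set of member names from /etc/group."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def account_changes(passwd_before, passwd_after, group_before, group_after):
    """Return a list of findings describing new or newly privileged accounts."""
    pb, pa = parse_passwd(passwd_before), parse_passwd(passwd_after)
    gb, ga = parse_group(group_before), parse_group(group_after)
    findings = []
    for user in sorted(set(pa) - set(pb)):
        findings.append(f"new account: {user} (uid {pa[user]})")
    for user, uid in sorted(pa.items()):
        if uid == 0 and user != "root":
            findings.append(f"extra uid-0 account: {user}")
    for grp in ADMIN_GROUPS:
        for user in sorted(ga.get(grp, set()) - gb.get(grp, set())):
            findings.append(f"new {grp} member: {user}")
    return findings


# Constructed snapshots: 'newadmin' and the UIDs are invented for the example.
PASSWD_BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "dwight:x:1001:1001::/home/dwight:/bin/bash\n"
)
PASSWD_AFTER = PASSWD_BEFORE + "newadmin:x:1002:1002::/home/newadmin:/bin/bash\n"
GROUP_BEFORE = "wheel:x:10:\n"
GROUP_AFTER = "wheel:x:10:newadmin\n"

if __name__ == "__main__":
    for finding in account_changes(PASSWD_BEFORE, PASSWD_AFTER, GROUP_BEFORE, GROUP_AFTER):
        print(finding)
```

The snapshot approach is deliberately simple; on production hosts the same signal comes from auditd rules on /etc/passwd, /etc/group and /etc/shadow, which also record which process made the change.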
Roam around to locate root's flag, as the current directory doesn't seem to contain it.
We simply have to wrap up by collecting the main root.txt flag. Navigate to the /root/ directory and collect the flag:
Finally… we pwned root! The flag is: 137c3f😈😈😈😈😈😈😈38bbff.