From bcd17f74efedd0c59af22b09d4b4ff34a840ee56 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Mon, 20 Jun 2022 11:53:37 +0500
Subject: [PATCH] Create Paper.md
---
HackTheBox/Paper.md | 148 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 148 insertions(+)
create mode 100644 HackTheBox/Paper.md
diff --git a/HackTheBox/Paper.md b/HackTheBox/Paper.md
new file mode 100644
index 0000000..e03b609
--- /dev/null
+++ b/HackTheBox/Paper.md
@@ -0,0 +1,148 @@
+# HackTheBox-Paper
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
+| ssh-hostkey:
+| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
+| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
+|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
+80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
+|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
+| http-methods:
+| Supported Methods: POST OPTIONS HEAD GET TRACE
+|_ Potentially risky methods: TRACE
+|_http-title: HTTP Server Test Page powered by CentOS
+443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
+| http-methods:
+|_ Supported Methods: GET
+| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
+| Subject Alternative Name: DNS:localhost.localdomain
+| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2021-07-03T08:52:34
+| Not valid after: 2022-07-08T10:32:34
+| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
+|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
+| tls-alpn:
+|_ http/1.1
+
+```
+
+## PORT 80/443 (HTTP/HTTPS)
+
+
+
+On web service we see a default web page which tells that it's using centos, running `dirsearch` to fuzz for files and directories it only finds `manaul` and `cgi-bin`
+
+
+
+And `cgi-bin` doesn't show anything there
+
+
+
+So checking the response headers we see a domain `office.paper` , so we'll need to add this domain in `hosts` file
+
+
+
+
+
+Now accessing the domain we see a web page which is using wordpress (from the output of wappalyzer extensions)
+
+
+
+
+
+Checking the blog post we find some usernames
+
+
+
+To enumerate wordpress further for users and plugins we can use `wpscan`
+
+
+
+
+
+Searching for vulns for this wordpress version there was
+
+https://www.exploit-db.com/exploits/47690
+
+
+
+So just by adding `?static=1` to the url would reveal the draft to us
+
+
+
+We get a subdomain with a link to register so add this subdomain in hosts file
+
+`http://chat.office.paper/register/8qozr226AhkCHZdyY`
+
+
+
+Here I tried to register an account
+
+
+
+After creating an account we can read the chat and see that there's a bot that can allow us to perform local file read
+
+
+
+Since this chat is read only we can directly send command to bot that can read files
+
+
+
+This gives an error about cat command so it's actually possible to do that
+
+
+
+## Foothold
+
+Interestingly we can also list files in the directory using `list` command and this way we can see the source code of the bot
+
+
+
+Listing contenst of `hubot` we see a `scripts` folder
+
+
+
+
+
+There's a script `run.js` so this must be the source of this bot so taking a look at it would reveal that we can also run shell commands through `run`
+
+
+
+
+
+So let's just get a reverse shell from here , but this was an issue when I was trying to get a reverse shell as it was just getting hanged
+
+
+
+Instead we can just add our ssh key in `authorized_keys` file
+
+
+
+We can confirm that the contents are written to authorized_keys file by listing `..ssh` directory
+
+
+
+
+
+## Privilege Escalation
+
+Now privesc in the box was the easier I have ever seen in a HTB machine , we can see as script named `pk.sh `, that was exploiting `polkit` and creating a new user named `hacked` with the password `password` , adding that user to sudoers file
+
+
+
+So running the script
+
+
+
+
+
+## References
+- https://www.exploit-db.com/exploits/47690
+- https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
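Review bot: the new Paper.md leans on screenshots that are not part of this diff (the runs of blank lines after "running `dirsearch`", "we can use `wpscan`", "we see a `scripts` folder" and "So running the script" are where images would sit), so the write-up currently has no record of the dirsearch and wpscan invocations, the `run.js` source, the `authorized_keys` write, or `pk.sh`; please add the commands and the relevant output inline, or commit the images alongside the file. A few fixes in the text while you are there: "manaul" should be `manual`, "contenst" should be "contents", "`..ssh` directory" should be `.ssh`, and "getting hanged" reads better as "hanging". The nmap block is fenced as ```bash but is scanner output rather than a script, so a ```text fence would be more accurate, and the `pk.sh` description would be more useful if it named which polkit issue the script exploits and what change to the sudoers file it makes.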