# HackTheBox-Paper
## NMAP
```bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Supported Methods: GET
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
| tls-alpn:
|_ http/1.1
```
## PORT 80/443 (HTTP/HTTPS)
The web service shows the default CentOS test page. Running `dirsearch` to fuzz for files and directories finds only `manual` and `cgi-bin`, and `cgi-bin` does not contain anything of interest.

Checking the response headers, we see a domain, `office.paper`, so we need to add this domain to the `hosts` file.
Accessing the domain, we see a web page that is running WordPress (from the output of the Wappalyzer extension). Reading the blog posts, we find some usernames. To enumerate WordPress further for users and plugins we can use `wpscan`.
Searching for vulnerabilities affecting this WordPress version, there was:

https://www.exploit-db.com/exploits/47690

Simply adding `?static=1` to the URL reveals the draft post to us.
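From the defender's side, the `?static=1` draft-view bypass referenced above leaves a distinctive query string in the web server's access log. The following is an added example (not part of the original writeup) that flags such requests in Apache combined-format log lines; the log lines are constructed for the demo, and it flags any non-empty `static` parameter, not only `static=1`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-format access log lines (not from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [03/Jul/2021:08:52:34 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.5 - - [03/Jul/2021:08:52:40 +0000] "GET /?static=1 HTTP/1.1" 200 4567 "-" "Mozilla/5.0"
10.10.14.5 - - [03/Jul/2021:08:52:45 +0000] "GET /index.php?static=1&order=asc HTTP/1.1" 200 4567 "-" "curl/7.74.0"
10.10.14.5 - - [03/Jul/2021:08:53:01 +0000] "GET /?p=5 HTTP/1.1" 200 2222 "-" "Mozilla/5.0"
10.10.14.5 - - [03/Jul/2021:08:53:10 +0000] "GET /wp-login.php?static=1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def is_static_draft_probe(target):
    """Return True if the request target carries a non-empty `static` query parameter.

    parse_qs drops blank values, so `?static=` is not flagged; `?static=1` and
    `?static=1&order=asc` are.
    """
    query = urlsplit(target).query
    return bool(parse_qs(query).get("static"))


def find_static_draft_probes(log_text):
    """Parse each log line and return (ip, target, status) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        if is_static_draft_probe(match["target"]):
            hits.append((match["ip"], match["target"], int(match["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_static_draft_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} -> HTTP {status}")
```

A status of 200 on a flagged request is the signal worth alerting on; the durable fix is updating WordPress past the affected version.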
In the draft we find a subdomain with a registration link, so we add this subdomain to the hosts file as well:

`http://chat.office.paper/register/8qozr226AhkCHZdyY`
Here I registered an account. After creating an account we can read the chat and see that there is a bot that allows us to perform local file reads. Since the chat channel is read-only, we can send commands directly to the bot to read files. This gives an error mentioning the `cat` command, so it is indeed possible to do that.
## Foothold
Interestingly, we can also list files in a directory using the `list` command, and this way we can see the source code of the bot. Listing the contents of `hubot`, we see a `scripts` folder. It contains a script, `run.js`, which must be the source of this bot; taking a look at it reveals that we can also run shell commands through `run`.

So let's get a reverse shell from here. However, this was a problem when I tried it: the reverse shell just kept hanging. Instead, we can add our SSH key to the `authorized_keys` file. We can confirm that the contents were written to `authorized_keys` by listing the `.ssh` directory.
## Privilege Escalation
Privilege escalation on this box was the easiest I have ever seen in an HTB machine. We can see a script named `pk.sh` that exploits `polkit`, creating a new user named `hacked` with the password `password` and adding that user to the sudoers file. So we just run the script.
## References
- https://www.exploit-db.com/exploits/47690
- https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/