HackTheBox-Paper
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Supported Methods: GET
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
| tls-alpn:
|_ http/1.1
PORT 80/443 (HTTP/HTTPS)
On the web service we see a default web page which tells us it's using CentOS. Running dirsearch to fuzz for files and directories only finds manual and cgi-bin, and cgi-bin doesn't show anything.
Checking the response headers we see a domain, office.paper, so we'll need to add this domain to the hosts file.
Now, accessing the domain, we see a web page which is using WordPress (from the output of the Wappalyzer extension).
Checking the blog post we find some usernames.
To enumerate WordPress further for users and plugins we can use wpscan.
Searching for vulns for this WordPress version there was https://www.exploit-db.com/exploits/47690, so just adding ?static=1 to the URL reveals the draft to us.
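A defender-side check for the draft-exposure request described above, added here as an example and not part of the original writeup: it parses Apache combined-format access log lines (constructed samples, not logs from the box) and flags any request whose query string carries static=1, which is the trick used by exploit-db 47690.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # {} when there is no query string
    return rec

def is_draft_probe(rec):
    """True when the request carries static=1 (draft exposure, exploit-db 47690)."""
    return rec["query"].get("static") == ["1"]

def find_draft_probes(lines):
    """Return (client ip, request target, status) for every static=1 request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_draft_probe(rec):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits

# Constructed sample lines; the second and third are the draft-exposure requests.
SAMPLE_LOG = [
    '10.10.14.5 - - [18/Feb/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [18/Feb/2022:10:00:05 +0000] "GET /?static=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [18/Feb/2022:10:00:09 +0000] "GET /?p=1&static=1 HTTP/1.1" 200 5120 "-" "curl/7.79"',
    '10.10.14.9 - - [18/Feb/2022:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for ip, target, status in find_draft_probes(SAMPLE_LOG):
        print(f"draft-exposure probe from {ip}: {target} -> {status}")
```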
We get a subdomain with a link to register, so add this subdomain to the hosts file: http://chat.office.paper/register/8qozr226AhkCHZdyY
Here I tried to register an account.
After creating an account we can read the chat and see that there's a bot that can allow us to perform local file read. Since this chat is read only, we can directly send commands to the bot that can read files. This gives an error about the cat command, so it's actually possible to do that.
Foothold
Interestingly we can also list files in the directory using the list command, and this way we can see the source code of the bot. Listing the contents of hubot we see a scripts folder.
There's a script run.js, so this must be the source of this bot; taking a look at it reveals that we can also run shell commands through run.
So let's just get a reverse shell from here, but this was an issue when I was trying to get a reverse shell as it was just getting hung.
Instead we can just add our SSH key to the authorized_keys file. We can confirm that the contents are written to the authorized_keys file by listing the .ssh directory.
Privilege Escalation
Now privesc in this box was the easiest I have ever seen in an HTB machine: we can see a script named pk.sh that was exploiting polkit and creating a new user named hacked with the password password, adding that user to the sudoers file.
So running the script