HacktheBox Writeup: Paper

By Hacktivities, published in InfoSec Write-ups, Jun 21, 2022

This was an easy-difficulty Linux box that required basic scanning and enumeration to gain a foothold on the machine and get the user flag. The privilege escalation to root was also relatively simple and used CVE-2021-3560, a Linux privilege escalation vulnerability in Polkit.

Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports:

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report 10.10.11.143

PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 63
80/tcp  open  http    syn-ack ttl 63
443/tcp open  https   syn-ack ttl 63

The scan identified three ports open (i.e. port 22, 80, and 443). I next used NMAP to identify the services running on each port and used the common NSE scripts to find any common vulnerabilities that I could exploit:

nmap -sV -sC -Pn -v -oN nmap-report -p 22,80,443 10.10.11.143

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1

I can see that port 22 is running SSH, while ports 80 and 443 are web servers running Apache/2.4.37 (centos). I decided that I had enough information to move on and start examining the website being hosted on port 80.

HTTP — Port 80 Analysis

Navigating to http://10.10.11.143/, I am presented with the default HTTP server test page.

HTTP server test page.

Next, I decided to use FFuF to fuzz for hidden directories and web pages.

ffuf -c -u http://10.10.11.143/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.bak,.old

cgi-bin/                [Status: 403, Size: 199, Words: 14, Lines: 8]
manual                  [Status: 301, Size: 235, Words: 14, Lines: 8]

I found a directory called “manual” and used FFuF to fuzz for any subdirectories.

ffuf -c -u http://10.10.11.143/manual/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php,.bak,.old

developer               [Status: 301, Size: 245, Words: 14, Lines: 8]
faq [Status: 301, Size: 239, Words: 14, Lines: 8]
howto [Status: 301, Size: 241, Words: 14, Lines: 8]
images [Status: 301, Size: 242, Words: 14, Lines: 8]
index.html [Status: 200, Size: 9164, Words: 541, Lines: 125]
LICENSE [Status: 200, Size: 11358, Words: 2516, Lines: 203]
misc [Status: 301, Size: 240, Words: 14, Lines: 8]
mod [Status: 301, Size: 239, Words: 14, Lines: 8]
programs [Status: 301, Size: 244, Words: 14, Lines: 8]
ssl [Status: 301, Size: 239, Words: 14, Lines: 8]
style [Status: 301, Size: 241, Words: 14, Lines: 8]

I spent some time looking through these directories but did not immediately see anything of interest. I decided to change my approach and gather more information using the Nikto web vulnerability scanner.

nikto -h 10.10.11.143 -o nikto.txt

+ Target Host: 10.10.11.143
+ Target Port: 80
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET Uncommon header 'x-backend-server' found, with contents: office.paper
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Retrieved x-powered-by header: PHP/7.2.24
+ OPTIONS Allowed HTTP Methods: GET, POST, OPTIONS, HEAD, TRACE
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3268: GET /manual/images/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.

Looking at the output above, Nikto identified an interesting response header returned to a GET request: it leaks the hostname “office.paper” of a backend server.

+ GET Uncommon header 'x-backend-server' found, with contents: office.paper

I added this hostname to my “/etc/hosts” file and visited the website.

office.paper website.

Initial Foothold

Looking at the “office.paper” website, I can see three posts by a user called “Prisonmike”. One post has a comment from a user called “nick”, suggesting that there is secret content stored in post drafts.

Comment mentioning secret content in post drafts.

I can also see that the website is powered by WordPress. I used wpscan to enumerate user and vulnerability information related to the WordPress version being used by the website.

wpscan --url http://office.paper/ -e u,ap

Looking through the output, I discovered the WordPress version being used is vulnerable and found three users.

Vulnerable WordPress Version.
WordPress Users Discovered.

Searching for vulnerabilities affecting WordPress version 5.2.3, I found one that allows unauthenticated viewing of private and draft posts. The comment from the user Nick earlier hints at secret content saved in draft posts. I used the proof-of-concept request from the write-up for that vulnerability against the website.

http://office.paper/?static=1

This presents a post draft, which provides a link to a new sub domain called “chat.office.paper”.

Post draft contains interesting link.
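From the defender's side, both the draft-disclosure request and the wordlist scan that preceded it leave a clear trace in the Apache access log. As an added example (not part of the original write-up), the script below parses constructed combined-format log lines and flags the `?static=1` probe and any IP walking many non-existent paths:

```python
"""Flag the draft-post probe and the directory brute force in Apache logs.

Added detection example, not from the write-up. The combined-format lines
in SAMPLE_LOG are constructed (an assumption); they model a normal visitor,
the `?static=1` draft-disclosure request, and an ffuf-style wordlist walk."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.10.14.9 - - [21/Jun/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 9164 "-" "Mozilla/5.0"
10.10.14.9 - - [21/Jun/2022:10:00:05 +0000] "GET /?p=5 HTTP/1.1" 200 7001 "-" "Mozilla/5.0"
10.10.14.3 - - [21/Jun/2022:10:01:10 +0000] "GET /?static=1 HTTP/1.1" 200 5123 "-" "curl/7.81.0"
10.10.14.3 - - [21/Jun/2022:10:01:11 +0000] "GET /admin.php HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool"
10.10.14.3 - - [21/Jun/2022:10:01:11 +0000] "GET /backup.bak HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool"
10.10.14.3 - - [21/Jun/2022:10:01:12 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Fuzz Faster U Fool"
10.10.14.3 - - [21/Jun/2022:10:01:12 +0000] "GET /config.old HTTP/1.1" 404 199 "-" "Fuzz Faster U Fool"
"""

def parse_line(line):
    """Return (ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    return (m["ip"], m["method"], m["path"], int(m["status"])) if m else None

def draft_probes(log_text):
    """Requests whose query string carries static=1 (private/draft post pull)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and parse_qs(urlsplit(rec[2]).query).get("static") == ["1"]:
            hits.append((rec[0], rec[2]))
    return hits

def scanning_ips(log_text, min_misses=3):
    """IPs that hit at least `min_misses` distinct paths answered 403/404."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in (403, 404):
            misses[rec[0]].add(rec[2])
    return sorted(ip for ip, paths in misses.items() if len(paths) >= min_misses)
```

Patching WordPress removes the draft leak; the log rule is the compensating detection while the patch is outstanding.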

I added this subdomain to my “/etc/hosts” file and followed the link. This takes me to Rocket.Chat, an open-source team chat platform similar to Slack and Mattermost. I created an account and logged in. Once logged in, there is a channel called “general”, which mentions that Dwight has created a bot called recyclops. Looking at the actions that can be performed with the bot, I can see that it can retrieve file contents and list the contents of folders.

Interesting Bot Actions.

User Flag: Command Injection

I created a separate conversation with recyclops and checked what files were in the “sale” directory.

Contents of “sale” directory.

Next, I attempted to print the contents of the “portfolio.txt” file but found that I needed to specify the “sale” directory as well.

Contents of “portfolio.txt” file.

I can see the full path used to view the “portfolio.txt” file.

/home/dwight/sales/sale/portfolio.txt

Next, I decided to list the contents of other folders, including the folder “dwight”.

Contents of user “dwight” folder.

I can see the “user.txt” file but I do not have permission to access it. Looking through the other files, I found a folder called “hubot”. Looking at the contents of this folder, I found a hidden file called “.env”. Viewing the contents of this file provides the password for the user “dwight”.

User “dwight” password.
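The bot's list and file actions took a user-supplied path and served whatever it resolved to, which is why a “..” walk reached the hubot “.env” file. As an added example (not the box's Hubot code), here is the containment check such a handler needs; the directory tree it builds is a constructed stand-in for the paths seen above:

```python
"""Keep a file-serving chat bot inside its intended directory.

Added example, not the Hubot script from the box: the containment check the
'recyclops' list/file actions lacked. build_demo_tree() builds a constructed
layout (an assumption) mirroring the write-up's paths."""
import os
import tempfile

def contained_path(base_dir, requested):
    """Resolve `requested` under `base_dir`; None if it escapes (absolute
    path, dot-file such as .env, or '..'/symlink leading outside base_dir)."""
    if os.path.isabs(requested):
        return None
    if any(p.startswith(".") and p not in (".", "..") for p in requested.split("/")):
        return None
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole components, so base_dir + "2" is not "inside".
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target

def bot_list(base_dir, requested):
    """The 'list' action: visible entries of a contained directory, else None."""
    target = contained_path(base_dir, requested)
    if target is None or not os.path.isdir(target):
        return None
    return sorted(e for e in os.listdir(target) if not e.startswith("."))

def bot_read(base_dir, requested):
    """The 'file' action: contents of a contained regular file, else None."""
    target = contained_path(base_dir, requested)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, encoding="utf-8") as fh:
        return fh.read()

def build_demo_tree():
    """Constructed sample tree; returns the bot's base directory (.../sales)."""
    root = tempfile.mkdtemp()
    sales = os.path.join(root, "home", "dwight", "sales")
    hubot = os.path.join(root, "home", "dwight", "hubot")
    os.makedirs(os.path.join(sales, "sale"))
    os.makedirs(hubot)
    with open(os.path.join(sales, "sale", "portfolio.txt"), "w") as fh:
        fh.write("constructed sample\n")
    with open(os.path.join(hubot, ".env"), "w") as fh:
        fh.write("ROCKETCHAT_PASSWORD=placeholder\n")
    os.symlink(hubot, os.path.join(sales, "link"))  # symlink escape attempt
    return sales
```

Resolving symlinks before the prefix comparison matters: a link dropped inside the allowed directory would otherwise pass a purely string-based check.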

I used the credentials to SSH into the machine and get the user flag.

User Flag.

Root Flag: CVE-2021-3560 Polkit

Looking at the contents of the user “dwight” directory, I found a file called “poc.sh” which references a Linux privilege escalation vulnerability, CVE-2021-3560. According to the exploit's GitHub repository:

CVE-2021-3560 is an authentication bypass on polkit, which allows an unprivileged user to call privileged methods using DBus. In this exploit we will call 2 privileged methods provided by accountsservice (CreateUser and SetPassword), which allows us to create a privileged user, then set a password for it and, at the end, log in as the created user and then elevate to root.

I can take the exploit from that GitHub repository, upload it to the target machine from my attacking machine, then execute it and get root privileges.

[dwight@paper ~]$ python3 CVE-2021-3560.py
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root
[root@paper dwight]#

I can then retrieve the root flag.

Root flag.

Final Thoughts

Overall, I found this machine to be good practice for enumeration. It highlights the importance of using different tools and methods for enumeration, which was key to gaining an initial foothold. Once I found the initial compromise, the rest was pretty straightforward. Thank you for reading till the end and happy hacking 😄!
