Hello everyone, today I'll try to explain my solution to the Paper machine on Hackthebox. Before starting: it's a Linux box.
User
First, let's look at the open ports.
sudo nmap -sS -sV -sC 10.10.11.143
(After a long time, I changed the theme of the terminal :D)
Ports 22, 80 and 443 are open. Let's look at port 80 in the browser.
I reviewed this page but didn't find any interesting files or directories. Then I looked at the response headers. Bingo! There's a subdomain.
I added this subdomain to my hosts file (/etc/hosts). Then, when I opened http://office.paper, I saw the company page.
I found an interesting comment while reviewing the page.
Hmm. There's something secret in the drafts. Could I see the drafts? Maybe this WordPress version has an exploit. So I used wpscan to find the WordPress version (WordPress 5.2.3). Searching for exploits for WordPress 5.2.3, I found this PoC (CVE-2019-17671), which lets an unauthenticated visitor view private and draft posts.
Okay, let's open the draft page as described in the PoC.
http://office.paper/?static=1
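Before firing the PoC it is worth having a repeatable version check, since the same trick works on every WordPress release before the fix. The script below is an added example, not code from the original post or from WordPress: it pulls the version out of the generator meta tag (the same place wpscan reads it), compares it against 5.2.4, the release that fixed CVE-2019-17671 (a known fact about the CVE, not something stated on the page), and builds the ?static=1 request. The HTML is a constructed sample standing in for the real response from office.paper.

```python
import re

# CVE-2019-17671: WordPress releases before 5.2.4 serve private and draft
# posts to unauthenticated visitors when ?static=1 is appended to the URL.
# The fix version is a known fact about the CVE, not taken from this page.
FIXED_VERSION = (5, 2, 4)

# Constructed sample of a WordPress page head, standing in for what a plain
# GET against http://office.paper (or wpscan) returns.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.2.3" />
</head><body></body></html>"""


def parse_version(text):
    """Turn '5.2.3' or '5.2' into a comparable tuple such as (5, 2, 3)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    # Pad so that '5.2' compares as (5, 2, 0) rather than (5, 2).
    return parts + (0,) * (3 - len(parts))


def wp_version_from_html(html):
    """Extract the version string from the generator meta tag; None if absent."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html)
    return m.group(1) if m else None


def vulnerable_to_cve_2019_17671(version):
    """True when the version predates the 5.2.4 fix."""
    return parse_version(version) < FIXED_VERSION


def draft_leak_url(base_url):
    """The request the PoC makes: ?static=1 on the site root."""
    return base_url.rstrip("/") + "/?static=1"


if __name__ == "__main__":
    version = wp_version_from_html(SAMPLE_HTML)
    print("WordPress", version,
          "vulnerable" if vulnerable_to_cve_2019_17671(version) else "patched",
          "->", draft_leak_url("http://office.paper"))
```

Note that a generator tag can be removed or faked by a hardening plugin, so a "patched" answer from this check only means the banner says so; the ?static=1 request itself is the definitive test.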
A new subdomain was found. I added "chat.office.paper" to my hosts file.
When I opened the link, I saw a registration page and registered.
I reviewed the page...
I found the recyclops bot. I sent it "help" in a DM to see how I could use the bot.
There are interesting commands like "list" and "file". The "file" command shows file contents and the "list" command lists folders/files. Since both take a path, let's try LFI.
Oh yeah, I can run commands on the system.
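The bug the "file" command exposes is the usual one: the bot joins whatever path the user typed onto its base directory and never checks where the result ends up, so "../" (or an absolute path, which join() silently accepts in place of the base) walks out of the intended folder. The page does not show the bot's code, so the snippet below is an added example rather than the real handler: a naive resolver next to a hardened one, run against a constructed in-memory filesystem. The base directory /srv/bot/sales and the file contents are assumptions for illustration only.

```python
import posixpath

# Hypothetical directory the bot is meant to serve files from. The page does
# not show the bot's code or its real root; this value is assumed.
BOT_ROOT = "/srv/bot/sales"

# Constructed in-memory "filesystem" so the example runs offline.
FAKE_FS = {
    "/srv/bot/sales/report.txt": "Q3 numbers",
    "/srv/bot/hubot/.env": "BOT_PASSWORD=constructed-example",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash",
}


def vulnerable_resolve(root, requested):
    """Naive handler: join and normalise, never check where we ended up."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root, requested):
    """Return the resolved path only if it stays inside root, otherwise None."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # join() discards root when `requested` is absolute, and normpath()
    # collapses "..", so containment has to be checked on the final path,
    # not by filtering the input. The trailing "/" stops /srv/bot/sales2
    # from passing as a child of /srv/bot/sales.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def file_command(requested, resolver, fs=FAKE_FS):
    """What the bot's 'file <path>' command returns under a given resolver."""
    path = resolver(BOT_ROOT, requested)
    if path is None:
        return "error: path outside allowed directory"
    return fs.get(path, "error: no such file")


if __name__ == "__main__":
    for probe in ("report.txt", "../hubot/.env", "/etc/passwd"):
        print(f"{probe!r:20} naive: {file_command(probe, vulnerable_resolve)!r:40}"
              f" hardened: {file_command(probe, safe_resolve)!r}")
```

On a real filesystem use os.path.realpath (or pathlib's resolve()) in place of normpath so that symlinks inside the served directory cannot point back out of it; the containment check stays the same.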
I found the "dwight" user and continued reviewing the system. During the review, I found credentials in "/hubot/.env".
Let's log in over SSH as dwight.
ssh dwight@10.10.11.143
Oh yeah, I'm in.
Privilege Escalation
I used LinPEAS for privilege escalation (LinPEAS is a script that searches for possible privilege-escalation paths on Linux). LinPEAS flagged CVE-2021-3560.
Because of CVE-2021-3560, the polkit service allows unprivileged users to call privileged methods (more details). The bug is a race: polkit looks up the credentials of the process making a D-Bus request, and if that process disconnects before the lookup completes, the resulting error is mishandled and the request is treated as authorized.
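LinPEAS reports the CVE from the installed polkit version, so it helps to know what it is actually testing. The script below is an added example, not LinPEAS code or anything from the original post: it parses `pkaction --version` output and checks it against the affected range, which is upstream polkit 0.113 through 0.118, fixed in 0.119 (known facts about the CVE, not stated on the page). The sample output string is constructed.

```python
import re
import subprocess

# CVE-2021-3560 affects upstream polkit 0.113 up to and including 0.118;
# the fix landed in 0.119. These bounds are known facts about the CVE,
# not taken from this page.
FIRST_VULNERABLE = (0, 113)
FIXED_VERSION = (0, 119)

# Constructed sample of what `pkaction --version` prints on an affected host.
SAMPLE_OUTPUT = "pkaction version 0.115\n"


def parse_pkaction_version(output):
    """Pull a (major, minor) tuple out of `pkaction --version` output.

    Old releases print '0.115'; polkit dropped the leading '0.' from 121
    onward and prints a bare integer, so the minor part is optional.
    Returns None if no version is found.
    """
    m = re.search(r"pkaction version (\d+)(?:\.(\d+))?", output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2) or 0))


def version_in_cve_2021_3560_range(version):
    """True when an upstream polkit of this version carries the bug."""
    return FIRST_VULNERABLE <= version < FIXED_VERSION


def check_local():
    """Run the check on this host; returns (version, vulnerable) or (None, None)."""
    try:
        out = subprocess.run(["pkaction", "--version"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None, None
    version = parse_pkaction_version(out)
    if version is None:
        return None, None
    return version, version_in_cve_2021_3560_range(version)


if __name__ == "__main__":
    print("sample:", parse_pkaction_version(SAMPLE_OUTPUT),
          version_in_cve_2021_3560_range(parse_pkaction_version(SAMPLE_OUTPUT)))
    print("local:", check_local())
```

The caveat a version check cannot cover: distributions backport security fixes without bumping the version string, so a "vulnerable" result from this script (or from LinPEAS) is a lead to confirm against the distro's advisory or by running the PoC, not proof on its own.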
Okay, let's exploit it.
I found this exploit code. Following the instructions at the link, I created a new user with poc.sh.
./poc.sh -u=kabadayi -p=necdet
I switched to the new user with "su kabadayi" and, since the PoC creates the account as an administrator, got root with "sudo bash".