Hack The Box – Paper (EN)

Hello everyone, today I’ll try to explain the solution of the Paper machine from Hack The Box. Before starting: it’s a Linux box.

User

First of all, let’s look at the open ports.

sudo nmap -sS -sV -sC 10.10.11.143

(After a long time, I changed the theme of the terminal :D)


Ports 22, 80 and 443 are open. Let’s look at port 80 in the browser.

I reviewed this page but didn’t find any interesting files or directories. Then I looked at the response header. Bingo!!! There’s a subdomain.

I added this subdomain to my hosts file (/etc/hosts). Then, when I opened http://office.paper, I saw the company page.

I found an interesting comment while reviewing the page.

Hmm. There’s a secret thing in the drafts. Well, could I see the drafts? Maybe WordPress has an exploit. So I used wpscan to find the WordPress version (WordPress 5.2.3). I found this PoC (CVE-2019-17671) when I searched for an exploit for WordPress 5.2.3.

Okay, let’s open the draft page according to the PoC.

http://office.paper/?static=1

A new subdomain was found. I added “chat.office.paper” to the hosts file.

When I opened the link, I saw that there was a register page, and I registered.

I reviewed the page…

I found the recyclops bot. I wrote “help” in a DM to find out how I could use the bot.

There are interesting commands like “list” and “file”. I used the “file” command to view file contents and the “list” command to list folders/files. Let’s try LFI.

Ohh yeaah, I can run commands on the system. I found the “dwight” user. I continued reviewing the system and, during the review, found credentials in “/hubot/.env”.
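The bot’s “file” command above is a file-read feature that trusts a user-supplied path, which is exactly what makes the LFI possible. As an added example (my own code, not the machine’s or the Recyclops bot’s), here is how such a command should confine reads to an allowed directory; the base directory and file names are constructed for the demo. It resolves the path with realpath, so both “../” traversal and symlinks pointing outside the allowed directory are rejected.

```python
import os
import tempfile

def confined_read(base_dir: str, requested: str, max_bytes: int = 4096):
    """Read `requested` only if it resolves inside `base_dir`.

    Returns (ok, payload): on success payload is the file content, otherwise
    a short reason. realpath() follows symlinks, so a link that points outside
    the sandbox is rejected just like plain "../" traversal.
    """
    base = os.path.realpath(base_dir)
    # An absolute path would ignore base_dir entirely; always join relative to it.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return False, "path escapes the allowed directory"
    if not os.path.isfile(candidate):
        return False, "not a regular file"
    with open(candidate, "rb") as fh:
        return True, fh.read(max_bytes)

def demo():
    """Constructed sandbox: one allowed file, one traversal, one symlink escape."""
    root = tempfile.mkdtemp()
    sandbox = os.path.join(root, "sales")          # hypothetical allowed directory
    os.makedirs(sandbox)
    with open(os.path.join(sandbox, "report.txt"), "w") as fh:
        fh.write("q3 numbers")
    with open(os.path.join(root, "secret.env"), "w") as fh:   # constructed secret
        fh.write("token=constructed")
    os.symlink(os.path.join(root, "secret.env"), os.path.join(sandbox, "link"))
    return {
        "report.txt": confined_read(sandbox, "report.txt"),      # allowed
        "../secret.env": confined_read(sandbox, "../secret.env"),  # traversal
        "link": confined_read(sandbox, "link"),                  # symlink escape
        "/etc/passwd": confined_read(sandbox, "/etc/passwd"),    # absolute path
    }

if __name__ == "__main__":
    for req, (ok, payload) in demo().items():
        print(f"{req!r}: {'OK' if ok else 'DENIED'} -> {payload!r}")
```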

Let’s log in over SSH as dwight.

ssh [email protected]

OooYeaaa, I’m in.



Privilege Escalation

I used LinPEAS for privilege escalation (LinPEAS is a script that searches for possible paths to escalate privileges on Linux). LinPEAS found CVE-2021-3560.



The Polkit service allows unprivileged users to call privileged methods because of CVE-2021-3560 (more details).


Okay. Let’s exploit it.

I found this exploit code. Following the link, I created a new user using poc.sh.

./poc.sh -u=kabadayi -p=necdet

I switched to the new user using “su kabadayi”, and then got root using “sudo bash”.



Thanks For Reading
