HACK THE BOX “PAPER” WALKTHROUGH
SUMMARY
In this machine there's a WordPress vulnerability that allows reading draft posts. In a draft post, I'll find the URL to register accounts on a Rocket Chat instance. Inside the chat, there's a bot that can read files. I'll exploit a directory traversal to read outside the current directory and find a password that can be used to access the system. To escalate from there, I'll be exploiting CVE-2021-3560. After exploiting it I was able to get root access on the system.
RECONNAISSANCE
I started by scanning the IP using "Nmap" and was able to find 3 open ports.
port 80
Right click, select Inspect, and in the Network tab you will find a domain named "office.paper", which is also the backend server.
Add the domain to the /etc/hosts file.
ENUMERATION
Next I ran feroxbuster to enumerate files, but nothing interesting was found.
The HTTPS site for 'office.paper' returns the same default page. But the HTTP site has a new page for a paper company named Blunder Tiffin.
Using "whatweb" I found that it was running WordPress and that its current version is outdated.
After some time googling I was able to find a possible vulnerability for the current version.
Exploit URL : https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
These are some possible usernames you can use to bruteforce if it's necessary.
Using '?static=1' as a URL parameter, as we saw in the PoC, I was able to find a new page which had the URL to log in to a chat forum in the network.
Next I visited the ‘chat.office.paper’ domain
Then I registered myself in the forum to dive deeper into the application.
In this chat forum you would find a bot named “recyclops” and it allows us to get files from the internal server.
So I requested the "/etc/passwd" file from the bot using the following command, and I was able to receive the whole file from the server.
command: recyclops file /etc/passwd
What is the /proc/self/environ LFI method?
On Linux-based systems the environment variables of the current process (self) can be accessed via /proc/self/environ. One of the environment variables set (if apache2 is running) is the user agent, which can be controlled through an HTTP request. So I thought of getting the following file from the server.
CMD: recyclops file ../../../../../proc/self/environ
Sure enough I was able to find a username and a password from the server.
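A defender-side counterpart to the traversal above, added here and not part of the original walkthrough or of the Rocket Chat bot's own code: a hardened "file <path>" handler that resolves the requested path and refuses anything that lands outside the directory the bot is meant to serve. The sandbox directory, file name and handler names are constructed for this example.

```python
"""Containment check for a 'file <path>' style bot command (constructed example)."""
import tempfile
from pathlib import Path
from typing import Optional


def resolve_inside(base: Path, requested: str) -> Optional[Path]:
    """Return the resolved target if it stays under base, otherwise None.

    resolve() collapses '..' components and follows symlinks, so the request
    is compared as the real path it names rather than as a raw string.
    """
    base = base.resolve()
    target = (base / requested).resolve()
    return target if target.is_relative_to(base) else None


def bot_file_command(base: Path, requested: str) -> str:
    """Hardened handler: only regular files that resolve inside the sandbox are read."""
    target = resolve_inside(base, requested)
    if target is None:
        return "refused: path escapes the served directory"
    if not target.is_file():
        return "refused: not a regular file"
    return target.read_text()


def demo() -> dict:
    """Constructed sandbox with one allowed file; traversal and absolute paths are refused."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "shared"
        base.mkdir()
        (base / "readme.txt").write_text("recycling schedule\n")
        return {
            "allowed": bot_file_command(base, "readme.txt"),
            # the traversal payload from the walkthrough, now rejected
            "traversal": bot_file_command(base, "../../../../../proc/self/environ"),
            # Path joining with an absolute path discards base, so this must be caught too
            "absolute": bot_file_command(base, "/etc/passwd"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.strip()}")
```

Logging each refused request alongside the requesting chat user gives a cheap detection signal for this kind of probing.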
Trying to access the SSH server with the username 'dwight' and the found password, I was able to log in.
EXPLOITATION
After getting user.txt, I transferred the 'linpeas.sh' script to the server over SSH and ran it.
From the results of LinPEAS I found that the system is vulnerable to the pwnkit exploit.
“Pwnkit” is a vulnerability that uses a bug in “polkit” to elevate permissions to root.
Exploit URL : https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
THE EXPLOIT CODE
Executing the exploit to elevate privileges
After some time the exploit completed
And I was able to get root access on the system by executing the command "su ahmed", which is the user the exploit created, and got a root shell.
Thank you for reading, hope you learnt something.
Nathaneal