HackTheBox — Paper write-up

4 min readJun 18, 2022

Paper is an easy difficulty-rated linux machine. It is retired now but I solved it when it was active. It requires exploiting one WordPress vulnerability to get into the system and another linux Pwnkit vulnerability to escalate our privilege.


Machine IP is and as always, I started with nmap scan

nmap -sC -sV -oN nmap

nmap result

Nmap result showed that it has three ports open — 22 for ssh, and 80 for HTTP, and the banner indicated that it has an Apache server running, and port 443.

Visited the website (TCP port 80), It is only a static page.

checked https (TCP 443) too, but nothing interesting.

Then I ran gobuster on it but got no useful info.

I checked the API calls in the network tab of the developer tools to get something useful, and I noticed the X-Backend-Server header in the API call.

API call header


I added office.paper to my hosts file and visited http://office.paper and I noticed there is one comment in which it tells Michael to remove secret content.

comment on the feeling alone article

I noticed that the site is a WordPress site. checking my Wappalyzer, I noticed that the WordPress version 5.2.3.


After a little bit of google search, I found that the 5.2.3 version of WordPress is vulnerable to unauthenticated view private/draft posts.

To exploit that vulnerability, we just need to add ?static=1 to the URL.


Now, a private chat is available. It gave the new employee chat system URL.

exploited WordPress vulnerability

added chat.office.paper to my hosts file and visited the URL and got a registration form. registered a user and logged in. After that, click on the general room.

Looked through the chats and found a bot called recyclops bot. It helps users to see the sales directory using the list command and to see the content of a file using the file command.

Tried directory Path traversal using the list command. hublot directory looked interesting, checked the content of it, we found a .env file.

list ../

list ../hubot

checked the content of the .env file using the file command, we got a username [recyclops] and a password[Queenofblad3s!23].

.env file content

Tried to ssh with that username and password, but didn’t work.

so, went back to the recyclops bot, checked for some users, and found dwight.


Tried to ssh with username dwight and the password found earlier.

ssh dwight@

user flag

And, logged in.


since sudo -l didn’t work, ran linPeas. And noticed that the machine is vulnerable to PwnKit CVE-2021–3560. This vulnerability allows unprivileged users to call privileged methods.


Got the exploit inside the machine -


Made the python file executable and ran it —

chmod +x CVE-2021-3560.py

python3 CVE-2021-3560.py

And, got root -

root flag

If you have any questions, you can ask them in the comment or you can DM me on Twitter.

I will be posting more write-ups for HackTheBox Linux boxes as soon as they retire. Until then, keep being awesome.