Paper is an easy-rated Linux machine. It is retired now, but I solved it when it was active. It requires exploiting one WordPress vulnerability to get into the system and a Linux PwnKit vulnerability to escalate our privileges.
Recon
The machine IP is 10.10.11.143 and, as always, I started with an nmap scan:
nmap -sC -sV -oN nmap 10.10.11.143
The nmap result showed three open ports: 22 for SSH, 80 for HTTP (the banner indicated an Apache server), and 443 for HTTPS.
Visited the website (TCP port 80); it is only a static page.
Checked HTTPS (TCP 443) too, but nothing interesting there.
Then I ran gobuster against it but got no useful information.
I checked the API calls in the network tab of the developer tools for anything useful, and I noticed the X-Backend-Server header in the API call.
Foothold
I added office.paper to my hosts file and visited http://office.paper. I noticed there is one comment telling Michael to remove the secret content.
I noticed that the site is a WordPress site. Checking Wappalyzer, I saw that the WordPress version is 5.2.3.
After a bit of Googling, I found that WordPress 5.2.3 is vulnerable to unauthenticated viewing of private/draft posts.
To exploit that vulnerability, we just need to add ?static=1 to the URL:
http://office.paper/?static=1
Now a private post is visible, and it gives the URL of the new employee chat system.
Added chat.office.paper to my hosts file, visited the URL and got a registration form. Registered a user and logged in, then clicked on the general room.
Looked through the chats and found a bot called recyclops. It lets users list the sales directory with the list command and read the contents of a file with the file command.
Tried directory path traversal using the list command. The hubot directory looked interesting; checking its contents, I found a .env file:
list ../
list ../hubot
Read the .env file with the file command and got a username (recyclops) and a password (Queenofblad3s!23).
Tried to SSH with that username and password, but it didn't work.
So I went back to the recyclops bot, checked for users, and found dwight.
User
Tried to SSH with the username dwight and the password found earlier:
ssh dwight@10.10.11.143
And logged in.
Root
Since sudo -l didn't work, I ran linPEAS and noticed that the machine is vulnerable to PwnKit, CVE-2021-3560. This vulnerability allows unprivileged users to call privileged methods.
Got the exploit onto the machine:
https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
Made the Python file executable and ran it:
chmod +x CVE-2021-3560.py
python3 CVE-2021-3560.py
And got root.
If you have any questions, you can ask them in the comments or DM me on Twitter.
I will be posting more write-ups for HackTheBox Linux boxes as they retire. Until then, keep being awesome.