HackTheBox — Paper write-up

Paper is an easy-rated Linux machine. It is retired now, but I solved it while it was active. Getting in requires exploiting a WordPress vulnerability, and escalating to root requires a Linux Pwnkit vulnerability.

Recon

The machine's IP is 10.10.11.143 and, as always, I started with an nmap scan:

nmap -sC -sV -oN nmap 10.10.11.143

The nmap result showed three open ports: 22 (SSH), 80 (HTTP) and 443 (HTTPS); the banner on the web ports indicated an Apache server.

I visited the website on TCP port 80; it is only a static page.

I checked HTTPS (TCP 443) too, but found nothing interesting.

Then I ran gobuster against it, but got no useful information.

I checked the requests in the network tab of the browser's developer tools for something useful, and noticed an X-Backend-Server header in one of the responses.

Foothold

I added office.paper (the hostname from that header) to my hosts file and visited http://office.paper. I noticed a comment telling Michael to remove the secret content.

The site is a WordPress site; Wappalyzer reported the WordPress version as 5.2.3.

After a little googling, I found that WordPress 5.2.3 is vulnerable to unauthenticated viewing of private/draft posts.

To trigger that vulnerability, we just need to add ?static=1 to the URL:

http://office.paper/?static=1

Now the private post is visible, and it gives the URL of the new employee chat system.
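From the defender's side, both of the web steps so far (the gobuster run and the ?static=1 request) leave traces in the Apache access log. The following is an added example, not part of the original write-up or of the box, showing how to pick them out of common-format log lines: any request whose query string carries a static parameter is flagged as a possible private-post disclosure, and any client with a burst of 404s is flagged as a likely directory brute-force. The log lines, addresses and timestamps are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "common" log format; the fields used here are shared with the "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Feb/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 1234
10.10.14.5 - - [10/Feb/2022:10:01:09 +0000] "GET /admin HTTP/1.1" 404 196
10.10.14.5 - - [10/Feb/2022:10:01:09 +0000] "GET /backup HTTP/1.1" 404 196
10.10.14.5 - - [10/Feb/2022:10:01:10 +0000] "GET /config HTTP/1.1" 404 196
10.10.14.5 - - [10/Feb/2022:10:01:10 +0000] "GET /dev HTTP/1.1" 404 196
10.10.14.5 - - [10/Feb/2022:10:01:11 +0000] "GET /test HTTP/1.1" 404 196
10.10.14.5 - - [10/Feb/2022:10:03:40 +0000] "GET /?static=1 HTTP/1.1" 200 8921
198.51.100.3 - - [10/Feb/2022:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 1234
198.51.100.3 - - [10/Feb/2022:10:04:02 +0000] "GET /?p=7&static=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Feb/2022:10:05:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
this line is not in log format
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every line of a log; unparseable lines are skipped rather than aborting the run."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def find_draft_disclosure(records):
    """Requests whose query string contains a 'static' parameter (the marker used above).

    Only the query string is inspected, so a path such as /static/logo.png is not a hit.
    """
    hits = []
    for rec in records:
        query = parse_qs(urlsplit(rec["target"]).query)
        if "static" in query:
            hits.append((rec["ip"], rec["target"]))
    return hits


def find_scanner_bursts(records, threshold=5):
    """Clients with at least `threshold` 404 responses, the footprint of a wordlist scan."""
    counts = Counter(rec["ip"] for rec in records if rec["status"] == "404")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("private-post requests:", find_draft_disclosure(recs))
    print("scanner bursts:", find_scanner_bursts(recs))
```

The 404 threshold is deliberately low for the sample; on a real server tune it per time window and exclude known crawlers, otherwise a single broken link farm will page you.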

I added chat.office.paper to my hosts file, visited the URL and got a registration form. I registered a user, logged in and then clicked on the general room.

Looking through the chat, I found a bot called recyclops. It lets users view the sales directory with the list command and read a file's contents with the file command.

I tried directory path traversal with the list command. The hubot directory looked interesting, and listing it revealed a .env file:

list ../

list ../hubot

Reading the .env file with the file command gave a username (recyclops) and a password (Queenofblad3s!23).
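The root cause here is that the bot joins user input onto its sales directory without checking where the result ends up. As an added example (not the bot's code, and not part of the original write-up; the real bot runs on Hubot, which is JavaScript, but the check is the same in any language), the following Python shows hardened list and file handlers that canonicalise the requested path and refuse anything that resolves outside the allowed root. The sandbox directory, its files and the "hubot" directory with a placeholder .env are constructed inside a temporary directory so the example runs offline; the symlink case is included because a purely lexical "../" filter would miss it.

```python
import os
import tempfile


class PathEscape(Exception):
    """Raised when a requested path would leave the directory the bot is allowed to serve."""


def safe_resolve(base, user_path):
    # Resolve both the allowed root and the request to canonical absolute paths.
    # realpath() follows symlinks, so a link inside the sandbox that points outside
    # is caught as well as plain "../" sequences and absolute paths.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscape(user_path)
    return candidate


def bot_list(base, user_path="."):
    """Hardened counterpart of the bot's 'list' command: listing confined to base."""
    return sorted(os.listdir(safe_resolve(base, user_path)))


def bot_file(base, user_path):
    """Hardened counterpart of the bot's 'file' command: read confined to base."""
    with open(safe_resolve(base, user_path), encoding="utf-8") as fh:
        return fh.read()


def make_sandbox():
    """Constructed stand-in for the sales directory, plus an outside directory with a secret."""
    root = tempfile.mkdtemp(prefix="sales_")
    os.makedirs(os.path.join(root, "2021"))
    with open(os.path.join(root, "2021", "q1.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed sample report\n")
    outside = tempfile.mkdtemp(prefix="hubot_")  # plays the role of the bot's own directory
    with open(os.path.join(outside, ".env"), "w", encoding="utf-8") as fh:
        fh.write("PASSWORD=placeholder\n")  # placeholder, not a real credential
    # A symlink inside the sandbox pointing outside it: lexical checks alone would miss this.
    os.symlink(outside, os.path.join(root, "link"))
    return root


def is_blocked(base, user_path):
    """True if the hardened resolver rejects user_path."""
    try:
        safe_resolve(base, user_path)
    except PathEscape:
        return True
    return False


def run_checks(root):
    """Exercise the handlers against the sandbox and report what was allowed and refused."""
    return {
        "list_root": bot_list(root),
        "file_ok": bot_file(root, "2021/q1.txt"),
        "parent_blocked": is_blocked(root, "../"),
        "symlink_blocked": is_blocked(root, "link/.env"),
        "absolute_blocked": is_blocked(root, "/etc/hostname"),
    }


if __name__ == "__main__":
    for key, value in run_checks(make_sandbox()).items():
        print(f"{key}: {value!r}")
```

Beyond the path check, the secret should not have been reachable at all: credentials belong in the bot's environment or a secrets store, not in a .env file sitting one directory above the content the bot serves.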

I tried to SSH with that username and password, but it didn't work.

So I went back to the recyclops bot, checked for other users, and found dwight.

User

I tried SSH with the username dwight and the password found earlier:

ssh dwight@10.10.11.143

And I was logged in.

Root

Since sudo -l didn't work, I ran linPEAS, which flagged the machine as vulnerable to PwnKit, CVE-2021-3560. This vulnerability allows unprivileged users to call privileged methods.

I fetched the exploit onto the machine:

https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py

I made the Python file executable and ran it:

chmod +x CVE-2021-3560.py

python3 CVE-2021-3560.py

And got root.

If you have any questions, you can ask them in the comment or you can DM me on Twitter.

I will be posting more write-ups for HackTheBox Linux boxes as soon as they retire. Until then, keep being awesome.

Subhajit

InfoSec researcher, and a little bit developer.