• Donald Ashdown

Hack the Box - Paper

Engagement flow

Summary

This was a fairly straightforward machine that involved subdomain enumeration, WordPress exploitation, chat bot abuse and a simple CVE to root.


References

https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

Enumeration
  1. Enumerate all ports

  2. Web enumeration

  3. Enumeration with Burp Suite for office.paper

  4. wp-scan

We have a fairly narrow attack surface with both ports 80 and 443 open. This is quite interesting.

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9



Web Enumeration

Looking at the website reveals nothing but the default page. This is the same for port 80 and 443.


Taking a look with Burp Suite revealed a domain in the X-Backend-Server response header: office.paper.


After adding office.paper to our /etc/hosts file, we can browse to office.paper, which reveals the following website.

User
  1. Research WP version

  2. Identify CVE

  3. Exploit CVE

  4. Read chat application

  5. Leverage bot to read files with credentials

Looking around on the website reveals it is "Proudly Powered By WordPress".


The WordPress version is 5.2.3, as identified by the WPScan output.


Here we played around with the payload and managed to achieve information disclosure.


We browse to http://chat.office.paper/register/8qozr226AhkCHZdyY


We are able to register a new user and login.



Looking through the chats we learn about the recyclops bot.


There is a guide on how to use the bot which really makes our lives much easier. The first thing I notice is that we can use the list command, which is similar to the ls command. We can also use the file command, which is equivalent to the cat command.


We were not able to interact with recyclops in the channel, so I opened a private message with the recyclops bot.


Using the commands provided we are able to read the contents of /etc/passwd.


recyclops file ../../../../etc/passwd 



Checking the /sales/ directory, we see nothing helpful.


Moving up a directory reveals interesting directories, including hubot.


Looking at the .env file in the hubot directory provides credentials.


Sure enough these grant us access to the target.


Root
  1. Internal enumeration

  2. Exploit the CVE suggested by linpeas


Running linpeas, we learn about a CVE:

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/


This next one has a bash script that did not work.

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation


We now try this one and gain root.

https://github.com/Almorabea/Polkit-exploit

