top of page
  • BlueDolphin

Hack the Box - Paper

Engagement flow


This was a fairly straight forwards machine that involved subdomain enumeration, WordPress exploitation, chat bot abuse and a simple CVE to root.


  1. Enumerate all ports

  2. Web enumeration

  3. Enumeration with Burpsuite for

  4. wp-scan

We have a fairly narrow attack surface with both port 80 and 443 open. This is quite interesting.

22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

Web Enumeration

Looking at the website reveals nothing but the default page. This is the same for port 80 and 443.

Taking a look with burpsuite revealed the domain for the X-Backend-Server. Office.paper.

Adding office.paper to our etc hosts file, we can being browsing to office.paper revealed the following website.

  1. Research WP version

  2. Identify CVE

  3. Exploit CVE

  4. Read chat application

  5. Leverage bot to read files with credentials

Looking around on the website reveals it is "Proudly Powered By WordPress"

WordPress Version is 5.2.3 as identified by the WpScan output.

Here we played around with the payload and managed to achieve information disclosure.

We are able to register a new user and login.

Looking through the chats we learn about the recyclops bot.

There is a guide on how to use the bot which really makes are lives much easier. The first thing I notice is that we can use the list command which is similar to the LS command. We can also use the Files command which is equivalent to the cat command.

We were not able to interact with recyclops so I opened a private message with the recyclops bot.

Using the commands provided we are able to list the content of /etc/passwd.

recyclops file ../../../../etc/passwd 

Checking the directory of /sales/ we see nothing helpful.

Dropping a directory provides interesting directories including a hubot.

Looking at the .env folder for hubot provides credentials.

Sure enough these grant us access to the target.

  1. Internal enumeration

  2. Exploit linpeas suggested CVE

Running linpeas

We learn about a CVE

This next on has a bash script that did not work.

We now try it and gain root.

49 views0 comments

Recent Posts

See All


bottom of page