Hack the Box - Paper
This was a fairly straightforward machine that involved subdomain enumeration, WordPress exploitation, chat bot abuse and a simple CVE to root.
Enumerate all ports
Enumeration with Burpsuite for paper.office
We have a fairly narrow attack surface, with ports 80 and 443 both open. This is quite interesting.
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
Looking at the website reveals nothing but the default page. This is the same for port 80 and 443.
Taking a look with Burp Suite revealed a domain in the X-Backend-Server response header: office.paper.
Adding office.paper to our /etc/hosts file, we can begin browsing; office.paper revealed the following website.
Research WP version
Read chat application
Leverage bot to read files with credentials
Looking around on the website reveals it is "Proudly Powered By WordPress"
WordPress Version is 5.2.3 as identified by the WpScan output.
Here we played around with the payload and managed to achieve information disclosure.
We browse to http://chat.office.paper/register/8qozr226AhkCHZdyY
We are able to register a new user and login.
Looking through the chats we learn about the recyclops bot.
There is a guide on how to use the bot, which really makes our lives much easier. The first thing I notice is that we can use the list command, which is similar to the ls command. We can also use the file command, which is equivalent to the cat command.
We were not able to interact with recyclops there, so I opened a private message with the recyclops bot.
Using the commands provided we are able to list the content of /etc/passwd.
recyclops file ../../../../etc/passwd
Checking the directory of /sales/ we see nothing helpful.
Moving up a directory reveals interesting directories, including hubot.
Looking at the .env file in the hubot directory provides credentials.
Sure enough these grant us access to the target.
Exploit linpeas suggested CVE
We learn about a CVE
This next one has a bash script that did not work.
We now try it and gain root.