Hack The Box: Paper

Today, I decided to tackle my first live Hack The Box machine, and I decided that my first box would be Paper. This is an easy rated machine, though community ratings look like it's a little more on the harder side of easy. Either way, I was excited to give it a shot.

Enumeration

So as usual, I start by adding the machine to the hosts file, and begin the Nmap scan. 

So we have SSH, an HTTP server and a server running on HTTPS. I head over to both the HTTP and HTTPS page and find the same thing.

With nothing of interest on the page or in the source code, I start fuzzing for directories, but have no luck with anything other than manual. Given that we still don't have any leads at this point, my next idea was to scan for subdomains or virtual hosts on this box.

I start by using GoBuster's VHOST mode to enumerate for any virtual hosts, and indeed we were able to get a hit on one. (I later realized there is an HTTP header for this page that references this VHOST, but I did not catch it at the time.) 

I add office.paper to my hosts file, and proceed to the webpage. 


We come to a blog here for Blunder Tiffin Paper Company. I am a huge fan of The Office so I was immediately excited. I begin to poke around and find a comment left on one of the blog posts by Nick (the I.T. guy for a short while in the show) telling Prisonmike to remove the secret content from his drafts ASAP.


I use Wappalyzer to analyze the page and see it's running WordPress 5.2.3, so I look up any exploits for that and I come across this vulnerability on Exploit DB.


It mentions that if we tack on '?static=1' to the URL, it should leak some sensitive info from the page. I return to the office.paper home page and append that parameter to the URL.


I get back the draft that Nick was talking about, and we see a registration link for a secret "employee chat system," and it's on a "chat" subdomain. I add "chat.office.paper" to my hosts file and head to that page.


I created a test account to see if it would let me without any additional checks, and it sure did. 

You first see a welcome to Rocket.Chat message, and I see a search bar at the top, so I click on it and find a #general chat that has some chat history. I can read that Dwight had created a bot, and that it can perform some functions on files.

So we can see that we can run "recyclops file/list <file.txt>" and it will give us some output. We don't see Recyclops in the user list, but we can click on the bot's name and view his full profile, where it gives us the option to DM him. Perfect. I start up a DM, and run exactly what's in the help text, and get the following results. 

Notice the error: it's using "cat" to print the contents of files. Now that we know this, the real fun begins.

Exploitation


So we know that if we use the Recyclops file command, it prints out the content of a file. If we run "Recyclops list <directory>" then it lists the directory (using the 'ls -la' command).


My first thought here was to see if we could move up directories with list. I attempt to add a '../' after "list".

Awesome! We absolutely can. We are looking into the home directory of the user Dwight, and I also see there is a script there called "bot_restart.sh" owned by Dwight. So there is a username for the machine that we can use in the future as well. I now see if I can use the "file" command to read the contents of it.

Yep! Very nice, we're on to something here. Near the end of the script, we see it call to execute another script called "start_bot.sh" that's located in the "hubot" directory. So, I use the "file" command again to read that file. 


Okay, so we analyze this bash script and see that it changes to the Hubot directory, sources the ".env" file as an argument for the script, then runs the file "hubot." I once again use the "file" command to read the contents of the .env file.
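The weakness the bot has just shown us is that the verb ("file"/"list") is checked but the argument is handed straight to cat/ls. As an added illustration that is not code from the box or from this write-up, here is that pattern in Python beside a hardened form: the naive resolver shows why a '../' argument walks out of the intended directory, and the hardened resolver refuses any path that does not stay under the bot's directory. The sandbox layout, the file names and the secret.env contents are constructed for the example.

```python
import tempfile
from pathlib import Path

def make_sandbox(root: Path) -> None:
    """Constructed stand-in for the bot's directory (real layout not on the
    page); the sibling secret.env plays the role of the leaked .env."""
    (root / "sales").mkdir(parents=True, exist_ok=True)
    (root / "sales" / "report.txt").write_text("Q3 numbers\n")
    (root.parent / "secret.env").write_text("PASSWORD=hunter2\n")  # constructed

def naive_resolve(base: Path, user_path: str) -> Path:
    """What a bot that simply runs 'cat <base>/<arg>' opens: '..' is
    honoured, so '../secret.env' lands outside base."""
    return (base / user_path).resolve()

def safe_resolve(base: Path, user_path: str) -> Path:
    """Resolve symlinks and '..' first, then refuse anything outside base."""
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"refusing path outside {base}: {user_path}")
    return target

def handle_command(line: str, base: Path) -> list[str]:
    """Serve 'file <path>' / 'list <dir>' without a shell: only the two
    advertised verbs are accepted and the argument is confined to base."""
    parts = line.strip().split(maxsplit=1)
    verb = parts[0].lower() if parts else ""
    target = safe_resolve(base, parts[1] if len(parts) > 1 else ".")
    if verb == "list":
        return sorted(p.name for p in target.iterdir())
    if verb == "file":
        return target.read_text().splitlines()
    raise ValueError(f"unknown command: {verb!r}")

def demo() -> dict:
    """Build the sandbox in a temp dir and compare the two resolvers."""
    root = Path(tempfile.mkdtemp()) / "bot_files"
    make_sandbox(root)
    leaked = naive_resolve(root, "../secret.env").read_text()
    try:
        safe_resolve(root, "../secret.env")
        blocked = False
    except PermissionError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked,
            "listing": handle_command("list sales", root),
            "content": handle_command("file sales/report.txt", root)}
```

Running demo() shows the naive resolver returning the secret file's contents while the hardened one raises PermissionError for the same argument; legitimate "list" and "file" requests inside the directory still work.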

We see that it's passing some information, and with it... credentials in clear text! Now, these credentials are for the recyclops bot for this web app, but knowing that Dwight created this bot, I took a chance on him reusing his server password. I fire up a terminal and attempt to log in with SSH.

It worked!! Dwight did in fact reuse his password, giving us our initial foothold onto this machine! We can go ahead and snag the User flag! 

Now, we move on to escalating up to the root user! 

Post-Exploitation 

I am able to get LinPEAS.sh onto the machine, and see that the sudo binary on this device is vulnerable to CVE-2021-3560, which is a PolKit vulnerability. After a little research, I stumbled across an exploit written in Bash by "secnigma" on GitHub.


I download the script, get it onto the machine and run it. 

Okay, the exploit supposedly worked! It was able to inject the user "secnigma," along with the password provided in the script, into this server as a root user. It says we should be able to "su" to the secnigma user, then just run 'sudo bash' to obtain a shell as root. Let's give it a shot.


Okay, that worked. Now let's try 'sudo bash'.

It worked!! We have successfully gained root access to this machine, and we can now snag the root flag!

Conclusion

This machine was one of the more fun ones that I have tackled since I started my journey into penetration testing. We were able to exploit a vulnerability in an outdated WordPress application, and a user not properly handling sensitive information on the web app, to discover a registration link to another application running on a different virtual host. Once we had this link, we registered an account, and took advantage of the chat bot that Dwight had built out, which was essentially a fancy front end for terminal output. There was some filtering in place on the bot that would prevent us from running any commands other than "file" and "list," but with enough enumeration, we were eventually able to find an executable script that passed credentials in cleartext, giving us that initial foothold on the server. Once we were there, we exploited yet another outdated executable, the 'sudo' binary. Doing so, we were trivially able to escalate our privileges to root and completely own the machine. This is one of the few machines I was able to knock out without looking up hints/walkthroughs, so I think my learning and studying are starting to pay off! I can't wait to continue learning, and tackle my next Hack The Box machine!

Thank you for reading this write-up; I hope it brought some help to those in need!