Paper - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/432
• 10.10.11.143

端口扫描

22,80,443:

$ nmap -sC -sV 10.10.11.143
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-08 09:54 CST
Nmap scan report for 10.10.11.143
Host is up (0.19s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| tls-alpn:
|_  http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.91 seconds

80/443

默认页面：

响应中得到域名：

office.paper

加hosts后访问：

office.paper

wordpress 5.2.3，其中一个comment中提示信息：

draft无法直接查看，但可以搜到相关漏洞：

• WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts WordPress Security Vulnerability
  https://wpscan.com/vulnerability/9909

得到Secret Registration URL：

http://chat.office.paper/register/8qozr226AhkCHZdyY

chat.office.paper

同样添加hosts后访问，是rocket.chat：

使用secret url注册登录：

recyclops bot

频道里有个机器人，可以执行一些命令：

频道是只读的，但可以和机器人私聊：

list file

可以使用list查看目录，file查看文件，并且存在目录遍历：

../hubot/.env

env文件中得到密码：

export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23

username

/etc/passwd文件和home目录确认用户名：

user flag

dwight ssh密码就是bot密码，得到user.txt

ssh dwight@office.paper
Queenofblad3s!23

提权信息

linpeas发现CVE-2021-3560：

• Almorabea/Polkit-exploit: Privilege escalation with polkit - CVE-2021-3560
  https://github.com/Almorabea/Polkit-exploit

提权 & root flag

exp一键打：

[root@paper ~]# cat /etc/shadow
root:$6$rfCS6Tb3sgIjkTux$UhBHq5wWPncgtVnltzm3Squ9KBcX3/9k0y6o8AG6lNSKOobHatUWFzPS1J8uuh/QML6kyhZ10ngXa5nCBLDkL.:18811:0:99999:7:::

参考资料

• WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts WordPress Security Vulnerability
  https://wpscan.com/vulnerability/9909
• Almorabea/Polkit-exploit: Privilege escalation with polkit - CVE-2021-3560
  https://github.com/Almorabea/Polkit-exploit
• HTB Paper Writeup | 0xDedinfosec Blog
  https://0xdedinfosec.vercel.app/posts/hackthebox-paper-writeup
• Paper - Discussion [easy] | RaidForums
  https://raidforums.com/Thread-Tutorial-Paper-Discussion-easy