🔎🦶Enumeration/Foothold

Paper is an Easy Linux box from HTB created by secnigma. The box features an outdated WordPress environment that allows unauthenticated reading of draft posts. A draft reveals a hidden sub-domain running Rocket.chat, where a bot is active; the bot's file-listing command is vulnerable to path traversal, which leads to credentials. Finally, once on the box, we use LinPEAS for enumeration and a variation of the PolKit exploit CVE-2021-3560, written by the box's author, to get root.

I began this box by running a quick RustScan on the IP to grab open ports and piping the results through xsltproc to convert them to HTML for easier reading:


Reviewing the open ports I can see both 80/443 are open. Navigating to the site I see the default HTTP Server test page. I try running directory and sub-domain scans but don't get a hit. Next I run nikto, which gets a hit:

HTTP Server test Page.


I add the new sub-domain office.paper to my hosts file and browse to the site. The site is running WordPress, so I kick off a wpscan and continue to navigate while it runs. In the comments section I can see someone mentioning 'removing of drafts ASAP'.

WordPress comments talking about drafts not being safe.

Running a WordPress environment myself, I recognised this as a reference to a vulnerability that lets an unauthenticated user view private and draft posts. Reviewing the wpscan results confirms the WordPress version:

More information regarding the vulnerability can be found here: CVE-2019-17671

After navigating to the draft post I can see mention of a new subdomain, chat. After adding it to my hosts file I navigate to the chat service and register an account.

Rocket.chat registration process on the chat.office.paper sub-domain.

Clicking the globe icon shows the General channel which mentions a bot:

Rocket.chat #general talking about a bot and its ability to grab files.

I speak to the bot and use the list ../ command to list files outside the sales directory. Eventually I find credentials in the hubot directory:


🔝Escalation

I use those credentials to SSH onto the box and, having noticed earlier that it runs CentOS, check whether it is vulnerable to CVE-2021-3560:


After a short Google search I saw that the author's GitHub has a proof-of-concept script, so I knew I was heading in the right direction:

⚠ Attack Machine


🎯Victim Machine


Rooted

Published On: June 30th, 2022 / Categories: HTB, Technology

One Comment

  1. Christopher Soehnlein 21st February 2022 at 1:27 pm

    So this guide was late as I've been super busy with my day job and I focused on finishing Acute within 72 hours of its release. Lots of boxes – Acute, Pandora, Meta and (possibly) Hancliff guides on the horizon.
