Paper is an Easy Linux box from HTB created by secnigma. The box features an outdated WordPress environment susceptible to unauthenticated reading of draft posts, which reveals a hidden sub-domain running Rocket.Chat with a bot attached. The bot can be abused for path traversal, which leads to credentials. Finally, once on the box we use LinPEAS for enumeration and a variation of CVE-2021-3560 (a polkit privilege escalation) made by the author for root.
I began this box by running a quick RustScan on the IP to grab open ports and sent the output to xsltproc to convert it to HTML for easier reading:
Reviewing the open ports I can see both 80/443 are open. Navigating to the site I see the default HTTP SERVER test page. I try running directory and sub-domain scans but don’t get a hit. Next I run nikto, which gets a hit:
I add the new sub-domain office.paper to my hosts file and browse to the site. The site is running WordPress so I kick off a wpscan and continue to navigate while it runs. In the comments section I can see someone mentioning ‘removing of drafts ASAP’.
WordPress comments talking about drafts not being safe.
Running a WordPress environment myself I could tell this was in reference to an unauthenticated vulnerability allowing someone to view private/draft posts without logging in. I review the wpscan results, which confirm the WordPress version:
More information regarding the vulnerability can be found here: CVE-2019-17671
After navigating over to the draft post I can see a new subdomain, chat. I navigate over to the chat service after adding it to my hosts file and register for the chat.
Rocket.chat registration process on the chat.office.paper sub-domain.
Clicking the globe icon shows the General channel which mentions a bot:
Rocket.chat #general talking about a bot and its ability to grab files.
I speak to the bot and use the list ../ command to view files outside the sales directory. Eventually I find credentials in the hubot directory:
I use those credentials to SSH onto the box and check whether it is vulnerable to CVE-2021-3560, as I had noticed earlier that the box was running CentOS:
After a short Google search, seeing that the author's GitHub has a proof-of-concept script, I knew I was heading in the right direction: