HTB-Paper
Linux-based box with difficulty level easy.
Box overview
This box is based on two CVEs, i.e. CVE-2019-16671 & CVE-2021-3560. CVE-2019-16671 could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query; this will be our holy grail to gain the initial foothold on the target machine, while CVE-2021-3560 will help us escalate privileges and become root. This box requires an extreme level of enumeration, an idea about recent vulnerabilities and enough patience to stick with the box. Without any further ado, let's dive into the technicalities.
Enumeration
Initiating an nmap scan to find the open ports and running services, i.e. nmap -sC -sV -p- --min-rate 500 10.10.11.143 -oA full-scan
Command explanation:
nmap: to initiate the command
-sC: to run the default nmap scripts
-sV: to get the service version details
-p-: to scan all ports
--min-rate: to define the minimum number of packets per second
500: the packet rate
10.10.11.143: IP address of the target machine
-oA: to write output in all formats, i.e. nmap, gnmap, xml
full-scan: base name of the output files
Output of above command:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Short notes derived from the above result:
22/tcp:
Port is open and running OpenSSH 8.0.
This version of OpenSSH is not associated with any major vulnerability that could give us remote code execution or at least an initial foothold.
80/tcp:
Port is open and running Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9).
This version of Apache is vulnerable to CVE-2019-0215, a bug in mod_ssl: when using per-location client certificate verification with TLSv1.3, a client supporting Post-Handshake Authentication could bypass configured access control restrictions. Since this may or may not provide RCE, we will keep it as our last resort.
443/tcp:
Port is open and running the same service as on port 80.
Some other things to note: the target machine is running CentOS and the HTTP TRACE method is enabled.
We didn't get any juicy information from the above scan. Let's check what is happening on port 80 and port 443.
Port 80 and port 443 show the same result as above. As mentioned earlier, this box requires a lot of enumeration. Let's try directory brute forcing and see if it works.
For that we will be using gobuster, i.e. gobuster dir --url http://10.10.11.143/ -w /usr/share/wordlists/dirb/common.txt -t 100
Command explanation:
gobuster: to initiate the command
dir: to specify the directory or file enumeration
--url: to specify the url
-w: to specify the wordlist
-t: to specify the number of concurrent threads
Output of above command:
/.hta (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/manual (Status: 301) [Size: 235] [--> http://10.10.11.143/manual/]
On visiting the above directories, we didn't get anything to proceed with. Let's try a command-line tool to find something usable, using curl to request the same page, i.e. curl --head http://10.10.11.143/
Output of above command:
HTTP/1.1 403 Forbidden
Date: Tue, 22 Mar 2022 10:44:24 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
We got something interesting: X-Backend-Server: office.paper. This is not a common header and looks fishy; it might also be a virtual host name.
Add this virtual host to the /etc/hosts file.
Now visit http://office.paper/ and here we go, it looks like a functional website.
After exploring this website, found three users i.e. prisonmike, nick, jan. These might be users of some login page, so noting them down for future reference. After some more browsing around, found a WordPress login page.
Tried the aforementioned users to check whether they are valid; prisonmike is the only valid user. Also tried password brute forcing, but it took too long and had no luck :(
Since this is a WordPress site, we can also use wpscan to enumerate vulnerable themes or plugins:
wpscan --url http://office.paper/ -v -t 10 -e vp,vt --api-token xxxxxxxxxxxxxxxxxxxxxxxxxx --random-user-agent --force -o wpscan_report
Command explanation:
wpscan: to initiate the command
--url: to define the url
-v: to enable verbose mode
-t: to specify the maximum number of threads
-e: to define what to enumerate (vp: vulnerable plugins, vt: vulnerable themes)
--api-token: to specify the api-token
--random-user-agent: to use random user agent
--force: do not check whether the target is running WordPress
-o: to specify the output file name
wpscan_report: output file name
From the output of the above command, found that WordPress 5.2.3 is affected by multiple vulnerabilities. Taking the important part of the scan to proceed with. Find the full scan report here.
Finally, we found a reliable vulnerability to proceed with: CVE-2019-16671, which could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query. Since our target is vulnerable to it, we will now go ahead with exploitation.
Exploitation
After some research, found an exploit on Exploit-DB which states that adding ?static=1 to a WordPress URL should leak its secret content. Now we need to visit http://office.paper/?static=1 to see if it works…
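As an added detection example (not from the write-up), here is a Python script that scans Apache combined-format access log lines for the ?static=1 probe described above and for repeated POSTs to wp-login.php, the password brute forcing attempted earlier. The log lines are constructed samples, not traffic from the box.

```python
import re
from collections import Counter

# Apache combined-format lines; constructed sample data, not traffic from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [22/Mar/2022:10:50:01 +0000] "GET /?static=1 HTTP/1.1" 200 6123 "-" "Mozilla/5.0"
10.10.14.5 - - [22/Mar/2022:10:50:02 +0000] "GET /?p=3 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.10.14.9 - - [22/Mar/2022:10:51:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.27"
10.10.14.9 - - [22/Mar/2022:10:51:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.27"
10.10.14.9 - - [22/Mar/2022:10:51:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.27"
10.10.14.9 - - [22/Mar/2022:10:51:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.27"
10.10.14.7 - - [22/Mar/2022:10:52:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(target):
    """Split '/path?a=1&b=2' into {'a': '1', 'b': '2'}; no query string gives {}."""
    _, _, query = target.partition("?")
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)

def find_static_probes(log_text):
    """(ip, target, status) for every request carrying static=1, the private-post probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and query_params(rec["target"]).get("static") == "1":
            hits.append((rec["ip"], rec["target"], int(rec["status"])))
    return hits

def find_login_bruteforce(log_text, threshold=3):
    """IPs that POSTed to wp-login.php more than `threshold` times."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["target"].startswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)

if __name__ == "__main__":
    print(find_static_probes(SAMPLE_LOG))      # [('10.10.14.5', '/?static=1', 200)]
    print(find_login_bruteforce(SAMPLE_LOG))   # ['10.10.14.9']
```

The POST threshold is illustrative; tune it to the site's normal login traffic.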
Here we found a chat registration link. Before visiting that link, notice there is another virtual host i.e. chat.office.paper. We need to add this to our /etc/hosts file as well.
Now visit the registration link…
Register on the above portal with the following credentials:
NOTE: These are not fixed credentials and you can register with any other information too.
username: kalki
email: kalki@office.paper
passwd: kalki@123
Once logged in, we find ourselves part of the general group and find something interesting.
After reading the chat, found that dwight is the admin and he made a bot named recyclops to answer his co-workers. We can DM recyclops with any query, but communication with recyclops only works in a certain pattern. Let's send hey to recyclops.
It asks us to send help to see its true power. Tried sending help and received a long string explaining how to interact with recyclops. That reply can be found here. In short, it is a manual of commands that can be used in the recyclops DM. Let's try some of those…
We found user.txt, a directory hubot, and other files too. Tried accessing the user.txt file…
Not able to read user.txt, but we can explore more files and directories.
In the hubot directory, found a .env file. It contains some juicy information.
Here we got the password for ROCKETCHAT_USER recyclops. Since this bot was created by the admin dwight, these might be his credentials. We can try to SSH into the target machine using these credentials.
We logged in as user dwight. Now we can move around a bit to get the user.txt flag.
Now let's move ahead to get the root flag. For privilege escalation, we will be transferring the linPEAS script from our local machine to the target (or victim) machine.
Now give it executable permission and run it.
Since the linPEAS script provides lots of information, only the important part is pasted here.
From the above report, the target is vulnerable to CVE-2021-3560. While researching this vulnerability, I came across this article. The vulnerability means that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw can be used by a local attacker to create a new local administrator user.
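As an added defender-side check (not part of the write-up or of the exploit it uses), the following Python script parses pkaction --version output against the upstream affected range of CVE-2021-3560 and diffs baseline and follow-up copies of /etc/passwd and /etc/group to spot the new administrator account the flaw is used to create. The snapshots, UIDs and the newadmin name are constructed samples.

```python
import re

# CVE-2021-3560 was introduced in polkit 0.113 and fixed in 0.119, so the
# upstream affected range is 0.113 <= version < 0.119.
AFFECTED_MIN = (0, 113)
FIXED_IN = (0, 119)

def parse_pkaction_version(output):
    """Parse the output of `pkaction --version` (e.g. 'pkaction version 0.115')."""
    m = re.search(r"version\s+(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("unrecognised pkaction output: %r" % output)
    return int(m.group(1)), int(m.group(2))

def polkit_upstream_affected(output):
    """True when the reported upstream version lies in the vulnerable range.
    Caveat: distributions backport fixes without bumping this number, so on
    CentOS/RHEL also check `rpm -q --changelog polkit` for the CVE id."""
    return AFFECTED_MIN <= parse_pkaction_version(output) < FIXED_IN

def admin_members(group_text, admin_groups=("wheel", "sudo")):
    """Collect members of admin groups from /etc/group-formatted text."""
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in admin_groups and fields[3]:
            members.update(fields[3].split(","))
    return members

def usernames(passwd_text):
    """All account names in /etc/passwd-formatted text."""
    return {line.split(":")[0] for line in passwd_text.splitlines() if ":" in line}

def new_admin_accounts(before_passwd, before_group, after_passwd, after_group):
    """Users that appeared since the baseline AND sit in an admin group,
    which is the end state the privilege escalation leaves behind."""
    appeared = usernames(after_passwd) - usernames(before_passwd)
    return sorted(appeared & admin_members(after_group))

# Constructed baseline and follow-up snapshots (not taken from the box).
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\ndwight:x:1004:1004::/home/dwight:/bin/bash\n"
GROUP_BEFORE = "wheel:x:10:\ndwight:x:1004:\n"
PASSWD_AFTER = PASSWD_BEFORE + "newadmin:x:1005:1005::/home/newadmin:/bin/bash\n"
GROUP_AFTER = "wheel:x:10:newadmin\ndwight:x:1004:\nnewadmin:x:1005:\n"

if __name__ == "__main__":
    print(polkit_upstream_affected("pkaction version 0.115"))  # True
    print(new_admin_accounts(PASSWD_BEFORE, GROUP_BEFORE, PASSWD_AFTER, GROUP_AFTER))  # ['newadmin']
```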
Now we have two methods of exploitation, i.e. manual and automatic. Since this is a timing-based attack it will require multiple attempts to add the new user, but via the automatic method we can get it done in fewer attempts. Found an existing exploit for the same. Now we need to transfer the exploit code to our target machine.
Give it executable permission and run it. It may not succeed on the first try; in that case, run it multiple times.
But before running it, have a look at its help menu.
If we do not pass any username & password, its default credentials are secnigma:secnigmaftw
Let's try to execute it…
Username & password are successfully inserted. Now try to log in…
When I tried it, it showed Authentication failure multiple times. After making several attempts, finally got the root shell…
Got the root flag :)