Paper

Personal Rating: Easy

Enumeration

Running an nmap scan:

sudo nmap -A <IP>

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
<SNIP>

I found the subdomain office.paper in the header. Its a Wordpress site.

I started subdomain/vhost fuzzing with ffuf as well as a wpscan.

<SNIP>
WordPress version 5.2.3 identified
WordPress theme in use: construction-techup
<SNIP>
www.office.paper
chat.office.paper
alpblog.office.paper
www.paper
office.paper
alpblog.paper

I added the discovered subdomains to my hosts file

chat.office.paper/livechat was particularly interesting

Additionally, Wappalyzer detected Handlebars to be in use.

Hidden Content Exploit

The wordpress version was vulnerable, checking the wpscan output. If you append ‘?static=1’ to the url, you can view otherwise hidden content.

http://office.paper/?static=1

From the content revealed I got the url http://chat.office.paper/register/8qozr226AhkCHZdyY which is the secret registration url mentioned earlier

I registered an account

There was a group chat with interesting information

This bot could potentially give me the ssh key, but it did not work

Pillaging via Chatbot

Enumerating the folder of the webapp, a config file can be found that contains credentials

recyclops file ../hubot/.env

Using the creds recyclops:Queenofblad3s!23 I could log in with ssh with the user dwight. The password was reused and from the enumeration with the bot I knew that the user dwight exists on the system.

Basic Privesc

Running LinPEASS, Baron Samedits's sudo exploits are suggested, but the PoCs that I tried did not work. The host was also vulnerable to the well-known polkit exploit CVE-2021-3560, which could be exploited with this PoC

LogoPolkit 0.105-26 0.117-2 - Local Privilege EscalationExploit Database
PreviousOptimumNextPhotobomb

Last updated