HTB Writeups
  • HTB Writeups
  • Boxes: Very Easy
    • Academy
    • Archetype
    • Arctic
    • Base
    • Bike
    • Blue
    • Explosion
    • Included
    • Markup
    • Oopsie
    • Redeemer
    • Responder
    • Shield
    • Unified
    • Vaccine
  • Boxes: Easy
    • Analytics
    • Armageddon
    • Bashed
    • Beep
    • Blocky
    • Bounty Hunter
    • Buff
    • Cap
    • CozyHosting
    • Devel
    • Explore
    • Forest
    • Grandpa
    • Granny
    • Horizontall
    • Jerry
    • Keeper
    • Knife
    • Lame
    • Late
    • Legacy
    • Mirai
    • Netmon
    • Nibbles
    • Optimum
    • Paper
    • Photobomb
    • Precious
    • RedPanda
    • Return
    • Sau
    • ScriptKiddie
    • Sense
    • Servmon
    • Shocker
    • Shoppy
    • Squashed
    • Trick
  • Boxes: Medium
    • Poison
  • Challenges
    • Behind the Scenes
    • Canvas
    • Debugging Interface
    • Digital Cube
    • Easy Phish
    • Find the Easy Pass
    • Forest
    • Infiltration
    • misDIRection
    • Pusheen Loves Graphs
    • Retro
    • Signals
    • The Secret of a Queen
    • Wrong Spooky Season
  • Fortresses
  • Cyber Apocalypse 2023: The Cursed Mission
    • The Cursed Mission
    • Alien Cradle
    • Critical Flight
    • Debug
    • Extraterrestrial Persistence
    • Getting Started
    • Needle in the Haystack
    • Orbital
    • Packet Cyclone
    • Passman
    • Perfect Sync
    • Persistence
    • Plaintext Tleasure
    • Questionnaire
    • Reconfiguration
    • Relic Maps
    • Roten
    • Secret Code
    • Shattered Tablet
    • Small StEps
  • Hack the Boo 2023
    • Hauntmart
    • Spellbrewery
    • Trick or Treat
    • Valhalloween
  • Cyber Apocalypse 2024: Hacker Royale
    • Hacker Royale
    • An Unusual Sighting
    • BoxCutter
    • BunnyPass
    • Character
    • Data Siege
    • Delulu
    • Dynastic
    • Fake Boost
    • Flag Command
    • Game Invitation
    • It has begun
    • KORP Terminal
    • Labyrinth Linguist
    • LockTalk
    • Lucky Faucet
    • Makeshift
    • Maze
    • Packed Away
    • Phreaky
    • Primary Knowledge
    • Pursue the Tracks
    • Rids
    • Russian Roulette
    • Stop Drop and Roll
    • Testimonial
    • TimeKORP
    • Unbreakable
    • Urgent
  • CYBER APOCALYPSE 2025: Tales from Eldoria
    • Tales from Eldoria
    • A New Hire
    • Cave Expedition
    • Echoes in Stone
    • Eldorion
    • Embassy
    • EncryptedScroll
    • HeliosDEX
    • Quack Quack
    • Silent Trap
    • Stealth Invasion
    • Tales for the Brave
    • The Ancient Citadel
    • The Hillside Haven
    • The Stone That Whispers
    • Thorins Amulet
    • ToolPie
    • Traces
    • Trial by Fire
    • Whispers of the Moonbeam
Powered by GitBook
On this page
  • Enumeration
  • Hidden Content Exploit
  • Pillaging via Chatbot
  • Basic Privesc
  1. Boxes: Easy

Paper

Personal Rating: Easy

PreviousOptimumNextPhotobomb

Last updated 1 year ago

Enumeration

Running an nmap scan:

sudo nmap -A <IP>

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
<SNIP>

I found the subdomain office.paper in the header. Its a Wordpress site.

I started subdomain/vhost fuzzing with ffuf as well as a wpscan.

<SNIP>
WordPress version 5.2.3 identified
WordPress theme in use: construction-techup
<SNIP>
www.office.paper
chat.office.paper
alpblog.office.paper
www.paper
office.paper
alpblog.paper

I added the discovered subdomains to my hosts file

chat.office.paper/livechat was particularly interesting

Additionally, Wappalyzer detected Handlebars to be in use.

Hidden Content Exploit

The wordpress version was vulnerable, checking the wpscan output. If you append ‘?static=1’ to the url, you can view otherwise hidden content.

http://office.paper/?static=1

I registered an account

There was a group chat with interesting information

This bot could potentially give me the ssh key, but it did not work

Pillaging via Chatbot

Enumerating the folder of the webapp, a config file can be found that contains credentials

Using the creds recyclops:Queenofblad3s!23 I could log in with ssh with the user dwight. The password was reused and from the enumeration with the bot I knew that the user dwight exists on the system.

Basic Privesc

Running LinPEASS, Baron Samedits's sudo exploits are suggested, but the PoCs that I tried did not work. The host was also vulnerable to the well-known polkit exploit CVE-2021-3560, which could be exploited with this PoC

From the content revealed I got the url which is the secret registration url mentioned earlier

http://chat.office.paper/register/8qozr226AhkCHZdyY
Polkit 0.105-26 0.117-2 - Local Privilege EscalationExploit Database
Logo
recyclops file ../hubot/.env