In this post, I would like to share a walkthrough of the Paper Machine from Hack the Box

This room will be considered as an Easy machine on Hack The box

What will you gain from Paper machine?

For the user flag, you will need to use an exploit from WordPress which I found a link to register the chat system. After that, we should be able to obtain credentials that we can use for ssh service.

As for the root flag, you need to abuse the latest vulnerability “polkit” so that we can obtain a root shell.

Information Gathering on Paper Machine

Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

The interface shows us a page related to HTTP Server Test Page

As a result, let’s further our enumeration method by running gobuster tool

Nothing that we can take advantage of.

Therefore, let’s run nikto command to get a better understanding of the website.

We have found an uncommon header “office.paper

Let’s slam that domain into our /etc/hosts

Finally, we got other web interfaces than before. However, it does look such as WordPress from a glance.

Let’s try to access a common WordPress Directory to prove that it’s really WordPress CMS running behind.

A WordPress Login page has been appearing before our eyes.

As a result, let’s enumerate more with wpscan tool

Sadly, there’s nothing that we can use from the result.

To be frankly honest, I’m stuck until this point but let’s try to enumerate the vhost of the machine

We got a hit on the vhost of the machine

Enumerate further on

Finally, we got a new website interface that we can investigate. However, we don’t have any credentials to use for accessing the chat channel.

As I remember back, there’s a piece of information about the WordPress version. Therefore, let’s do some research on the exploit for the WordPress version.


At last, we managed to find a vulnerability for the version which it leads to Unauthenticated View Private/Draft Posts on the WordPress

From the website we found, let’s test the Proof of Concept on office.paper website interface.

Finally, we found a draft post of WordPress which also highlighted the Secret Registration URL of the New Employee chat system. Let’s copy the link and paste it into the URL browser.

We got an interface that requires us to register a new account. The details can be anything at all.

We can use any username that we wanted.

Looking into chat system Dashboard

Boom! We are inside the chat system Dashboard.

There is a lot of conversations on the chat general channel so let’s read all those.

From the screenshot above, we are aware that DwightKschrute can be assumed as Admin

We are also aware that DwightKSchrute creates a bot to help lessen his burden over here.

Oh wow! We can send a Direct Message to recyclops (bots that have been created by Dwight)

Let’s enter the magic word “recyclops help” and the bot give us some information on how to use the bot.

There is given an example of the command to use for a list.

Moving fast forward, we notice that there’s a sale/../../hubot directory

There’s a .env file that might contain some valuable information

Sadly, we cannot use the command “list” to read the file

However, we can use the command “file” to read the content of the .env file.

Wow! We have sighted the password which we can use for the ssh session.

Voila! We have successfully accessed the machine via ssh service.

We can read the user flag by running the command “cat user.txt

Escalate to Root Privileges Access

Let’s enumerate the directory using into our machine

I notice that there’s a polikit service is running

Let’s verify that polkit is running on the machine by going to /usr/lib directory

Let’s do some research on polkit vulnerability

For a better understanding of the bash file, let’s read the content of the file

From my understanding, i notice that the script will create a new user and password.

Disclaimer: change the owner user “secnigma” to any user that you wanted. In my case, I use “hacked” and “password”

Therefore, let’s execute the file using the command “bash

Oh, wait! The script needs to run a few times which in my case, i did run it two-time

My bad! There’s my mistake of the command which now we are accessing as root

We can read the root flag by executing the command “cat root.txt


Happy Learning Guys!

Extra Information on Paper machine

We can go to /etc/shadow so that we can unlock and read the write-up

Leave a Reply

Your email address will not be published. Required fields are marked *