In this post, I would like to share a walkthrough of the Paper machine from Hack The Box.
This room is rated as an Easy machine on Hack The Box.
What will you gain from the Paper machine?
For the user flag, you will need to use a WordPress exploit, through which I found a link to register on the chat system. After that, we should be able to obtain credentials that we can use for the SSH service.
As for the root flag, you need to abuse the latest “polkit” vulnerability so that we can obtain a root shell.
Information Gathering on Paper Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
The interface shows us an HTTP Server Test Page.
As a result, let’s further our enumeration by running the gobuster tool.
Nothing that we can take advantage of.
Therefore, let’s run the nikto command to get a better understanding of the website.
We have found an uncommon header, “office.paper”.
Let’s add that domain to our /etc/hosts file.
Finally, we got a different web interface than before. At a glance, it looks like WordPress.
Let’s try to access a common WordPress directory to confirm that it really is the WordPress CMS running behind it.
A WordPress login page appears before our eyes.
As a result, let’s enumerate further with the wpscan tool.
Sadly, there’s nothing that we can use from the result.
To be frankly honest, I’m stuck at this point, but let’s try to enumerate the vhosts of the machine.
We got a hit on the vhost of the machine
Let’s enumerate further on rocket.chat.
Finally, we got a new website interface that we can investigate. However, we don’t have any credentials for accessing the chat channel.
As I remember, there was a piece of information about the WordPress version. Therefore, let’s do some research on exploits for that WordPress version.
At last, we managed to find a vulnerability for that version, which leads to Unauthenticated View Private/Draft Posts on WordPress.
From the website we found, let’s test the proof of concept on the office.paper web interface.
Finally, we found a WordPress draft post which also highlights the secret registration URL of the new employee chat system. Let’s copy the link and paste it into the browser’s URL bar.
We got an interface that requires us to register a new account. The details can be anything at all.
We can use any username that we want.
Looking into chat system Dashboard
Boom! We are inside the chat system Dashboard.
There are a lot of conversations in the general chat channel, so let’s read all of them.
From the screenshot above, we can assume that DwightKSchrute is the admin.
We are also aware that DwightKSchrute created a bot to help lessen his burden here.
Oh wow! We can send a direct message to recyclops (the bot created by Dwight).
Let’s enter the magic words “recyclops help”, and the bot gives us some information on how to use it.
It gives an example of the command to use for listing files.
Moving forward, we notice that there’s a sale/../../hubot directory.
There’s a .env file that might contain some valuable information.
Sadly, we cannot use the “list” command to read the file.
However, we can use the “file” command to read the content of the .env file.
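From the defender’s side, the bug behind the bot’s “file” and “list” commands is a missing path-confinement check: a request such as sale/../../hubot/.env walks out of the directory the bot was meant to serve. The Python below is an added example of how such a chat bot could confine file access to its allowed directory; it is not the recyclops bot’s own code, and the “sale” directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the real path for `requested` only if it stays inside base_dir.

    Absolute requests are refused, and both sides go through realpath so
    '..' components and symlinks cannot walk out of the allowed directory.
    Raises ValueError on any escape attempt (e.g. 'sale/../../hubot/.env').
    """
    if os.path.isabs(requested):
        raise ValueError(f"absolute path refused: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is component-aware: '/srv/sale' vs '/srv/sale2' do not match.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir!r}: {requested!r}")
    return candidate


def safe_read(base_dir: str, requested: str) -> str:
    """Serve a file to the chat user only if it lives under base_dir."""
    with open(resolve_within(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def attempt(base_dir: str, requested: str) -> str:
    """Classify a request as 'ALLOWED' or 'BLOCKED' (handy for audit logs)."""
    try:
        resolve_within(base_dir, requested)
        return "ALLOWED"
    except ValueError:
        return "BLOCKED"


def build_sandbox() -> str:
    """Constructed sample layout: <root>/sale is the bot's allowed directory,
    <root>/hubot/.env is a secret next to it that must never be served.
    Returns the path of the allowed 'sale' directory."""
    root = tempfile.mkdtemp(prefix="recyclops-demo-")
    os.makedirs(os.path.join(root, "sale"))
    os.makedirs(os.path.join(root, "hubot"))
    with open(os.path.join(root, "sale", "portfolio.txt"), "w") as fh:
        fh.write("Q1 sales figures (constructed sample)\n")
    with open(os.path.join(root, "hubot", ".env"), "w") as fh:
        fh.write("PASSWORD=constructed-placeholder\n")
    return os.path.join(root, "sale")


if __name__ == "__main__":
    sale = build_sandbox()
    for req in ["portfolio.txt", "sale/../../hubot/.env", "/etc/passwd"]:
        print(f"{req!r:28} -> {attempt(sale, req)}")
```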
Wow! We have sighted a password which we can use for the SSH session.
Voila! We have successfully accessed the machine via the SSH service.
We can read the user flag by running the command “cat user.txt”.
Escalate to Root Privileges Access
Let’s enumerate the machine by transferring linpeas.sh to it and running it.
I notice that there’s a polkit service running.
Let’s verify that polkit is running on the machine by looking in the /usr/lib directory.
Let’s do some research on the polkit vulnerability.
For a better understanding of the bash script, let’s read the content of the file.
From my understanding, I notice that the script will create a new user and password.
Note: change the user “secnigma” to any username that you want. In my case, I use “hacked” and “password”.
Therefore, let’s execute the poc.sh file using the command “bash poc.sh”.
Oh, wait! The script needs to be run a few times; in my case, I ran it twice.
My bad! I had made a mistake in the command; after fixing it, we are now running as root.
We can read the root flag by executing the command “cat root.txt”.
-THE END-
Happy Learning Guys!
Extra Information on Paper machine
We can read /etc/shadow so that we can unlock and read the official write-up.