Paper
Enumeration
Nmap
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.143 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.143.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
We have an Apache web server running on ports 80 and 443 in addition to SSH on port 22. Browsing to the website shows "HTTP Server Test Page powered by CentOS".
Apache
Directory brute-forcing doesn't turn up anything: gobuster dir -u http://10.10.11.143 -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt. I also couldn't find any known vulnerabilities for the Apache/OpenSSL/PHP versions in use (x-powered-by header: PHP/7.2.24).
Running nikto with nikto -h http://10.10.11.143 finds "Uncommon header 'x-backend-server' found, with contents: office.paper". So, let's add that hostname to the /etc/hosts file: echo "10.10.11.143 office.paper" | sudo tee -a /etc/hosts.
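The foothold here starts with headers the server volunteers: a versioned Server banner, X-Powered-By, and the custom x-backend-server header that leaks the internal hostname. The following is an added example (not from this writeup, and not nikto's code) that inspects a response header map and reports such disclosures; the header values are constructed to mirror the scan results above, and the "hardened" map is what the same response would look like with the leaks removed.

```javascript
// Added example: flag HTTP response headers that disclose backend details.
// Header names and sample values below are constructed from the scan output.

// Headers whose presence alone discloses something about the backend stack.
const DISCLOSING_HEADERS = new Set([
  'x-powered-by', 'x-backend-server', 'x-aspnet-version', 'x-generator',
]);

// Matches "Product/1.2.3" tokens, i.e. a component with an explicit version.
const VERSION_TOKEN = /\b[A-Za-z_-]+\/\d+(?:\.\d+)+/g;

/**
 * Inspect a header map (names are case-insensitive) and return an array of
 * findings of the form { header, value, reason }.
 */
function findLeakyHeaders(headers) {
  const findings = [];
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (DISCLOSING_HEADERS.has(name)) {
      findings.push({ header: name, value, reason: 'non-standard header discloses backend details' });
      continue;
    }
    // Server/Via are expected, but they should not carry version numbers.
    const versions = value.match(VERSION_TOKEN);
    if ((name === 'server' || name === 'via') && versions) {
      findings.push({ header: name, value, reason: `version strings exposed: ${versions.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample mirroring what nmap and nikto reported for 10.10.11.143.
const SAMPLE_HEADERS = {
  'Server': 'Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9',
  'X-Powered-By': 'PHP/7.2.24',
  'X-Backend-Server': 'office.paper',
  'Content-Type': 'text/html; charset=UTF-8',
};

// Constructed counterpart: the same response after the disclosures are removed.
const HARDENED_HEADERS = {
  'Server': 'Apache',
  'Content-Type': 'text/html; charset=UTF-8',
};

for (const f of findLeakyHeaders(SAMPLE_HEADERS)) {
  console.log(`${f.header}: ${f.value} -> ${f.reason}`);
}
console.log(`hardened findings: ${findLeakyHeaders(HARDENED_HEADERS).length}`);
```

On the Apache side the matching fixes are ServerTokens Prod (banner without versions), expose_php = Off in php.ini (drops X-Powered-By), and Header unset X-Backend-Server via mod_headers so an internal hostname never reaches the client.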
Wordpress
office.paper is a WordPress instance. Browsing around, we find the page http://office.paper/index.php/2021/06/19/feeling-alone/ with a comment saying "Michael, you should remove the secret content from your drafts ASAP, as they are not that secure as you think! -Nick," which indicates that there is information in draft posts for us to find.
Let's run wpscan: wpscan --url http://office.paper.
Based on the comment we found, it looks like "WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts" is going to be the exploit we want to use. Navigating to the wpscan.com link, we see a proof of concept, http://wordpress.local/?static=1&order=asc. However, this didn't work. Exploring another linked page that goes into more detail, we see that just using http://wordpress.local/?static=1 should work. Navigating to http://office.paper/?static=1 we see the below post:
We have discovered a new subdomain. Let's add it to /etc/hosts: echo "10.10.11.143 chat.office.paper" | sudo tee -a /etc/hosts.
Rocket.chat
Navigating to http://chat.office.paper reveals a rocket.chat instance. Going to the "Secret Registration URL", http://chat.office.paper/register/8qozr226AhkCHZdyY, shows a registration page. After signing up we see the rocket.chat interface. We can click the globe icon in the top left to see a directory of channels we can join. The general channel has messages about how a bot, "recyclops," was recently added. We can direct message the bot to interact with it. Running the recyclops help command lists the available commands.
Foothold
Interacting with the recyclops bot turns up some useful information:
Lateral Movement
As you can see, running recyclops file ../hubot/.env gives us the password Queenofblad3s!23. Using that password to SSH into the box as the user dwight (since that name has been mentioned a lot and it is the user whose files we have been browsing) works. We can now cat user.txt and get the user flag.
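The bot's file command hands back ../hubot/.env because it joins the user-supplied name onto its base directory without confining the result. The following is an added example, not hubot's code and not part of the writeup, of the resolver such a command should use: it normalizes the path lexically and refuses anything that lands outside the intended root. The root directory, file names and sample requests are constructed for illustration.

```javascript
// Added example: confine a chat bot's "file <name>" command to one directory.
// FILES_ROOT and the sample requests are hypothetical; the traversal string is
// the one from the writeup.

const FILES_ROOT = '/home/dwight/sales';   // hypothetical directory the bot may serve

// Lexically normalize a POSIX path: drop empty and "." segments, let ".."
// pop the previous segment, and never climb above "/".
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

/**
 * Resolve `requested` relative to `root`. Returns the absolute path when it
 * stays inside the root, or null when it would escape (or is malformed).
 */
function resolveWithinRoot(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const base = normalizePosix(root);
  const target = normalizePosix(base + '/' + requested);
  // Compare with a trailing slash so a sibling such as /home/dwight/sales-old
  // is not mistaken for a child of /home/dwight/sales.
  if (target !== base && !target.startsWith(base + '/')) return null;
  return target;
}

/**
 * Audit helper for the bot's logs: given the file names users asked for,
 * return the ones that were (or would have been) denied, for alerting.
 */
function deniedRequests(root, requests) {
  return requests.filter((r) => resolveWithinRoot(root, r) === null);
}

// Constructed sample of what users might type after "recyclops file".
const SAMPLE_REQUESTS = [
  'sale_2_report.txt',
  'reports/../q1.txt',
  '../hubot/.env',
  '../../../etc/passwd',
];

for (const r of SAMPLE_REQUESTS) {
  const resolved = resolveWithinRoot(FILES_ROOT, r);
  console.log(`${r} -> ${resolved === null ? 'DENIED' : resolved}`);
}
```

Rejecting on the resolved path rather than on the raw string is the point: a check like "does the input contain ..?" would also reject the harmless reports/../q1.txt, while the resolver above allows it and still stops ../hubot/.env, whose normalized form is /home/dwight/hubot/.env and therefore outside the root.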
Privilege Escalation
Connect with calebstewart/pwncat using pwncat-cs dwight@10.10.11.143. Pwncat's built-in escalation techniques (escalate list -u root) do not work. Upload LinPEAS to the box with upload linpeas.sh, then run it with bash linpeas.sh.
LinPEAS immediately tells us that the installed version of sudo is vulnerable to CVE-2021-3560.
I initially read CVE-2021-3560 as CVE-2021-4034, which are both polkit local privilege escalation vulnerabilities. CVE-2021-4034 is a very recent exploit (disclosed to the public on January 25th, 2022) and I thought it unlikely to be the intended solution because it is so new. Downloading berdav/CVE-2021-4034 as a ZIP file, copying the file over, unzipping it, running make in the directory, and then executing ./cve-2021-4034 doesn't work:
If we run ls -la /usr/bin/pkexec we can see that the permissions are -rwxr-xr-x, not -rwsr-xr-x (the setuid bit is not set).
The older polkit local privilege escalation exploit, CVE-2021-3560 (official blog post by the person who discovered the vulnerability), is the one that LinPEAS recommended, and it does work.
Searching GitHub for this CVE finds several repositories, but after trying a few, secnigma/CVE-2021-3560-Polkit-Privilege-Esclation seems to work the best at the time of writing. Download the script, upload it to the target machine, and then run it like so: ./poc.sh -u=john -p=john. Then, run su - john to switch to the new user and execute sudo bash to get a root shell. I was able to get this root shell after running the script for the third time.
Finally, cat /root/root.txt to get the root flag.