Strik3r Blog
  • $ whoami
  • Security Research
    • CVEs POCs
      • CVE-2023-37831
      • CVE-2023-37832
      • CVE-2023-37833
      • CVE-2023-37835
      • CVE-2023-39695
      • CVE-2023-36082
      • CVE-2023-36081
      • CVE-2023-34673
      • CVE-2023-34672
      • CVE-2023-34671
      • CVE-2022-44354
      • CVE-2022-44355
      • CVE-2022-44356
      • CVE-2022-48164
      • CVE-2022-48165
      • CVE-2022-48166
      • CVE-2022-44357
    • How To Pass Your eJPT Exam
    • Hacking IoT Introduction
    • Hacking wireless by monitoring
    • The Art of Camouflage: Exploring Advanced PHP Backdoor Obfuscation Techniques
    • Beyond the Desktop: Exploiting a Leaked Token for API
  • Hack The Box
    • Paper
  • CyberTalents Challenges
    • Web Chanllenges
      • Private Agent
    • Intro to Cybersecurity Bootcamp CTF Assessment
  • Bug Bounty
    • Easy LFI
    • HTTP PUT Method Exploit
Powered by GitBook
On this page
  • Information Gathering
  • Backend-Server
  • Disclosed Secrets
  • Bot
  • Privilege Escalation

Was this helpful?

  1. Hack The Box

Paper

PreviousBeyond the Desktop: Exploiting a Leaked Token for APINextWeb Chanllenges

Last updated 2 years ago

Was this helpful?

Table Of Content

  • Information Gathering

  • Backend-server

  • Disclosed Secrets

  • Bot

  • Privilege Escalation

Information Gathering

Like always start with port scanning to figure out what is the services on target machine

nmap -sC -sV -A 10.10.11.143

We got 3 open ports ( 22, 80, 443 )

Try to visit http://10.10.11.143 i found HTTP Server Test Page running on Apache 2.4.37

So, the First thing that came to my mind was to enumerate any sensitive directories and files

  1. open burpsuit and see anything interesting ( and it was indeed )

Backend-Server

The target website returns X-Backend-Server Include potential internal / hide IP Header of address or hostname. By exposing these values, An attacker may bypass the security agent and access the host directly

  • Add office.paper to /etc/hosts

10.10.11.143 office.paper

Disclosed Secrets

  • So we can use http://office.paper/?static=1

test

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,

Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.

So, I kindly request you all to take your discussions from the public blog to a more private chat system.

-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!

Found a secret registration page on http://chat.office.paper/register/8qozr226AhkCHZdyY

So now navigate on this website but remember to add it in /etc/hosts

Bot

Complete this registration form and login

After a little bit of time, a pop-up will appear with a chat general. Now we can see that this bot use his own command like this:

Hello. I am Recyclops. A bot assigned by Dwight. I will have my revenge on earthlings, but before that, I have to help my Cool friend Dwight to respond to the annoying questions asked by his co-workers, so that he may use his valuable time to... well, not interact with his co-workers.
Most frequently asked questions include:
- What time is it?
- What new files are in your sales directory?
- Why did the salesman crossed the road?
- What's the content of file x in your sales directory? etc.
Please note that I am a beta version and I still have some bugs to be fixed.
How to use me ? :
1. Small Talk:
You can ask me how dwight's weekend was, or did he watched the game last night etc.
eg: 'recyclops how was your weekend?' or 'recyclops did you watched the game last night?' or 'recyclops what kind of bear is the best?
2. Joke:
You can ask me Why the salesman crossed the road.
eg: 'recyclops why did the salesman crossed the road?'
<=====The following two features are for those boneheads, who still don't know how to use scp. I'm Looking at you Kevin.=====>
For security reasons, the access is limited to the Sales folder.
3. Files:
eg: 'recyclops get me the file test.txt', or 'recyclops could you send me the file src/test.php' or just 'recyclops file test.txt'
4. List:
You can ask me to list the files
5. Time:
You can ask me to what the time is
eg: 'recyclops what time is it?' or just 'recyclops time'

we can’t talk in this chat because is “read only” so, let’s communicate with the bot privately and try to use this command.

recyclops file ../../../../../etc/passwd

After that we can enumerate the user and we will find the correct password:

recyclops file ../hubot/.env

export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=<REDACTED>
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1

$ ssh REDACTED@10.10.11.143

[<REDACTED>@paper ~]$ cat user.txt 
FLAG HERE :)

Privilege Escalation

  • Upload py Script and run

And .. Boom we are Root




Thanks for reading

run dirb on

visit http://office.paper and notice that was detected that it runs WordPress CMS version5.2.3

Search for exploit and found

Now we can login in ssh!! with this password! and Get User Flag

Now, we need to scan machine and try to get root access. I use to do internal scan

Found that the machine is vulnerable to -Polkit-Privilege-Esclation. It allows non privileged users to use DBus Call privileged methods.

CVE-2021-3560 POC:

🎉
😄
http://10.10.11.143/
Wappalyzer
CVE-2019-17671:Wordpress Unauthorized access vulnerability recurrence
LinPEAS
CVE-2021-3560
https://github.com/Almorabea/Polkit-exploit