Overview

Welcome to Paper machine from Hack The Box!

Spoilers: In this machine, we will conduct some reconnaissance on a default CentOS HTTP test page to reveal a hidden Wordpress blog behind a subdomain. A vulnerability in that Wordpress version allowed us to see the site's draft posts, which led us to a hidden Rocket Chat app. After registering and entering the Rocket Chat session, we found a bot which ultimately gave us a glimpse of the credentials in the machine's environment variables. Using those credentials, we got into SSH, eventually found a Polkit vulnerability and escalated to root.

I. Initial Reconnaissance

1. Port scan

tl;dr: Nothing out of the ordinary
As usual, we start with a port scan:

# Nmap 7.92 scan initiated Wed Jun 15 04:58:52 2022 as: nmap -p- -sC -sV -oN nmap.txt 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.16s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 15 04:59:20 2022 -- 1 IP address (1 host up) scanned in 27.89 seconds

Nothing seemed out of place. There’s a web service on port 80, and port 443 was just its HTTPS version, nothing different. Port 22 was running the most up-to-date version of OpenSSH. Overall, it seemed our only attack vector lay in that web application.

2. Examining the web page

tl;dr: Found a subdomain
Upon opening it in a web browser, we’re greeted with something like this:

Screenshot: Default CentOS HTTP test page

A completely unmodified, invulnerable CentOS HTTP test page, which raised the question of whether its source code was hiding anything abnormal. While looking for anything unusual, I came across an unexpected clue.

Screenshot: A Burp Suite request to the root web path

This was a request intercepted by Burp Suite. Taking a closer look, we found that the X-Backend-Server header in the response contained something quite novel: an internal hostname, office.paper, and definitely a new attack vector. Weirdly enough, there should have been a hint to this subdomain somewhere in Nmap’s scan result, but in reality it was nowhere to be found - why?

Anyway, first off, this subdomain needs to be added to our /etc/hosts file. The file should now look somewhat like this:

127.0.0.1	localhost
127.0.1.1	kali
10.10.11.143	office.paper

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

3. Checking the subdomain page

tl;dr: A vulnerable version of Wordpress led to another subdomain
Opening it in a web browser, we found what looked like a typical Wordpress site:

Screenshot: office.paper in a web browser

This suspicion was confirmed by this line at the very bottom:

Screenshot: "Powered by Wordpress" confirmation in the footer

This subdomain seemed to house a Wordpress blog. We can see a fictional, tragic character development here:

Screenshot: A sad character development in the blog posts

That’s a bonus point for this machine’s realism. Looking around the posts, we found a rather valuable comment:

Screenshot: A comment mentioning secret content in draft posts

As a secret that may be useful was hidden in draft posts, our only reasonable next step was to attack this web page.

A quick wpscan revealed a neat vulnerability.

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

This outdated version of Wordpress contained a vulnerability that would be of use, whose details can be found here: https://vulners.com/zdt/1337DAY-ID-33546.

In short, it offered exactly what we needed - an unauthenticated view of draft posts. Appending ?static=1 to the URL was all it took to list every hidden post.
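Two defender-side checks for exactly this exposure, as an added example that is not part of the original write-up: one reads the version the site advertises in its RSS generator tag (the same thing wpscan read) and compares it with the release that fixed the ?static=1 private-post view, the other flags static=1 requests in Apache access logs. Assumptions: the fix shipped in WordPress 5.2.4, and the feed and log lines below are constructed, not captured from the machine.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: WordPress 5.2.4 closed the unauthenticated private/draft post
# listing reached via ?static=1; any advertised version below it is exposed.
FIXED_IN = (5, 2, 4)

GENERATOR_RE = re.compile(r"<generator>https?://wordpress\.org/\?v=([0-9.]+)</generator>")
# Apache combined log format; we only need client, method, target and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def version_from_feed(feed_xml: str) -> Optional[str]:
    """Version advertised by the RSS <generator> tag, or None if it is absent."""
    m = GENERATOR_RE.search(feed_xml)
    return m.group(1) if m else None

def exposes_draft_posts(feed_xml: str) -> Optional[bool]:
    """True if the advertised version predates the 5.2.4 fix, False if patched,
    None if the feed advertises no version at all (generator tag removed)."""
    ver = version_from_feed(feed_xml)
    if ver is None:
        return None
    return tuple(int(p) for p in ver.split(".")) < FIXED_IN

def static_probes(log_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(client, path, status) for every request carrying static=1 in its query,
    i.e. attempts to list private posts through the unpatched code path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if "1" in parse_qs(parts.query).get("static", []):
            hits.append((client, parts.path, int(status)))
    return hits

# Constructed sample data (not taken from the real machine).
SAMPLE_FEED = ('<rss><channel><generator>https://wordpress.org/?v=5.2.3</generator>'
               '</channel></rss>')
SAMPLE_LOG = [
    '10.10.14.5 - - [15/Jun/2022:05:10:01 +0000] "GET /?static=1 HTTP/1.1" 200 5123 "-" "curl/7.81"',
    '10.10.14.5 - - [15/Jun/2022:05:10:02 +0000] "GET /index.php/feed/ HTTP/1.1" 200 2211 "-" "curl/7.81"',
    '10.10.14.9 - - [15/Jun/2022:05:11:07 +0000] "GET /index.php/?static=1&p=3 HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(version_from_feed(SAMPLE_FEED), exposes_draft_posts(SAMPLE_FEED))
    for hit in static_probes(SAMPLE_LOG):
        print("static=1 probe:", hit)
```

A 200 on a static=1 request from a site still advertising a pre-5.2.4 version is the combination worth alerting on; once patched, the same requests no longer return private content.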

Screenshot: Unauthenticated posts view

Another hidden subdomain came into sight. Accordingly, we modified our /etc/hosts.

10.10.11.143	office.paper chat.office.paper

II. User Flag

1. Discovering Rocket Chat instance

Going to http://chat.office.paper, we found a login page.

Screenshot: Rocket Chat login form

For those who don’t know, Rocket Chat resembles Discord to a certain degree, except that it’s open source and can be self-hosted.

Head over to the register form we saw earlier, simply register an account (made-up credentials were accepted) and log in.

Screenshot: Rocket Chat register form

For those who have used Discord or IRC, this interface will look a bit familiar.

Screenshot: Rocket Chat blank interface

2. Toying with the bot

tl;dr: Chat bot
Lurking around the chat without any permission (which always feels a bit illicit, even when it’s just a CTF challenge), we found nothing noticeable except this bot:

Screenshot: Rocket Chat bot

The help message pretty much summarized all the functionality this bot served. To our security eyes, only the third one matters: the file read command.

Screenshot: Testing the file read function of the Rocket Chat bot

We can reasonably deduce that it simply prints out whatever was fed to the cat command. I tried to inject other OS commands in, but it didn’t work.

At this point, we had arbitrary file read. Which file can we read to go further into this machine?

None other than files in the /proc directory, and in this particular case, environment variables seemed to be the answer.
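The bot's flaw is that the user-supplied path goes straight to cat, so anything its account can read, including the /proc entries used here, is served. Below, as an added example that is not the bot's real code (the bot's source is not on this page), is that pattern next to a hardened version that canonicalises the path, confines it to an assumed allowed directory and refuses anything that is not a regular file; the scratch directory and file in demo() are constructed.

```python
import subprocess
import tempfile
from pathlib import Path

def vulnerable_read(user_path: str) -> str:
    # The pattern the write-up observed: whatever the user typed goes straight
    # to cat, so /proc/self/environ and every other readable file are served.
    return subprocess.run(["cat", user_path], capture_output=True, text=True).stdout

def safe_read(user_path: str, safe_root: str) -> str:
    """Serve only regular files located inside safe_root; refuse everything else."""
    root = Path(safe_root).resolve()
    # Join then canonicalise: an absolute user path replaces root, '..' and
    # symlinks are collapsed, so the containment check sees the real target.
    target = (root / user_path).resolve()
    if root not in target.parents:
        raise PermissionError(f"{user_path!r} escapes {safe_root}")
    if not target.is_file():  # rejects directories, devices and /proc magic files
        raise PermissionError(f"{user_path!r} is not a regular file")
    return target.read_text()

def demo() -> dict:
    """Constructed scenario: one allowed file under a scratch root, then the
    kind of requests made in the write-up (a normal file, /proc/self/environ)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notes.txt").write_text("quarterly numbers\n")
        results = {"allowed": safe_read("notes.txt", root)}
        for bad in ("/proc/self/environ", "../../etc/passwd", "/etc/passwd"):
            try:
                safe_read(bad, root)
                results[bad] = "served"
            except PermissionError:
                results[bad] = "refused"
        return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome!r}")
```

Running the bot's command under an account with a minimal environment (no credentials in environment variables at all) is the second half of the fix; path confinement only limits what a file-read primitive can reach.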

Screenshot: Reading environment variables from /proc/self/environ via the Rocket Chat bot

That command yielded quite a surprise - some credentials were hidden inside the environment variables:

Screenshot: Environment variables printed by the Rocket Chat bot

Wondering what they were used for, I tried them against the Rocket Chat login form.

Screenshot: Rocket Chat didn’t accept those credentials

But the credentials were deemed incorrect. Where else can they be used? Maybe on SSH?

Screenshot: Successful SSH login attempt

To no one’s surprise, those credentials got me a stable SSH connection. You can find the user flag right off the bat in that user’s home directory.

Screenshot: User flag in the home directory

III. Root Flag

Lazy as I am, I let Linpeas do all the heavy lifting and sweetly reaped this fruit:

Screenshot: Linpeas result

It was trivial to find exploits for this infamous CVE on GitHub. In my particular case, since the machine already had Python 3.6, I went with this exploit script:

Merely running the script would give you full root-level control:

IV. Conclusion

And that’s about it - it all revolved around outdated software and a vulnerable bot. Hope you have enjoyed this machine and learned things along the way!