Hello hacker, just wanted to share with you this easy retired machine from Hack The Box. I was just bored and decided to do something that won't consume my energy. Actually it was easy, but I liked it and learned something new, because HTB is always cool with exploits; I like the struggle with HTB.

N/B: To access the machine you must be a VIP member.

Let's start hacking our baby Paper retired machine. Fire up the instance.

SCANNING

# Nmap 7.94SVN scan initiated Wed May  8 08:11:33 2024 as: nmap -sC -sV -oN nmap.txt -Pn -vvv -p 22,80,443 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up, received user-set (0.87s latency).
Scanned at 2024-05-08 08:11:37 EDT for 31s

PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcZzzauRoUMdyj6UcbrSejflBMRBeAdjYb2Fkpkn55uduA3qShJ5SP33uotPwllc3wESbYzlB9bGJVjeGA2l+G99r24cqvAsqBl0bLStal3RiXtjI/ws1E3bHW1+U35bzlInU7AVC9HUW6IbAq+VNlbXLrzBCbIO+l3281i3Q4Y2pzpHm5OlM2mZQ8EGMrWxD4dPFFK0D4jCAKUMMcoro3Z/U7Wpdy+xmDfui3iu9UqAxlu4XcdYJr7Iijfkl62jTNFiltbym1AxcIpgyS2QX1xjFlXId7UrJOJo3c7a0F+B3XaBK5iQjpUfPmh7RLlt6CZklzBZ8wsmHakWpysfXN
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/Xwcq0Gc4YEeRtN3QLduvk/5lezmamLm9PNgrhWDyNfPwAXpHiu7H9urKOhtw9SghxtMM2vMIQAUh/RFYgrxg=
|   256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdmmhk1vKOrAmcXMPh0XRA5zbzUHt1JBbbWwQpI4pEX
80/tcp  open  http     syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
443/tcp open  ssl/http syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
| tls-alpn: 
|_  http/1.1
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/organizationalUnitName=ca-3899279223185377061/emailAddress=root@localhost.localdomain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after:  2022-07-08T10:32:34
| MD5:   579a:92bd:803c:ac47:d49c:5add:e44e:4f84
| SHA-1: 61a2:301f:9e5c:2603:a643:00b5:e5da:5fd5:c175:f3a9
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May  8 08:12:08 2024 -- 1 IP address (1 host up) scanned in 35.25 seconds

So far we can see that we have three open ports, but I was not satisfied with only these ports, so I decided to scan further as well, but didn't find any useful ports.

ENUMERATION

With enumeration here I started enumerating one port after another, so that I could get the full structure of how things are supposed to be while approaching this target.

port 22

With port 22, nothing of interest for now because we don't have any creds to log in with. I also tried checking whether this version was vulnerable, but that just ended up with DoS.

port 80

With port 80 we also find nothing of interest.

port 443

With port 443 we first need a domain name, because if we try to access it by just adding 'https' it displays the same thing as port 80.

N/B: So far I didn't get anything, even though the nmap scan was providing more info.

enumerating directories with gobuster

We see that we have a '/manual' directory, but it wasn't useful for me, so I decided to move on.

After a while struggling to find more info about my target, I just found myself in Burp Suite LOL. I spent like 40 minutes trying to find an initial foothold.

If you take a close look at the Burp Suite request and response you will find that there is some juicy info there, despite it responding with a client error (403).

domain:office.paper

Now from here, let's add this into our hosts file (/etc/hosts). After doing that I tried to access it with both https and http, but the one with more info is 'http://office.paper'.

I decided to give it a visit now and play around and see what I can get from here.

At this stage I decided to do three things at one time; while I'm studying the site I will let them run in the background.

  • the first one is running gobuster and ffuf for directories
  • the second one is gobuster for subdomains
  • the third one is enumerating wordpress with wpscan tool

N/B: To identify the technologies being used on a target I normally use the Wappalyzer tool in my browser; it easily tells me which technologies are being used.

Let's go with the command line tool.

Now we can see that we have something like WordPress and its version, so I decided to google the CVEs for this WordPress version.

WordPress version 5.2.3

After some searching I found this CVE.

The idea behind this CVE is Viewing Unauthenticated/Password/Private Posts

payload: ?static=1&order=asc

url: http://office.paper/?static=1&order=asc

And I found this interesting info by just adding this payload.
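A defender-side check for the payload above, added here as an example and not part of the original writeup: it parses Apache combined-format access log lines (the sample lines are constructed, and the combined format is an assumption about the target's httpd config) and flags any request carrying the `static` query parameter used by this WordPress 5.2.3 private-post disclosure.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one normal visit, two static=1 probes, a gobuster hit.
SAMPLE_LOG = """\
10.10.14.5 - - [08/May/2024:11:40:01 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [08/May/2024:11:40:09 -0400] "GET /?static=1&order=asc HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.10.14.5 - - [08/May/2024:11:40:20 -0400] "GET /?p=12 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.5 - - [08/May/2024:11:41:02 -0400] "GET /?static=1 HTTP/1.1" 200 9000 "-" "curl/8.0"
10.10.14.5 - - [08/May/2024:11:41:30 -0400] "GET /manual/ HTTP/1.1" 200 1200 "-" "gobuster/3.6"
"""


def parse_line(line):
    """Split one combined-format line into fields; the query string is decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def is_static_disclosure(entry):
    """True when the request carries static=...; order=asc is optional in the
    payload, so the presence of `static` alone is the signal worth alerting on."""
    return entry is not None and "static" in entry["query"]


def find_suspicious(log_text):
    """Return (timestamp, source ip, request target, status) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_static_disclosure(entry):
            hits.append((entry["ts"], entry["ip"], entry["target"], entry["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("possible private-post disclosure:", hit)
```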

Now I saw that there is a convo about a secret registration URL for employees.

url:http://chat.office.paper/register/8qozr226AhkCHZdyY

subdomain: chat.office.paper (new subdomain) // added to /etc/hosts

After visiting the site we find a registration form; you can try to register and log in as well.

After some google-fu about Rocket.Chat I found that I can interact with a bot (recyclops).

EXPLOITATION

exploiting a bot

Here we can see that this bot is used to interact with some

After checking the help menu, I found this interesting.

After checking I decided to look for something like id_rsa, but it wasn't present.

My next phase was to try to access /etc/passwd and find out how many users I have here.

Now since I knew that id_rsa wasn't present, my next step was finding the password for user 'dwight'.

After some deep checking here and there, I found these files being linked together.

To understand how to reach here: there is a start_bot.sh; try to follow that path and you will end up with the .env file with the password.
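The bot's file command is what turns a chat account into reads of /etc/passwd and the .env above. The fix is to pin every requested path inside one directory before opening it; this is an added example (not the bot's code or the writeup's) that assumes the bot is only meant to serve files from a single sales directory, builds a throwaway sandbox with tempfile, and shows the confinement rejecting traversal, absolute paths and a symlink that points outside.

```python
import os
import tempfile


def read_confined(sandbox_dir, requested):
    """Return the file content only if `requested` resolves inside sandbox_dir.

    realpath resolves '..' and symlinks before the check, so a link inside the
    sandbox that points at an outside file is rejected as well. A leading '/'
    is stripped so an absolute path is treated as sandbox-relative, not trusted.
    """
    base = os.path.realpath(sandbox_dir)
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # commonpath (not startswith) so '/sandbox-evil' cannot pass as '/sandbox'
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Constructed sandbox: one allowed file, one secret outside, one symlink out."""
    root = tempfile.mkdtemp()
    sandbox = os.path.join(root, "sales")
    os.makedirs(sandbox)
    with open(os.path.join(sandbox, "sale.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly figures")
    with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
        fh.write("PASSWORD=placeholder")  # stands in for the bot's real .env
    os.symlink(os.path.join(root, ".env"), os.path.join(sandbox, "link"))
    return {
        "allowed": read_confined(sandbox, "sale.txt"),
        "traversal": read_confined(sandbox, "../.env"),
        "absolute": read_confined(sandbox, "/etc/passwd"),
        "symlink": read_confined(sandbox, "link"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'served' if result is not None else 'refused'}")
```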

ssh creds

username:dwight
password:Queenofblad3s!23

PRIVILEGE ESCALATION

With privilege escalation 'sudo -l' is not useful here; uploading linpeas and executing it gives us some interesting things such as the sudo version.

exploit: Sudo version 1.8.29

After some google-fu I found this CVE about how to exploit this sudo version, and its exploit can be found on GitHub, which is simple to use.

The idea behind this CVE is the polkit priv escalation.

After transferring the payload to the target I decided to edit this exploit a little bit because I knew what it was doing so far (if you don't understand it you can just change the username and password, but it is better to understand it first).

There you can find all the flags, user (user.txt) and root.txt.

Hope you enjoyed it, it was very easy.