
Hello hacker, I just wanted to share this easy retired machine from Hack The Box. I was bored and decided to do something that wouldn't consume my energy. It was easy, but I liked it and learned something new; HTB is always good with exploits, and I like the struggle.
**N/B:** To access the machine you must be a VIP member.
Let's start hacking our baby, the retired machine Paper. Fire up the instance.

# SCANNING
```
# Nmap 7.94SVN scan initiated Wed May 8 08:11:33 2024 as: nmap -sC -sV -oN nmap.txt -Pn -vvv -p 22,80,443 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up, received user-set (0.87s latency).
Scanned at 2024-05-08 08:11:37 EDT for 31s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcZzzauRoUMdyj6UcbrSejflBMRBeAdjYb2Fkpkn55uduA3qShJ5SP33uotPwllc3wESbYzlB9bGJVjeGA2l+G99r24cqvAsqBl0bLStal3RiXtjI/ws1E3bHW1+U35bzlInU7AVC9HUW6IbAq+VNlbXLrzBCbIO+l3281i3Q4Y2pzpHm5OlM2mZQ8EGMrWxD4dPFFK0D4jCAKUMMcoro3Z/U7Wpdy+xmDfui3iu9UqAxlu4XcdYJr7Iijfkl62jTNFiltbym1AxcIpgyS2QX1xjFlXId7UrJOJo3c7a0F+B3XaBK5iQjpUfPmh7RLlt6CZklzBZ8wsmHakWpysfXN
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/Xwcq0Gc4YEeRtN3QLduvk/5lezmamLm9PNgrhWDyNfPwAXpHiu7H9urKOhtw9SghxtMM2vMIQAUh/RFYgrxg=
| 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdmmhk1vKOrAmcXMPh0XRA5zbzUHt1JBbbWwQpI4pEX
80/tcp open http syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
443/tcp open ssl/http syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
| tls-alpn:
|_ http/1.1
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain
| Subject Alternative Name: DNS:localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/organizationalUnitName=ca-3899279223185377061/emailAddress=root@localhost.localdomain
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-03T08:52:34
| Not valid after: 2022-07-08T10:32:34
| MD5: 579a:92bd:803c:ac47:d49c:5add:e44e:4f84
| SHA-1: 61a2:301f:9e5c:2603:a643:00b5:e5da:5fd5:c175:f3a9
| -----BEGIN CERTIFICATE-----
| MIIE4DCCAsigAwIBAgIIdryw6eirdUUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNV
| BAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UECwwWY2EtMzg5OTI3
| OTIyMzE4NTM3NzA2MTEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMTA3
| MDMwODUyMzRaFw0yMjA3MDgxMDMyMzRaMG4xCzAJBgNVBAYTAlVTMRQwEgYDVQQK
| DAtVbnNwZWNpZmllZDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkw
| JwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJ
| KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1/3n1pZvFgeX1ja/w84jNxT2NcBkux
| s5DYnYKeClqncxe7m4mz+my4uP6J1kBP5MudLe6UE62KFX3pGc6HCp2G0CdA1gQm
| 4WYgF2E7aLNHZPrKQ+r1fqBBw6o3NkNxS4maXD7AvrCqkgpID/qSziMJdUzs9mS+
| NTzWq0IuSsTztLpxUEFv7T6XPGkS5/pE2hPWO0vz/Bd5BYL+3P08fPsC0/5YvgkV
| uvFbFrxmuOFOTEkrTy88b2fLkbt8/Zeh4LSdmQqriSpxDnag1i3N++1aDkIhAhbA
| LPK+rZq9PmUUFVY9MqizBEixxRvWhaU9gXMIy9ZnPJPpjDqyvju5e+kCAwEAAaNg
| MF4wDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwIAYDVR0RBBkwF4IVbG9jYWxo
| b3N0LmxvY2FsZG9tYWluMB8GA1UdIwQYMBaAFBB8mEcpW4ZNBIaoM7mCF/Z+7ffA
| MA0GCSqGSIb3DQEBCwUAA4ICAQCw4uQfUe+FtsPdT0eXiLHg/5kXBGn8kfJZ45hP
| gcuwa5JfAQeA3JXx7piTSiMMk0GrWbqbrpX9ZIkwPnZrN+9PV9/SNCEJVTMy+LDQ
| QGsyqwkZpMK8QThzxRvXvnyf3XeEFDL6N4YeEzWz47VNlddeqOBHmrDI5SL+Eibh
| wxNj9UXwhEySUpgMAhU+QtXk40sjgv4Cs3kHvERvpwAfgRA7N38WY+njo/2VlGaT
| qP+UekP42JveOIWhf9p88MUmx2QqtOq/WF7vkBVbAsVs+GGp2SNhCubCCWZeP6qc
| HCX0/ipKZqY6zIvCcfr0wHBQDY9QwlbJcthg9Qox4EH1Sgj/qKPva6cehp/NzsbS
| JL9Ygb1h65Xpy/ZwhQTl+y2s+JxAoMy3k50n+9lzCFBiNzPLsV6vrTXCh7t9Cx07
| 9jYqMiQ35cEbQGIaKQqzguPXF5nMvWDBow3Oj7fYFlCdLTpaTjh8FJ37/PrhUWIl
| Li+WW8txrQKqm0/u1A41TI7fBxlUDhk6YFA+gIxX27ntQ0g+lLs8rwGlt/o+e3Xa
| OfcJ7Tl0ovWa+c9lWNju5mgdU+0v4P9bqv4XcIuyE0exv5MleA99uOYE1jlWuKf1
| m9v4myEY3dzgw3IBDmlYpGuDWQmMYx8RVytYN3Z3Z64WglMRjwEWNGy7NfKm7oJ4
| mh/ptg==
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 8 08:12:08 2024 -- 1 IP address (1 host up) scanned in 35.25 seconds
```
So far we can see three open ports. I wasn't satisfied with only these, so I also ran a full-port scan, but didn't find any other useful ports.
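The two-stage approach above (quick sweep of all ports, then the slower `-sC -sV` only on what is open) is easier to repeat with a small helper. This is an added example, not part of the original writeup; the greppable nmap line it parses is a constructed sample, not output from the box.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): two-stage port discovery.
# Stage 1 sweeps all 65535 TCP ports with greppable (-oG) output; stage 2 feeds
# only the open ports back into the slower -sC -sV scan.

# Extract a comma-separated, sorted list of open TCP ports from nmap -oG output
# read on stdin. It works on the "Ports:" field, e.g.
#   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
open_ports_from_gnmap() {
    grep -o '[0-9]\{1,5\}/open/tcp' | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# Constructed sample -oG output in the shape "nmap -p- -oG" writes (not real scan data).
SAMPLE_GNMAP='Host: 10.10.11.143 ()  Status: Up
Host: 10.10.11.143 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///  Ignored State: filtered (65531)'

# Live usage (commented out so the script runs offline):
#   nmap -p- --min-rate 2000 -oG allports.gnmap 10.10.11.143
#   ports=$(open_ports_from_gnmap < allports.gnmap)
#   nmap -sC -sV -p "$ports" -oN nmap.txt 10.10.11.143
printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap   # prints 22,80,443
```

Closed and filtered ports are dropped on purpose; only `/open/tcp` entries survive, so the second scan never wastes time on the 8080 that the sample reports as closed.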
# ENUMERATION
For enumeration I went through one port after another, so that I get the full picture of how things are laid out before approaching this target.
## port 22
On port 22 there is nothing of interest for now, because we don't have any creds to log in with. I also checked for exploits against this OpenSSH version, but only ended up with DoS-type findings.
## port 80
On port 80 we also find nothing of interest; it only serves the default CentOS test page that nmap already showed in the title.

## port 443
On port 443 we first need a domain name, because if we just access the IP over https it shows the same default page as port 80. The certificate doesn't help either: it is self-signed for localhost.localdomain, so it leaks no real hostname.
N/B: So far I didn't get anything; even the nmap scan was giving more info than the pages themselves.
## enumerating directories with gobuster

We see there is a '/manual' directory (the stock Apache documentation), but it wasn't useful for me, so I moved on.
After a while of struggling to find more info about my target, I found myself in Burp Suite, LOL. I spent about 40 minutes trying to find an initial foothold.
If you take a close look at the Burp request and response, you'll find some juicy info in the response headers, despite the server answering with a client error (403).

```
domain:office.paper
```
From here, let's add this domain to our hosts file (/etc/hosts). After doing that I tried to access it with both https and http; the one with more info is http://office.paper.
I decided to visit it and play around to see what I can get from here.
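The lesson from that 40 minutes in Burp is that a 403 is still a response worth reading. Below is an added helper (not part of the original writeup) that pulls hostname-looking values out of raw response headers and prints the /etc/hosts line to add. The headers are a constructed sample, and the header name `X-Backend-Server` in it is an assumption; the function scans every header value, so it does not depend on that name.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): find leaked hostnames in
# HTTP response headers and build the /etc/hosts entry for them.

# Read raw HTTP headers on stdin and print unique domain-looking tokens found
# in header VALUES: two or more dot-separated labels ending in an alphabetic
# TLD, so version strings such as 2.4.37 or 1.1.1k are not reported.
hostnames_from_headers() {
    sed -n 's/^[A-Za-z0-9-]*: *//p' \
      | grep -oE '[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}' \
      | sort -u
}

# Print an /etc/hosts line for the target IP and the hostnames found.
hosts_line() {
    local ip="$1"; shift
    printf '%s %s\n' "$ip" "$*"
}

# Constructed sample response (not captured from the real box); the
# X-Backend-Server header name is an assumption for the sample.
SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
Date: Wed, 08 May 2024 12:20:01 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Content-Type: text/html; charset=UTF-8'

# Live usage (commented out): curl -sI http://10.10.11.143/ | hostnames_from_headers
found=$(printf '%s\n' "$SAMPLE_HEADERS" | hostnames_from_headers)
hosts_line 10.10.11.143 $found     # prints: 10.10.11.143 office.paper
```

Run the live `curl -sI` against both the plain IP and the https port, because a backend or virtual host name can show up on one listener and not the other; the printed line can then be appended to /etc/hosts by hand.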

At this stage I decided to do three things at once; while I study the site I let them run in the background:
* the first is running gobuster and ffuf for directories
* the second is gobuster for subdomains
* the third is enumerating WordPress with the wpscan tool
N/B: To identify the technologies used by the target I normally use the Wappalyzer browser extension; it easily tells me which technologies are in use.
Let's go with the command-line tools.

Now we can see that this is WordPress, and its version, so I googled for CVEs affecting this WordPress version.
```
wordpress version 5.2.3
```
After some searching I found this [exploit](https://www.exploit-db.com/exploits/47690) (CVE-2019-17671).
The idea behind this CVE is viewing unauthenticated/password-protected/private posts, which a logged-out visitor should never see.
```
payload: ?static=1&order=asc
url: http://office.paper/?static=1&order=asc
```
I found this interesting info just by adding this payload.

Now I saw that there is a conversation about a secret registration URL for employees.
```
url: http://chat.office.paper/register/8qozr226AhkCHZdyY
subdomain: chat.office.paper (new subdomain) // added to /etc/hosts
```
After visiting the site we find a registration form; you can register and log in as well.

After some google-fu about Rocket.Chat I found that I can interact with a bot (recyclops).
## EXPLOITATION
### exploiting a bot
Here we can see that this bot is used to interact with some

After checking the help menu, I found this interesting.


After checking, I looked for something like an id_rsa, but it wasn't present.
My next step was to read /etc/passwd to learn how many users there are.

Since I knew id_rsa wasn't present, my next step was finding the password for user '**dwight**'.
After some deep checking here and there, I found these files being linked together.

To understand how to get there: there is a start_bot.sh; follow the path it references and you will end up with the .env file containing the password.
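Two of the files read through the bot deserve a quick triage rather than eyeballing: /etc/passwd for who can actually log in, and the .env for credential-looking keys. The helper below is an added example, not code from the original writeup; both inputs are constructed samples rather than the box's real files, and the .env key names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): triage of two files obtained
# through an arbitrary file read. Inputs are constructed samples.

# Print the users from /etc/passwd (stdin) whose shell is interactive, i.e.
# anything other than nologin/false and the sync/halt/shutdown pseudo-shells.
login_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }'
}

# Print KEY=VALUE lines from a dotenv-style file (stdin) whose key looks like
# a credential (contains PASS, SECRET, TOKEN or KEY), skipping comment lines.
env_secrets() {
    grep -v '^[[:space:]]*#' \
      | grep -iE '^[A-Za-z0-9_]*(pass|secret|token|key)[A-Za-z0-9_]*='
}

# Constructed /etc/passwd sample (UIDs and service accounts are made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
rocketchat:x:1001:1001::/home/rocketchat:/sbin/nologin
dwight:x:1004:1004::/home/dwight:/bin/bash'

# Constructed .env sample; the key names and the URL are assumptions,
# only the dwight password is the one from this writeup.
SAMPLE_ENV='# constructed sample of a bot .env file
ROCKETCHAT_URL=http://127.0.0.1:48320
ROCKETCHAT_USER=recyclops
ROCKETCHAT_PASSWORD=Queenofblad3s!23
RESPOND_TO_DM=true'

printf '%s\n' "$SAMPLE_PASSWD" | login_users     # root, dwight
printf '%s\n' "$SAMPLE_ENV" | env_secrets        # ROCKETCHAT_PASSWORD=...
```

The interesting outcome is the overlap: a password found in a service's .env belongs to a user (dwight) who, per the passwd filter, has a real shell, so it is worth trying over SSH rather than only against Rocket.Chat.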
### ssh creds
```
username:dwight
password:Queenofblad3s!23
```

## PRIVILEGE ESCALATION
For privilege escalation, 'sudo -l' is not useful here. Uploading linpeas and running it gives us some interesting things, such as the sudo version.

```
finding: Sudo version 1.8.29
```
After some google-fu I found this [exploit](https://www.exploit-db.com/exploits/50011). Note that although linpeas pointed me at sudo, the exploit itself targets polkit (CVE-2021-3560), not sudo; a simple-to-use version of it can be found on GitHub.
The idea behind this CVE is polkit privilege escalation: the script abuses polkit's D-Bus authorization handling to create a new local user with admin rights, which is why it carries a username and password inside it.

After transferring the exploit to the target I edited it a little, because I understood what it was doing. (If you don't understand it, you can just change the username and password, but it is better to understand it first.)

From there you can grab both flags, user.txt and root.txt.

Hope you enjoyed it; it was very easy.