Hackthebox — Paper Walkthrough

Atalay Samet Ergen
5 min read · Jun 18, 2022


As always, we run nmap to see which ports are open and which services are running on those ports.

  • -sC : run default nmap scripts
  • -sV : enumerate service versions

The result shows that three ports are open.

  • Port 22 is for the SSH service
  • Ports 80 and 443 are for the HTTP service

We visit the HTTP service in the browser. A default test page welcomes us.

We run nikto, which reports an uncommon response header containing the hostname office.paper.

We add it into our hosts file.
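The header nikto flagged is the kind of information disclosure a defender can audit for directly. The following is an added example, not part of the original walkthrough: it parses a raw HTTP response, reports headers that commonly expose backend details, and pulls out anything that looks like a hostname. The header name X-Backend-Server and the sample response are assumptions constructed for the example; the page only says an "uncommon header" contained office.paper.

```python
import re

# Response headers that commonly disclose backend hostnames, software or
# versions. X-Backend-Server is an assumption for the header nikto flagged on
# this box; the walkthrough only calls it an "uncommon header".
DISCLOSING_HEADERS = {
    "x-backend-server",
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "via",
}

# Something that looks like a dotted hostname (office.paper, db01.corp.local).
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def parse_headers(raw_response: str) -> dict:
    """Map lowercase header names to values from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw_response: str) -> dict:
    """Return {header: value} for every header on the disclosure list."""
    return {h: v for h, v in parse_headers(raw_response).items()
            if h in DISCLOSING_HEADERS}


def leaked_hostnames(raw_response: str) -> list:
    """Extract hostname-looking strings from the disclosing headers."""
    found = set()
    for value in find_disclosures(raw_response).values():
        found.update(m.group(0).lower() for m in HOSTNAME_RE.finditer(value))
    return sorted(found)


# Constructed sample: the kind of response a default Apache test page returns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Sat, 18 Jun 2022 10:00:00 GMT\r\n"
    "Server: Apache/2.4.37 (centos)\r\n"
    "X-Backend-Server: office.paper\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>HTTP Server Test Page</body></html>"
)

if __name__ == "__main__":
    for name, value in find_disclosures(SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
    print("hostnames:", leaked_hostnames(SAMPLE_RESPONSE))
```

Run against your own servers, any hostname this returns that is not the public name is a virtual host or backend leaking through a header that should be stripped at the reverse proxy.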

Run a ffuf scan.

Visit the page and start enumerating.

Nick’s comment gives us a lead: we need to look into Michael’s account, especially his drafts.

Let’s run wpscan to find more information.

The WordPress version is 5.2.3.

Let’s google it to find any related vulnerability we can exploit.

According to the post, we can leak the content by appending “?static=1” to the URL.

We try it and successfully get some information disclosure.
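From the defender's side, the same behaviour is easy to spot in the web server's access log. This is an added example, not part of the original walkthrough: it parses Apache/nginx combined-format log lines and reports every request that carries a static query parameter. The log lines are constructed for the example; the remediation for the box itself is updating WordPress past 5.2.3.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_static_probe(target: str) -> bool:
    """True when the request target carries a 'static' query parameter.

    The walkthrough uses ?static=1; any value (even an empty one) is flagged
    here so that trivial variations do not slip past the rule.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "static" in query


def find_static_probes(log_text: str) -> list:
    """(ip, target, status) for every request that looks like the probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_static_probe(rec["target"]):
            hits.append((rec["ip"], rec["target"], int(rec["status"])))
    return hits


# Constructed log lines; 192.0.2.0/24 is the documentation address range.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2022:10:01:12 +0000] "GET /index.php/2022/06/01/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Jun/2022:10:01:40 +0000] "GET /?static=1 HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
192.0.2.20 - - [18/Jun/2022:10:02:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "curl/7.81.0"
192.0.2.10 - - [18/Jun/2022:10:02:30 +0000] "GET /index.php?static=1&p=7 HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, status in find_static_probes(SAMPLE_LOG):
        print(f"{ip} requested {target} (HTTP {status})")
```

A 200 on such a request from an unauthenticated client is the signal worth alerting on; the 404 still tells you someone is probing.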

Add the subdomain to the hosts file before navigating to it.

We create an account and login.

There is a chatbot that we can interact with by giving it specific commands.

Start chatting with it in a direct message.

Let’s mess things up a bit.

There is a local file inclusion vulnerability. We need to look around the filesystem for interesting files.

After enumerating the system, we find credentials in a .env file.
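The bot's file-reading command is a textbook local file inclusion, and the .env find shows why dotfiles deserve their own rule. What follows is an added example, not the bot code from the box: the walkthrough only says the chatbot takes commands and has an LFI flaw, so the two handlers below are a hypothetical reconstruction of that bug class next to its fix. The sandbox directory, file names and .env contents are constructed at runtime.

```python
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir: str, requested: str) -> str:
    """Naive handler: joins whatever the user typed onto the base directory.

    "../" sequences walk out of base_dir, and nothing stops reading dotfiles
    such as .env, which is where the walkthrough found credentials.
    """
    with open(os.path.join(base_dir, requested)) as fh:
        return fh.read()


def read_file_hardened(base_dir: str, requested: str) -> str:
    """Confine reads to base_dir: no traversal, no symlink escape, no dotfiles."""
    root = Path(base_dir).resolve()
    # os.path.join would discard root if 'requested' were absolute; strip that.
    candidate = (root / requested.lstrip("/")).resolve()
    if candidate == root or root not in candidate.parents:
        raise PermissionError("path escapes the allowed directory")
    if any(part.startswith(".") for part in candidate.relative_to(root).parts):
        raise PermissionError("dotfiles are not readable")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    with open(candidate) as fh:
        return fh.read()


def outcome(handler, base_dir: str, requested: str) -> str:
    """Return the file text, or the name of the error the handler raised."""
    try:
        return handler(base_dir, requested)
    except (PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__


def build_sandbox() -> str:
    """Constructed layout: a sandbox holding a public file and a .env, plus a
    file one level above it that the bot should never be able to serve."""
    outer = tempfile.mkdtemp(prefix="bot-")
    sandbox = os.path.join(outer, "sales")
    os.mkdir(sandbox)
    Path(sandbox, "readme.txt").write_text("public sales sheet\n")
    Path(sandbox, ".env").write_text("DB_PASS=constructed-secret\n")  # constructed value
    Path(outer, "secret.txt").write_text("outside the sandbox\n")
    return sandbox


if __name__ == "__main__":
    box = build_sandbox()
    for req in ("readme.txt", ".env", "../secret.txt"):
        print(f"{req!r:18} vulnerable={outcome(read_file_vulnerable, box, req)!r}"
              f" hardened={outcome(read_file_hardened, box, req)!r}")
```

The hardened handler resolves the path before checking it, so a symlink planted inside the directory that points outside is rejected as well; the dotfile rule is what keeps .env out of reach even when the traversal is fixed.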

Let’s SSH in as the user dwight.

Perfect. We are in and get the user flag.

Time to escalate our privileges to the root user. To do so, we need to enumerate the box to get further information. Download linpeas.sh.

Give the execution permission and run the script.

The script reveals that the system is vulnerable to CVE-2021-3560.

In other words, it is a flaw in Polkit (PolicyKit) that allows a local attacker to create a new account with administrative privileges.

We will use a script written by secnigma that automates the exploitation.

Download the script.

Changing the username and password in the script is optional, so we leave the defaults.

Run the script.

We see that the execution is successful.

Switch to the secnigma user created by the Polkit exploit and run “sudo bash”, which gives us a root shell.

Finally, get the root flag.
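Two checks a defender can run against this privilege-escalation chain, added here as an example and not taken from the walkthrough or from secnigma's script. The first screens the output of pkaction --version against the upstream affected range for CVE-2021-3560 (the bug shipped in polkit 0.113 and was fixed in 0.119; those numbers come from the upstream fix history, not from this page); distributions backport fixes, so a hit means "check the package changelog", not proven exposure. The second parses /etc/passwd and /etc/group and lists members of administrative groups that are not on an allowlist, which is exactly the end state the exploit leaves behind: a new account with sudo rights. The passwd and group contents are constructed, reusing the default account name the page mentions.

```python
import re

# Groups whose membership grants administrative rights on common distributions.
PRIVILEGED_GROUPS = {"wheel", "sudo", "root"}


def polkit_version_in_affected_range(pkaction_output: str) -> bool:
    """Screen `pkaction --version` output against the upstream affected range.

    Assumed range: 0.113 <= version < 0.119 (upstream introduction and fix).
    Newer polkit uses plain integers (121, 123, ...) which fall outside it.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?", pkaction_output)
    if not m:
        raise ValueError("no version number in: %r" % pkaction_output)
    version = (int(m.group(1)), int(m.group(2) or 0))
    return (0, 113) <= version < (0, 119)


def parse_passwd(text: str) -> dict:
    """user -> (uid, primary gid) from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text: str) -> dict:
    """group -> (gid, set of supplementary members) from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        members = {m for m in fields[3].split(",") if m}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def unexpected_privileged_accounts(passwd_text: str, group_text: str,
                                   allowlist) -> dict:
    """user -> [privileged groups] for accounts not on the allowlist."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {}
    for gname, (gid, members) in groups.items():
        if gname not in PRIVILEGED_GROUPS:
            continue
        # Supplementary members plus anyone whose primary group is this one.
        everyone = members | {u for u, (_, pgid) in users.items() if pgid == gid}
        for user in sorted(everyone - set(allowlist)):
            findings.setdefault(user, []).append(gname)
    return findings


# Constructed file contents: the low-privilege user from the box plus an
# account named after the exploit script's default, placed in wheel.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
secnigma:x:1005:1005::/home/secnigma:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:secnigma
dwight:x:1004:
secnigma:x:1005:
"""

if __name__ == "__main__":
    print("version screen:", polkit_version_in_affected_range("pkaction version 0.115"))
    print("unexpected admins:",
          unexpected_privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, {"root"}))
```

On a real host, feed the functions the output of pkaction --version and the contents of the two files; an account in wheel or sudo that nobody provisioned is worth an incident ticket regardless of which vulnerability put it there.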

Thank you for your time.

Originally published at https://atalaysblog.wordpress.com on June 18, 2022.


Written by Atalay Samet Ergen

I’m a computer engineer. Interested in security, privacy and policy.
