Paper is an easy HackTheBox machine that was released on the 5th of February 2022. It is a Linux machine and features an insecure WordPress blog.
Initial Foothold
I started, as always, with an nmap scan:
sudo nmap -sS -sV -sC -T4 paper.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.12 seconds
I found three open ports: ssh, http and https. SSH is usually just the convenient way in once user credentials have been obtained, so let’s have a look at the web pages first.
Even though nikto is pretty old and often produces a lot of false positives, I still often run it in the background:
└─$ nikto -h http://paper.htb/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.135.85
+ Target Hostname: paper.htb
+ Target Port: 80
+ Start Time: 2022-05-01 15:02:09 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-backend-server' found, with contents: office.paper
And this time it quickly discovered an uncommon header, x-backend-server, pointing to the virtual host office.paper.
I added this to my /etc/hosts file:

and had a look at it:

Wappalyzer already told me this is a WordPress site running WordPress version 5.2.3. Some research on startpage.com pointed me to this PoC: https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
User
The execution of this exploit is very easy: I just append `/?static=1` to the URL. This revealed a secret note:

In the secret note is a secret registration URL for a Rocket.Chat system. I was able to create a new user using the form:

I found the people (Office characters) in the chat talking about their new bot named “recyclops” and its new features. It is capable of a couple of commands; the “file” command especially caught my interest. By its own description, “file” works like this: “eg: ‘recyclops get me the file test.txt’, or ‘recyclops could you send me the file sale/secret.xls’ or just ‘recyclops file test.txt'”.
I started to play around with that command and quickly found out that I can get good information about the file system. For example ‘file ..’ reveals that the command uses ‘cat’ and that the working directory is /home/dwight/sales/..

I found an interesting file using this command: ‘file ../hubot/.env’

The password in that file turns out to be the SSH password for the user dwight.
Root
You might argue that it is a bit overkill to run linpeas.sh on an easy-rated machine, and that would be reasonable. I ran it anyway and it instantly revealed that this machine is vulnerable to CVE-2021-3560. A PoC is available here: https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
To execute the exploit I simply uploaded poc.sh to the machine and ran it with this syntax: ‘./poc.sh -u=hexp -p=hexp’. This creates a new user with privileges to run sudo. Afterwards I just switched user via ‘su - hexp’ and ran ‘sudo bash’ to get a root shell:
