034#:HTB - Paper

Paper - Title Card

     I am feeling good after that last room. I actually just finished posting my last walkthrough and I am ready to get hacking again.

Paper - Nmap 1

     Looks like a website is being hosted here and they are using HTTPS. We start by enumerating the site directories.

Paper - Site 1
Paper - Gobuster 1

     The directory we discover just appears to be documentation. Given the lack of new leads, I started exploring searchsploit for exploits against Apache 2.3 and OpenSSL 1.1.

Paper - Searchsploit 1

     For now, I’m just going to work down this list and prioritize the ones I think are more likely to be relevant.

Paper - Exploit 1

     I tried about 7 exploits but wasn’t making progress. I switched over to Metasploit to see if it had something for me. Tried a few Apache exploits that failed.

Paper - MSF 1

     I’m still coming up empty-handed. I began reviewing nmap and saw something, mod_fcgid/2.3.9, that I didn’t recognize. That didn’t get anywhere either. I’m hitting a wall, so I ran another gobuster scan with a larger wordlist.

     I began checking Exploit-DB in case there was something else I could use. Feeling a bit stuck, so I looped back to the nmap results. I began looking over the site’s source code again and eventually saw a potentially interesting bit of info. In the response headers we have an x-backend-server value.

Paper - Firefox 1

     I haven’t seen this header much, so I gave it a quick google and it said this header includes hostnames or IPs. I went ahead and added this hostname to my /etc/hosts file and navigated to it in my browser.

Paper - Site 2

     I started another gobuster scan, this time against the office.paper domain.

Paper - Gobuster 2

     Looks like we are dealing with a WordPress site here. I start poking around the directories. Not much to see though, so I began running wpscan to enumerate WordPress.

Paper - WPScan 1

     We learned a little bit here. I forgot to make a user list with names I saw on the blog, so I do that now. We can also use wpscan to try to brute force the login, so I get that running as well.

Paper - WPScan 2

     This is really slow; I’m wondering if hydra would be faster. While that runs I continue to pick over the wpscan results. I checked searchsploit for this version of WordPress and got a few results, one of which recommends manipulating the URL to cause data exposure.

Paper - Site 3

     Well this gave us some interesting leads. Mainly, that we have a subdomain to explore. After adding it to my /etc/hosts file I can navigate to it.

Paper - Site 4

     Creating an account allows us to view their #general chat logs. There is some narrative about a chat bot and its capabilities. Something that stands out is it mentions it can read files on command.

     The chat is locked but they mentioned we can send the Recyclops bot a direct message. I tested by just asking it to list files.

Paper - Site 6

     What followed was a bunch of playing around with the syntax and trying to use this chat bot to explore files. It is clunky, but you can list and read things the account has access to.

Paper - Site 7

     When I tried to view dwight’s home folder I got a hint to help us navigate. We can see how recyclops tried to find our request, so we can modify it using ../’s.

Paper - Site 8

     In dwight’s home folder there is a bash script for recyclops. That script shows us that recyclops’ files are in /home/dwight/hubot. I checked out the bot start script which then led me to looking at /home/dwight/hubot/.env which contains a password!

Paper - Site 9

     This is actually the login info for recyclops. I move to log in with these new credentials we found.

Paper - Site 10

     Nope. But this is still valuable. People often reuse passwords, so I checked the home folder for any other user accounts before attempting to ssh into the machine as dwight using the password we found.

     This works and it gets us our first flag! It looks like dwight can’t run sudo and I’ve already poked around their home folder, so I moved on to running linpeas. Early into the results we get a flag on PATH.

     It’s been a while since I’ve done this type of attack so I refer to their documentation. I don’t think this will be our priv esc method though. For this to work we would want to be able to run something as root that is on PATH or have a scheduled task that could be abused.

Paper - LinPEAS 2

     Another big flag from linpeas for CVE-2021-3560. NIST is always a great resource for finding good exploit links. I saw this post which showed this is a polkit exploit. I checked searchsploit for polkit and was met with a short list. I pulled the first priv esc exploit that applied and gave it a go.

Paper - Searchsploit 4

     No luck, let’s try another. I ended up moving the exploit to the /tmp folder because I had some issues.

Paper - Searchsploit 5
Paper - Exploit 3

     I had to run this a few times for it to work, but when it did I was able to log in as the new user account “hacked” and then sudo su to root. This of course gets us the final flag.

Paper - Flag 2

     This room was a blast to do. The chatbot was an interesting spin and I’m a fan of The Office so I dug the theme.

[CATZ....HACKS]
