Paper

Linux · Easy

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.143

22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)

80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9

443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: 400 Bad Request
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34

Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 5.1 (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

nmap finds three open TCP ports: SSH (22), HTTP (80), and HTTPS (443).

Based on the Apache version, the host is likely running CentOS 8. There’s a TLS certificate, but it only has localhost.localdomain, which isn’t interesting. The HTTP port and the HTTPS port seem to serve the same content.

Enumeration: HTTPS

Enumeration: HTTP

WAP:

Web servers

  • Apache HTTP Server 2.4.37

Operating systems

  • CentOS

Web server extensions

  • OpenSSL 1.1.1k

SOURCE CODE: view-source:http://10.10.11.143/

BURP: Surprisingly, the default page doesn’t load as index.html on either port. One interesting note is that the default page comes back with an HTTP 403 Forbidden response (and not a 200 OK). Not sure that means anything, but interesting.

X-Backend-Server is a non-standard header, and it’s leaking a domain name, office.paper.

DIR BRUTE FORCE: I’ll run gobuster against the site, and it finds /manual, but nothing else. /manual is an Apache default page:

SCANNERS:

/etc/hosts:

I’ll add chat.office.paper to my /etc/hosts file as well.

Subdomain Fuzz: Knowing that there are different DNS names in use, I’ll fuzz for subdomains using wfuzz. I’ll start this without any filtering, and see that the default case is 199691 characters. I’ll kill it, and restart with --hh 199691. It finds one additional subdomain:

office.paper - TCP 80

The HTTPS site for office.paper returns the same default page. But the HTTP site has a new page for a paper company, Blunder Tiffin:

This is clearly a play on the company from the TV show “The Office”, which focuses on a paper company called Dunder Mifflin.

There are three posts, all by Prisonmike, and all written in the voice of the dumb boss from the TV show. There is one comment on one of the posts that has a hint:

I’ll make sure to check out draft posts if I can find access.

DOMAIN: http://office.paper/

SOURCE CODE: view-source:http://office.paper/

WEB TECH:

  • CMS: WordPress 5.2.3

  • Blogs: WordPress 5.2.3

  • Font scripts: Font Awesome, Google Font API

  • Miscellaneous: Popper, RSS

  • Web servers: Apache HTTP Server 2.4.37

  • Programming languages: PHP 7.2.24

  • Operating systems: CentOS

  • Web server extensions: OpenSSL 1.1.1k

  • Databases: MySQL

  • JavaScript libraries: jQuery 1.12.4, jQuery Migrate 1.4.1, OWL Carousel

  • UI frameworks: Bootstrap 4.1.3

LOGIN: http://office.paper/wp-login.php

Blunder Tiffin Inc.

9tFE_KIt

http://office.htb/

Michael, you should remove the secret content from your drafts ASAP, as they are not that secure as you think! -Nick

http://office.paper/index.php/2021/06/19/hello-scranton/#comment

http://office.htb/?p=29#comment-3 http://www.creedthoughts.gov.www\creedthoughts

Hey-o, everyone out there in SyberWorld. It’s old Creed Bratton coming at you again, here from my perch as a Quality Assurance Manager at Blunder Tiffin paper. Just a few observations on the world around me.

What do you guys think is the best kind of car? To me, you can’t beat motorcycles. They’re small and dangerous. They just can’t be trusted.

wpscan

I’ll run wpscan to identify WordPress issues using wpscan --url http://office.paper --api-token $WPSCAN_API. To scan for vulnerabilities, I need to use an API token, which I got for free at the wpscan site. I store my API token in the Bash environment variable $WPSCAN_API with this line in my ~/.bashrc file:

wpscan finds the WP version is 5.2.3. There are 32 known vulnerabilities in this version, but one towards the top jumps out, given the mention of drafts earlier:

chat.office.paper - TCP 80

This site is an instance of rocket.chat, an open source communications platform:

Under the login button there’s a custom bit of text that says the registration URL is hidden. I’ll try some basic credential guessing, but nothing logs in. I don’t see any interesting vulnerabilities in rocket.chat.

Shell as dwight

Access rocket.chat

CVE-2019-17671: This post breaks down how vulnerable WordPress versions could be exploited via CVE-2019-17671 to view draft, password-protected, and private posts. It’s a mistake in how WordPress handles displaying a mix of draft and published posts when viewed with ?static=1. If the first post returned is public, then all the posts will be dumped to the page. There are ways to reorder the result, but here it just works without any additional tricks by visiting:

Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

There is a private link to access rocket chat registration.
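One way to spot this probe in Apache access logs, as an added example that is not part of the writeup: a small scanner over combined-format log lines that flags front-page requests carrying static=1, which is the request shape the CVE above relies on. The log lines are constructed for the example and the function names are my own.

```javascript
// Added example (not from the writeup): detection logic for the
// CVE-2019-17671 probe pattern in Apache combined-format access logs.
// The vulnerable request is a front-page request carrying the query
// parameter static=1, so that is what the rule keys on.

// Parse one Apache "combined" log line into its fields; null if the line
// does not match the format.
const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseCombinedLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, proto, status, size, referer, ua] = m;
  return { ip, time, method, target, proto, status: Number(status), size, referer, ua };
}

// True when the request target carries static=1 in its query string.
// Parsing with URL keeps the check on the query rather than the path, so
// a path such as /wp-content/static/app.js is not a hit.
function isDraftLeakProbe(target) {
  let url;
  try {
    url = new URL(target, "http://localhost"); // base only so relative targets parse
  } catch (e) {
    return false;
  }
  return url.searchParams.get("static") === "1";
}

// Scan log text and return one finding per matching request. A 200 on such
// a request against WordPress 5.2.3 is the case worth escalating.
function findDraftLeakProbes(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const rec = parseCombinedLine(line.trim());
    if (rec && isDraftLeakProbe(rec.target)) {
      findings.push({ ip: rec.ip, time: rec.time, target: rec.target, status: rec.status });
    }
  }
  return findings;
}

// Constructed sample log lines (not taken from the box).
const SAMPLE_LOG = `
10.10.14.5 - - [10/Feb/2022:14:03:11 +0000] "GET /index.php/2021/06/19/hello-scranton/ HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Feb/2022:14:04:02 +0000] "GET /wp-content/static/app.js HTTP/1.1" 200 5120 "http://office.paper/" "Mozilla/5.0"
10.10.14.5 - - [10/Feb/2022:14:05:42 +0000] "GET /?static=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
`;

console.log(findDraftLeakProbes(SAMPLE_LOG));
```

The real fix is upgrading WordPress past 5.2.3 (the issue was patched in 5.2.4); the detection covers the window before that happens. A 200 status on a hit is the case to escalate, since the server returned content rather than refusing the request.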

Register for Chat: At that link, it provides a registration form:

The next page asks me to pick a username:

And on clicking “Use this username” I’m in the chat:

recyclops: Discover

The #general channel has a bunch of characters from the TV show, and some good jokes, but also a bit about Dwight programming a bot:

We can also send Direct Messages to recyclops!

The most interesting points:

  • recyclops help will show the commands

  • recyclops can get files and list files

  • this channel is read only

  • recyclops can be reached by DM (direct message).

Listing Files: I’ll open a DM to recyclops, and try to list files:

It shows the contents of /sales/. If I give it a valid directory, it returns the contents of that directory. But if I give it an invalid path, it errors, and gives the full path:

It seems hardened against command injection:

Read Files: The bot can show file content:

The directory traversal vulnerability is present in this command as well. file ../../../etc/passwd shows the contents of that file:

I’ll note that dwight and rocketchat are the only users on the box not in the system/service range below 1000.

Leak Credentials: In ../hubot there’s a NodeJS project:

The .env file is immediately interesting, as those files tend to hold secrets for the project:

SSH: Given the access to files in /home/dwight, it makes sense that the bot is running as dwight. It’s worth checking if dwight shared their password across rocketchat and the system. crackmapexec shows it works:

Note: It’s important to put that password in single quotes and not double quotes, or Bash will interpret !23 as the command run 23 commands ago in the current session’s history.

SSH works to get a shell:

Shell as root

LinPEAS: In general, I like to enumerate manually before breaking out enumeration scripts, because it provides good practice in knowing the things to look for. That said, on this one, after looking around on my own, I didn’t see much of interest.

Build: I could grab the latest release from the releases page, but there’s also a builder I can use. I’ll clone the repo onto my computer (git clone https://github.com/carlospolop/PEASS-ng), and then go into the PEASS-ng/linPEAS directory.

From there, I’ll call the builder script with python3 -m builder.linpeas_builder. This is going to run linpeas_builder from the builder directory, which builds a .sh script:

Polkit CVE: CVE-2021-3650 is a vulnerability in polkit discovered by Kevin Backhouse of the GitHub Security Lab. The attack is a timing attack against polkit: by killing the process at the right time, it ends up skipping the authentication and allows actions such as creating an account with sudo privileges and setting its password.

The author of Paper happens to have a script for this exploit on their GitHub. I’ll save a copy on my VM, and start a webserver in that directory (python3 -m http.server 80). Then I’ll fetch the script with wget to Paper:

Now I just run it:

It might not work every time, but running it repeatedly will eventually work. I’ll change user to the secnigma user with the password secnigmaftw (from the README.md on GitHub):

Now this user is in the wheel group:

This group allows members to run sudo. I’ll need the password again, but it works:
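From the defensive side, the thing to catch here is an account appearing in wheel that provisioning never created. As an added example (not from the writeup and not the exploit script it references), a small audit that parses a snapshot of /etc/passwd and /etc/group and compares it to a baseline. The baseline uses the writeup’s earlier observation that dwight and rocketchat are the only accounts above the system range; the uids and group lines in the sample snapshot are constructed, and the function names are my own.

```javascript
// Added example (not from the writeup or the exploit script it uses): an
// audit of /etc/passwd and /etc/group against a known-good baseline, which
// is the check that surfaces an account created and added to wheel outside
// normal provisioning.

// Baseline taken from the writeup: dwight and rocketchat are the only
// accounts above the system range, and no account is expected in wheel.
const BASELINE_USERS = new Set(["dwight", "rocketchat"]);
const BASELINE_WHEEL = new Set();
const UID_MIN_HUMAN = 1000; // system/service accounts sit below 1000
const UID_NOBODY = 65534;   // "nobody" on CentOS 8, not a human account

function parsePasswd(text) {
  return text
    .split("\n")
    .filter((l) => l && !l.startsWith("#"))
    .map((line) => {
      const [name, , uid, gid, , home, shell] = line.split(":");
      return { name, uid: Number(uid), gid: Number(gid), home, shell };
    });
}

function parseGroup(text) {
  const groups = {};
  for (const line of text.split("\n").filter((l) => l && !l.startsWith("#"))) {
    const [name, , gid, members = ""] = line.split(":");
    groups[name] = { gid: Number(gid), members: members.split(",").filter(Boolean) };
  }
  return groups;
}

// Returns human-readable findings; an empty list means the snapshot
// matches the baseline.
function auditAccounts(passwdText, groupText) {
  const findings = [];
  const users = parsePasswd(passwdText);
  const groups = parseGroup(groupText);
  const wheelGid = groups.wheel ? groups.wheel.gid : null;

  for (const u of users) {
    if (u.uid === 0 && u.name !== "root") {
      findings.push(`extra uid-0 account: ${u.name}`);
    }
    if (u.uid >= UID_MIN_HUMAN && u.uid !== UID_NOBODY && !BASELINE_USERS.has(u.name)) {
      findings.push(`unexpected account: ${u.name} (uid ${u.uid})`);
    }
    // A primary group of wheel does not show up in the wheel line of
    // /etc/group, so the gid column of /etc/passwd is checked as well.
    if (wheelGid !== null && u.gid === wheelGid && !BASELINE_WHEEL.has(u.name)) {
      findings.push(`wheel as primary group: ${u.name}`);
    }
  }
  const wheelMembers = groups.wheel ? groups.wheel.members : [];
  for (const m of wheelMembers) {
    if (!BASELINE_WHEEL.has(m)) findings.push(`wheel member not in baseline: ${m}`);
  }
  return findings;
}

// Constructed snapshot (uids, gids and home paths are made up for the example).
const SAMPLE_PASSWD = `root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
secnigma:x:1005:1005::/home/secnigma:/bin/bash`;

const SAMPLE_GROUP = `root:x:0:
wheel:x:10:secnigma
rocketchat:x:1001:
dwight:x:1004:
secnigma:x:1005:`;

console.log(auditAccounts(SAMPLE_PASSWD, SAMPLE_GROUP));
```

Run against a live host, the two snapshots would come from reading the two files on a schedule and diffing the findings. The actual mitigation is the patched polkit package; the audit only shortens the time an unexpected sudo-capable account goes unnoticed.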
