HTB Paper WIP writeup

This write-up fill focus on the Easy machine Paper currently on HackTheBox. I will be using ParrotSec OS for these write-ups.

1. Add Paper to our /etc/hosts file:

2. Start with our nmap scan (I also created a HTB directory where all my box information will reside) with output (-oN) going to our current directory:

80 and 443 are open. Likely hosting a webpage.

2. We will also curl to see any additional information:

X-Backend-Server is office.paper

3. Add the X-Backend-Server to /etc/hosts:

4. Visit the office.paper website:

Typical landing page

5. Wappalyzer and see what technologies are being used:

Wordpress can be vulnerable

6. Find if any WordPress 5.2.3 vulnerabilities exist. Found this website which has quite a few listed. we’ll start at the bottom

No go for the vuln with copy and paste

If we move the &order=asc we get this

7. From here we can add chat.office.paper to our /etc/hosts file

8. Follow the link from Step 6 (registration URL) and create an account

Registered for an account

9. We can click around and see one chat mention a bot called Recyclops. We DM it and it see it can list files

We can try to abuse this ability

10. See where we are in the file structure

We’re in /home/dwight/sales

11. See if we can go back a directory

Success. Let’s look at hubot

12. Look at the hubot directory and we see a .env file

Plaintext user and password

13. Remember port 22 is open from our initial nmap scan. Try to ssh as recyclops

No go

14. Remember we were in /home/dwight (Step 10) who housed the .env file which had the creds. Let’s try to ssh as dwight (it works, I promise).

15. Find user.txt

Success

16. Privilege escalation. See if we can host a Python web server to transfer linpeas script

Can’t wget, no route

17. Try netcat file transfer

No route

18. ??? Need to figure out something else