An outdated WordPress website allows us to discover private posts on a blog. One of these hidden posts links to a chat application, for which we can register a new account. In the group chat, there is an automated chatbot, which can retrieve files for us. Since this bot’s security features are easily tricked, we can retrieve this bot’s config files and retrieve a password. Using this, we can log into the system via SSH and gain a foothold.
The system itself suffers from a vulnerability, which allows any user on the system to create a new user with high privileges. After a few tries, we can create this user and therefore get root level access on the system.
nmap -sC -sV 10.10.11.143 -p- -oN nmap.txtStarting Nmap 7.95 ( https://nmap.org ) at 2025-02-24 10:20 CETNmap scan report for 10.10.11.143Host is up (0.19s latency).Not shown: 65532 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.0 (protocol 2.0)| ssh-hostkey:| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28| http-methods:|_ Potentially risky methods: TRACE|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9|_http-title: HTTP Server Test Page powered by CentOS443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9|_http-title: HTTP Server Test Page powered by CentOS|_ssl-date: TLS randomness does not represent time| http-methods:|_ Potentially risky methods: TRACE| tls-alpn:|_ http/1.1| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US| Subject Alternative Name: DNS:localhost.localdomain| Not valid before: 2021-07-03T08:52:34|_Not valid after: 2022-07-08T10:32:34
When we visit the website on either port 80 or 443, we can see a default Apache installation page.
After directory, DNS, and VHOST enumeration did not reveal any results, let’s manually check if we can detect any other resources on the system. If we use curl with its verbose output, we can see a header value with relevant information for us.
The header value X-Backend-Server: office.paper looks like a domain, meaning we should add it to our /etc/hosts file and visit it.
User Flag
The footer of this site informs us, that this is a WordPress site. We can enumerate this version with wpscan. In the scan’s result, we can detect, that this machine runs WordPress 5.2.3. After a little research, we can discover that this version can be tricked into revealing private user posts by appending ?static=1 to the URL. For more information, please refer to this excellent post about this vulnerability. If we enter http://office.paper/?static=1 in the search bar of our browser, we can see a reference to a different website: http://chat.office.paper/register/8qozr226AhkCHZdyY.
After adding this new domain to /etc/hosts, we can once again visit this site, which hosts a chat application over rocket.chat. Using the feature to register a new user, we get access to a group chat. As part of this group chat, there is a bot account, with which we can communicate in a private chat. The feature set allows us to retrieve and list files of the sales directory. However, after trying to retrieve different files, this command seems to be insecure. For example, we can use relative paths to retrieve files outside the intended directory, such as /etc/passwd by prompting the bot with file ../../../etc/passwd. The same goes for the command list.
Using our new access, we can dig through the files of the bot. In ../hubot/.env, we can find the following line.
PASSWORD = Queenofblad3s!23
A password is always a great opportunity to revisit the open SSH port. Due to the /etc/passwd file, we know that there are two users on the system: dwight and rocketchat. Using this password, we can get a foothold into the system as dwight and claim the user flag.
71c967a7fbf5a5902d620006c00e0154
Other Foothold Opportunity
If we request ../hubot/scripts/files.js from the bot, we can see an important comment
// Description:
// Runs a command on hubot
// TOTAL VIOLATION of any and all security!
//
// Commands:
// hubot run - runs a command on hubot host
We can execute any OS command by using the `run` feature, which allows us to also spawn a reverse shell for inital access over a [[Netcat]] listener.
Root Flag
Our compromised user account dwight does not have any unusual privileges. Basic enumeration also does not present a path for ordinary privilege escalation. However, after we transfer LinPEAS to the target by using a python http server, it detects a vulnerability.
CVE-2021-3560 refers to a vulnerability in polkit. There are some exploits out there, which use this vulnerability to create a new user account with high privileges. For this box, we will use this exploit, which automates this process. After transferring this file once again using the python http server, and giving the script execution permission by applying chmod +x poc.sh, we can exploit the target. In this case, the script will create the user test, which will be part of the wheelgroup. By default, this group is allowed to execute anything with root permissions. This exploit will take multiple tries. Once it was successful, we can switch to the newly created account.
Since this account has the same permissions as root, we can claim the root flag.
