
# Paper

**Date**: 21/05/2022

**Difficulty**: EASY

**CTF**: <https://app.hackthebox.com/machines/Paper>

***

First things first, let’s test the connection with the target machine:

<figure><img src="/files/heZ7W2D4Iyn3LiVUp1pa" alt=""><figcaption></figcaption></figure>

The TTL value of 63 suggests the target is a Linux machine (Linux defaults to 64, and one router hop takes one off).

Let’s launch an nmap scan to discover the open TCP ports:

<figure><img src="/files/fzNTL8F7hkx5x6Z4P3yz" alt=""><figcaption></figcaption></figure>

There are 3 ports open: 22 (ssh), 80 (http), 443 (https).

<figure><img src="/files/X3fEosH78Butw023B8uo" alt=""><figcaption></figcaption></figure>

Let’s see what is hosted on the HTTP and HTTPS ports:

<figure><img src="/files/29DBw13qwRpXDoZ1KTye" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rgaodOFeVBSischQdvaU" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/A5GU7FnPDtWvFRXHSPAN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oK6wyrE3lBYOI0qA38de" alt=""><figcaption></figcaption></figure>

It seems to be the same page.

<figure><img src="/files/7peUYJWgVxRQGKBzKjC1" alt=""><figcaption></figcaption></figure>

Wappalyzer confirms the versions of Apache and OpenSSL. I’m going to check whether either of these services has a vulnerability I can use:

<figure><img src="/files/Gb3T5xnzWSSUJLYp7X3A" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OyhZMvTAwTts4UdcV4ey" alt=""><figcaption></figcaption></figure>

Apparently not… Let’s enumerate the directories using wfuzz:

`wfuzz -c --hc 404,403 -L -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.11.143/FUZZ`
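From the other side of the wire, a wordlist run like the one above is easy to spot: one client producing a burst of 403/404 responses across many distinct paths in a few seconds. The following is an added example (not part of the original write-up) that parses Apache combined-format access log lines and flags any client exceeding a threshold of misses inside a sliding time window; the log lines, client addresses (TEST-NET range) and threshold are constructed for the demo.

```python
"""Spot directory brute-forcing in Apache access logs.

Added example, not part of the original write-up: a wordlist scan produces a
burst of 403/404 responses from one client across many distinct paths. This
flags any client whose 403/404 count inside a sliding window exceeds a
threshold. All log lines below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def find_scanners(lines, window_seconds=60, threshold=20):
    """Map client IP -> stats for clients with >= threshold misses in any window."""
    misses = defaultdict(list)          # ip -> [(timestamp, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            # Advance j to the first event outside the window that starts at i.
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = {
                    "misses_in_window": j - i,
                    "distinct_paths": len({p for _, p in events[i:j]}),
                    "window_start": events[i][0].isoformat(),
                }
                break                   # one hit per client is enough
    return flagged


def sample_log():
    """Constructed log: one wordlist scanner and one ordinary visitor."""
    base = datetime(2022, 5, 21, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"

    def line(ip, ts, path, status):
        return f'{ip} - - [{ts.strftime(fmt)}] "GET {path} HTTP/1.1" {status} 196 "-" "Mozilla/5.0"'

    lines = []
    for n in range(25):                 # 25 guesses in ~8 seconds, every one a 404
        lines.append(line("192.0.2.10", base + timedelta(seconds=n // 3), f"/guess{n}", 404))
    lines.append(line("192.0.2.20", base, "/", 200))
    lines.append(line("192.0.2.20", base + timedelta(seconds=5), "/favicon.ico", 404))
    lines.append(line("192.0.2.20", base + timedelta(seconds=9), "/manual", 403))
    lines.append("this line is not an access-log record")
    return lines


if __name__ == "__main__":
    for ip, stats in find_scanners(sample_log()).items():
        print(ip, stats)
```

The distinct-path count is what separates a scanner from a buggy client hammering one missing resource, so in practice alert on both numbers rather than the miss count alone.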

<figure><img src="/files/UZucn0Bj7C1haOTfGMTw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aKKgcBVCzn77vpdWMWdX" alt=""><figcaption></figcaption></figure>

Looks like a standard page…

OK, no clues. Let’s go back and review what we have found so far…

Taking a look at the whatweb response, there is something that looks like a domain: `office.paper`. Let’s add it to the /etc/hosts file and open it in the web browser:

<figure><img src="/files/2xNOajDCy9AXGgRViswN" alt=""><figcaption></figcaption></figure>

Yeah, there is a website here!

<figure><img src="/files/xHQ7ZHfor7aEw1CMWHQO" alt=""><figcaption></figcaption></figure>

This site is running WordPress 5.2.3.

Let’s take a look at the page content…

<figure><img src="/files/mEvHj7HsvVDCfzOh1GxS" alt=""><figcaption></figcaption></figure>

The post says that the only user on the blog is `Prisonmike`, but another user (`nick`) replied that there is secret information in the blog drafts. If we gain access to the administration panel we should take a look at the drafts.

There is nothing interesting in the other two posts available, but we can find two more posts by clicking the `Search` button:

<figure><img src="/files/CC0XaZi4CmvORIL5xaeD" alt=""><figcaption></figcaption></figure>

A simple test post and another one from Nick reminding him not to write secrets in the drafts.

We didn’t find anything that could be a password for the Prisonmike user, so let’s try to log in with default credentials:

<figure><img src="/files/NnQtUf22cA93gKuRnu69" alt=""><figcaption></figcaption></figure>

`admin` is not a valid user, but `prisonmike` is. We still don’t know the password, though.

<figure><img src="/files/2exM3aJKXxFIxCeEiItt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BgxDM7IuoRapa0SFc9Yn" alt=""><figcaption></figcaption></figure>

Using searchsploit I found an exploit that seems capable of viewing unpublished posts without authentication…

<figure><img src="/files/zpapnX0E5II0AEQPSzQ3" alt=""><figcaption></figcaption></figure>

Let’s try it!

<figure><img src="/files/BPsAsiWcXJnOHzX9Dfbw" alt=""><figcaption></figcaption></figure>

So, yeah, we have access to the draft posts’ contents… There is one with a “secret” URL that seems interesting… Let’s add `chat.office.paper` to the /etc/hosts file and visit it with the web browser:

<figure><img src="/files/pNpRKvsV2xg5bTCtUyBw" alt=""><figcaption></figcaption></figure>

It is a registration page, let’s register a new user:

<figure><img src="/files/XBJAxNFyTps9RBT0BcvK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NTXfIADxXAnwyUV1HD7h" alt=""><figcaption></figcaption></figure>

I automatically get invited to a chat:

<figure><img src="/files/RsZtsNZPQJtbdItmDA7n" alt=""><figcaption></figcaption></figure>

Let’s take a look at the chat messages:

<figure><img src="/files/oKUXfWmjirqznEPqgxoo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9MUL5dMk6uPxmuNn00EG" alt=""><figcaption></figcaption></figure>

So, let’s open a private chat with Recyclops and see if we can enumerate something:

<figure><img src="/files/e1ib3yYCfRId7NHP9igI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vQyuTcfxQQKtat3Xk79f" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Zo19GOwNQtVXkk0zvjhq" alt=""><figcaption></figcaption></figure>

Let’s see if it’s vulnerable to path traversal:

<figure><img src="/files/lxnlxCObr42PWahVdGSn" alt=""><figcaption></figcaption></figure>

Yep, it is… and we should be able to read the user flag this way:

<figure><img src="/files/czNMPDcrFoDYzXEIGOB9" alt=""><figcaption></figcaption></figure>
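The traversal that the bot’s file command allows is the usual consequence of joining a user-supplied name onto a base directory and never checking where the result actually lands. The following is an added example (not the Recyclops bot’s code, whose implementation is not shown on this page) contrasting the naive join with a containment check based on `os.path.realpath`, which collapses `..`, discards nothing silently, and follows symlinks, so a link planted inside the sandbox pointing outside is rejected too. The sandbox directory, its files and the symlink are constructed in a temporary directory for the demo.

```python
"""Containment check for a "read this file for me" command.

Added example, not the Recyclops bot's code: a bot that turns a user-supplied
name into a path under a fixed directory must verify that the resolved path is
still inside that directory, otherwise "../" walks out of it. The sandbox and
its contents are constructed in a temp dir.
"""
import os
import tempfile


def unsafe_resolve(base, requested):
    """Vulnerable: join and go. Neither '..' nor an absolute path is rejected,
    and a string-prefix check on the joined path still passes for '../' input."""
    return os.path.join(base, requested)


def safe_resolve(base, requested):
    """Return the canonical path only if it stays inside `base`, else raise ValueError.

    realpath() collapses '..' and follows symlinks, so a link planted inside
    the sandbox that points outside is rejected as well.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes sandbox: {requested!r}")
    return candidate


def read_sandboxed(base, requested):
    """Hardened equivalent of a bot 'file' command."""
    with open(safe_resolve(base, requested), encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Run both resolvers over constructed requests.

    Returns {request: (naive_prefix_check_passes, hardened_verdict)} plus the
    content read through the hardened path under key "content".
    """
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        with open(os.path.join(sandbox, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello from the sandbox\n")
        # A file outside the sandbox, and a symlink inside it pointing there.
        outside = tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt")
        outside.write("outside the sandbox\n")
        outside.close()
        os.symlink(outside.name, os.path.join(sandbox, "link"))
        try:
            for req in ("notes.txt", "../../etc/passwd", "/etc/passwd", "link"):
                naive_ok = unsafe_resolve(sandbox, req).startswith(sandbox)
                try:
                    safe_resolve(sandbox, req)
                    verdict = "allowed"
                except ValueError:
                    verdict = "blocked"
                results[req] = (naive_ok, verdict)
            results["content"] = read_sandboxed(sandbox, "notes.txt").strip()
        finally:
            os.unlink(outside.name)
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r}: {outcome}")
```

Two details matter here: `os.path.join` throws the base away entirely when the requested path is absolute, and a `startswith(base)` check on the joined string is satisfied by `base/../../etc/passwd`, which is exactly why the check has to run on the canonicalised result.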

Not that easy… yep, it is only readable by the owner… Will there be an SSH key?

<figure><img src="/files/DKzVCgn4yU1bNkBzHQ52" alt=""><figcaption></figcaption></figure>

Nope… but the `.hubot_history` file sounds interesting:

<figure><img src="/files/JKeXwqUlb6yBWNBl8K9v" alt=""><figcaption></figcaption></figure>

There is a connect command? I tried to use it, but it doesn’t seem to work.

<figure><img src="/files/ZnMKnLRdHRIKdVh2pFE9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/i9rRJkIyxNoJ5bcrEAj0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/N43E56RBvnJNnCob40qp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jqGq7Va0R7nBLomyL9rv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/00rsuANfesE9yGTDQxnX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/KhXKUfbl9yinjF6gSkXi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/s5XgilczYPWdUahhhCpL" alt=""><figcaption></figcaption></figure>

Woah, we found credentials: `recyclops:Queenofblad3s!23`
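A password sitting in a history file is the classic leak of a secret typed on a command line and never cleaned up. The following is an added example (not part of the original write-up) of a small scanner a defender can run over shell or bot history files to surface such entries with the secret masked; it recognises three common shapes (`NAME_PASSWORD=value` and `--password=value`, `scheme://user:secret@host`, and `-u user:secret`). The sample history and every value in it are constructed placeholders, not the machine’s real contents.

```python
"""Flag credential-looking entries in a shell or bot history file.

Added example, not part of the original write-up. Scans lines for a few
common credential shapes and reports them with the secret masked so the
report itself does not become a second leak. SAMPLE_HISTORY is constructed;
none of its values are real.
"""
import re

# (kind, regex); the LAST capture group of each regex is the secret.
PATTERNS = [
    # VAR_PASSWORD=..., --password=..., api_key = "..."
    ("key_value", re.compile(
        r'\b([A-Z0-9_]*(?:PASS(?:WORD|WD)?|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*)\s*=\s*["\']?([^\s"\']+)',
        re.IGNORECASE)),
    # scheme://user:secret@host
    ("url_userinfo", re.compile(r'[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@', re.IGNORECASE)),
    # curl -u user:secret
    ("basic_auth_flag", re.compile(r'(?:^|\s)(?:-u|--user)\s+([^\s:]+):(\S+)')),
]


def mask(secret):
    """Keep two characters at each end so a finding can be traced to its source."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_history(lines):
    """Return one finding per matching line: {line, kind, name, masked}."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({
                    "line": number,
                    "kind": kind,
                    "name": m.group(1),
                    "masked": mask(m.group(m.lastindex)),
                })
                break                   # one finding per line is enough for triage
    return findings


def scan_file(path):
    """Convenience wrapper for a real history file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(line.rstrip("\n") for line in fh)


SAMPLE_HISTORY = [                      # constructed; all values are placeholders
    "cd /home/example/hubot",
    "export ROCKETCHAT_URL=http://127.0.0.1:8080",
    "export ROCKETCHAT_PASSWORD=Example-Pa55word!",
    "bin/hubot -a rocketchat",
    "curl -u recyclops:Example-Pa55word! http://127.0.0.1:8080/api/v1/me",
    "git clone https://deploy:ghp_EXAMPLETOKEN123@git.example.org/org/repo.git",
    "ls -la",
    "mysql --password=Example-Db-Pass -e 'show databases'",
]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}  {f['kind']:<16} {f['name']} -> {f['masked']}")
```

Run it against `~/.bash_history`, a bot’s history file or CI logs with `scan_file(path)`; the second finding in the sample also shows why the same password appearing beside two different service names is worth a follow-up, since it hints at the credential reuse that matters later on this box.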

Let’s see if we can log in as recyclops in the chat:

<figure><img src="/files/V8qaMCbuA9IdD9hvRUYL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/C3ezU8eewEQlVU6p7XJq" alt=""><figcaption></figcaption></figure>

Nope, we can’t… Recyclops is a bot made by Dwight… Could he be reusing credentials? Let’s check via SSH:

<figure><img src="/files/NDFQ71MaqjuGCTUQbmhA" alt=""><figcaption></figcaption></figure>

Yeah!

<figure><img src="/files/afBZxGhvjRYSajReCq2M" alt=""><figcaption></figcaption></figure>

## Escalation

`i.sh`

<figure><img src="/files/m06ssCCnNG4AXmH0TLJn" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tnb9QwFc7AkUfpk450Co" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fugaX9KaK1s9h4HdMNLZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7BHLOyRFuOr0sA75W25x" alt=""><figcaption></figcaption></figure>

