![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/paper-1.png?w=1024)
As always, we run nmap to see which ports are open and which services are running on those ports.
- -sC: run default nmap scripts
- -sV: enumerate service versions
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-19.26.11.png?w=1024)
The result shows that three ports are open.
- Port 22 is for the SSH service
- Ports 80 and 443 are for the HTTP service
We visit the HTTP service in the browser. A default test page welcomes us.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-19.27.37.png?w=1024)
We run nikto and find an uncommon header which contains “office.paper”.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-20.31.04.png?w=1024)
We add it into our hosts file.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-20.52.02.png?w=760)
Run a ffuf scan.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-20.52.16.png?w=1024)
Visit the page and start enumerating.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-20.52.54.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-16-at-20.54.46.png?w=1024)
Nick’s comment gives us a lead: we need to look into Michael’s account, especially his drafts.
Let’s run wpscan to find more information.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.14.02.png?w=1024)
The version is 5.2.3.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-13.07.19.png?w=1024)
Let’s google it to find any related vulnerability we can exploit.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.21.16.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.22.00.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.22.37.png?w=1024)
According to the post, we can leak the content by adding “?static=1” to the URL.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.23.58.png?w=1024)
We try it and successfully get some information disclosure.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.24.48.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.24.59.png?w=1024)
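From the defender's side, the same trick leaves a clear trace: successful requests whose query string carries `static=1`. The following is an added example, not part of the original write-up, that hunts for that pattern in web server access logs. It assumes the Apache/nginx combined log format (request path in field 7, status code in field 9); the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the write-up): find successful requests that use
# the "?static=1" query parameter, which on WordPress 5.2.3 returned
# draft/private posts to unauthenticated visitors.
# The log lines below are constructed; real logs come from access.log.

SAMPLE_LOG='10.10.14.5 - - [18/Jun/2022:11:24:48 +0000] "GET /?static=1 HTTP/1.1" 200 8193 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Jun/2022:11:24:59 +0000] "GET /?static=1&order=asc HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Jun/2022:11:25:03 +0000] "GET /index.php/2022/06/post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Jun/2022:11:25:10 +0000] "GET /wp-content/uploads/static=1.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Jun/2022:11:25:30 +0000] "GET /?static=1 HTTP/1.1" 404 210 "-" "curl/7.68.0"'

# Read combined-format log lines on stdin and print "ip path status" for
# every 2xx response whose query string contains static=1 as a standalone
# parameter. Assumes no vhost prefix, so the request path is field 7 and
# the status code is field 9.
find_static_draft_reads() {
  awk '
    {
      path = $7; status = $9
      q = index(path, "?")
      if (q == 0) next
      query = substr(path, q + 1)
      n = split(query, params, "&")
      for (i = 1; i <= n; i++) {
        if (params[i] == "static=1" && status ~ /^2/) {
          print $1, path, status
          break
        }
      }
    }'
}

# Number of suspicious requests in the constructed sample.
count_static_draft_reads() {
  printf '%s\n' "$SAMPLE_LOG" | find_static_draft_reads | wc -l | tr -d ' '
}

# Distinct client addresses behind those requests, one per line.
static_draft_sources() {
  printf '%s\n' "$SAMPLE_LOG" | find_static_draft_reads | awk '{ print $1 }' | sort -u
}
```

Run it against a live log with `find_static_draft_reads < /var/log/apache2/access.log`. Only 2xx responses are flagged because a 404 means the parameter was ignored, and `static=1` inside a file name (line 4 of the sample) is deliberately not matched, so the query string is split into parameters rather than grepped.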
Add the subdomain to the hosts file before navigating to it.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.28.23.png?w=1024)
We create an account and log in.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.29.27.png?w=1024)
So, there is a chatbot that we can interact with by giving it specific commands.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.31.21.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.35.14.png?w=1024)
Start chatting in a direct message.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.41.21.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.41.38.png?w=912)
Let’s mess things up a bit.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.42.14.png?w=962)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-11.42.22.png?w=910)
There is a local file inclusion vulnerability. We need to look around the filesystem to find interesting files.
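The root cause of a bug like this is a "give me file X" feature that trusts the requested path. The following added example, not code from the write-up or from the chat bot it describes, shows the hardened form: the request is resolved under an allowed base directory with symlinks followed, and anything that lands outside is refused. It assumes GNU coreutils `realpath` (for the `-m` flag) and builds its own throwaway fixture under `mktemp -d`.

```shell
#!/bin/sh
# Added example (not the bot's code): confine a user-supplied path to a
# base directory before reading it. Missing this check is what turns a
# file-lookup command into local file inclusion.

# Usage: confine_path BASE_DIR REQUESTED_PATH
# Prints the resolved absolute path and returns 0 when it stays inside
# BASE_DIR, 1 when it escapes, 2 on error.
confine_path() {
  base=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  # Resolve ".." segments and symlinks; -m tolerates a missing final
  # component (GNU coreutils realpath, assumed available).
  target=$(realpath -m -- "$base/$2" 2>/dev/null) || return 2
  case "$target" in
    "$base"/*) printf '%s\n' "$target"; return 0 ;;
    *) return 1 ;;
  esac
}

# The safe wrapper: only read the file when the confinement check passes.
serve_file() {
  if resolved=$(confine_path "$1" "$2"); then
    cat -- "$resolved"
  else
    echo "refused: '$2' escapes $1" >&2
    return 1
  fi
}

# Constructed fixture: a sandbox with one legitimate file and a symlink
# that points outside the sandbox, to show both escape routes are closed.
build_fixture() {
  dir=$(mktemp -d) || return 2
  mkdir -p "$dir/sales"
  printf 'Q2 numbers\n' > "$dir/sales/report.txt"
  ln -s /etc "$dir/sales/shortcut"
  printf '%s\n' "$dir/sales"
}
```

Two details matter. The prefix test runs on the fully resolved path, so `../` sequences and symlinks are both caught; comparing the raw string the user sent would miss the symlink. And because the request is always joined under `$base`, a leading `/` does not escape either, it simply resolves to a path inside the sandbox.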
After enumerating the system, we find some credentials in a .env file.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.08.05.png?w=1024)
Let’s ssh as user dwight.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.09.34.png?w=1024)
Perfect. We are in and get the user flag.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.09.50.png?w=1004)
Time to escalate our privileges to the root user. To do so, we need to enumerate the box to get further information. Download linpeas.sh.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.12.09.png?w=926)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.12.29.png?w=1024)
Give it execute permission and run the script.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.13.04.png?w=1014)
The script reveals that the system is vulnerable to CVE-2021-3560.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.23.54.png?w=626)
In other words, the vulnerability is a flaw in polkit (PolicyKit) that lets a local attacker bypass authorization and create a new privileged user.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.24.50.png?w=1024)
We will use a script written by secnigma that automates the exploitation.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.42.02.png?w=1024)
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.27.30.png?w=1024)
Download the script.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.28.21.png?w=1012)
Changing the username and password is optional, so we leave the defaults.
Run the script.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.29.28.png?w=1024)
We see that the execution is successful.
Switch to the secnigma user created by the Polkit exploit and run “sudo bash”, which gives us a root shell.
Finally, get the root flag.
![](https://atalaysblog.wordpress.com/wp-content/uploads/2022/06/screenshot-2022-06-18-at-12.33.37.png?w=1024)
Thank you for your time.