The Idea Behind Paper

Prelude

It was a usual morning for me. I'd had my coffee and I was sitting in front of my computer, still recovering from my sleep. Usually it would be time for me to select a box from Hack The Box and spend the rest of my day understanding, taking notes, getting defeated, getting frustrated, and finally defeating the box.

From the first time I watched an IppSec video, I've had this itch in my brain to just go ahead and create a box.

At first, I could easily ignore it because I was a total beginner with no real experience with hacking. But it had been more than 3 years, on and off, since I'd begun, and at the very least I knew how to perform basic enumeration.

As the number of root owns grew, that urge was just getting more and more annoying, and the last straw came from reddit last night.

I had been thinking to myself for months that if I created a box, the root part should be a somewhat recent vulnerability, one that could be exploited with or without a script. And last night I got news from reddit that a vulnerability in Polkit had been disclosed and the author had released a PoC for it. I checked the blog and it was a simple, yet cool, vulnerability.

So there was no excuse for me to back off now, and I got a rush of adrenaline in the middle of the night to go ahead and create this box.

I was always like this. I needed random motivation like this for me to keep working.

So I decided to take a break from my CTF routine and began developing the box.

Part #1 Making an automated version of the exploit

The exploit I found was CVE-2021-3560, a privilege escalation vulnerability in Polkit which affected CentOS, Fedora and Ubuntu distros. This was before the pwnkit era and I was very excited about this vulnerability.

This vulnerability is a race condition in the Polkit service, which can be exploited manually, without any script.

The original research article had a PoC for that, but it required some timing calculations by hand. So I decided to create a script to automate the process.

So I spent some time creating the script, and just as I was about to submit my exploit script to Exploit-DB, I found that an exploit script had already been published there.

Sure, I was a little sad. But the exploit development was a great learning experience for me and I enjoyed every bit of it! I would suggest that fellow newbies like me try to re-write an exploit script for a vulnerability of their choice.

Now, since there was already an exploit script available on Exploit-DB, I published my version of the exploit on GitHub and decided to move on to creating the actual box.

Part #2 Choosing the Right distro

For me this was actually one of the most difficult parts in creating the VM.

At first, I decided to go with Ubuntu, as I'm pretty comfortable working with Debian-based distros. However, that decision cost me several wasted hours, which I'll explain in a minute.

I had two options to start with.

  • Download a VM image from the internet and modify it according to my liking
  • Start from scratch and create a new VM using an ISO

Of course, I didn't want to waste too much time tinkering with VM settings. So I chose Method #1.

But that's not the right method to go with when creating HTB machines.

OSBoxes images have their maximum storage size set to more than 10GB, and it is a pain to shrink a virtual disk after it has been expanded. So the better option is to create a VM with a 10GB disk and install the OS from an ISO.

I downloaded a pre-built VM image from osboxes.org.

Then I tested the VM with the Polkit privesc scripts and it worked like a charm.

Being happy with the result, I moved on to the user part and finished configuring everything. Once everything was configured, I decided to test the privesc once again, just to be sure.

That’s where the trouble began. The privesc wasn’t working. At all!

I thought something had changed in the background while I was configuring the user part of the box or Ubuntu had updated in the background, thereby patching the vulnerability.

So I spawned another instance of the same OSBoxes image I had downloaded, disabled updates, tested the privesc script to make sure that everything was working, and configured everything from scratch again.

After everything had been carefully configured, I tested the privesc once again and, just like before, the privesc didn't work!

I was losing my patience. This meant that Ubuntu had silently updated in the background, even after I had disabled automatic updates. Although it was great for security, this was a nightmare experience for me!

That's the point where I decided to go with CentOS, and CentOS was a good boi, in every way!

I created a new VM with a 10GB disk (the HTB size limit for Linux machines), installed CentOS from an ISO image, and disabled automatic updates in CentOS.

And CentOS did just what I told him to do!

Then I started configuring the user part of the box, hopefully for the last time.

Part #3 The Idea behind the User part

My idea was simple (kinda)

There should be some sort of human-like interaction element, and there should be some interesting real-life element to teach the player. So this machine could be a mixture of both real-life and CTF elements.

There was also an idea to bring in social engineering elements, but since it could take too much time and I was not entirely sure about the idea, I dropped it for now. I might revisit this idea later.

To teach the player about a real-life element, I decided to include a specific header: X-Backend-Server, a custom server header from the X- header family (the X- prefix means that the header is a custom, non-standard one).

Headers like X-Backend-Server are a real-life aspect of bug hunting, and they could potentially reveal hidden backend systems.

Now for the interaction part, I looked at open-source chat systems and found RocketChat. It was the perfect one for my use case: extensible and simple to use.

Once RocketChat was set up, I noticed that the RocketChat menu looked dull. So I brainstormed about things that could spice it up a little, and suddenly it clicked.

What if I could see the chat transcript of some of my favourite characters?

And that’s how the Office theme came in!

Full disclosure: I spent way more time theming the machine around The Office than working on the actual part.

It was hard, but in the end I was satisfied!

Some pitfalls of the machine

The recyclops bot had an RCE vulnerability that I overlooked. For listing files, I used a wrapper script to execute code.

Path: /home/dwight/hubot/scripts/run.js

I tried my best to lock down the code execution capabilities to just viewing the user.txt file.

And I was successful in that. But there was another vulnerability: anyone who enumerated the name of the wrapper script could execute code on the machine by calling the wrapper script's name.

For example, a user could execute code by using the following command.

run <command>

I know at least one person who got user this way.

Kudos to HTB user new2u for this find!

This was a pretty obvious vulnerability and I feel pretty happy that someone found this!

Another issue with the machine was that the HTB staff had made some changes to the root part to make the machine more stable. They used a cleanup script that restores /etc/passwd every 2 minutes to keep the machine exploitable for all users.

Though the intention was good, 2 minutes is far too little time for exploitation in my opinion. I got many messages from people who were struggling to log in to the machine as the newly created user.

The players would often find the newly created user getting deleted before they could even enter the password.

If you ask me, I'd say that the number should have been at least 5 minutes, which would give the player ample time to win the race condition and log in as the new user.

Another small issue I found was that I had intended the drafts to reveal the registration code for RocketChat without revealing the full URL, something like the following, so that the players would need to find RocketChat by subdomain enumeration.

# Secret Registration URL of new Employee chat system

<Internal-chat-application-URL>/register/8qozr226AhkCHZdyY

But the HTB staff had changed it to the full URL of RocketChat.

Not a huge issue, and I'm nitpicking here, but I just wanted to let you know what the initial design of the user part was supposed to be.

Easter Egg Time!

Below are the easter eggs I included in the machine.

1. Actual transcript of Creedblogs

2. Michael’s promotion picture and his famous quotes

3. Nick is the name of the 8th system admin of Dunder Mifflin

4. The usernames and DP of RocketChat users

5. DunMiff/Sys is the computer, who just became self aware

6. Identity theft is not a joke, guys!

7. A Hidden easter egg!

Postlude

And that was my whole thought process behind creating the Paper machine!

I'm really glad you guys liked the machine despite the initial mishap at the machine's release.

I would like to personally thank each and every one of the guys who solved the box, the ones who appreciated me, the ones who criticized me, the ones who enjoyed solving the machine and the ones who left a review for the box!

Never in my dreams would I have expected such a response to my machine, and I feel really happy reading all of your responses.

I really hope I can continue being a part of such an amazing infosec community with more and more contributions, greater than this one.

Peace out! ✌️
