HackTheBox released the machine Paper. First, we find the open ports on this machine by port scanning with nmap --top-ports 20 10.10.11.143, and we see that the ssh, http, and https ports are open.

On port 80 we see a static HTTP Server Test Page.

On inspection, we can see the header X-Backend-Server: office.paper. We can assume that office.paper is a possible hidden hostname.

office.paper

We add the hidden hostname to /etc/hosts (sudo nano /etc/hosts) so that we can navigate to the website.

Going through the entries, we found that Nick commented on the “Feeling Alone” entry that a secret is kept in a draft.

Based on Wappalyzer, we noticed that this page is using WordPress 5.2.3.

We searched for any possible vulnerability related to viewing draft posts in WordPress and we found

Based on the PoC, we need to add ?static=1 to the URL.
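
From the defender's side, requests carrying the ?static=1 parameter described above can be spotted in the web server's access log. The following is an added example, not part of the original writeup; it assumes the Apache/nginx combined log format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (assumed log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_static_probes(lines):
    """Return one hit per request that carries the static=1 query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes names and values, so %73tatic=1 is caught too
        params = parse_qs(query, keep_blank_values=True)
        if "1" in params.get("static", []):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
            })
    return hits

# Constructed sample log lines (documentation IP ranges, not taken from the page).
SAMPLE = [
    '198.51.100.7 - - [01/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2022:10:00:09 +0000] "GET /?static=1 HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/Mar/2022:10:02:44 +0000] "GET /?s=static+1 HTTP/1.1" 200 4100 "-" "curl/7.79"',
    '203.0.113.20 - - [01/Mar/2022:10:03:10 +0000] "GET /?foo=bar&%73tatic=1 HTTP/1.1" 200 9321 "-" "curl/7.79"',
    '192.0.2.55 - - [01/Mar/2022:10:05:00 +0000] "GET /?static=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_static_probes(SAMPLE):
        # A 200 means the request was served; other statuses mean it was not.
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
```

Hits that returned status 200 are the ones to review first, since the page was actually served for those requests.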
