HackTheBox released the machine Paper. First, we find the open ports on this machine with a port scan, nmap --top-ports 20 10.10.11.143, and we see that the ssh, http, and https ports are open.
On port 80 we see a static HTTP Server Test Page.
Inspecting the response, we can see the header X-Backend-Server: office.paper. We can assume that office.paper is a possible hidden hostname.
We add the hidden hostname to /etc/hosts (sudo nano /etc/hosts) so that we can navigate to the website.
Going through the entries, we found that Nick commented on the “Feeling Alone” entry that a secret is kept in a draft.
According to Wappalyzer, this page is running WordPress 5.2.3.
We searched for any vulnerability that allows viewing draft posts in WordPress and we found
Based on the PoC, we need to add ?static=1 to the URL.
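One way a defender could spot this request in web server access logs, as an added example that is not part of the original writeup. The combined log format, the function name and the sample log lines are assumptions constructed for illustration, and the check flags any value of the static parameter, not only 1.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of a common/combined log format line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_static_requests(lines):
    """Return (ip, timestamp, target, status) for requests with a 'static' query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format, skip it
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes parameter names, so %73tatic=1 is caught too.
        params = parse_qs(query, keep_blank_values=True)
        # The PoC on this page uses static=1; any value is flagged here (assumption).
        if "static" in params:
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Mar/2022:10:00:09 +0000] "GET /?static=1 HTTP/1.1" 200 8231 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Mar/2022:10:02:30 +0000] "GET /?order=asc&%73tatic=1 HTTP/1.1" 200 8231 "-" "curl/7.79"',
    '192.0.2.51 - - [01/Mar/2022:10:03:00 +0000] "GET /wp-content/static=1.css HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [01/Mar/2022:10:03:05 +0000] "GET /?s=static+1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target, status in find_static_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

A path that merely contains "static=1" and a search for the words "static 1" are not flagged, because only the parsed query parameter name is checked.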