HTB: MetaTwo

zeroc00l143
5 min read · Jan 29, 2023


Our box here is MetaTwo; let's find out what vulnerabilities we can use to root it.

As a rule of thumb, let's start with a port scan of the box to find any open ports we can use to get low-level access to the machine.

While the port scan was running, I checked the website to see what's there.

We can see that it is built on WordPress and uses PHP and C. It seems the site has a booking system used to set appointments for events.

So I made a test booking and intercepted it with Burp Suite to see what we can find.

I also ran wpscan in the background while looking around.

Found a robots.txt, which may be useful for getting at least low-level access to the machine.

After some googling, I found that BookingPress is vulnerable to unauthenticated SQL injection. Reference: https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -' -x http://127.0.0.1:8080

We use the above payload in the terminal first, with Burp Suite running as the proxy (the -x option), and adjust the payload afterwards as needed.
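To show why the total_service parameter is injectable and what the fix looks like, here is an added example (not code from the original post or from the BookingPress plugin). It uses an in-memory SQLite database with a constructed services/users schema and a constructed query shape that mirrors the page's payload: an attacker-controlled ID list dropped inside the parentheses of a NOT IN clause. The vulnerable handler concatenates the value into the SQL string; the hardened one validates it as a list of integers and binds each one as a parameter, so the page's `-7502) UNION ALL SELECT ...-- -` shape is rejected before it ever reaches the database.

```python
import sqlite3

# Constructed schema standing in for a booking plugin's tables (assumption, not the plugin's real schema).
SCHEMA = """
CREATE TABLE services (id INTEGER, category_id INTEGER, name TEXT, price REAL);
CREATE TABLE users (user_login TEXT, user_pass TEXT);
INSERT INTO services VALUES (1, 33, 'Consultation', 50.0), (2, 33, 'Workshop', 120.0), (3, 7, 'Other', 10.0);
INSERT INTO users VALUES ('manager', '$P$constructed-hash-placeholder');
"""

# Same shape as the page's payload, trimmed to 4 columns to match the toy services table.
INJECTED_TOTAL_SERVICE = "-7502) UNION ALL SELECT user_login, user_pass, 1, 2 FROM users-- -"


def connect():
    """Fresh in-memory database seeded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def get_category_services_vulnerable(con, category_id, total_service):
    """Flawed pattern: the raw request value is pasted into the SQL string."""
    sql = (
        f"SELECT id, category_id, name, price FROM services "
        f"WHERE category_id = {int(category_id)} AND id NOT IN ({total_service})"
    )
    return con.execute(sql).fetchall()


def get_category_services_hardened(con, category_id, total_service):
    """Fixed pattern: validate the value as a comma-separated integer list and bind every item."""
    ids = [int(x) for x in str(total_service).split(",")]  # raises ValueError on anything else
    placeholders = ",".join("?" * len(ids))
    sql = (
        f"SELECT id, category_id, name, price FROM services "
        f"WHERE category_id = ? AND id NOT IN ({placeholders})"
    )
    return con.execute(sql, [int(category_id), *ids]).fetchall()


def demo():
    """Run both handlers against the benign value and the injected value."""
    con = connect()
    result = {
        "vulnerable_benign": get_category_services_vulnerable(con, 33, "2"),
        "vulnerable_injected": get_category_services_vulnerable(con, 33, INJECTED_TOTAL_SERVICE),
        "hardened_benign": get_category_services_hardened(con, 33, "2"),
    }
    try:
        get_category_services_hardened(con, 33, INJECTED_TOTAL_SERVICE)
        result["hardened_injected"] = "accepted (should not happen)"
    except ValueError as exc:
        result["hardened_injected"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable handler returns the two real services plus a row that came from the users table; the hardened one returns only services for the benign input and refuses the injected string outright. In WordPress the equivalent of the bound-parameter version is `$wpdb->prepare()` with `%d` placeholders for every ID.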

Now we save this POST request to a file named admin.req and use it with sqlmap to dump the server's database.

$ sqlmap -r admin.req -p total_service --dbs

Now let's list the tables in the blog database:

$ sqlmap -r admin.req -p total_service -D blog --tables

Lastly, we dump the wp_users table:

$ sqlmap -r admin.req -p total_service -D blog -T wp_users --dump
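From the defender's side, the three sqlmap runs above look like a burst of POSTs to /wp-admin/admin-ajax.php from one client. Here is an added example of detection logic over access logs (not from the original post, and the log lines are constructed, not captured from the box). It flags sqlmap's default User-Agent and, independently, any client that sends five or more admin-ajax POSTs within a sliding 60-second window, so a changed User-Agent still trips the rate rule. The combined log format records only the size of a POST body, not its content, which is why the rules key on the user agent and request rate rather than on the UNION payload itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format (nginx/Apache) access log line; the POST body is not logged, only its byte count.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six rapid admin-ajax POSTs from 10.10.14.5 with a browser-like UA,
# one request from 10.10.14.7 with sqlmap's default UA, and two ordinary requests from 10.10.14.9.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Jan/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.5 - - [29/Jan/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.7 - - [29/Jan/2023:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 640 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
10.10.14.5 - - [29/Jan/2023:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.9 - - [29/Jan/2023:10:00:04 +0000] "GET /blog/ HTTP/1.1" 200 14310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0.0.0"
10.10.14.5 - - [29/Jan/2023:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.5 - - [29/Jan/2023:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.5 - - [29/Jan/2023:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
10.10.14.9 - - [29/Jan/2023:10:00:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "http://metapress.htb/events/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0.0.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


def detect(lines, burst_threshold=5, window_seconds=60):
    """Emit alerts for sqlmap's UA and for admin-ajax POST bursts per source IP."""
    alerts = []
    recent = defaultdict(list)   # ip -> timestamps of admin-ajax POSTs inside the window
    burst_reported = set()       # report each bursting IP once
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if "sqlmap" in r["ua"].lower():
            alerts.append({"rule": "user_agent", "ip": r["ip"], "ua": r["ua"]})
        if r["method"] == "POST" and r["path"].startswith("/wp-admin/admin-ajax.php"):
            window = recent[r["ip"]]
            window.append(r["ts"])
            cutoff = r["ts"] - timedelta(seconds=window_seconds)
            window[:] = [t for t in window if t >= cutoff]
            if len(window) >= burst_threshold and r["ip"] not in burst_reported:
                burst_reported.add(r["ip"])
                alerts.append({"rule": "burst", "ip": r["ip"], "count": len(window)})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this yields two alerts: a user_agent hit for 10.10.14.7 and a burst hit for 10.10.14.5 on its fifth POST; the two requests from 10.10.14.9 stay quiet. Inspecting the payload itself needs request-body logging or a WAF in front of admin-ajax.php.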

We can put these hashes into a file and crack them using john.

Now we have a username and password that we can use to log in to the WordPress admin page.

And we are logged in as manager with the password recovered from the hash.

After some digging on Google, I found that WordPress 5.6.2 is vulnerable to XXE via media library upload. Reference: https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/

First we create our payload as a WAV file, following the reference above.

Then we create the DTD file that defines the entities we want to inject.

And lastly we run our web server with PHP.

Afterwards we upload our payload and retrieve the encoded data we want.

We can see that there is a jnelson user in /etc/passwd. Now let's edit our DTD file to read the machine's nginx configuration, which shows that the WordPress install (and its wp-config.php) is at /var/www/metapress/blog. Now let's read the config file and see what we can get.
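The XXE above works because the media upload path parses XML embedded in a WAV file's iXML chunk. As an added example (not from the original post or from WordPress), here is an upload-side gate that walks the RIFF chunk list of a WAV file and rejects it when the iXML chunk carries a DOCTYPE or ENTITY declaration, which legitimate iXML metadata never needs. The sample files are built inline with a constructed helper; the flagged one uses only a harmless internal entity, since the point is the rejection of any DTD, not the payload.

```python
import re
import struct

# Any DTD or entity declaration inside metadata XML is grounds for rejection.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _chunk(cid, payload):
    """One RIFF chunk: 4-byte id, little-endian length, data, pad byte if odd."""
    return cid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) % 2 else b"")


def build_wav(ixml=None):
    """Constructed minimal PCM WAV (fmt + empty data), optionally with an iXML metadata chunk."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    chunks = _chunk(b"fmt ", fmt) + _chunk(b"data", b"")
    if ixml is not None:
        chunks += _chunk(b"iXML", ixml.encode("utf-8"))
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WAVE" + chunks


def iter_chunks(data):
    """Yield (chunk_id, payload) pairs; raise ValueError on a malformed container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated chunk %r" % cid)
        yield cid, payload
        pos += 8 + size + (size % 2)


def check_upload(data):
    """Return (accepted, reason) for a candidate WAV upload."""
    try:
        for cid, payload in iter_chunks(data):
            if cid == b"iXML" and DTD_RE.search(payload):
                return False, "iXML chunk declares a DTD or entity"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed samples: ordinary iXML metadata, and metadata carrying an internal entity declaration.
BENIGN_IXML = '<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'
DTD_IXML = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY marker "constructed">]><r>&marker;</r>'

if __name__ == "__main__":
    for label, blob in [("plain", build_wav()), ("benign iXML", build_wav(BENIGN_IXML)),
                        ("iXML with DTD", build_wav(DTD_IXML)), ("not a wav", b"hello")]:
        print(label, "->", check_upload(blob))
```

A check like this belongs in an upload filter alongside, not instead of, patching: it is cheap, needs no XML parser, and rejects the whole class of DTD-bearing metadata rather than one known payload.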

We found an FTP username and password, so let's try logging in with them and see what we can get.

We found a send_email.php file on the FTP server; let's look at its contents.

We found the username and password for jnelson! Let's try them over SSH and check whether we get low-level access.

And there we have it: we got the user.txt file. Our next stop is privilege escalation on the machine. Checking jnelson's home directory, I found something interesting: a .passpie folder. Passpie is a command-line password manager for Linux.

So I copied the contents of .keys and root.pass into text files on my attacker machine. Let's try cracking the key with john. I copied only the private PGP key block from the .keys file and started cracking it with john.

And we got a password, so let's use it to reveal the passwords stored in passpie.

Awesome! We have the root password now. Let's use su and get root.txt.
