Metatwo

1. Initial recon

1.1. nmap

nmap -sC -sV 10.10.11.186

PORT   STATE SERVICE VERSION
21/tcp open  ftp?
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
|   256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
|_  256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2. nikto

nikto -host 10.10.11.186

1.3. website recon

We can see at the bottom of the page "Proudly powered by WordPress" so let's run wpscan

1.3.1. wpscan

wpscan --url metapress.htb -e u,vp --api-token API_TOKEN --plugins-detection mixed

2. user.txt

2.1. Exploiting WordPress

2.1.1. BookingPress SQLi

The first WordPress exploit is the SQL injection found in the plugin BookingPress.

Feel free to read the detailed proof of concept on WPScan for this vulnerability. From this PoC we can construct the following payload

by adding in the -x http://127.0.0.1:8080 we are able to capture this request using BurpSuite Intercept. From BurpSuite we are able to save the request to a file req.txt so that it can be used with sqlmap

2.1.1.1. SQLmap

First we'll use SQLmap to enumerate the databases: sqlmap -r req.txt -p total_service --dbs

next we'll use it to find the tables in those databases: sqlmap -r req.txt -p total_service -D blog --tables

and finally the information in those tables: sqlmap -r req.txt -p total_service -D blog -T wp_users --dump

Now we've got the hashes for the admin and manager passwords, so let's crack these.

2.1.1.2. johntheripper

Let's place the two hashes into a file called hash.txt

Then run johntheripper: john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

John is able to crack the manager's password hash as partylikearockstar so let's login at http://metapress.htb/wp-admin/

2.1.2. Authenticated XXE Within the Media Library

From our WPScan results we know there is another vulnerability within the media library. The detailed proof of concept for this vulnerability is available on WPScan to read.

Following the process on WPSec we will be able to construct our payloads.

Our evil.dtd will be

and we will use the following command to generate our payload.wav

We can use python3 -m http.server to host our evil.dtd

On the WordPress admin panel, navigate to the Media Library and upload your payload.wav, in the terminal where you have your http server running you will see some output. Decode this output using base64

The decoded output is the wp-config.php file that we specified in evil.dtd, in this file we will find credentials for the ftp server

let's use the command ftp [email protected] with the password.

in /mailer/send_email.php we can find some more credentails

now let's use these to ssh into the machine

user.txt can be found at /home/jnelson

3. root.txt

3.1. passpie

a simple ls -la in /home/jnelson reveals a .passpie directory. from there we can find /home/jnelson/.passpie/.keys

copy the PGP private key to a file on your system

then we can use johntheripper again to crack this key

3.2. gpg2john

Using the command gpg2john keys > pgphash, where keys is the pgp private key, we can convert the key to a hash that johntheripper can crack.

for johntheripper to crack the pgphash we use the command john pgphash --wordlist=/usr/share/wordlists/rockyou.txt which reveals the passphrase to be blink182

back in the ssh terminal run the commands

which will reveal the root password p7qfAZt4_A1xo_0x

simply use su root and enter the password for root!

root.txt can be found at /root