HTB: Metatwo

Executive Summary

The purpose of this executive summary is to provide an overview of the security vulnerabilities identified in Metatwo, in the Booking Press plugin (version 1.0.10) and in WordPress core version 5.6.2. It also summarises the subsequent exploitation of these vulnerabilities, which led to unauthorized access and the disclosure of sensitive information, including user credentials and the root password.

  1. Booking Press Plugin (version 1.0.10) Unauthenticated SQL Injection Vulnerability (CVE-2022-0739): A critical security vulnerability, CVE-2022-0739, has been identified in the Booking Press plugin (version 1.0.10) for WordPress. This vulnerability allows attackers to execute SQL injection attacks without authentication, granting them unauthorized access to the system. Specifically, the attacker can exploit this vulnerability to exfiltrate sensitive data such as usernames and passwords from the wp_users table. In this instance, the attacker successfully cracked the password for the “manager” user account, subsequently using these credentials to gain access to the WordPress administrative page.
  2. WordPress Core version 5.6.2 XML External Entity (XXE) Vulnerability (CVE-2021-29447): An XML external entity vulnerability, CVE-2021-29447, has been discovered in WordPress core version 5.6.2. Exploiting this vulnerability, an attacker can craft a malicious payload within a fake WAV format file. By uploading and processing this file, sensitive information contained in the wp-config.php file can be exfiltrated. In this particular scenario, the attacker successfully extracted the credentials of the “jnelson” user account, subsequently utilizing these credentials to log in via SSH.
  3. Privilege Escalation: Exfiltration of Passpie Private Key and Root Password Disclosure: Using the compromised “jnelson” user account, the attacker was able to exfiltrate the Passpie private key. With the key in hand, the attacker employed a password cracking technique to decipher the passphrase associated with the key. This successful decryption exposed the root password for the Metatwo system.

Payloads used to obtain loots

Booking Press plugin version 1.0.10 has an unauthenticated SQL injection vulnerability in http://metapress.htb/wp-admin/admin-ajax.php, in the total_service parameter of the POST data. The following payload exfiltrates the password hashes of admin and manager; however, only manager's password hash can be cracked with our existing dictionary.

curl -i -s -k -X $'POST' \
    -H $'Host: metapress.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: application/json, text/plain, */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 196' -H $'Origin: http://metapress.htb' -H $'Connection: close' -H $'Referer: http://metapress.htb/events/' \
    -b $'PHPSESSID=em6lrfqsb9k6bmqn2j8lgfvhb6' \
    --data-binary $'action=bookingpress_front_get_category_services&category_id=1&total_service=1) union select sleep(5),@@version,user_login,null,user_pass,null,null,null,null from wp_users-- aaa&_wpnonce=668db70df1' \
    $'http://metapress.htb/wp-admin/admin-ajax.php'
The SQL injection payload is in the left pane, and the response in the right pane.
An easier-to-read JSON view showing the two password hashes, of admin and manager respectively.
Cracked password hash
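As an added defensive example (not part of the original writeup), the check below inspects captured admin-ajax.php POST bodies for the BookingPress request shape seen above: the action name and parameter names are the ones visible in the payload, the sample bodies are constructed, and the hardened rule is simply that category_id and total_service must be plain integers before they reach SQL.

```python
import re
from urllib.parse import parse_qs

# Action and parameter names as they appear in the captured request above.
TARGET_ACTION = "bookingpress_front_get_category_services"
NUMERIC_PARAMS = ("category_id", "total_service")

# Indicators that commonly accompany an injected expression; used only to
# enrich the verdict, the decision itself rests on the integer check.
SQLI_RE = re.compile(r"union\s+(all\s+)?select|sleep\s*\(|benchmark\s*\(|--|/\*", re.I)


def analyze_body(body: str) -> dict:
    """Classify one form-encoded POST body sent to wp-admin/admin-ajax.php."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action != TARGET_ACTION:
        return {"relevant": False, "suspicious": False, "reason": "other action"}
    for name in NUMERIC_PARAMS:
        value = params.get(name, [""])[0]
        # Both fields are numeric ids: anything that is not a non-negative
        # integer is rejected here, which is the fix a plugin should apply.
        if not value.isdigit():
            hit = SQLI_RE.search(value)
            reason = f"{name} is not an integer"
            if hit:
                reason += f"; matched {hit.group(0)!r}"
            return {"relevant": True, "suspicious": True, "reason": reason}
    return {"relevant": True, "suspicious": False, "reason": "parameters well formed"}


# Constructed sample bodies: a normal lookup and the injected one shown above.
BENIGN_BODY = ("action=bookingpress_front_get_category_services"
               "&category_id=1&total_service=1&_wpnonce=0000000000")
INJECTED_BODY = ("action=bookingpress_front_get_category_services&category_id=1"
                 "&total_service=1) union select sleep(5),@@version,user_login,"
                 "null,user_pass,null,null,null,null from wp_users-- aaa"
                 "&_wpnonce=0000000000")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        print(label, analyze_body(body))
```

Request bodies are not in a default access log, so this is meant to run over a reverse-proxy or WAF audit log that records POST data.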

WordPress version 5.6.2 has an XXE vulnerability which can be exploited to exfiltrate information. The payload generation is described at https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/

This is the malicious payload. After payload.wav is uploaded, my Python HTTP server receives a request carrying the contents of wp-config.php in base64.
Although there is an error, the information has already been exfiltrated.
The contents of wp-config.php in base64.
FTP credentials are disclosed in wp-config.php.
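As an added defensive example (not part of the original writeup or the linked post), the scanner below walks the RIFF chunks of an uploaded .wav and flags any chunk whose payload carries an XML DOCTYPE or ENTITY declaration, the shape of the media-library payload discussed above. The sample files are built in memory; the metadata chunk id and the DTD URL in the suspect sample are constructed placeholders.

```python
import re
import struct

# External entity machinery has no business inside audio metadata.
XXE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\s+[\"']", re.I)


def riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to even length


def scan_wav(data: bytes) -> list:
    """Return ids of chunks containing an XML entity or DOCTYPE declaration."""
    return [cid.decode("ascii", "replace")
            for cid, body in riff_chunks(data) if XXE_RE.search(body)]


def build_wav(extra_chunks) -> bytes:
    """Constructed minimal WAVE: PCM fmt chunk, empty data chunk, extra chunks."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    chunks = [(b"fmt ", fmt), (b"data", b"")] + list(extra_chunks)
    body = b"".join(cid + struct.pack("<I", len(c)) + c + (b"\0" * (len(c) & 1))
                    for cid, c in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed samples: an ordinary INFO tag, and a metadata chunk smuggling a DTD.
BENIGN_WAV = build_wav([(b"LIST", b"INFOINAM\x06\x00\x00\x00hello\x00")])
SUSPECT_WAV = build_wav([(b"iXML", b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM '
                                    b'"http://dtd.example.invalid/x.dtd">]><r>&e;</r>')])

if __name__ == "__main__":
    print("benign:", scan_wav(BENIGN_WAV))    # []
    print("suspect:", scan_wav(SUSPECT_WAV))  # ['iXML']
```

Running this on media uploads before they reach the server-side parser gives a cheap pre-filter; a real deployment would also reject files whose chunk sizes run past the end of the data.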

The send_email.php file contains the "jnelson" credentials, which can be used to SSH to Metatwo.

/mailer/send_mail.php contains the "jnelson" password, which can be used to SSH to Metatwo.
The first loot, user.txt, is found with jnelson's SSH account.
Passpie password manager has a root password.

Passpie is a password manager that stores the jnelson and root passwords. To see the passwords in plaintext, I need to know the passphrase when I run the export: passpie export ~/passfile.txt

I log on to SFTP with jnelson's account, and because the account is not jailed to a particular directory, I can browse freely and download the .keys file.

Browse to /home/jnelson/.passpie and get the .keys

The .keys file contains the public and private key pair. I need to extract only the private key block, use gpg2john to convert it to a hash, then use John the Ripper to crack the hash: gpg2john <original private key> <output hash filename>; in my case <output hash filename> is privatekeyhash.

The passpie passphrase is found: blink182
Root password is disclosed.
The second loot is found.