MetaTwo

Enumeration

A quick nmap scan displays 3 open ports. I had to add the address metapress.htb to the /etc/hosts file for reachability.

Following the webpage, I arrived at an event registration page, registered, and got the appointment page below. In the address bar there was a Base64-encoded string; I decoded it and it was the figure "1". I tried different numbers (encoded in Base64) for a possible IDOR vulnerability, but no luck.

Looking at the request in Burp Suite, I noticed there is a specific WordPress plugin in use that didn't get picked up by WPScan.

There were several PoCs for BookingPress version 1.0.10. I, however, found one with a Metasploit module.

Supplying the required options and running the exploit, I dumped the hashes of the accounts on the website: users admin and manager.

I tried cracking the password hashes with Hashcat but was only able to crack that of manager, not admin.

hashcat command:

hashcat -m 400 -a 0 hashes wordlist

-m 400: hash type (WordPress MD5 in this case)

-a 0: attack type, 0 indicating dictionary attack

With the manager password, I was able to log in at the /wp-admin/admin.php login page.

On the dashboard, however, the manager is restricted to multimedia file upload only; no PHP reverse shell file is accepted.

After Googling for possible exploitation, I found this article on the WPScan blog about CVE-2021-29447.

To exploit this XXE vulnerability, we have to create a .wav file which would contain the payload and a .dtd file which would be local on the attacker's device; the .dtd file must be in the same location as the local PHP server we would be running to disclose files.

Below are the rogue .wav and .dtd files respectively.

As seen from the evil.dtd file, the resource we are trying to get from the WordPress server is the /etc/passwd file.

To get this resource, we create a PHP server locally using the command:

php -S 0.0.0.0:4000

Once we upload the .wav to the WordPress site, we automatically receive the /etc/passwd file, Base64 encoded.

Decoding the string... as seen, only users root and jnelson have shells.
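From the defender's side, the upload described above can be caught before the media library parses it. The following is an added example, not part of the original writeup: it walks the RIFF chunks of a WAV file and flags any DTD declaration in the metadata chunk. It assumes the XML is carried in the WAV's iXML chunk (a detail not stated on this page); the function names and sample files are constructed for illustration.

```python
import struct

# A DTD has no place in legitimate iXML metadata, so either marker is a red flag.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def riff_chunks(data):
    """Yield (chunk_id, payload) for each top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        # Slicing clamps an oversized declared length to the bytes present.
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length


def suspicious_ixml(data):
    """Return the DTD markers found in any iXML chunk (empty list = clean)."""
    hits = []
    for chunk_id, payload in riff_chunks(data):
        if chunk_id.lower() == b"ixml":  # case-insensitive to be conservative
            # Dropping NUL bytes also exposes UTF-16 encoded markup.
            text = payload.replace(b"\x00", b"")
            hits += [m.decode() for m in DTD_MARKERS if m in text]
    return hits


def make_wav(extra_chunks=()):
    """Build a tiny constructed WAV: fmt chunk, optional extras, empty data."""
    def chunk(cid, body):
        return cid + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)
    body = b"WAVE" + chunk(b"fmt ", struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8))
    for cid, payload in extra_chunks:
        body += chunk(cid, payload)
    body += chunk(b"data", b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: plain metadata, and metadata carrying a harmless internal DTD.
CLEAN_XML = b"<BWFXML><NOTE>constructed</NOTE></BWFXML>"
DTD_XML = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "constructed">]><x>&e;</x>'
CLEAN_WAV = make_wav([(b"iXML", CLEAN_XML)])
FLAGGED_WAV = make_wav([(b"iXML", DTD_XML)])

if __name__ == "__main__":
    for name, wav in (("clean", CLEAN_WAV), ("flagged", FLAGGED_WAV)):
        print(name, suspicious_ixml(wav))
```

A check like this is a stopgap for upload filtering; the actual fix for CVE-2021-29447 is upgrading WordPress to 5.7.1 or later.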

User

So, I have gotten the passwd file and tried getting jnelson's SSH private key using the same method, but it doesn't exist... hmm. The next best thing I sought after: yes, the wp-config.php file. I don't know where the file is located on the server; however, since nginx is the running server, I can check the nginx installation location for the server config files, from which we can tell where the WordPress site is installed locally.

Locally on my machine, the nginx file is located at /etc/nginx/sites-enabled/default, as seen below.

Putting the same location in the evil.dtd file, we got the location of the WordPress site, hence the wp-config.php file.

From the wp-config file we got login credentials to the FTP server.

On the FTP server, I found a file called send_email.php containing login credentials for user jnelson.

I logged in to SSH with the newly discovered credentials, got an SSH shell, and got the user flag as well.

Privilege Escalation

Checking jnelson's home directory, I found a hidden directory called .passpie; a quick search and I found Marcwebbie.

So, according to the GitHub page:

"Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to clipboard, synchronize with a git repository, check the state of your passwords, and more"

In the .passpie folder are a public and a private PGP key.

Using gpg2john, I was able to extract the passphrase hash from the private key and use john to crack the hash.

Now that I have the passpie passphrase, I can export the stored passwords, which would be displayed in plaintext.