In this post, I would like to share a walkthrough of the Metatwo Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Metatwo machine?

For the user flag, you will need to abuse the WordPress server which one of the plugins has been vulnerable to an unauthenticated SQL Injection. The attack will give us the credentials that we can use on the wp-admin and manage to upload functionality to get the FTP credentials. We should be getting the user credentials as jnelson from the FTP download

As for the root flag, you need to take advantage of passpie to crack the PGP private key block

Information Gathering on Metatwo Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface on the Metatwo machine

Graphical user interface, application

Description automatically generated

The interface looks like a typical WordPress page. Therefore, let’s scan the interface by using the wpscan tool

From the result, we managed to obtain two users that have been identified such as “admin” and “manager”

Analyze more on the /events/ directory

After enumerating manually on the website, I managed to detect a new directory which is /events/


Description automatically generated

Therefore, let’s analyze the source code and found the version of the bookingpress


Description automatically generated

On the /events/ source code, I managed to notice that there’s wponce code that will be different for other people

The page is a booking on the service or appointment for the event

As a result, let’s enter some information on the “Basic Details” so that we can proceed

The final page of “Summary” will be something as shown in the screenshot above.

The appointment has been booked successfully as shown above.

We can also execute the SQL Injection (Union Type) by using the command above.

We can also retrieve the user’s information by running the command above.

As a result, we managed to obtain a hash that might be the password for a user.

Graphical user interface, text, application

Description automatically generated

Finally, we get the hash cracked by giving us the password “partylikearockstar”

WordPress 5.6.2 Exploitation on Metatwo machine

Therefore, let’s enter the credentials that we found earlier over here.

From the source code on the website, we can verify that it’s WordPress 5.6.2 version.

After roaming inside WordPress, we can add a new file under Media Section

Let’s create the file “any_name.dtd” that contains the code as shown above.

The Python server is needed to start so that we can transfer to the victim’s machine.

We also need to create a video file that contains the code that will trigger the process to transfer the file.

At last, the file has been uploaded to the WordPress media location

As a result, the file is successfully being transferred

Another process that is required is to retrieve some traffic that contains the hash.

Getting information on Machine

The output will look something like the above.

We can decode the base64 hashes and we got the /etc/passwd file as shown above.

As we already know that this website is using WordPress, we can investigate a configuration that uses the name “wp-config.php

We will be getting a similar response which contains base64 hashes

As a result, we have successfully obtained the wp-config.php file in plaintext

At last, the database for the FTP service appears within the wp-config.php file.

Access the machine via the FTP service

Uwu! We successfully login into the FTP service using the credentials that we obtained earlier.

There are two directories that have been stored which are “blog” and “mailer”

Let’s download the PHP file into our attacker’s machine

Inside the PHP file, we notice there’s some information such as Username and Password

Let’s access the machine via jnelson via SSH service

We can read the user flag by typing the command “cat user.txt

Escalate to Root Privileges Access

Sadly, we cannot see the SUID Binary because the user cannot run sudo on meta2

However, we found a directory such as passpie

There’s some file that the .pass extension inside the SSH directory

Graphical user interface, text

Description automatically generated

Therefore, let’s open the root.pass which will look like something as above

Also, we can open the .keys file and paste it into our attacker’s machine

Let’s convert the key into a hash format

Finally, we got the password from the hash we found earlier.

We can run the command of passpie which can be found on the GitHub that I shared earlier.

Next, we can export the pass for the passpie by entering the Password that we found earlier as our Passphrase.

Graphical user interface, text, chat or text message

Description automatically generated

Finally, we managed to obtain the password that can be used to access Root.

However, don’t give up easily because it will take some time to obtain the password. 6

Let’s enter the password to change our user to Root

We can read the root flag by typing the “cat root.txt” command

Extra Information

Graphical user interface, website

Description automatically generated

Leave a Reply

Your email address will not be published. Required fields are marked *