In this post, I would like to share a walkthrough of the Metatwo machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Metatwo machine?
For the user flag, you will need to abuse the WordPress server, one of whose plugins is vulnerable to an unauthenticated SQL injection. The attack gives us credentials that work on wp-admin, and from there the media upload functionality leads us to the FTP credentials. The FTP download should give us the credentials for the user jnelson.
As for the root flag, you need to take advantage of passpie and crack its PGP private key block.
Information Gathering on Metatwo Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin gathering information on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface on the Metatwo machine
The interface looks like a typical WordPress site, so let's scan it with the wpscan tool.
From the result, we managed to identify two users: “admin” and “manager”.
Analyze more on the /events/ directory
After enumerating the website manually, I found a new directory, /events/.
Let's analyze the source code, where we can find the version of the BookingPress plugin.
In the /events/ source code, I noticed a wpnonce value; it will be different for other people.
The page books a service or an appointment for the event.
Let's enter some information under “Basic Details” so that we can proceed.
The final page of “Summary” will be something as shown in the screenshot above.
The appointment has been booked successfully as shown above.
Getting the information using wpnonce cookie
We can execute a UNION-based SQL injection with the command above.
We can also retrieve the users' information by running the command above.
As a result, we obtain a hash that might be a user's password.
Finally, the hash cracks and gives us the password “partylikearockstar”.
WordPress 5.6.2 Exploitation on Metatwo machine
Let's enter the credentials that we found earlier here.
From the site's source code, we can verify that it is WordPress version 5.6.2.
After looking around inside WordPress, we can add a new file under the Media section.
Let’s create the file “any_name.dtd” that contains the code as shown above.
A Python web server needs to be started so that the file can be transferred to the victim machine.
We also need to create a video file that contains the code that triggers the transfer of the file.
Finally, the file is uploaded to the WordPress media location.
As a result, the file is transferred successfully.
The next step is to capture the traffic that contains the hash.
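From the defender's side, the upload step above is worth a check of its own: legitimate audio or video metadata never needs an external entity or external DTD declaration, so their presence in a media file is a strong signal of an XXE payload. The following scanner is an added example, not code from the original post; the RIFF/WAVE samples are constructed inline and the uploads path is an assumption.

```python
from __future__ import annotations
import re
from pathlib import Path

# Markers that should never appear in legitimate media metadata: an external
# entity declaration (SYSTEM/PUBLIC) or an external DTD reference.
_XXE_PATTERNS = {
    "external_entity": re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "external_dtd": re.compile(rb"<!DOCTYPE\s+\w+\s+(SYSTEM|PUBLIC)\b", re.I),
}


def find_xxe_markers(data: bytes) -> list[str]:
    """Return the names of the XXE markers found in the raw bytes of a file."""
    return [name for name, pat in _XXE_PATTERNS.items() if pat.search(data)]


def scan_uploads(root: Path, suffixes=(".wav", ".mp3", ".mp4", ".dtd", ".xml")) -> dict[str, list[str]]:
    """Walk an uploads tree (assumed: wp-content/uploads) and report files carrying XXE markers."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            markers = find_xxe_markers(path.read_bytes())
            if markers:
                hits[str(path)] = markers
    return hits


# Constructed samples (not from the machine): a minimal RIFF/WAVE container
# with an iXML metadata chunk, once clean and once carrying an external entity.
def _wav_with_ixml(xml: bytes) -> bytes:
    chunk = b"iXML" + len(xml).to_bytes(4, "little") + xml
    return b"RIFF" + (4 + len(chunk)).to_bytes(4, "little") + b"WAVE" + chunk


CLEAN_WAV = _wav_with_ixml(b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>")
SUSPICIOUS_WAV = _wav_with_ixml(
    b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY ext SYSTEM 'http://example.invalid/x.dtd'>]><r>&ext;</r>"
)

if __name__ == "__main__":
    print(find_xxe_markers(CLEAN_WAV))       # []
    print(find_xxe_markers(SUSPICIOUS_WAV))  # ['external_entity']
```

Run scan_uploads(Path("/var/www/html/wp-content/uploads")) from a cron job or a post-upload hook to flag files for review.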
Getting information on the machine
The output will look something like the above.
We can decode the base64-encoded content, which gives us the /etc/passwd file, as shown above.
Since we already know that this website uses WordPress, we can look for its configuration file, named wp-config.php.
We will get a similar response containing base64-encoded content.
As a result, we have obtained the wp-config.php file in plaintext.
Finally, the credentials for the FTP service appear within the wp-config.php file.
Access the machine via the FTP service
Uwu! We successfully log in to the FTP service using the credentials that we obtained earlier.
Two directories are stored there: “blog” and “mailer”.
Let's download the PHP file to our attacker machine.
Inside the PHP file, we notice some information, namely a username and password.
Let's access the machine as jnelson via the SSH service.
We can read the user flag by typing the command “cat user.txt”
Escalate to Root Privileges Access
Sadly, we cannot see any SUID binary to use, because the user cannot run sudo on meta2.
However, we found a directory named passpie.
There are some files with the .pass extension inside the SSH directory.
Let's open root.pass, which looks something like the above.
We can also open the .keys file and paste its contents into our attacker machine.
Let’s convert the key into a hash format
Finally, we get the password from the hash we found earlier.
We can run the passpie command, which can be found on the GitHub repository I shared earlier.
Next, we can export the passwords from passpie by entering the password we found earlier as our passphrase.
Finally, we obtain the password that can be used to access root.
However, don't give up easily, because it takes some time to obtain the password.
Let's enter the password to change our user to root.
We can read the root flag by typing the “cat root.txt” command