HackTheBox - MetaTwo

00:00 - Introduction 01:00 - Start of nmap, attempting to login with FTP then going to the website 02:45 - Running WPScan with enumerate all plugins in aggressive mode 04:00 - Taking a look at the site while WPScan runs and finding a plugin (BookingPress-Appointment-Booking) and finding an exploit 06:15 - Replacing the NONCE in the exploit to get it working 09:00 - Using SQLMap to dump everything, while we attempt to get only the data we think we are interested in. 11:00 - Manually dumping the WP_USERS table with the SQL Injection 13:25 - Cracking the wordpress hashes to get a user credential 16:57 - EDIT: Playing with SQLMap to get it to dump this database 23:30 - Searching for Wordpress 5.6.2 exploits, discovering an XXE in WAV Files 25:20 - Using the XXE to exfil files off the webserver 30:20 - Discovering FTP Credentials in the WP Config, logging into the FTP Server and finding SSH Credentials 32:40 - Logging in as JNelson and seeing PassPie, which is a CLI Password Manager that uses PGP/GPG Keys 34:30 - Cracking to PGP/GPG Key with John and getting root