HA : Wordy Vulnhub Walkthrough

This is our Walkthrough for HA: Wordy” and this CTF is designed by Hacking Articles Team 😊, hope you will enjoy.

The lab is designed for Beginners for WordPress Penetration Testing Practices. This lab is designed as a Capture the flag and not as a boot to root, but it contains multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete this CTF Challenge. This helps the CTF player to understand all the ways in which a WordPress machine can be vulnerable.

Level: Easy

You can download this lab from here.

Penetration Testing Methodology

Network Scanning

  • Host IP (Netdiscover)
  • Open Port & Services (Nmap)

Enumeration

  • Web Directory Brute force (Dirb)
  • Scanning WordPress (Wpscan)

Exploiting Reflex Gallery (1st Method: file Upload)

  • Spawning Shell (Metasploit)
  • Capture the 1st flag

Privilege Escalation

  • Abusing SUID Binaries
  • Capture 2nd Flag

Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)

  • LFI
  • CSRF
  • Capture the flag
  • Inject PHP malicious code
  • Spawning Shell (Netcat)

Exploiting WP_Symposium (3rd Method: SQL Injection)

  • Web Directory Enumeration (Dirb)
  • Obtaining Database Info (Metasploit)

Exploit Gwolle Guestbook (4th Method: RFI)

  • Inject PHP malicious code
  • Spawning Shell (Netcat)

Exploit Slideshow Gallery (5th Method: Authenticated File_Upload)

  • Spawning Shell (Metasploit)

Walkthrough

Network Scanning

Starting with netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s now go for advance network scanning using nmap aggressive scan.

We saw from the scan result that the port 80 open which is hosting Apache httpd service.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser but found nothing.

Further, we move for directory enumeration and use dirb for brute-forcing.

This gave us a directory called “wordpress” as shown in the given image.

Upon finding the directory, we opened the URL in our browser.

Now that we have the wordpress site, it’s logical to perform a wpscan on our lab.

Now we move further down in the wpscan result and found the reflex gallery plugin. It is vulnerable to the File Upload. As you can observe that it has shown Metasploit module for exploiting reflex gallery.

Exploiting Reflex Gallery (1st Method: file Upload )

Thus, we use the following module and set the argument such as rhosts and targeturi and then run the exploit to get the meterpreter session.

Boom!! Here we have our meterpreter session which you can observe in the given below image.

Privilege Escalation

As soon as we gained the proper shell, we enumerated the machine for flags. We found flag1.txt in the /home/raj/ directory

Now for privilege escalation, It is a regular practice to check for any file having SUID permissions with the help of “Find” command. We used the following command to enumerate all binaries having SUID permissions:

Find command shown that wget and cp command has the SUID permissions. This could be possible for escalating root privilege.

SUID Binaries command gave us all the sensitive files that can be read/write and hence with the help of wget command we can overwrite the /etc/passwd.  

“To know more how to edit /etc/passwd file read Full-Article from article1 & article2”.

Now we are creating the salt value of password for our new user and this will be done by using “openssl” following command as mentioned in the screenshot below:

And we will get our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This is going to help us create an entry of our user in the /etc/passwd file of the target machine. Now we have copied the entire content of /etc/passwd file as shown in the below image in our local machine.

After pasting above copied content, we will edit a new record for the user “ignite” then paste the above-copied hash password in the record as shown below.

Now we want to overwrite passwd file inside /etc folder to replace the original passwd file. We can use wget with -O to download the passwd file from our machine inside a /etc directory which will overwrite the existing passwd file.

Now when you check, you will see that the / etc / passwd file has been updated as shown in the image below.

Now let’s try to access root shell and we have to switch user as ignite for escalating privileges.

Awesome!! We found the final flag along with root privileges. Let’s go for the 2nd method……..

Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)

We can solve the lab using another method as well. Earlier our Wpscan showed us the Mail Masta plugin which is vulnerable to LFI (Local File Inclusion). On exploring the following link, we got proof-of-concept would be to load passwd file.

So, we framed our URL to exploit the LFI It turned out to be like this:

Now we browsed the URL in our browser to find the output of cat command on /etc/passwd file.

Now after some enumeration, we found that there are some credentials stored inside the /etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.

We were successful in obtaining a hash. It seemed like Base64 Encryption. We used the base64 command with -d parameter to decode this hash as shown in the image.

It turned out to be aarti:[email protected] This must be login details but there is no password.

Aarti is a member of WordPress and server user account. We can confirm this from our previous assessment of wpscan result. It shows 2 users admin and aarti.

CSRF: WP Support Plus Responsive Ticket

When we scanned WordPress with wpscan for vulnerable plugins, we found many of them and here, one by one we can exploit them to our desire. To do so, we will use searchsploit in order to find exploits for wp support as this was hinted to us during the said scan. Therefore, type the following for this:

Once the above commands are executed, we will now copy the highlighted content and modify it (as shown in the image below) to change username value to “aarti” and email value to “[email protected]” :

As we execute the above script, the webpage will be directed to the log in the screen; asking us the username, which we have already found.

Here, as soon as we click on the login button, we will be logged in as a user without entering a password because of incorrect usage of wp_set_auth_cookie() due to CSRF vulnerability.

While traversing the website we found a second flag and a root password in biographical info.

The password we found was encoded using the base64 algorithm. To decrypt the password, we used the following command :

Upon decryption, we found the root password is [email protected] This is the password for the admin user in WordPress.

Now, to proceed further we used the PHP reverse shell. We changed the IP Address to our current IP Address and give any port you want and start netcat listener for obtaining a reverse connection.

And then we copied the above php-reverse-shell and paste it in 404.php template of wordpress as shown in the image below :

Then after saving the 404.php file we will run the file through URL in a browser as shown in the image below :

Simultaneously, when you run netcat, you will have your session upon execution of 404.php file. Access netcat using the following command :

Exploiting WP_Symposium (3rd Method: SQL Injection)

Enumeration

To further enumerate, we performed a Directory Bruteforce. There are a lot of situations where we need to extract the directories with a specific extension over the target server, and for this, we can use the -X parameter in dirb scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine. For instance, here we need to find text files, so we will use the following command for it :

Among all the text files the message in notes.txt stood out. It said, “you need to zip your way out” and this message is obviously a hint to look for a zip file.

Now, again we will use dirb -X extension to find zip.

Upon finding a zip file and then we download the file using the following wget and then unzip the command:

To unzip the file successfully, you will need a password because it was a password protected zip file, but as we don’t know the said password, we will try to exploit a plugin.

We will use WordPress plugin wp-symposium version 15.5.1 which allows retrieving all the database content, which includes users’ details and password.

Luckily, we found exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command

Nice!!! Here we found the relevant username and email id as user: admin and aarti respectively.

Now will unzip the file we found earlier that is secret.zip with hash we found in wp-symposium exploit.

As soon as we unzip the file, we found that this lab can be solved with multiple ways with the list of exploits.

Exploit Gwolle Guestbook (4th Method: RFI)

Now again we will run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).

We will follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We will copy it to desktop and rename it to wp-load.php. To execute our PHP shell using RFI we will start our python HTTP server to exploit RFI on the target machine.

We set up our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell.

Exploit Slideshow Gallery (5th Method: Authenticated File_Upload)

Now we will exploit another vulnerable plugin that we found in secret.zip. The WordPress Slideshow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it’s possible to upload any file type.

Metasploit

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contachere

5 Comments HA : Wordy Vulnhub Walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *