# Such popular, much wow

Category: Web
Difficulty: Medium
Author: 0x4d5a
https://nx1765.your-storageshare.de/s/zcooKARjm5cWnso

I heard you like web challenges with source code provided. Let's find a simple 0-day in an old and vulnerable plugin. Take a look at the entry-point.sh script. You'll find helpful credentials in there.

Challenge Files: such-popular-much-wow.zip

## Flag

The flag is found inside the docker container under /var/www/flag.txt. In WordPress you can install plugins to get a shell and cat this flag.

## First inspection

After downloading and unpacking the archive, we see a WordPress application with a MySQL backend:

```
.
├── docker-compose.yaml
├── mysql
│   └── Dockerfile
└── wordpress
    ├── 000-default.conf
    ├── Dockerfile
    ├── entry-point.sh
    ├── firefox-script.py
    └── flag.txt

3 directories, 7 files
```

Just enter the directory and use `docker compose up`.

![](https://hackmd.io/_uploads/SJwL6Oj3n.png)

We can see that one blog post is online and that we can comment on it. Let's start with wpscan:

```bash
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Scan Aborted: The url supplied 'https://localhost:1024/' seems to be down (SSL connect error)
w1ntermute@w1ntermute:~/git/RedNix$ wpscan --api-token GU4aChAb2RaEj6hgZjL92GkH4JQi6a3iuasiES0QEzc --url http://localhost:1024
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://localhost:1024/ [::1]
[+] Started: Thu Aug 17 11:57:56 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.57 (Debian)
 |  - X-Powered-By: PHP/8.1.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://localhost:1024/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://localhost:1024/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] This site seems to be a multisite
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | Reference: http://codex.wordpress.org/Glossary#Multisite

[+] The external WP-Cron seems to be enabled: http://localhost:1024/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.3 identified (Latest, released on 2023-08-08).
 | Found By: Rss Generator (Passive Detection)
 |  - http://localhost:1024/?feed=rss2, <generator>https://wordpress.org/?v=6.3</generator>
 |  - http://localhost:1024/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.3</generator>

[+] WordPress theme in use: twentytwentytwo
 | Location: http://localhost:1024/wp-content/themes/twentytwentytwo/
 | Last Updated: 2023-03-29T00:00:00.000Z
 | Readme: http://localhost:1024/wp-content/themes/twentytwentytwo/readme.txt
 | [!] The version is out of date, the latest version is 1.4
 | Style URL: http://localhost:1024/wp-content/themes/twentytwentytwo/style.css?ver=1.1
 | Style Name: Twenty Twenty-Two
 | Style URI: https://wordpress.org/themes/twentytwentytwo/
 | Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost:1024/wp-content/themes/twentytwentytwo/style.css?ver=1.1, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wordpress-popular-posts
 | Location: http://localhost:1024/wp-content/plugins/wordpress-popular-posts/
 | Last Updated: 2023-07-24T22:33:00.000Z
 | [!] The version is out of date, the latest version is 6.2.1
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 5 vulnerabilities identified:
 |
 | [!] Title: WordPress Popular Posts < 5.3.3 - Authenticated Code Injection
 |     Fixed in: 5.3.3
 |     References:
 |      - https://wpscan.com/vulnerability/bd4f157c-a3d7-4535-a587-0102ba4e3009
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42362
 |      - https://www.exploit-db.com/exploits/50129/
 |      - https://plugins.trac.wordpress.org/changeset/2542638
 |      - https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
 |
 | [!] Title: WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 5.3.3
 |     References:
 |      - https://wpscan.com/vulnerability/86cc93c1-daf5-43e7-8afb-66362d784ce9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20746
 |      - https://plugins.trac.wordpress.org/changeset/2542638
 |      - https://jvn.jp/en/jp/JVN63066062/
 |
 | [!] Title: WordPress Popular Posts < 5.3.4 - Admin+ Stored Cross-Site Scripting
 |     Fixed in: 5.3.4
 |     References:
 |      - https://wpscan.com/vulnerability/f1569584-e829-4d09-9535-bd5b11331339
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36872
 |
 | [!] Title: WordPress Popular Posts < 6.0.0 - Reflected Cross-Site Scripting
 |     Fixed in: 6.0.0
 |     Reference: https://wpscan.com/vulnerability/a1113cf4-29ab-4dbd-841d-4e00f24b0b01
 |
 | [!] Title: WordPress Popular Posts < 6.1.0 - Unauthenticated Views Manipulation
 |     Fixed in: 6.1.0
 |     References:
 |      - https://wpscan.com/vulnerability/9e497a16-67dc-47f7-b509-63bf11888f56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43468
 |      - https://jvn.jp/en/jp/JVN13927745/
 |
 | Version: 4.2.2 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/css/wpp.css?ver=4.2.2
 |  - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/js/wpp-4.2.0.min.js?ver=4.2.2
 | Confirmed By: Readme - Stable Tag (Aggressive Detection)
 |  - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] Config Backup(s) Identified:

[!] http://localhost:1024/wp-config.php
 | Found By: Direct Access (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Thu Aug 17 11:58:02 2023
[+] Requests Done: 177
[+] Cached Requests: 5
[+] Data Sent: 36.91 KB
[+] Data Received: 226.557 KB
[+] Memory used: 248.578 MB
[+] Elapsed time: 00:00:06
```

We have some vulnerabilities: the installed plugin is version 4.2.2, so every advisory listed above (all fixed in 5.3.3 or later) applies. The wordpress/Dockerfile shows how the admin bot (firefox-script.py) is set up; that script is the admin that reviews posted comments and approves every one of them.

```dockerfile
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#

FROM php:8.1-apache

RUN docker-php-ext-install mysqli && docker-php-ext-enable mysqli
RUN apt-get update && apt-get upgrade -y
RUN cp /usr/local/etc/php/php.ini-production /usr/local/etc/php.ini && \
    sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" /usr/local/etc/php.ini && \
    sed -i 's/Listen 80/Listen 1024/' /etc/apache2/ports.conf && \
    a2enmod rewrite && a2enmod headers

# Dependencies of the admin bot: Firefox ESR, Selenium and geckodriver
RUN apt-get update && apt-get install default-mysql-client firefox-esr python3 python3-pip wget tar -y
RUN pip3 install selenium requests --break-system-packages

WORKDIR /tmp
RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.33.0/geckodriver-v0.33.0-linux64.tar.gz
RUN tar -xvzf geckodriver-v0.33.0-linux64.tar.gz && rm geckodriver-v0.33.0-linux64.tar.gz && chmod +x geckodriver && cp geckodriver /usr/local/bin/

# Entry point, admin bot script and the Firefox profile/cache directories it needs
COPY 000-default.conf /etc/apache2/sites-enabled/000-default.conf
COPY entry-point.sh /usr/bin/entry-point.sh
RUN chmod 777 /usr/bin/entry-point.sh
COPY firefox-script.py /usr/bin/firefox-script.py
RUN chmod 777 /usr/bin/firefox-script.py
RUN mkdir -p /var/www/.cache /var/www/.mozilla && chmod 777 /var/www/.cache /var/www/.mozilla

USER www-data
WORKDIR /var/www/html
COPY flag.txt /var/www/flag.txt
RUN curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > /var/www/html/wp-cli.phar
RUN ls -al

ENTRYPOINT [ "/usr/bin/entry-point.sh" ]
```

As we can see, the admin opens every comment inside a browser (Firefox ESR driven through Selenium and geckodriver), so an XSS payload in the thumbnail or in the comment is a likely route. In the entry-point.sh file the credentials are hardcoded (line 25):

```bash=25
php wp-cli.phar --allow-root user create bob-the-author bob@cscg.live --role=author --user_pass=s3cur3PW
```

So we can use these credentials to exploit the vulnerabilities listed above.

![](https://hackmd.io/_uploads/Hk7r3Aihn.png)
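To make the weaknesses in this build explicit, here is an added Python audit (my own example, not part of the writeup or the challenge files) that runs the Dockerfile and entry-point.sh lines quoted above through three checks: world-writable files, a credential hardcoded on the command line, and an unverified download of wp-cli.phar. The sample input is constructed from those quoted lines; the rule names and the `audit`/`report` functions are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample input: the Dockerfile and entry-point.sh lines quoted in the
# writeup above (abridged; not the complete files from the challenge archive).
SAMPLE_BUILD_LINES = """\
RUN chmod 777 /usr/bin/entry-point.sh
RUN chmod 777 /usr/bin/firefox-script.py
RUN mkdir -p /var/www/.cache /var/www/.mozilla && chmod 777 /var/www/.cache /var/www/.mozilla
RUN curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > /var/www/html/wp-cli.phar
php wp-cli.phar --allow-root user create bob-the-author bob@cscg.live --role=author --user_pass=s3cur3PW
"""

# (rule name, pattern, remediation hint); the rule names are this example's own, not a standard taxonomy
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("world-writable-file", re.compile(r"\bchmod\s+(?:[0-7]?777|[ao]\+w)\b"),
     "any process in the container can rewrite this file; use 755/750 with a dedicated owner"),
    ("hardcoded-credential", re.compile(r"--user_pass=(\S+)"),
     "password is baked into the image layer and shell history; inject it at runtime via a secret"),
    ("unverified-download", re.compile(r"\b(?:curl|wget)\b[^\n]*?(https?://\S+)"),
     "fetched artefact is used without checksum or signature verification"),
]


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_name, evidence) for each rule hit, scanning line by line."""
    findings: List[Tuple[int, str, str]] = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, pat, _hint in RULES:
            m = pat.search(line)
            if not m:
                continue
            # Never echo the secret itself back into a report
            evidence = "--user_pass=<redacted>" if name == "hardcoded-credential" else m.group(0)
            findings.append((no, name, evidence))
    return findings


def report(text: str) -> str:
    """Human-readable report with the remediation hint for each finding."""
    hints = {name: hint for name, _pat, hint in RULES}
    return "\n".join(f"line {no}: [{name}] {ev}\n    -> {hints[name]}"
                     for no, name, ev in audit(text))


if __name__ == "__main__":
    print(report(SAMPLE_BUILD_LINES))
```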