# Such popular, much wow
Category: Web
Difficulty: Medium
Author: 0x4d5a
https://nx1765.your-storageshare.de/s/zcooKARjm5cWnso
I heard you like web challenges with source code provided. Let's find a simple 0-day in an old and vulnerable plugin.
Take a look at the entry-point.sh script. You'll find helpful credentials in there.
Challenge Files: such-popular-much-wow.zip
## Flag
The flag is located inside the docker container at /var/www/flag.txt. Once you have admin access to WordPress you can install a plugin that gives you a shell and `cat` the flag.
## First inspection
After unpacking the archive, we see a WordPress application with a MySQL backend:
```
.
├── docker-compose.yaml
├── mysql
│   └── Dockerfile
└── wordpress
    ├── 000-default.conf
    ├── Dockerfile
    ├── entry-point.sh
    ├── firefox-script.py
    └── flag.txt

3 directories, 7 files
```
Just enter the directory and use `docker compose up`.

We can see that one blog post is online and that we can comment on it.
Let's start with wpscan. The first attempt against https fails because the container only serves plain http on port 1024, so the second run uses http:
```bash
Scan Aborted: The url supplied 'https://localhost:1024/' seems to be down (SSL connect error)
w1ntermute@w1ntermute:~/git/RedNix$ wpscan --api-token <redacted> --url http://localhost:1024
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://localhost:1024/ [::1]
[+] Started: Thu Aug 17 11:57:56 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.57 (Debian)
| - X-Powered-By: PHP/8.1.22
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://localhost:1024/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://localhost:1024/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] This site seems to be a multisite
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: http://codex.wordpress.org/Glossary#Multisite
[+] The external WP-Cron seems to be enabled: http://localhost:1024/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.3 identified (Latest, released on 2023-08-08).
| Found By: Rss Generator (Passive Detection)
| - http://localhost:1024/?feed=rss2, <generator>https://wordpress.org/?v=6.3</generator>
| - http://localhost:1024/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.3</generator>
[+] WordPress theme in use: twentytwentytwo
| Location: http://localhost:1024/wp-content/themes/twentytwentytwo/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://localhost:1024/wp-content/themes/twentytwentytwo/readme.txt
| [!] The version is out of date, the latest version is 1.4
| Style URL: http://localhost:1024/wp-content/themes/twentytwentytwo/style.css?ver=1.1
| Style Name: Twenty Twenty-Two
| Style URI: https://wordpress.org/themes/twentytwentytwo/
| Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://localhost:1024/wp-content/themes/twentytwentytwo/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wordpress-popular-posts
| Location: http://localhost:1024/wp-content/plugins/wordpress-popular-posts/
| Last Updated: 2023-07-24T22:33:00.000Z
| [!] The version is out of date, the latest version is 6.2.1
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: WordPress Popular Posts < 5.3.3 - Authenticated Code Injection
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/bd4f157c-a3d7-4535-a587-0102ba4e3009
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42362
| - https://www.exploit-db.com/exploits/50129/
| - https://plugins.trac.wordpress.org/changeset/2542638
| - https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
|
| [!] Title: WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 5.3.3
| References:
| - https://wpscan.com/vulnerability/86cc93c1-daf5-43e7-8afb-66362d784ce9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20746
| - https://plugins.trac.wordpress.org/changeset/2542638
| - https://jvn.jp/en/jp/JVN63066062/
|
| [!] Title: WordPress Popular Posts < 5.3.4 - Admin+ Stored Cross-Site Scripting
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/f1569584-e829-4d09-9535-bd5b11331339
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36872
|
| [!] Title: WordPress Popular Posts < 6.0.0 - Reflected Cross-Site Scripting
| Fixed in: 6.0.0
| Reference: https://wpscan.com/vulnerability/a1113cf4-29ab-4dbd-841d-4e00f24b0b01
|
| [!] Title: WordPress Popular Posts < 6.1.0 - Unauthenticated Views Manipulation
| Fixed in: 6.1.0
| References:
| - https://wpscan.com/vulnerability/9e497a16-67dc-47f7-b509-63bf11888f56
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43468
| - https://jvn.jp/en/jp/JVN13927745/
|
| Version: 4.2.2 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/css/wpp.css?ver=4.2.2
| - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/js/wpp-4.2.0.min.js?ver=4.2.2
| Confirmed By: Readme - Stable Tag (Aggressive Detection)
| - http://localhost:1024/wp-content/plugins/wordpress-popular-posts/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] Config Backup(s) Identified:
[!] http://localhost:1024/wp-config.php
| Found By: Direct Access (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22
[+] Finished: Thu Aug 17 11:58:02 2023
[+] Requests Done: 177
[+] Cached Requests: 5
[+] Data Sent: 36.91 KB
[+] Data Received: 226.557 KB
[+] Memory used: 248.578 MB
[+] Elapsed time: 00:00:06
```
WPScan pins the plugin to WordPress Popular Posts 4.2.2 (from the `?ver=` query parameter on its assets, confirmed by the stable tag in readme.txt) and lists five known vulnerabilities for it. The most interesting one is the authenticated code injection (CVE-2021-42362, fixed in 5.3.3). Three of the five require a logged-in user, so we still need credentials.
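To make clear what WPScan's "Query Parameter (Passive Detection)" and "Readme - Stable Tag" findings actually do, here is an added example (not part of the write-up or of WPScan) that reproduces that detection and the triage against the "Fixed in" versions from the report above. The homepage excerpt and the readme.txt excerpt are constructed from the URLs WPScan printed; nothing is fetched from the network.

```python
"""
Added example: passive plugin version detection and "fixed in" triage,
reproducing what WPScan reported for wordpress-popular-posts 4.2.2.
"""
import re

# Constructed homepage excerpt: the two asset URLs WPScan matched, plus the
# theme stylesheet (which must NOT be reported as a plugin).
HOMEPAGE_HTML = """
<link rel="stylesheet" href="http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/css/wpp.css?ver=4.2.2">
<script src="http://localhost:1024/wp-content/plugins/wordpress-popular-posts/public/js/wpp-4.2.0.min.js?ver=4.2.2"></script>
<link rel="stylesheet" href="http://localhost:1024/wp-content/themes/twentytwentytwo/style.css?ver=1.1">
"""

# Constructed readme.txt excerpt; the "Stable tag" line is what WPScan confirms with.
README_TXT = """=== WordPress Popular Posts ===
Requires at least: 5.3
Stable tag: 4.2.2
"""

# "Fixed in" versions copied from the WPScan report (title -> first fixed version).
ADVISORIES = {
    "wordpress-popular-posts": [
        ("Authenticated Code Injection (CVE-2021-42362)", "5.3.3"),
        ("Authenticated Stored XSS (CVE-2021-20746)", "5.3.3"),
        ("Admin+ Stored XSS (CVE-2021-36872)", "5.3.4"),
        ("Reflected XSS", "6.0.0"),
        ("Unauthenticated Views Manipulation (CVE-2022-43468)", "6.1.0"),
    ],
}

# Plugin asset URL with a cache-busting ?ver= parameter.
ASSET_RE = re.compile(
    r"""/wp-content/plugins/(?P<slug>[a-z0-9_-]+)/[^\s"'?]*\?ver=(?P<ver>[0-9][0-9.]*)"""
)
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([0-9][0-9.]*)", re.MULTILINE)


def version_key(version: str) -> tuple:
    """'5.3.3' -> (5, 3, 3) so comparisons are numeric ('6.10' > '6.9'), not lexical."""
    return tuple(int(part) for part in version.strip(".").split("."))


def plugins_from_html(html: str) -> dict:
    """Passive detection: plugin slug -> set of ?ver= values seen on its assets."""
    found = {}
    for match in ASSET_RE.finditer(html):
        found.setdefault(match.group("slug"), set()).add(match.group("ver"))
    return found


def stable_tag(readme: str):
    """Version from the plugin's readme.txt, or None if no stable tag is present."""
    match = STABLE_TAG_RE.search(readme)
    return match.group(1) if match else None


def confirm_version(html: str, readme: str, slug: str):
    """Mimic WPScan: a single ?ver= value confirmed by the readme stable tag is 'confirmed'."""
    versions = plugins_from_html(html).get(slug, set())
    tag = stable_tag(readme)
    if len(versions) == 1 and tag in versions:
        return next(iter(versions)), "confirmed"
    if versions:
        # ?ver= can also be a cache buster or the core version, so treat it as a hint only.
        return sorted(versions, key=version_key)[-1], "unconfirmed"
    return None, "not-found"


def triage(slug: str, version: str) -> list:
    """Advisories whose fix version is strictly newer than the detected version."""
    return [title for title, fixed in ADVISORIES.get(slug, [])
            if version_key(version) < version_key(fixed)]


if __name__ == "__main__":
    version, confidence = confirm_version(HOMEPAGE_HTML, README_TXT, "wordpress-popular-posts")
    print(f"wordpress-popular-posts {version} ({confidence})")
    for title in triage("wordpress-popular-posts", version):
        print("  [!]", title)
```

The `?ver=` parameter alone is only a hint (themes, core and caching plugins rewrite it), which is why the version is reported as confirmed only when readme.txt agrees; a version that is equal to the "Fixed in" value is not flagged, since that release contains the fix.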
The challenge description tells us there is an admin that reviews posted comments and accepts all of them. The wordpress/Dockerfile shows what that admin bot is built from: Firefox ESR, geckodriver and Selenium, plus a firefox-script.py that is copied into the image (the script itself is not reproduced here):
```dockerfile
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
FROM php:8.1-apache
RUN docker-php-ext-install mysqli && docker-php-ext-enable mysqli
RUN apt-get update && apt-get upgrade -y
RUN cp /usr/local/etc/php/php.ini-production /usr/local/etc/php.ini && \
sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" /usr/local/etc/php.ini && \
sed -i 's/Listen 80/Listen 1024/' /etc/apache2/ports.conf && \
a2enmod rewrite && a2enmod headers
RUN apt-get update && apt-get install default-mysql-client firefox-esr python3 python3-pip wget tar -y
RUN pip3 install selenium requests --break-system-packages
WORKDIR /tmp
RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.33.0/geckodriver-v0.33.0-linux64.tar.gz
RUN tar -xvzf geckodriver-v0.33.0-linux64.tar.gz && rm geckodriver-v0.33.0-linux64.tar.gz && chmod +x geckodriver && cp geckodriver /usr/local/bin/
COPY 000-default.conf /etc/apache2/sites-enabled/000-default.conf
COPY entry-point.sh /usr/bin/entry-point.sh
RUN chmod 777 /usr/bin/entry-point.sh
COPY firefox-script.py /usr/bin/firefox-script.py
RUN chmod 777 /usr/bin/firefox-script.py
RUN mkdir -p /var/www/.cache /var/www/.mozilla && chmod 777 /var/www/.cache /var/www/.mozilla
USER www-data
WORKDIR /var/www/html
COPY flag.txt /var/www/flag.txt
RUN curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > /var/www/html/wp-cli.phar
RUN ls -al
ENTRYPOINT [ "/usr/bin/entry-point.sh" ]
```
So the admin bot opens the site in a real browser (Firefox driven by Selenium) and approves every comment it sees.
That points to a stored XSS: a payload in a comment, or in the plugin's thumbnail handling, that executes in the admin's browser.
The other piece we need is a login, and entry-point.sh has credentials hardcoded:
```bash
php wp-cli.phar --allow-root user create bob-the-author bob@cscg.live --role=author --user_pass=s3cur3PW
```
So we have an author-role account (bob-the-author / s3cur3PW), which is exactly what the authenticated plugin vulnerabilities listed above require.
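As an added check that is not part of the write-up: WPScan reported xmlrpc.php as enabled, so the credentials from entry-point.sh can be validated over XML-RPC with `wp.getUsersBlogs`, the same method the Rapid7 wordpress_xmlrpc_login module uses, without touching the login form. The code below builds the request with Python's standard library and parses two constructed responses: a success and the 403 fault WordPress returns for a bad password. The blog name and URLs in the sample responses are assumptions, and `probe()` is only called if you point it at a real xmlrpc.php.

```python
"""
Added example: validate WordPress credentials over XML-RPC (wp.getUsersBlogs).
"""
import urllib.request
import xmlrpc.client

XMLRPC_URL = "http://localhost:1024/xmlrpc.php"  # from the WPScan output


def build_login_probe(username: str, password: str) -> str:
    """Serialise a wp.getUsersBlogs call; WordPress checks the password before answering."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def parse_login_response(body: str) -> dict:
    """Success returns the caller's blogs; a wrong password raises an XML-RPC Fault (403)."""
    try:
        (blogs,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return {"ok": False, "code": fault.faultCode, "reason": fault.faultString}
    return {"ok": True,
            "blogs": [(b["blogname"], b["url"], bool(b["isAdmin"])) for b in blogs]}


def probe(xmlrpc_url: str, username: str, password: str) -> dict:
    """Send the probe to a live xmlrpc.php (not exercised offline)."""
    request = urllib.request.Request(
        xmlrpc_url,
        data=build_login_probe(username, password).encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return parse_login_response(response.read().decode())


# Constructed success response (blog name assumed); isAdmin=0 matches an author account.
SUCCESS_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>isAdmin</name><value><boolean>0</boolean></value></member>
<member><name>url</name><value><string>http://localhost:1024/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogname</name><value><string>Such popular, much wow</string></value></member>
<member><name>xmlrpc</name><value><string>http://localhost:1024/xmlrpc.php</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>"""

# Constructed fault response: the shape WordPress uses for a failed login.
FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""


if __name__ == "__main__":
    print(build_login_probe("bob-the-author", "s3cur3PW"))
    print(parse_login_response(SUCCESS_RESPONSE))
    print(parse_login_response(FAULT_RESPONSE))
    # probe(XMLRPC_URL, "bob-the-author", "s3cur3PW")  # against the running container
```

Because `wp.getUsersBlogs` answers with `isAdmin`, the same call also tells you whether the account you hold is already an administrator or, as here, a lower-privileged author that still needs a privilege escalation.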
