HTB Academy - Hacking WordPress, Skills Assessment

Hi,

I’ve got a problem with one task in Hacking WordPress - Skills Assessment.

I got everything but “Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”.

Do you have any tips on which file includes a flag, because I can’t get it? Reverse shell actually obtained.

Hint LFI:
You can find the solution on the topic “Exploiting a Vulnerable Plugin”. Also you can check manually all plugins on Exploit-DB.

My Shell Problem:
I have some problems with the shell. I have the passwords and login, it works. But I can’t upload the shell with Metasploit; I got the following message:

[+] Authenticated with WordPress
[*] Preparing payload…
[*] Uploading payload…
[*] Executing the payload at /wp-content/plugins/pWwazjprXa/obGHIQqZmr.php…
[!] This exploit may require manual cleanup of ‘obGHIQqZmr.php’ on the target
[!] This exploit may require manual cleanup of ‘pWwazjprXa.php’ on the target
[!] This exploit may require manual cleanup of ‘…/pWwazjprXa’ on the target
[*] Exploit completed, but no session was created.

or

[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.

You also use msf? Maybe you have a hint?

Solved: I uploaded the shell manually…

Regards

2 Likes

@DufterTyp said:

Hint LFI:
You can find the solution on the topic “Exploiting a Vulnerable Plugin”. Also you can check manually all plugins on Exploit-DB.

I was able to find and use LFI but how do I know which file contains the flag?

You should search for “unauthenticated file download” not LFI for this question…
Check all plugins again on Exploit-DB…

3 Likes

I can’t find the answer to the question:

“Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”

Things I’ve done:

  • Solved all other questions. Found the 2 other flags.
  • Got a reverse shell.
  • Searched the whole filesystem for other flag files. Nothing.
  • Grep searched the whole filesystem for files containing ‘HTB’. Nothing.
  • Manually went through /plugins/ folder hoping to find that file that contains the flag. Nothing.

Can anyone point me in the right direction? What does the question need?
Thanks!

The report you generate has vulnerabilities. Check them all. Shouldn’t take long.

Hello!

I have some issues with this module as well.
I have managed to get a shell connection and I can do cmd=id and I will get a result.

But when I try to navigate or find the files in the directory that we are given, it won’t work.

I have tried like cmd=ls /home/erika, cmd=“ls /home/erika” and so on.

When I try to google some commands so that I can send a space, I just get a bunch of scripts. I think I managed to do this in an earlier module.

So I don’t know if I missed something or if there is a “safety” thing that just won’t allow it and I’m barking up the wrong tree.

Solved. After a few hours of doing the same thing it just worked! :smiley:

Hi, how do you solve the last question of the skills assessment?

Obtain a shell on the system and submit the contents of the flag in the /home/erika directory.

It seems like it is working with the “404.php?cmd=ls /home/erika” or msfconsole wp admin shell (using erika credential). But none of them work for me.

Hey!

What errors are you getting? As long as everything is set up correctly, that should hit pretty close. Although you have to take care where you have spaces. So instead of 404.php?cmd=ls / it should be 404.php?cmd=ls+/.

DM me with what you are sending and I will see if I can push you along.
-onthesauce

2 Likes

You need to encrypt the commands via URL encode.

1 Like
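
From the defender's side, the encoding point in the two replies above matters for log review: `+`, `%20` and a raw space all decode to the same parameter value. The following is an added example (not part of the thread), assuming Apache combined-format logs, a placeholder theme directory `example`, and a hypothetical watch list of parameter names:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from a real host).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/themes/example/404.php?cmd=ls+/home/erika HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/themes/example/404.php?cmd=ls%20/home/erika HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/themes/example/404.php?cmd=ls /home/erika HTTP/1.1" 400 226 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?s=id+badge HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# Theme, plugin and upload PHP files are rarely requested directly with parameters.
WP_PHP_RE = re.compile(r'^/wp-content/(?:themes|plugins|uploads)/.+\.php$')
SUSPECT_PARAMS = {"cmd", "exec", "command"}  # assumed watch list, tune per site


def find_webshell_requests(log_text):
    """Return (ip, path, param, decoded_value, status) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, request, status = m.groups()
        # Take the method from the front and the protocol from the back, so a
        # raw (unencoded) space inside the URL does not truncate the target.
        parts = request.split(" ", 1)
        if len(parts) != 2:
            continue
        target = parts[1].rsplit(" ", 1)[0]
        url = urlsplit(target)
        if not WP_PHP_RE.match(url.path):
            continue
        # parse_qsl decodes both "+" and "%20" to a space, so every encoding
        # of the same value normalises to one string for matching.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SUSPECT_PARAMS:
                hits.append((ip, url.path, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_requests(SAMPLE_LOG):
        print(hit)
```
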

I have logged in to the admin site and want to insert a shell parameter, like in the section RCE via the Theme Editor. But every time I click on Update File it loads endlessly until I get an error. Anyone with the same problem? Or can someone confirm that this is the (un-)intentional behavior of the theme editor in the Skills Assessment?

EDIT: Solved it with the help of @onthesauce. Make sure you are editing the right theme.

1 Like

I guess it depends on what you are putting in the theme editor. I didn’t have an issue with it 2 weeks ago. Feel free to DM me the line you are using in the theme editor.

Thanks! It helps a lot!
The question as it is stated in some way confused me.

Quick question - for the shell:

Do you use the SQLi vulnerability or do you crack the password of admin to gain initial access? Any hints on which password list to use? I tried a lot of them with no luck.

Also, a hint: when using WPScan, register for the API, as WPScan will then tell you the vulnerabilities in plugins that you can use to solve some of the questions.

Ahhh, found it haha

1 Like

I have the same doubt in the shell…

It turns out that one of the plugins is vulnerable and leads directly to the flag. So WPScan is your friend.

1 Like

I’ve got it! Thanks a lot! :slight_smile:

1 Like

Feel free to reach out in PM if you get stuck with others. I am doing the bug bounty track so this is my life right now lol. But always good to share ideas.

1 Like

Thank you, feel free to reach out as well in PM. I’ve now reached the final module “Bug bounty hunting process”. Cheers

1 Like

Nice. I probably will as this is new to me - I am a blue teamer.

1 Like