HTB Academy - Hacking wordpress, Skills Assessment

Hi guys, I completed all the questions except “Submit the contents of the flag file in the directory with directory listing enabled.” I checked on the system as user but couldn’t find flag.txt. Please help me, where is the question’s answer?

I’m having issues right at the beginning of this assessment where my WPscan is not working because it says the target machine is not running wordpress when it clearly is. Has anyone else had this issue? I have checked the IP I am using and regenerated new target machines but nothing is working.

Look at the source code.

Hey There!

I’m having some trouble regarding the task where you need to download a file via a vulnerable plugin. I’ve solved all other challenges, and I believe I have found the correct plugin to exploit as well; however, when I attempt the various PoCs found online they don’t seem to work. Can anybody help?

You’re not the only one. I used nikto to find info about the site and I see it is running bootstrap and not wordpress.

Or am I wrong in my finding?

I am confused about what you mean. I am looking at the source code. There is no mention of WP or WordPress.

This is what I am finding as well. I am confused by what the first step should be. I tried the other links on the page to see if another page had a different source code. I tried the blog page first because WP is often used for blogs, and I tried all the other links I could find on the page. Many of them are broken links and the others don’t show much. I also tried adding /admin to the end of the IP because often WP will send you to the admin login page if you do this, so I was hoping it would give me a better foothold to start checking the layout, but I got a 404. It’s almost like this VM was not made for this assessment.

Exactly, that’s what I mean. So you need to find a site that really runs on WordPress.

Ok, I was able to get all the way to the last item. I am in the WordPress editor. I have been unable to get from there to a shell. I tried the method from the lesson where you add PHP lines to the 404 page (or other pages) but I am unable to save. There is an error saying that it cannot communicate with the server and will not save the code. I have tried installing a vulnerable plugin but Metasploit fails to log in with the valid credentials which I used to log in. I know they work, but for some reason MS doesn’t think they do. I am pretty much out of ideas. Is there some kind of setting or line I could change from this side to make WordPress not check the PHP for errors before it saves? That seems to be the cause according to some stuff I found online. WordPress wants to check the PHP for errors but can’t reach out to some server to do that. Therefore it doesn’t save. I tried disabling all the site’s plugins to see if one of them was the cause for not being able to reach said server, but it did not fix the problem. I am out of ideas. Someone got a clue?

Hey. I also had the same issue. Try to think about what you can edit besides themes, and also read the warnings.

Honestly I have been at this too long and I’m starting to overthink it. I wish the course actually covered what I should be looking for because I am completely lost at this point.

finally :slight_smile:

  1. At the start I was stuck on finding the WordPress site, so read the source code very carefully and edit the /etc/hosts file
  2. you will find many vulns, but I found a user
  3. edit plugins
    I am not sure this works for you, but this is my way to a revshell

You need to add two sites:
echo '<ip> blog.inlanefreight.local inlanefreight.local' >> /etc/hosts

One of the domains uses WordPress, the other doesn’t.

Thanks to feroxbuster for helping me find the xxxx_flag.txt :smiling_face_with_tear:

I’m stuck on the same part. At first I didn’t realize I don’t get as much from wpscan unless I use the API. But I still can’t figure out this question…:
“Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”

I searched all the vulnerabilities found in the plugins but none match ‘unauthenticated file download’… any other hints you guys can give?

Thanks in advance.

Okay I just needed a day… I got it. I needed to use the exact payload from exploit db.

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

I can’t edit the 404.php file because of the above error, and also I can’t visit the URL that leads to 404.php.
These types of skills assessments waste a lot of time and have nothing to do with real-life scenarios. Instead of wasting a lot of time here, I should’ve invested in earning bounties !!!

I found the plugin as well as the exploit but don’t know how to use it to get to the flag. Any help would be appreciated.

Look into your wp report and go through the “references”.
There is an example of how you can exploit that vulnerability to “download” some data.
Perhaps that data will contain the flag …
It is much simpler than overthinking what to download.

Hint: unauthenticated file download!!!
Always validate “news” from external reference…