```
Nmap done: 1 IP address (1 host up) scanned in 13.60 seconds

nmap -p 80 -sCV -oA scans/nmap-tcpscripts 10.10.11.142
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: UHC Jan Finals – New Month, New Boxes
Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds
```

Based on the Apache version, the host is likely running Ubuntu 20.04 focal.

Like all the UHC boxes, the theme for the site is about the UHC event:

![]()

There's a single post, and clicking on it leads to , which is an interesting URL because having folders after the .

The page itself presents a list of User Agent strings, which seems to update periodically as I hit the site:

There's also a comment section at the bottom. If I leave something, it ends up redirecting to pressed.htb and failing there. I'll add that to my hosts file, and then the comment posts to the site, but it says it's awaiting moderation:

That's a good indicator that none of the other players will see it, but it doesn't rule out a moderator seeing it. Script and image tags seem to be stripped out.

Looking in Burp at my request history, it's pretty clear this site is running on WordPress:

Given the use of WordPress, I'll tend to look at things like wpscan over a directory brute force. There could be value in a directory brute force, but typically there's more value in the scan specific to the framework.

I'll give it my API key, which I got for free from the WPScan website, and let it run:

```
wpscan --url [...] --api-token $WPSCAN_API
...
 | Found By: Direct Access (Aggressive Detection)
```

Typically the XML-RPC finding is something I gloss over. It can be brute forced more easily than the web admin login to try to find creds, but that typically isn't something done on HTB machines. However, if I find a case where I have creds to log in but can't get into the GUI, it could come in handy.

I'll grab the config with wget, and check it out:

```php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'admin' );

/** Database password */
define( 'DB_PASSWORD', 'uhc-jan-finals-2021' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The database collate type. */
```

The only really interesting part is the creds to the database connection.

## Webshell as www-data

### Verifying Admin Creds

I'll jump over to /wp-login.php and see if the DB creds work for the admin user:

![]()

I'll note that the password ends in 2021, and it's now 2022. I'll try "uhc-jan-finals-2022", and it works, kind of:

![]()

Now there's a 2FA prompt, and I don't have the seed.

With valid creds but no access to the admin login, I'll turn to the XML-RPC interface. The XML-RPC interface for WordPress is an API for interacting with WordPress outside of the typical GUI. Googling for "WordPress XML-RPC" returns tons of posts about how to disable it, and why it's a security vulnerability. While this may sound promising for me as I'm trying to hack this box, it actually doesn't amount to much. The general vulnerabilities are either patched or in the denial-of-service area, not something useful for HackTheBox / UHC use-cases. The WordPress site has a list of the typical methods offered via this API.