Wordpress Challenge

A place where newbies can post without (much) fear of reprisal. All mission posts should still go in the applicable forum.
Forum rules
Older HTS users: Be nice to the new people.

NEW USERS: This is NOT the place to post about missions! Refer to "Missions" category.

Wordpress Challenge

Post by aumatclo on Thu May 24, 2018 9:35 am
([msg=95745]see Wordpress Challenge[/msg])

Hi there,

I created myself a challenge (a friend actually gave it to me).
He created his own lab and created a website with wordpress and told me to hack it.
I am a not a pro with website but I managed to get the challenge half done.

He hide a .git broken that I manage to reconstruct (more or less) and therefore I got access to all the previous versions of the website. It has only php, from wp-content to all the plugins and the login pages. After long hours of looking inside and trying to analyze the code I didn't find any breach...
I tried all the different plugins to find vulnerabilities.. nothing
Not a single log hidden, not a single custom php, but only php automatically created from wordpress.
Because the .git is broken I cannot modify the php and upload it again to create a backdoor (at least I think haha)

I am looking for a small help, like if someone could give me a new idea to look for so I can gain access.

If any of you can give me a hand I would be very grateful

Thank you in advance
aumatclo
New User
New User
 
Posts: 2
Joined: Thu May 24, 2018 9:27 am
Blog: View Blog (0)


Re: Wordpress Challenge

Post by pretentious on Mon May 28, 2018 2:03 am
([msg=95757]see Re: Wordpress Challenge[/msg])

There’s safety in numbers. 80% of the world is running WordPress. With a boilerplate set up, it is very unlikely there are vulnerabilies(that you will find)

Care to elaborate on the whole .git thing and how you could use that as an attack surface?
Limited experience but you could probably manually repair it if that gives you an in

Otherwise, challenge your friend to build custom functionality into the system
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
Can you say brainwashing It's a non stop disco
User avatar
pretentious
Addict
Addict
 
Posts: 1202
Joined: Wed Mar 03, 2010 12:48 am
Blog: View Blog (0)



Return to NZone

Who is online

Users browsing this forum: No registered users and 0 guests