Write-Up > LetsDefend Challenge: Malicious WordPress Plugin

Praj Shete
5 min read · Oct 14, 2024


Scenario: Our WordPress website has been hacked; however, it’s yet unclear how exactly. The most likely explanation is that a plugin that was installed on the website had a remote code execution vulnerability. By taking advantage of this flaw, the attacker gained illegal access to the server’s operating system.
Challenge URL: https://app.letsdefend.io/challenge/malicious-wordpress-plugin

Q1. What is the IP address of the WordPress server?

Q2. Two attackers were attempting to compromise our environment. What is the IP address of the first attacker based on time?

Looking at the web traffic, we can figure out which host is the web server and which is the attacker, since the attacker starts enumerating web-server files with robots.txt.

Q3. What are the versions of the Apache and PHP servers deployed in our environment?

If we expand the details of any HTTP response packet, the response headers give us the web server name and version. An alternative is to follow the HTTP stream.

Q4. During enumeration, the attacker tried to identify users on the site. How many users got enumerated?

If we scroll down the traffic, we observe GET requests made to the endpoint /wordpress/author/a1l4m. This is one of the users; the others can be found the same way. There are 3 of them.
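To make the reasoning of Q2 and Q4 repeatable outside Wireshark, here is an added example (my own, not part of the original write-up or the challenge material) that works over a constructed request log. The IP addresses, timestamps and author slugs are all made up for the example; it picks the earliest source that requests /robots.txt as the first attacker, and counts the distinct /wordpress/author/<slug> paths as enumerated users.

```python
import re
from collections import Counter, OrderedDict

# Constructed request log (not the challenge capture): "epoch_time src_ip dst_ip method path".
# 192.0.2.10 stands in for the WordPress server; 203.0.113.7 and 198.51.100.9 are the two
# assumed attacker addresses (documentation ranges, so nothing here is a real host).
REQUEST_LOG = """\
1700000001.0 203.0.113.7 192.0.2.10 GET /wordpress/
1700000002.5 203.0.113.7 192.0.2.10 GET /robots.txt
1700000003.0 203.0.113.7 192.0.2.10 GET /wordpress/author/alice
1700000003.4 203.0.113.7 192.0.2.10 GET /wordpress/author/bob
1700000004.1 198.51.100.9 192.0.2.10 GET /robots.txt
1700000004.9 203.0.113.7 192.0.2.10 GET /wordpress/author/alice
1700000005.2 198.51.100.9 192.0.2.10 GET /wordpress/author/carol
1700000006.0 203.0.113.7 192.0.2.10 GET /wordpress/wp-login.php
"""

# WordPress serves one author archive per user, so each distinct slug is one enumerated user.
AUTHOR_PATH = re.compile(r"^/wordpress/author/([A-Za-z0-9_.-]+)/?$")


def parse_log(text):
    """Parse the whitespace-separated records and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst, "method": method, "path": path})
    return sorted(records, key=lambda r: r["ts"])


def web_server(records):
    """The address that receives the bulk of the requests is the web server (Q1's reasoning)."""
    return Counter(r["dst"] for r in records).most_common(1)[0][0]


def first_attacker(records):
    """Earliest source, by time, that starts enumerating with GET /robots.txt (Q2)."""
    for r in records:  # records are already time-ordered
        if r["method"] == "GET" and r["path"] == "/robots.txt":
            return r["src"]
    return None


def enumerated_users(records):
    """Distinct author slugs requested via /wordpress/author/<slug>, in first-seen order (Q4)."""
    seen = OrderedDict()
    for r in records:
        m = AUTHOR_PATH.match(r["path"])
        if m:
            seen.setdefault(m.group(1), r["src"])  # remember who first probed this user
    return list(seen)


if __name__ == "__main__":
    recs = parse_log(REQUEST_LOG)
    print("web server:", web_server(recs))
    print("first attacker:", first_attacker(recs))
    users = enumerated_users(recs)
    print("enumerated users:", users, "count:", len(users))
```

The same records could be exported from the real capture with tshark (fields for frame time, ip.src, ip.dst, http.request.method and http.request.uri) and fed to parse_log unchanged; counting distinct slugs rather than raw requests is what keeps a repeated probe of the same author from inflating the count.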

Q5. After enumeration, a brute force attack was launched against all users. What is the name of the page used for the brute force attack?

A brute-force attack shows up as tonnes of requests with the same packet content but different attributes. If we scroll down, we observe a large number of POST requests made to a specific PHP file.

The body of each POST to that PHP file contains the username and password of the attempted login in XML format.

Q6. The attacker successfully gained access to one of the accounts. What are the username and password for that account?
This is an interesting one. If we look at the response to each attempt, we observe a specific pattern: first, every response has the same frame length; second, the contents are the same for each failed attempt.

To find the successful attempt we need to find the one packet with a different length. For this I used a filter:

http && frame contains "xml" && frame.len!=674

This gives us the packet we are looking for.
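The length-outlier idea behind that filter generalises to any credential-stuffing burst: the failed replies are identical, so the successful one is the minority length. As an added example (mine, not the author's or the challenge's), the script below derives the baseline length from the data instead of hard-coding it, then applies the same test as the filter. Only the 674-byte value comes from the page; the frame numbers and XML bodies are constructed stand-ins.

```python
from collections import Counter

# Constructed XML responses to the brute-force POSTs (not the challenge's packets):
# (frame_number, frame_len, response_body). Only the 674-byte length is taken from the
# page's filter; the bodies are stand-ins for a failed and a successful login reply.
FAILED_BODY = '<?xml version="1.0"?><methodResponse><fault>...</fault></methodResponse>'
SUCCESS_BODY = '<?xml version="1.0"?><methodResponse><params>...</params></methodResponse>'
RESPONSES = [(1000 + i, 674, FAILED_BODY) for i in range(20)]
RESPONSES.insert(13, (2047, 812, SUCCESS_BODY))  # the one reply that differs


def baseline_length(responses):
    """The most common frame length is the failed-attempt baseline (674 here)."""
    return Counter(length for _, length, _ in responses).most_common(1)[0][0]


def anomalous_responses(responses, baseline=None):
    """Python equivalent of: http && frame contains "xml" && frame.len != <baseline>."""
    if baseline is None:
        baseline = baseline_length(responses)
    return [(num, length, body) for num, length, body in responses
            if "xml" in body and length != baseline]


def body_counts(responses):
    """How many times each distinct body appears; failed attempts all share one body."""
    return Counter(body for _, _, body in responses)


if __name__ == "__main__":
    print("baseline length:", baseline_length(RESPONSES))
    for num, length, body in anomalous_responses(RESPONSES):
        print(f"frame {num}: len={length} body={body[:60]}")
    print("distinct bodies:", len(body_counts(RESPONSES)))
```

Deriving the baseline with a Counter rather than typing 674 is the part worth keeping: on a different capture the failed-response length changes, but the majority-length rule does not. The body histogram is the second check the write-up describes (identical content for every failure), and on a real capture it catches the case where the successful reply happens to have the same length.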

If we see the HTTP stream for this packet, we will have our answer:

Q7. There was a vulnerable plugin that the attacker exploited. What is the name of the plugin?

For this I used a filter:

http && frame contains "plugin"

Q8. What is the CVE number associated with that plugin?
A simple Google search!

Q9. What is the C2 server IP address of the attacker?

The attacker requested content from the C2 server: the request was made to an endpoint other than WordPress and originated from the web server, which means the attacker was downloading content from the C2 onto the compromised host.
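What makes the C2 stand out is the direction of the request: a web server answers requests, it does not normally make them. As an added example (my own, not from the write-up), the script below flags outbound HTTP requests whose source is the web server and tallies the non-site destinations; the addresses, ports and paths are constructed, and the web server and site host names are assumptions for the example.

```python
from collections import Counter

# Constructed HTTP request records (not the challenge capture):
# (src_ip, dst_ip, dst_port, host_header, path).
WEB_SERVER = "192.0.2.10"                          # assumed: the compromised WordPress host
SITE_HOSTS = {"192.0.2.10", "wordpress.example"}   # assumed: names/IPs the site legitimately serves as
REQUESTS = [
    ("203.0.113.7", "192.0.2.10", 80, "wordpress.example", "/wordpress/wp-admin/admin.php"),
    ("192.0.2.10", "198.51.100.23", 8000, "198.51.100.23", "/payload.txt"),
    ("203.0.113.7", "192.0.2.10", 80, "wordpress.example", "/wordpress/wp-login.php"),
    ("192.0.2.10", "198.51.100.23", 8000, "198.51.100.23", "/stage2.php"),
    ("192.0.2.10", "192.0.2.10", 80, "wordpress.example", "/wordpress/wp-cron.php"),
]


def server_initiated(requests, server_ip):
    """Requests whose source is the web server; a server normally only answers requests."""
    return [r for r in requests if r[0] == server_ip]


def c2_candidates(requests, server_ip, site_hosts):
    """Destinations the server reached out to that are not the site itself, with hit counts."""
    counts = Counter()
    for src, dst, port, host, path in server_initiated(requests, server_ip):
        if dst in site_hosts or host in site_hosts:
            continue  # self-requests such as wp-cron are not egress to a third party
        counts[(dst, port)] += 1
    return dict(counts)


if __name__ == "__main__":
    for dst_port, hits in c2_candidates(REQUESTS, WEB_SERVER, SITE_HOSTS).items():
        print(f"server contacted {dst_port[0]}:{dst_port[1]} {hits} time(s)")
```

In Wireshark the same question is the display filter `ip.src == <web server IP> && http.request`; the site-host exclusion matters because WordPress legitimately calls itself (wp-cron is the usual case), and those self-requests would otherwise show up as false positives.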

Q10. What is the name of the function that the attacker tested the exploit with?
For this I viewed the response packet for the admin.php request. I could see a function called phpinfo(); this sends the attacker the version of PHP installed on the web server so as to check compatibility with the exploit.

Q11. What is the name and version of the attacker’s server?

The HTTP stream of the above packet shows it.

Q12. What is the username that was logged on during the attack, including the domain?

It was my intuition that the attacker must have used whoami as the command on the reverse web shell to get this information, hence I used this filter to get the required packet:

frame contains "whoami"

If we follow the HTTP stream, we can get the command response.

Q13. The attacker attempted to upload a reverse shell. What is the IP address and port number?

For this I analyzed the admin.php code; it had the details of the listener.

Q14. What command posed an obstacle during the process of the reverse shell?

Since we know that the listener is on port 1234, let's analyze the egress traffic to this port with the filter: tcp.port==1234

Here we can see the error received after running uname.
