swiss hacking challenge 2024 - office-press

Posted on May 1, 2024

Difficulty: easy

Category: web

Author: xNULL

Hello, is this IT?

This is the chef of the communication department. We are hosting a WordPress site without your knowledge and now want it to have backups.

Please install a proper backup solution so we can test in production

This challenge has more of an HTB challenge character, I’d really like some feedback on this :)

Files

We get a hosted instance and a Dockerfile + entrypoint.sh.

Exploitation

One could follow the unintended solution and just visit /flag.txt, but that’s lame.

The following part of the entrypoint.sh is the issue:

PLUGIN_SLUG="backup-backup"
PLUGIN_VERSION="1.3.7"
wp --allow-root --path=/var/www/html plugin install $PLUGIN_SLUG --version=$PLUGIN_VERSION --activate

This pins the plugin to a version that is vulnerable to CVE-2023-6553, which essentially allows remote code execution (RCE).
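From the defender's side, a version pin like this can be caught before the image ships. The script below is an added example, not part of the challenge or the original write-up: the advisory table and the function names are constructed here, and 1.3.8 as the first fixed release is an assumption to confirm against the advisory.

```shell
# Added example, not the challenge's code: flag plugins pinned below the first fixed release.
# Advisory table: "<slug> <first fixed version> <advisory id>", one per line.
# Assumption: 1.3.8 as the first fixed release; confirm against the advisory.
ADVISORIES='backup-backup 1.3.8 CVE-2023-6553'

# Sample input: the three entrypoint.sh lines quoted in the write-up.
sample_entrypoint() {
  cat <<'EOF'
PLUGIN_SLUG="backup-backup"
PLUGIN_VERSION="1.3.7"
wp --allow-root --path=/var/www/html plugin install $PLUGIN_SLUG --version=$PLUGIN_VERSION --activate
EOF
}

# audit_entrypoint FILE: print one finding per vulnerable pin, exit 1 if any.
audit_entrypoint() {
  awk -v advisories="$ADVISORIES" '
    # Return 1 when dotted numeric version a is strictly older than b.
    function older(a, b,    x, y, n, m, i) {
      n = split(a, x, "."); m = split(b, y, ".")
      for (i = 1; i <= n || i <= m; i++)
        if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0)
      return 0
    }
    # Strip quotes and $ { } from a token, then expand a known variable.
    function resolve(tok) { gsub(/["${}]/, "", tok); return (tok in vars) ? vars[tok] : tok }
    BEGIN {
      n = split(advisories, row, "\n")
      for (k = 1; k <= n; k++) { split(row[k], f, " "); fixed[f[1]] = f[2]; id[f[1]] = f[3] }
    }
    # Remember simple NAME="value" assignments.
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ {
      eq = index($0, "="); name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
      val = substr($0, eq + 1); gsub(/"/, "", val); vars[name] = val; next
    }
    # On other lines look for: plugin install <slug> ... --version=<v>
    {
      slug = ""; ver = ""
      for (i = 1; i <= NF; i++) {
        if (i > 1 && $(i - 1) == "plugin" && $i == "install") slug = resolve($(i + 1))
        if (index($i, "--version=") == 1) ver = resolve(substr($i, 11))
      }
      if ((slug in fixed) && ver != "" && older(ver, fixed[slug])) {
        printf "%s %s is older than fixed release %s (%s)\n", slug, ver, fixed[slug], id[slug]
        found = 1
      }
    }
    END { exit found + 0 }
  ' "$1"
}
```

Calling `audit_entrypoint entrypoint.sh` in a build pipeline fails the step when a pinned plugin version is older than the fixed release listed in the table.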

After running the exploit using python exploit.py -u <challenge url>, we get a shell where we can get the flag:

$ cat /var/www/html/flag.txt

Flag

shc2024{backup_software_to_the_rescue!}

Conclusion

Regarding the request for feedback:

For new players, especially for those who have solved HTB boxes before, this seems like a great challenge! I just missed the usual privilege escalation part a bit ^^