Cheers! - Remote Vulnerability Analysis in WordPress

In this lab, you will explore an apparently harmless WordPress site and discover if there is a critical vulnerability that allows remote control of the system. This lab is based on a realistic configuration with a vulnerable component: the TimThumb script.

In this lab, you will learn:

• Recognizing suspicious paths and files in WordPress
• Identifying vulnerable scripts in outdated themes
• Analyzing the behavior of the TimThumb script
• Formulating attack hypotheses based on the analysis

📄 Instructions

You are facing the website of a fictional beer brand called Cheers! Brewery, developed with WordPress 4.2.2. Your task is to analyze the structure of the site and discover if there is any exploitable vulnerability.

1. Discover the IP address of the CHEERS! machine

   • The machine is connected to the same network as you, but its IP has not been provided.
   • Use tools like nmap, netdiscover, or arp-scan to scan the network.

2. Access the website hosted on the server.

   • Open your browser and visit the assigned IP:

     http://<IP>/myblog/
     

   • Observe the available content. No authentication is required.

3. Search for suspicious paths or files.

   • Explore paths such as:
     • /wp-content/themes/
     • /wp-content/plugins/
   • Try accessing directly:

     http://<IP>/myblog/wp-content/themes/cheers/timthumb.php
     

4. Analyze the script's behavior.

   • If the browser responds with "No image specified," the script is active.
   • Investigate what timthumb.php does and why it might be risky.

5. Formulate an attack hypothesis.

   • Could this file allow remote code execution?
   • What kind of tools could you use to exploit it?
   • What would be the impact of a successful exploitation?

6. Verify your findings. If the lab allows, you can attempt a proof of concept using tools like Metasploit to exploit the vulnerability. If your hypothesis is correct, you might compromise the system and access a flag located at /home/cheers/.

Privilege escalation is not required. The challenge is to identify and reason about the exposed vulnerability.

Remember: not all attacks require brute force. Sometimes, it is enough to observe, analyze, and understand how the system works to find a flaw.

Happy hacking!