
Want to run this Docker container locally?
docker run -d -p 9039:80 --restart always --name flag-w joshbeck2024/ctf-wordpress-wpspritz-rfi-flagw
IP Address: 172.25.200.200
Port: 9039
In this lab, we have one of the most common and widely exploited CMS frameworks on the planet: WordPress. Why is WordPress so darn vulnerable, you ask?
- The source code is open source: everyone can read it and look for new ways to exploit it.
- Once an exploit is discovered, WordPress will come out with a patch.
- Most people don't apply the patch. Once a site is deployed, it's really easy to just leave it alone because it is working, and if it ain't broke, don't fix it! (Wrong!)
- There are thousands of themes and plugins that can be easily integrated into WordPress.
- The same applies to those plugins: they are open source as well.
- Vulnerabilities are discovered weekly within these plugins.
- Again, patching plugins is not something most people bother with once everything is working.
Summary: Vulnerable WordPress sites are everywhere.
- Most malicious users will use a search indexer like Shodan to find these easily.
There are a couple of different ways we can analyze WordPress sites. One of the first tools to reach for is wpscan. On Kali type:
wpscan --url http://IP_ADDRESS_OF_TARGET:9039

WPScan is a great tool. Be sure you trust, but verify!
- In my case it discovered the wp-with-spritz plugin straight away.
We can verify this by checking the front page.
- At the bottom of the page source, you’ll see this:

Whenever you assess a WordPress site, manually investigate every installed plugin and theme after the automatic detection. In this case, it is indeed wp-with-spritz version 1.0.
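The manual check described above can be scripted. The following is an added example, not part of the lab or of WPScan: it parses a page's HTML source for /wp-content/plugins/ and /wp-content/themes/ asset URLs, records each slug together with its ?ver= hint, and picks up the generator meta tag, giving a component inventory to compare against your patch list. The HTML below is constructed sample input and the hostname is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of a WordPress front page (placeholder host, not the lab's output).
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 5.2.1" />
<link rel='stylesheet' href='http://example.test/wp-content/plugins/wp-with-spritz/css/spritz.css?ver=1.0' />
<script src='http://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script src='/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.1'></script>
<link rel='stylesheet' href='/wp-content/themes/twentynineteen/style.css?ver=1.3' />
</head><body></body></html>
"""

# Matches the slug directly under wp-content/plugins/ or wp-content/themes/.
ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([^/'\"?]+)/")


class AssetCollector(HTMLParser):
    """Collect every script/link URL plus the generator meta tag from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href")
        if tag in ("script", "link") and url:
            self.urls.append(url)
        if tag == "meta" and a.get("name") == "generator":
            self.generator = a.get("content")


def inventory(html):
    """Return {'plugins': {slug: ver}, 'themes': {slug: ver}, 'generator': str|None}.
    The ?ver= value is only a hint (it may be the core version); confirm it against
    the plugin's own readme.txt as the text above recommends."""
    collector = AssetCollector()
    collector.feed(html)
    found = {"plugins": {}, "themes": {}, "generator": collector.generator}
    for url in collector.urls:
        m = ASSET_RE.search(url)
        if not m:
            continue  # core asset under wp-includes/, not a plugin or theme
        kind, slug = m.group(1), m.group(2)
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        if found[kind].get(slug) is None:  # first real version wins
            found[kind][slug] = ver
    return found
```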
There is a tool on Kali called searchsploit, which is tied to the exploit-db.com database and can be helpful here.