Incident Summary
This report outlines the compromise of a WordPress server exploited through a vulnerable plugin by a threat actor. The attack, simulated in HackTheBox's Sherlock: Ultimatum challenge, targeted a known vulnerability in the Ultimate Member plugin, enabling the attacker to create a backdoor admin account and gain full control over the server. This detailed report examines the attack timeline, indicators of compromise (IoCs), and post-exploitation activities.
1. Objective
The objective of this investigation was to analyze the compromise of a WordPress server suspected of being attacked via a vulnerable plugin. The aim was to identify the exploit, document the attacker's methods, and gather actionable intelligence for remediation.
2. Attack Vector and Initial Access
- Vulnerability Exploited: The attacker exploited CVE-2023-3460, a flaw in the Ultimate Member plugin (v2.6.7). This vulnerability allowed the attacker to bypass authentication and create unauthorized admin accounts, facilitating privilege escalation and control over the WordPress CMS. The plugin failed to enforce adequate validation for user roles, permitting arbitrary account creation with administrative privileges.
3. Attack Timeline and Techniques Used
- Reconnaissance and Initial Scanning: The attacker utilized WPScan v3.8.24, a widely used WordPress scanner, to fingerprint the server and identify vulnerabilities. This activity was logged in the Apache access logs located at /var/log/apache2/access.log, indicating:
  - Scanner User-Agent: WPScan/3.8.24
  - Attacker IP: 23.106.60.163
4. Exploitation
- Privilege Escalation via Plugin: Following reconnaissance, the attacker sent a specially crafted HTTP GET request targeting the vulnerable plugin endpoint, allowing for the creation of an unauthorized admin user. This user, with elevated privileges, was subsequently used to access the WordPress dashboard.
- Web Shell Upload: The attacker uploaded a PHP reverse shell disguised as a theme pattern file, named hidden-comments.php, into the /wp-content/themes/twentytwentythree/patterns/ directory. This reverse shell provided the attacker with remote code execution (RCE) capabilities and persistent access to the server.
- Indicators of Compromise (IoCs):
  - Web shell path: /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php
  - Web shell size: 2592 bytes
- Attacker Command Execution: Upon gaining access, the attacker executed the following commands through the reverse shell:
  uname -a; w; id; /bin/bash -i
  - These commands supplied the attacker with system information, active user sessions, and current user privileges. The command /bin/bash -i initiated an interactive bash shell session.
- Process ID: The process enabling the attacker's shell was identified as PID 234521.
5. Post-Exploitation Activities
- IP Change: To evade detection, the attacker switched IP addresses following the initial exploitation phase. The second IP address, 198.16.74.45, was recorded in the Apache logs during post-exploitation activities.
- Command-and-Control (C2) Infrastructure: Persistent access to the server was maintained via the reverse shell, which connected to the attacker's C2 infrastructure located at 43.204.24.76:6969.
6. Tools and Techniques for Internal Enumeration
After gaining access, the attacker ran LinEnum.sh, a commonly used enumeration script that automates system reconnaissance and identifies privilege escalation opportunities within Linux environments. This tool assisted the attacker in discovering potential misconfigurations and vulnerabilities for further exploitation.
7. Detection and Forensic Analysis
The investigation utilized the Cat-Scale forensic triage tool to collect system artifacts, including logs and memory dumps from the compromised server. The logs from /var/log/apache2/ were parsed to identify key indicators, tracing the attacker's movements and activities.
- Key Insights:
  - Identified malicious requests targeting the vulnerable plugin.
  - Located and analyzed the reverse shell file.
  - Extracted process IDs and attacker IPs during both exploitation and post-exploitation phases.
8. Detailed Walkthrough of Investigation
This section provides a step-by-step walkthrough of the investigative process utilized to analyze the compromise of the WordPress server. The investigation focused on various logs and files to extract pertinent information about the attack.
- Identifying the Security Scanning Tool
  - Command: head -n 30 /var/log/apache2/access.log
  - Output: 23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "GET /index.php/register/ HTTP/1.1" 200 11312 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)" ...
  - The attacker utilized WPScan v3.8.24 to fingerprint the blog website.
- Identifying the CVE Exploited
  - The CVE exploited by the attacker was CVE-2023-3460.
- Determining the Attacker's IP Address
  - The IP address utilized by the attacker during the exploitation was 23.106.60.163.
- Identifying the Backdoor User Added
  - Command: grep "23.106.60.163" /var/log/apache2/access.log | tail -n 10
  - Output: secragon
  - The backdoor user added to the blog was secragon.
- Identifying the IP Address Used After Logging In
  - The second IP address observed after the attacker logged in was 198.16.74.45.
  - Log Entry: 198.16.74.45 - - [08/Aug/2023:09:01:53 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 576 "http://3.110.136.25/wp-admin/theme-editor.php?file=patterns%2Fhidden-comments.php&theme=twentytwentythree" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
- Confirming the Full Path of the Web Shell
  - The path of the web shell added by the attacker was: /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php
- Finding the Value of the $shell Variable
  - The value of the $shell variable can be extracted from the web shell code.
- Determining the Size of the Web Shell
  - Command: ls -l /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php
  - Output: 2592 bytes
  - The size of the web shell is 2592 bytes.
- Identifying the C2 IP and Port
  - The Command-and-Control (C2) IP and port used by the attacker were: 43.204.24.76:6969
- Identifying the Process ID of the Reverse Shell
  - The process ID (PID) used for the reverse shell was 234521.
- Identifying the Tool Used for Internal Enumeration
  - The tool used by the attacker for internal enumeration was identified as LinEnum.sh.
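As an added example (not part of the original write-up), the following Python script automates the access.log checks performed in the walkthrough above: it flags scanner user-agents, pulls the theme and file saved through theme-editor.php out of the referer of admin-ajax.php POSTs, and counts requests per IP. The sample log lines are constructed from the values cited in this report, not copied from the challenge artifacts.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample in Apache combined log format, built from the values
# this report cites (IPs, user-agent, referer). Not lines from the real case.
SAMPLE_LOG = """\
23.106.60.163 - - [08/Aug/2023:08:21:33 +0000] "GET /index.php/register/ HTTP/1.1" 200 11312 "http://3.110.136.25/" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
23.106.60.163 - - [08/Aug/2023:08:22:10 +0000] "GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1" 200 4120 "-" "WPScan v3.8.24 (https://wpscan.com/wordpress-security-scanner)"
198.16.74.45 - - [08/Aug/2023:09:01:53 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 576 "http://3.110.136.25/wp-admin/theme-editor.php?file=patterns%2Fhidden-comments.php&theme=twentytwentythree" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
10.0.0.7 - - [08/Aug/2023:09:05:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# One combined-format request line: ip, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA_MARKERS = ("wpscan",)  # extend with other scanner signatures as needed


def theme_editor_target(referer):
    """If the referer is a wp-admin theme-editor.php URL, return (theme, file)."""
    u = urlparse(referer)
    if not u.path.endswith("/wp-admin/theme-editor.php"):
        return None
    q = parse_qs(u.query)  # parse_qs also decodes %2F in the file parameter
    return q.get("theme", ["?"])[0], q.get("file", ["?"])[0]


def triage(log_text):
    """Extract the three things the walkthrough looked for in access.log:
    scanner IPs, theme-editor saves of .php files, and per-IP request counts."""
    scanner_ips, editor_edits, by_ip = set(), [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        rec = m.groupdict()
        by_ip[rec["ip"]] += 1
        if any(mark in rec["ua"].lower() for mark in SCANNER_UA_MARKERS):
            scanner_ips.add(rec["ip"])
        target = theme_editor_target(rec["referer"])
        # A POST to admin-ajax.php with a theme-editor referer is the editor
        # saving the file named in the referer; a .php target is a web shell lead.
        if target and rec["method"] == "POST" and target[1].endswith(".php"):
            editor_edits.append((rec["ip"], rec["ts"], target[0], target[1]))
    return {"scanner_ips": scanner_ips, "theme_editor_edits": editor_edits,
            "requests_by_ip": by_ip}
```

Run triage(SAMPLE_LOG) to see the scanner IP, the theme-editor save of patterns/hidden-comments.php, and the request counts; point it at the real /var/log/apache2/access.log contents to repeat the walkthrough on a live case.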
9. Indicators of Compromise (IoCs)
| Indicator | Details |
|---|---|
| Vulnerable Plugin | Ultimate Member v2.6.7 |
| CVE | CVE-2023-3460 |
| Initial Attacker IP | 23.106.60.163 |
| Post-Exploitation Attacker IP | 198.16.74.45 |
| Web Shell Path | /var/www/html/wp-content/themes/twentytwentythree/patterns/hidden-comments.php |
| Web Shell Size | 2592 bytes |
| C2 IP and Port | 43.204.24.76:6969 |
| Malicious Process ID | 234521 |
| Enumeration Tool | LinEnum.sh |
10. Recommendations for Remediation
- Patch Management: Ensure that all WordPress plugins, particularly Ultimate Member, are regularly updated to their latest versions to mitigate known vulnerabilities.
- Access Control: Implement Role-Based Access Control (RBAC) to restrict unauthorized account creation and validate user roles properly.
- File Upload Restrictions: Strengthen file upload validation to prevent the execution of malicious scripts, including reverse shells.
- Log Monitoring and Anomaly Detection: Enable detailed logging for web server activities and deploy intrusion detection systems (IDS) to detect abnormal behavior, such as unauthorized logins or unusual file uploads.
- Incident Response: Establish an Incident Response Plan (IRP) to quickly identify, isolate, and remediate compromised systems in the event of future attacks.
11. Conclusion
This investigation highlights the dangers posed by vulnerable WordPress plugins, particularly when exploited in conjunction with weak security configurations. The use of known vulnerabilities such as CVE-2023-3460, combined with readily available tools like WPScan and LinEnum, allowed the threat actors to gain unauthorized access to the WordPress server, elevate their privileges, and maintain persistence through a reverse shell and command-and-control infrastructure.
The attacker’s ability to exploit the Ultimate Member plugin illustrates the importance of proactive vulnerability management and patching routines. Additionally, the attacker’s post-exploitation activities, including the deployment of a PHP reverse shell, underscore the necessity for robust access control, file validation mechanisms, and continuous monitoring for potential threats.
Through the systematic collection of forensic data, analysis of logs, and identification of Indicators of Compromise (IoCs), this investigation not only provided a clear picture of the attack chain but also informed specific recommendations to strengthen defenses against similar attacks in the future.
The following key points summarize the findings:
- The attacker exploited a well-known vulnerability in the Ultimate Member plugin to gain administrative privileges.
- A reverse shell was uploaded to the server, allowing the attacker to execute commands remotely.
- Post-exploitation activities included internal enumeration using LinEnum.sh and connection to an external command-and-control server.
- The compromise was facilitated by outdated software and the absence of effective monitoring and file upload restrictions.
Final Recommendations: To safeguard against future attacks, it is essential to:
- Apply patches and updates promptly.
- Employ proper user role validation and access control.
- Implement robust monitoring and logging mechanisms.
- Conduct regular security audits of WordPress installations and plugins.
This report has provided a comprehensive overview of the investigation into the compromise of a WordPress server. The detailed analysis of the attack vectors, tools, and IoCs offers insight into the methods employed by the threat actors and forms the foundation for the recommended remediation steps.