{"id":883,"date":"2020-05-09T04:10:47","date_gmt":"2020-05-09T03:10:47","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=883"},"modified":"2020-09-28T18:06:24","modified_gmt":"2020-09-28T17:06:24","slug":"privilege-escalation-hello-admin","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/privilege-escalation-hello-admin\/","title":{"rendered":"Privilege Escalation – Hello Admin"},"content":{"rendered":"

Summary :<\/strong><\/p>\n

Hello everyone, today I\u2019m going to show you how I found a\u00a0Privilege Escalation<\/em><\/strong>\u00a0in WordPress website that was using a vulnerable plugin. I was using wappalyzer and was able to detect that the website was using WordPress CMS (Content Management System), so the first thing I tried was \u201cwpscan\u201d<\/em><\/strong>\u00a0and got so many vulnerable plugins and some default credentials so I exploited the vulnerability using one exploit available on exploit-db.<\/p>\n

What is Privilege Escalation ?<\/strong><\/p>\n

Privilege escalation, in simple words, means getting privileges to access something that should not be accessible. Attackers use various privilege escalation techniques to access unauthorized resources.<\/p>\n

Privilege escalation was possible because the plugin was using a vulnerable function called \u201cwp_set_auth_cookie()\u201d<\/strong><\/p>\n

What is\u00a0wp_set_auth_cookie()<\/em>\u00a0function ?<\/strong><\/p>\n

This function filters the duration of the authentication cookie expiration period and also checks if the connection is secure or not. It is also used to secure a login cookie and fires immediately before the authentication cookie is set.<\/p>\n

Syntax :<\/strong><\/p>\n

wp_set_auth_cookie( int $user_id, bool $remember = false, bool|string $secure =\u2019 \u2019, string $token = \u2018 \u2018)<\/p>\n

It sets the authentication cookies based on user ID.<\/p>\n

Description :<\/strong><\/p>\n

The $remember parameter increases the time that the cookie will be kept. The default the cookie is kept without remembering is two days. When $remember is set, the cookies will be kept for 14 days or two weeks.<\/p>\n

Parameters :<\/strong><\/p>\n

$user_id<\/em><\/p>\n

(int) (Required) User ID.<\/p>\n

$remember<\/em><\/p>\n

(bool) (Optional) Whether to remember the user.<\/p>\n

Default value: false<\/p>\n

$secure<\/em><\/p>\n

(bool|string) (Optional) Whether the auth cookie should only be sent over HTTPS. Default is an empty string which means the value of\u00a0is_ssl()<\/strong>\u00a0will be used.<\/p>\n

Default value: \u2018 \u2019<\/p>\n

$token<\/em><\/p>\n

(string) (Optional) User\u2019s session token to use for this cookie.<\/p>\n

Default value: \u2018 \u2019<\/p>\n

Vulnerable Code :<\/strong><\/p>\n

\n
\n
\n
\n
\n
<\/div>\n

<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

Vulnerable Code<\/figcaption><\/figure>\n

How to find this vulnerability ?<\/strong><\/p>\n

    \n
  1. Go to your target website that is using WordPress CMS<\/li>\n
  2. Use the wpscan tool to check for the out-dated plugins, themes, default credentials etc.<\/li>\n<\/ol>\n

    My command : wpscan –url\u00a0https:\/\/target.com<\/a>\u00a0–disable-tls-check –enumerate u<\/p>\n