Last weekend, I participated in the Patchstack WCUS CTF and solved all the WordPress challenges. Here's my write-up for each challenge from the Patchstack WCUS CTF 2024.

Dynasty

Description

My area have some kind of dynasty where its using related and known component, which is a very bad practice. Proof me that this dynasty is very bad.

NOTE: This is a fully white box challenge, almost no heavy brute force is needed.

Bad Dynasty

attachment.zip

How to Solve

To solve this challenge, we need to identify the relevant CVEs included. The challenge contains multiple vulnerabilities, which are listed below:

These four vulnerabilities are crucial for gaining RCE (Remote Code Execution) via PHP Object Injection. Next, we'll discuss how to exploit these vulnerabilities to our advantage.

Plan for the Vulnerability Chain:

  1. LearnPress - Unauthenticated Bypass to User Registration:

    This allows us to register as a subscriber without authentication.

  2. Ninja Forms - Subscriber+ Arbitrary Shortcode Execution:

    As a subscriber, we can execute any shortcode available in WordPress.

  3. Participants Database - PHP Object Injection:

    This vulnerability can only be exploited if the shortcode exposing the vulnerable form is accessible.

  4. Rollbar Plugin - PHP Object Injection Gadget:

    This gadget can be used to trigger Remote Code Execution (RCE) once the object injection in Participants Database is accessible.

Exploitation Flow: