tenten

edited August 14 in Machines
Yet another box where things don't really work anymore as expected / intended.

wpscan doesn't recognize the jobmanager plugin as it seems to have done when the box was released, not even with the 30-minute-long deep scan. This tool has undergone some major changes in "management" afaik in the last 2 years; not sure if that's the cause.

I also built myself a list of all wordpress plugins and ran wfuzz on the plugins dir, like
wfuzz ... /wp-content/plugins/FUZZ/index.php

Akismet was detected but not jobmanager.*

One more problem: wpscan reports 50(!) vulns for this box and prints them all out.

Yes, you can still see jobmanager in the source of the website, but searchsploit doesn't list the CVE.

All of that tripped me up pretty hard, so I referred to some writeups; interestingly enough, some of them don't even show how to find the CVE.

Happy for thoughts, and leaving this for the next man from Google.

EDIT: * I found why: I built my list from the WordPress plugin registry, and this plugin was deleted a while ago. Does anyone have a more complete list of WordPress themes and plugins?

Hack The Box

Comments

  • edited August 15
    wpvulndb.com?

    Here's a list:
    https://wpvulndb.com/search?text=Job+manager

    If you are looking to reduce a long list of potentials to only the vulnerable ones, then this might help:
    https://github.com/gnothiseautonlw/vulnfetcher
  • Have you actually tried the box recently or even read what I wrote?

    The point was that you could find the "jobmanager" thingy easily while the box was new, using a standard wpscan.

    Now it was a lot harder to find it.

    Of course there are ways, there's always some way. If we humans can't find it anymore, some AI will find an obscure way. I already said what another way could potentially look like: reading the page source and googling for plugins.

    But that kinda misses the point: The box was designed in a traditional fashion:
    - Find wordpress
    - Use wpscan, get and exploit suggestion for jobmanager
    - ???
    - Profit

    In the rear-view mirror things always look easy (well, except for some BF SQL injections) and clear; when you sit in front of a blinking cursor with no clear path, it's a different story.


  • edited August 16
    @sparkla said:
    > Have you actually tried the box recently?

    About a month ago.
    I see my notes are filled with 'nope, dead end!' and I had to look at a walkthrough to make it through.
    I didn't know that things could be hidden in the way I needed here. Never heard about it. Would have never found it without help.

    > Have you even read what I wrote?

    I read the question: "I have a long list of plugins, how do I narrow them down?"

    The tool I referred to was born out of the frustration of a privesc situation where a Debian box had about 210 modules installed and one was supposedly vulnerable.

    When I asked around how they found that one vulnerable module, nearly everyone said "oh, yeah, but that one right there, that's the vulnerable one"... which makes me scratch my head:
    no way that anyone could have 'happened to pick that right one' out of a list that long, and no way anyone was patient enough to type them one by one into searchsploit, as the videos and writeups suggested you could find the vulnerability with searchsploit.

    At that point, anyone has essentially 3 choices: root the box and make yourself believe in hindsight that 'you just magically knew'; complain about it... or actually do something about it and give yourself a real fighting chance against those situations.

    Reducing a fairly long list isn't necessarily a hard task; it's just a very boring, repetitive and time-consuming one, but only for a human, not for machines...
    As you say:

    > I already said how another way potentially could look like, reading the page source and googling for plugins.

    Great. Write a tool for it... or shave off half a day and use the one I suggested by tweaking it a bit. That's why I referred to that site. Not for the list, but for the fact it could produce any list and provide extra information to narrow down your search (and their API is nice, so no need for web scraping to do it in an automated way).
    However you go about it, in a day or two you can have a pretty solid solution for any time in the future you run into this situation.

    > In the review mirror things look always easy (well except for some BF sql injections) and clear, when you sit in front of a blinking cursor with no clear path, it's a different story.

    I know the feeling. But then again: challenges are meant to be challenging, are they not?
    If I run into points where I don't know what I need to do, I just recognize I'm not smart enough, regardless of the level of the box. I don't mind.

    I'm 'script kiddy' on this site: I refuse to take any credit for anything I didn't do 100% on my own. The level reflects pretty well how I feel daily when working on these machines, so I'm happy with that. I like the truth in it.

    > The point was that you could find the "jobmanager" thingy easily while the box was new, using a standard wpscan.

    Two ways to think about that I guess: either complain and cry a river, or you look at it as an opportunity: if things are more challenging now, then we have the chance to grow more than those guys had back then.

    If they had to sift to only 5 vulnerabilities and you can find it between 50, then more power to you.

    Just keep in mind the opposite is true as well: today we have tools and resources they didn't have back then.
    I guess the grass can always be greener on the other side if you want it to be.

    I agree that things have increased in difficulty, but if you don't measure yourself against other people and live for your own growth, I don't see why that would matter.
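Both posters describe the same two steps in words: read the page source to see which plugins and themes it loads, then narrow that list down against a vulnerability database instead of typing names into searchsploit one by one. The script below is an added example (not code from either poster, nor from vulnfetcher or wpscan) showing how an administrator can do that inventory of their own WordPress site offline. The HTML snippet, the plugin slugs and versions in it, and the advisory table are all constructed for the example; in practice the table would be filled from a vulnerability database such as the one linked above.

```python
import re

# Constructed sample of a WordPress page's HTML source (plugin slugs and versions are
# made up for the example; no real site or advisory is being described).
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="http://example.test/wp-content/plugins/jobmanager/assets/style.css?ver=1.2.3" />
<script src="http://example.test/wp-content/plugins/akismet/_inc/akismet.js?ver=4.0.8"></script>
<script src="http://example.test/wp-content/plugins/jobmanager/js/main.js?ver=1.2.3"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js"></script>
<link rel="stylesheet" href="/wp-content/themes/twentyseventeen/style.css?ver=1.7" />
"""

# Constructed advisory table: (operator, version bound, advisory id). The ids are
# placeholders, not real CVEs; a real run would load this from a vulnerability database.
ADVISORIES = {
    ("plugins", "jobmanager"): [("<", "1.3.0", "EXAMPLE-ADVISORY-0001")],
    ("plugins", "akismet"): [("<", "2.0.0", "EXAMPLE-ADVISORY-0002")],
}

URL_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""")
PATH_RE = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/")
VER_RE = re.compile(r"[?&]ver=([^&\"'\s]+)")
GEN_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
}


def wordpress_core_version(html):
    """Return the core version from the generator meta tag, or None if absent."""
    m = GEN_RE.search(html)
    return m.group(1) if m else None


def extract_components(html):
    """Map (kind, slug) -> set of versions seen in asset URLs under /wp-content/."""
    found = {}
    for url in URL_RE.findall(html):
        m = PATH_RE.search(url)
        if not m:
            continue
        versions = found.setdefault((m.group(1), m.group(2)), set())
        v = VER_RE.search(url)
        if v:
            versions.add(v.group(1))
    return found


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(html, advisories=ADVISORIES):
    """Return (flagged, unknown): components matching an advisory bound, and
    components whose version could not be read from the source and need a manual look."""
    flagged, unknown = [], []
    for (kind, slug), versions in sorted(extract_components(html).items()):
        if not versions:
            unknown.append((kind, slug))
            continue
        for op, bound, advisory_id in advisories.get((kind, slug), []):
            for v in sorted(versions):
                if OPS[op](parse_version(v), parse_version(bound)):
                    flagged.append((kind, slug, v, advisory_id))
    return flagged, unknown


if __name__ == "__main__":
    print("core:", wordpress_core_version(SAMPLE_HTML))
    hits, unversioned = triage(SAMPLE_HTML)
    for kind, slug, v, adv in hits:
        print(f"{kind}/{slug} {v} matches {adv}")
    for kind, slug in unversioned:
        print(f"{kind}/{slug}: version not exposed in source, check manually")
```

Two things the walkthroughs tend to skip are visible here: a component can appear without any `?ver=` query string (contact-form-7 above), in which case the source alone does not settle its version and it lands in the "check manually" list; and version comparison has to be numeric, since a string comparison would rank "1.10" below "1.9".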