Hey there. Okay. Yeah, like, I got really nicely introduced. I'm Matt. I'm from Bugcrowd, but that doesn't matter here. I'm here for WordPress, and what I'm going to do is I'm going to try to hack WordPress. So, a WordPress website. So somebody here is going to get hacked, and I already know who, because I asked around, so not too surprising.

But first of all, let's talk a little bit about why it's important to get hacked. Or, first of all, let's talk about what not to expect from this talk. So, heavily paraphrased: success is 10% inspiration and 90% preparation. Like I said, heavily paraphrased from Thomas Edison, but actually I say this talk is 10% preparation and 90% improvisation. What does that mean? I don't know shit about what's gonna happen, to be honest, because I don't know the target that I'm going to attack, and I don't know the outcome, and I don't know the security issues that this target might have. So everything you see here is gonna be done live, and gonna be done in comparison to other stuff that I did before, and of course together with you. If you have any questions, let's wait and keep them until the end.

So this is kind of an agenda. Intro and what to expect, we already did, yay. And now I'm going to talk a little bit about why it's important to hack yourself. Then we're gonna hack some stuff, and if we find stuff and we still have time, we're gonna hack some more stuff. Sounds like a good plan to everyone? Okay, cool. And of course we've got FAQ, but who cares.

So first of all, why do you want to hack yourself? Why would you even care? First of all, to get more secure. Wow, what does it even mean, getting more secure? Let me tell you a small story. Raise your hands: who here has locked themselves out of their front door at one time in their life? Yeah, right. It sucks. So of course, one time I of course locked myself out. What's happening here? Okay, my new keyboard is acting up, but just an FYI, this is not my actual door.
So, but I locked myself out when I first moved into my new home, and I panicked, because I'm like, okay, it's raining, because I'm from Germany, it's always raining in Germany. So I locked myself out and I need to get back in, because I'm cold, I'm freezing, I'm young and I'm unprepared. Great. So I started basically to get into everything that I could and somehow find a way to get in. And believe it or not, I did. I did it without a locksmith. I was able to jam a window open, get into my house and open the door. So I was really, really excited and really, really happy about that, right? So as you can see here, really happy. Yay, door's open.

But then I started to wonder: if I can get in that easily, who else, right? Because okay, this was pretty easy. I just jammed a window open, got in, and all my stuff is there. I was sleeping there. Other people may be sleeping there. Ah, that's not really great. So I started to think about how I can secure everything, how I can make my door more sturdy, for example, how I can secure the way that my window opens, and stuff like that. That is basically the comparison to why you should hack yourself: because if you know that there are vulnerabilities, at some point you can fix them. You don't know what you don't know. Pretty easy, right? So that's one part. This is actually not my door, but it's a more secure door. So the key takeaway of this one is: you only know what you know.

The other reason why you should hack yourself: to understand your website better. It's not only about knowing where the vulnerabilities are, but maybe where other stuff lies, how your website functions. It will make you a better coder, it will make you a better entrepreneur, and it will make your website better on its own. So ask yourself the following question: first of all, what is the main goal of your website, right?
For example, selling products, publishing information, collecting for a cause, everything. You can do that with WordPress, because basically with WordPress you can do everything. But ask yourself: what can I do with my website? What's the main goal, and how can people accomplish that? And you figure it out. Okay, I'm selling a product. I'm selling these lovely t-shirts, for example. People can go in, click on store, select their size, put it in the cart, buy it, we ship it. Perfect. Everyone is happy. Everyone has a nice shirt.

So, but how would you not want people to accomplish that? You want them to pay, right? You don't want people not to pay for your shit and you ship it out and they get it for free. So, for example, if it's possible to manipulate your checkout process and enter a zero instead of, I don't know, 12.99 for the shirt, and they still get it checked out and you ship it, that's a loss for your business. So then go in and check: what is the security mechanism behind it? For example, in your checkout cart, if it's not possible to manipulate the amount that the people are paying for it, it's great. But maybe it's possible to circumvent that, and basically go in and check out different ways to do that. Really play around with it, so you can keep your shirt or get the money, right? And if you're trying and if you succeed with it, great. But if you basically succeed with it and can circumvent it, it's personally my opinion even better. I know the slides say otherwise, but my personal opinion is that if you can circumvent your own security mechanisms, you have a way better understanding of your website, of your product, and how hackers think. And that's the main goal of the whole exercise. So the key takeaway here is: think like a hacker to secure your business.

So, and this is my favorite part. So who here is a coder? Show of hands. Okay, who here is a project manager?
Oh, there we go. And who here is C-level, or runs a business, or some other higher-level manager? Okay, perfect. These people, these three, four, five people that answered the last question: can you tell me one thing, would you believe that security is the opposite of speed? Okay, I see some people nodding, I see some people shaking their heads. Okay, let me ask around. What is the opposite, or what is the purpose, of brakes on a car? When you drive a car, right, you have brakes. You should have, or you have a Flintstones car, but I don't care, so even that has brakes. So what is the purpose of a brake on the car? Just shout it out loud. Just stop. To make the car go slower, right? Well, actually, no. So it's the opposite. It's allowing you to go much faster. The reason is, if your car did not have brakes, you would need to be very, very careful while driving, because you need to anticipate every single thing that happens in front of you, beside you, behind you. But if you have brakes, you somehow have the ability, in unforeseen circumstances, to brake, to stop your car, to exit the car, everything. Without brakes that won't be possible. So brakes don't slow down your journey. They make everything go faster.

So let's take this comparison a little bit further, between brakes in the car and security in software development. Okay, brakes on the car help prevent accidents. Great. Security in software development does the same: it provides safety for everyone involved, of course, right? Horrible things can happen if any of these things fail. If your brakes fail, yeah, okay. If security in software development fails, your t-shirt goes out for free. Not a great thing. So it can be operated by anyone? Not really, for security and development. And it does not come as a factory default. Of course, we've got frameworks.
We've got WordPress. Perfect. There's a lot of security testing ongoing in WordPress, so we have a kind of secure environment. But each minor and major release has security fixes. Same goes for plugins, same goes for hosting, same goes for themes, everything. However, this stuff happens, especially in custom environments. So it's really, really important to understand that once a thing fails, it can break down your whole business. It can break down your whole operation, and it can really slow you down, in a manner where your team cannot work because it's basically fixing everything. Or let's take the example of ransomware. If you don't have a proper backup system, or your backups get encrypted too, your business will be down for a time, unless you pay or you find a decryption key. So you will lose money, you will lose time and effort, and also people will get really, really, really annoyed with other people, because ransomware is a bitch to fix. Okay, that's a lot of talk. So the key takeaway: speed up by not slowing down your overall process.

So all three key takeaways together would be: you only know what you know, and only what is known can be fixed. Of course, you should think like a hacker, be one step ahead and secure your business. And speed up by not slowing down your overall process. Okay, great.

So let's hack some stuff. Who's excited to hack some stuff? Come on, come on, people. Okay, don't get too excited. The reason is, I don't know what's gonna happen. So I went outside and asked random people, "Hey, you have a WordPress site?" Most of them said, "Of course, yes." I said, "Cool. Do you want to get hacked?" And they said no. I said, okay. But then I found this guy, Ludwig. Ludwig is somewhere here. Yeah, hi Ludwig. He said, "Yeah, of course, try to hack me," and I'm like, okay, that's gonna be fun. So I don't know what's gonna happen. I did three things in preparation. I don't want to attack his live website.
So I created a copy, put it on my own server, and created a subdomain, and everything was moved over. I did not touch a thing. I did the same server config, I did the same WordPress, the same database, same version, same plugin versions. Everything is the same. Well, Ludwig also felt very confident that we don't find anything. So I do this stuff a lot, I do this stuff daily, and I usually find things. So Ludwig, you're very confident about security. Let's check out your website.

First, I already loaded some stuff that I use to hack websites, the reason being we don't have that much time. So what you can see here is called Burp Suite. Burp Suite is basically something where you can see all the requests that are happening in an application or a browser. It collects all the information, and you can manipulate, you can repeat that information, you can do all kinds of stuff with it. So I'm using this to first analyze the website. Prior to me doing that, there's one great tool out there that I will use in a second. It's called WPScan. WPScan was recently, I think about two years ago, acquired by Automattic. It's a great tool to basically scan your own website, or other people's websites (don't do that), scan your own website for security issues and vulnerabilities in plugins, themes and everything. So I will run that while we are doing our other reconnaissance. So just give me a second, I need to open a terminal here. Also, I apologize for the clunky, hacky development thing here, but my keyboard broke. So that was fun.

So this is the URL where I basically put in the website from Ludwig. Let's just check if it starts running. Oh. Oh, okay, okay, perfect. It's running. During that time we will just see what Ludwig's business is all about. Okay, banking. That's nice. Ludwig is sure about this? Ludwig is gone. Ludwig, this is your website, right? Let's just make sure. Okay, it is.
Oh, that's Ludwig. If you see him, pull him back in, please. So it seems like basically they are a provider for banking solutions. Okay, got it. So, but there is no actual banking going on here. I'm really happy about that. Okay, we can see it's already multilingual. Okay, it's using, I think I know what plugin they are using. Let's check further. I'm just clicking around the whole website to get information, or basically get a feeling: what are they all about, what do they do, and what's important for their business, right? Uh-huh. Okay, they are also issuing credit cards. Great. And this will be, okay, contact. Contact forms, always fun. Oh, yeah, perfect. You've got a contact form. Okay, but other than that it's pretty static from what I can see. That's a bummer, but that might be boring, but let's check out what WPScan put out.

So as you can see, we ran the scan and it also gives us some, yeah, interesting stuff. So we know it runs on nginx. robots.txt, there's nothing in there. XML-RPC is enabled, which is great for me, because with XML-RPC you can do stuff easier when there's another vulnerability. So, detected must-use plugins, great. External WP-Cron, yeah. Oh, it's the newest WordPress version. Good for you. It's not the newest theme version. That's good. So I would just check if there are any vulnerabilities known with this version, basically. Contact Form 7, and wow, this is an old one. It's 5.1.1. So, and there's a lot. There's a lot going on with Contact Form 7. Okay, what we've got here: WordPress SEO. So we've got Yoast. Any Yoast people here? Okay, we'll shut up. You're also pretty secure, actually, so that's good. There are no config backups. Okay, good.
So we found some out-of-date plugins and themes. So what I can do with this information is, basically, I can check and roam around the internet and try to find out if there are any known vulnerabilities for that. But prior to that, let me just take a step back for a second and explain what we just did. So I ran the WPScan scanner, which gives me some information that I can later use. In addition, I let Burp Suite basically monitor every connection that I made, with the GET and with the response. So if I find something interesting, I can try to manipulate that and just see, hey, is it possible to create something that should not happen on this site, right? But that's of course a lot, because we clicked around a lot, but we can filter later on. But right now, what we did is reconnaissance, and I need to do a little bit more reconnaissance.

So what I want to know from Ludwig's website is if he has secured his wp-admin panel. Yeah, he did. Okay. That's pretty neat. So this is good, because most script kiddies (script kiddies are people that just run scripts instead of doing real hacking, so they download stuff they find on the internet and run it), of course a lot of these script kiddies will basically crash your site, because they will fire thousands of requests per second, basically a DoS or DDoS attack, and they will do it on the wp-admin with basically credential stuffing info. So what that means is they will try to find a way into your WordPress back end, because if they get a way into the WordPress back end because you use admin as a user and password as a password, they don't need to do any hacking, right?

So on that point, there is something else, because what most people forget, even with securing the wp-admin, is that you need two things, at least two things, to get access to the wp-admin, right?
First of all, you need the username. Second of all, you need the password. The password might be hard to guess, but what about the username? So there's an API endpoint in WordPress, wp-json, basically. Excuse me. Oh, yeah. Thank you. This is good info. Why did I, what did, ah? Yeah, if that happens, that would not be fun, at least not for Ludwig. This is an endpoint, /wp-json/wp/v2/users, which is most of the time not secured, and yep, bingo, we can find basically the name, this very nice name, or the login (depends, or we can just use the name, that's also fine) of the admin, or of other people that used to log in, or everyone that is basically registered on this site. Yeah, and also we found me, because Ludwig created an account for me. So when I got this information as a script kiddie or as an attacker, I have 50% of what I need to do basically an attack on WordPress, because I already got the name. Now I only have to guess the password, which might be a little bit hard, granted, but 50% complete, so to speak. Thank you very much.

Okay, so WPScan has finished. We found some stuff. I will come back to that in a second. However, I created something. I created some tools to make everything much easier for me, right? We don't need the WP user finder, because I can basically just use this route. But the WP user finder uses additional methods, because, for example, even if you lock this one down here, you still might have comments, or you still might have blog posts, that have names in there, from which I can then go ahead and try to guess or try to get the admin panel user, right? So we don't need that.

WP config finder. This is also a great one. Okay, I'm bragging, because I wrote this one. But the thing is, people, if they create a backup of their site, or they want to change stuff and they read somewhere, "Hey, you need to put this in wp-config," what do they always do? Because everyone tells them to create a backup, right?
And most of the time this is wp-config.php.backup, but not always. So what I did, I created this small tool which basically just checks for a lot of stuff and endpoints. Let me check. That basically checks all kinds of endpoints of wp-config, right? So it goes in (don't mind the double slash, it doesn't matter) and checks if these PHP files are actually there, because since the files are usually not named .php at the end, they get rendered. And that's bad, because if your wp-config is exposed, it doesn't matter how secure WordPress is otherwise. If I get access to the database, if I get access to the salts, it doesn't matter. Okay, why are these running? I also have another tool. So I've been doing this for a long time, so I kind of know where the usual suspects are, right? However, that should never ever stop anyone who tries to go into business in doing these kinds of things. This is of course a demonstration, and I'm pressed for time, so I'm doing everything very, very fast. So if you want to talk about this further, I'm always happy to chat over water, beer, whatever. I'll be here all weekend, so let me know.

But that being said, first of all, we did not find any wp-config backups. This is good. Thank you, Ludwig. You're kind of secure. He did not come back. Okay, so, let's check my vulnerable config finder. So basically what this does: it has a lot of domains and a lot of endpoints, which it basically goes through and tries to exploit stuff, and always uncached, right, so that's why I always add a nonce there. This is basically it. It does not do anything else. But the reason why I needed to do this is basically because I didn't want to do it all by myself, by hand. So here we go. Now it runs. So it just runs. Okay. So this is interesting, because WPScan, of course, I'm using the free version to show you how it is, and not using the paid version of WPScan, so it might not get the results that I expected.
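Two of the reconnaissance findings above are things a site owner can close in a few lines: the unauthenticated /wp-json/wp/v2/users route handing out login names, and XML-RPC being left enabled as a second login surface for brute-force tooling. The following must-use plugin is an added example written for this page; it is not code from the talk, from WPScan, or from Ludwig's site. It assumes a current WordPress install where nothing legitimate (some mobile apps and connector plugins do use XML-RPC) needs anonymous access to the users route or to XML-RPC, and the file name is an arbitrary choice.

```php
<?php
/**
 * Plugin Name: Harden user enumeration and XML-RPC (added example, not site code)
 *
 * Save as wp-content/mu-plugins/harden-enumeration.php. Must-use plugins load
 * on every request without activation. Assumption: no anonymous integration
 * needs the users REST route or XML-RPC; check before deploying.
 */

// Hide every route under /wp/v2/users (the list, /users/<id> and /users/me)
// from visitors who are not logged in. Anonymous callers get WordPress's
// normal rest_no_route 404 instead of a list of login names. Logged-in users,
// including editors using the block editor's author picker, are unaffected.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Turn XML-RPC off entirely. With this filter set, xmlrpc.php still answers,
// but every method call is refused, so it is no longer a second login form.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint in the X-Pingback response header as well,
// so scanners like the one run above no longer see it listed.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After dropping the file in, an anonymous request to /wp-json/wp/v2/users should return a 404 with code rest_no_route, while the same request with a logged-in cookie or an application password still works. As the speaker notes, this only closes one source: author archives, post bylines and comments can still reveal display names, so the real fix is to pair this with strong, unique passwords and ideally two-factor authentication on every account that can log in.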
However, okay, Contact Form 7. Oh, unrestricted file upload. Oh, yeah, that's bad. However, in my info, because I get this one a lot, I need to check if on that page the contact form actually has some file upload. I can see it does not, so we can't exploit that. However, Ludwig, you really, really need to update your plugins. And so let's just check what this vulnerability is all about. So I always put my sources in here. Okay, so, yeah, as I remember, there were for example many sites that used an upload form with Contact Form 7 that had the possibility to not only upload one file but multiple files, and it filtered out basically some file names that it didn't want, because, for example, they don't want to execute PHP, right? So it did put a filter in there. Makes sense. However, you can circumvent that, as far as I remember (I am remembering right, this is good), if you use special characters and use Unicode characters. It still got executed, and then you could upload a file which basically gave you a web shell, or anything that you wanted, and basically go in and do whatever you wanted on that site. So Ludwig, you're kind of vulnerable to that, but not really, because you don't have an upload form. But it's still pretty, pretty bad.

Okay, the other one was with BackupBuddy. Okay, BackupBuddy is great. The tool is actually really good, and usually you don't find these things unless you really know where to look, because BackupBuddy only works on the back end of WordPress. So you can't really just go in on the front end and see, hey, is there anything that BackupBuddy might do? So, however, this one is multiple reflected cross-site scripting stuff. Okay, let's check this out. So which version was it? 8.8.1? Okay. This plugin does not sanitize and escape some parameters before outputting them back in various places. That's the usual stuff that happens with cross-site scripting. So, for everyone who's not that familiar:
What is cross-site scripting? Cross-site scripting basically means that, as an attacker, I can create a URL with your domain, but with some strings in the URL, and if you click it, for example, JavaScript gets executed. Which is fucking great for an attacker, because I can send you stuff like, "Hey, click this link," and I've got your WordPress session. I can get it back, because the JavaScript sends it to my control server, for example. Or click this really nice link and you will download something and execute it. So that is basically cross-site scripting. So what we can see here is that there are multiple, or there are not multiple ways to do that, but there are multiple versions of it. Okay, since we've got 8.8.1. Okay, but it's on the admin side, which is also great because, I mean, it's not that great that we can't really exploit it from an attacker perspective without being authenticated, but we can still try to authenticate ourselves, right?

So let me just go in here. So Ludwig created an account for me, the good one. So let me just log in here. Funny enough, of course, I did not get the password, because I seem not to have copied it correctly. Okay, that's great. Let me just check my username and password that Ludwig created for me. Oh dear. That might take a while. In the meantime, feel free to roam around. Okay, hopefully this works. Bingo, we're in. Okay, cool. So, also, hey man, there are six updates, Ludwig. He told me you're secure. Let's check out the updates just while we're here. In the meantime, let me just check out what this was. Since we are above 8.8.1, we could use this. Okay, got it. So as we can see in this example here that WPScan actually provided, basically this is all we need. We need this string to execute the latter. So let me just show you how this would look. So as you can see, here is a character which is basically a double quote, which makes sure that basically the URL ends here, right, and the script part begins here.
So everything I put afterwards gets executed, hopefully, because otherwise I look like an idiot. Okay, that's right. We should see a pop-up. We got it. Perfect. So what does this mean right now? It just says XXX, which is fine, but I can put in whatever I want here, right? Yeah. So everything that I put in here should get executed. It does not. Okay, because it still needs to be escaped here. Bingo. This is good. This is good stuff.

So, but what's the harm in that, right? It's just a pop-up. However, this pop-up is only for demonstration purposes. So what I'm going to do here, I'm going to show you what you could get as an attacker. As you can see here, we've got the document cookie. If I take this, and this is the browser cookie that I, as Matt Tester, I'm logged in right now, this is my cookie for WordPress. If I take this cookie and send it over with a script to my server, I receive it locally, and then I guess the attacker can log into WordPress. That's the problem with cross-site scripting. Anyone get me so far? It's totally fine if you don't get it. Raise your hand if I should explain more. I'm totally confident. Yeah, okay, perfect. Thanks. Okay.

But this is just one example of cross-site scripting. Yes. Yes, I have some other stuff that makes it maybe a little bit more clear. For example, I've got this one, right? So this renders a whole new, granted, pretty ugly, a whole new login form. So I can use this one for phishing easily. I can put all the HTML I want in that. I can even include additional scripts. I can include a Stripe script, I can include a PayPal script, I can include everything, a whole website. And I could even include the WordPress login, so the wp-admin, I can render it again, put it in the middle, make it beautiful in CSS, center it in CSS, however that goes, and people will log in because they think, "Oh, I got locked out again."
"My session is done," and they will input everything, and as an attacker I will have username and password as well. So Ludwig, wherever you may roam right now, you should secure that. Let's see if we have everything else. Yeah, are we on time currently? I'm good. Ah, perfect. Nice. Okay, so we've got BackupBuddy. Okay, this is great.

So let's check what Burp Suite has to say for us. Like I said, it captures every request I make in that browser, right? And there is a lot of stuff. For example, if we go to, yeah, I'm just gonna filter by script. We've got jQuery, we've got the DV scripts, okay, that's fine as well. But we could also see in the request attributes if there's anything that we can alter that might give us some more, yeah, access, right? This is all GET. There is of course no POST, because we did not post something to the site. This was after I logged in. No, this was, yeah, this was after I logged in. But this is a great example as well. So basically we have the value here from the cookie, right? This is the value that we also got when we attacked this one here, right? However, I can't do anything with that right now. But just to give you an example of what I could do if this was a more vulnerable state of the WordPress website: this cookie I could easily alter by sending it to the Repeater, and I have everything in here that I want, right, including the request cookies. Sometimes I need to go in and alter this cookie. I can input anything I want here, right? So if I do that and I'm still logged in, or I still get a valid response, then I know that I can do cookie manipulation, and use that maybe to escalate my privileges, for example. Currently, I'm logged in as Matt Tester.
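The BackupBuddy finding described above ("does not sanitize and escape some parameters before outputting them back") is the textbook reflected cross-site scripting pattern, and the double quote the speaker uses to end the attribute early is exactly why escaping has to match the HTML context. The following is an added example written for this page, not code from the talk or from BackupBuddy: a hypothetical plugin admin page that echoes a request parameter, first the way WPScan describes and then fixed. It assumes it runs inside WordPress (esc_attr, esc_html, esc_url, sanitize_text_field, wp_unslash, add_query_arg, admin_url and wp_json_encode are core functions); the parameter name filter and the page slug example-backups are made up.

```php
<?php
/**
 * Added example, not plugin code: reflected XSS in an admin page, before/after.
 * Assumes WordPress core is loaded. Names prefixed example_ are hypothetical.
 */

// BEFORE: the request parameter goes straight into an HTML attribute.
// A value containing a double quote closes the value="..." early, as shown
// in the talk, and whatever follows is parsed as markup and runs in the
// logged-in admin's browser when they open the crafted link.
function example_filter_box_vulnerable(): string {
    $filter = isset( $_GET['filter'] ) ? $_GET['filter'] : '';
    return '<input type="text" name="filter" value="' . $filter . '">';
}

// AFTER: sanitize on input, escape on output, picking the escaper for the
// exact context the value lands in (here: an attribute, so esc_attr()).
function example_filter_box_fixed(): string {
    $raw    = isset( $_GET['filter'] ) ? wp_unslash( $_GET['filter'] ) : '';
    $filter = sanitize_text_field( $raw ); // strips tags, control chars, stray whitespace
    return '<input type="text" name="filter" value="' . esc_attr( $filter ) . '">';
}

// The same value used in three other contexts needs three other escapers;
// esc_attr() alone is wrong once the value leaves an attribute.
function example_render_page(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // admin-only page; unauthenticated users never reach this output
    }
    $filter = isset( $_GET['filter'] ) ? sanitize_text_field( wp_unslash( $_GET['filter'] ) ) : '';

    echo example_filter_box_fixed();

    // Text node between tags: esc_html().
    echo '<p>Showing backups matching: ' . esc_html( $filter ) . '</p>';

    // URL in an href: build it with add_query_arg(), escape with esc_url().
    $link = add_query_arg(
        [ 'page' => 'example-backups', 'filter' => $filter ],
        admin_url( 'admin.php' )
    );
    echo '<a href="' . esc_url( $link ) . '">Permalink to this view</a>';

    // Value handed to JavaScript: wp_json_encode() emits a safe JS literal.
    echo '<script>var currentFilter = ' . wp_json_encode( $filter ) . ';</script>';
}
```

One caveat on the cookie-stealing demo: WordPress core sets its own auth and logged-in cookies with the HttpOnly flag, so document.cookie will not normally hand a script those two values. That is defense in depth, not a fix: an injected script still runs inside the admin's authenticated session, can issue requests on their behalf, and can render the fake login form the speaker shows. Escaping every output (and applying the plugin update) is the fix; cookie flags only limit the blast radius.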
Maybe Matt Tester wouldn't be an admin. Maybe the only admin would be admin or Ludwig, but I would be a contributor, right? I can then go in and check if that cookie has attributes in it which define the role that I'm in, right? For example, contributor. Change that to admin. If that works, bingo. So luckily WordPress is very secure that way. Other plugins for WordPress that use these kinds of things might not be, but in this case, in this case we're golden. So okay, that's good. Let me just check something else here on the site. Where is it? So we've got that, we've got the login, we had the contact form. The WordPress was up to date, if I recall right. Let's just, it was 6.1.1. Yeah, okay, got it.

Okay, so overall, Ludwig, I know you're not here anymore right now, but overall I would say, yeah, your website is okay-ish secure. So I would need to do either one thing: convince you to put an upload form on your contact form, and that's not gonna happen, or I can send you a phishing link, right, a phishing link that I prepare to use the cross-site scripting method and do whatever I want, for example put in the wp-login form, or I will input a cookie session stealer, or any kinds of things. I could even put a keylogger, because JavaScript will log every keystroke if I tell it to. So, and doing that, it might be a good idea for you to upgrade your plugins.

So, okay, before we move on to the next target (I don't think we actually have time for the next target), I have something else for you. So, prior to my job, I've worked at a managed WordPress hoster. I'm still head of security there. We did a little round with about 40 to 50,000 WordPress websites a year. So what do you think is the most common way a WordPress website gets hacked? Just shout it out. Outdated plugins. Okay, we've got outdated plugins. Anyone? Or themes. Okay, anything else? Brute force. What do you mean by that? Password brute forcing. Okay. What else have we got?
Excuse me? Come on. Usernames, same as brute force, but yeah. What was here? Come on. Pass... Excuse me, what? Exact, for example. Yeah, premium themes or plugins that were downloaded not legally but from some sites, so we get it for free. There's a raise of hand over there: outdated PHP. Okay, yeah. Configuration of the server, yeah. Oh shit, yeah, this is crap web host, yeah. Okay, and over there, can you repeat that? Sorry? Perfect. So all of them are great, and all of them are true. What do you think is the most common one? Simple passwords is right. Simple admin password is right, because I have seen people using so many security plugins, configuring everything right, wrong and right, sorry, configuring everything right, doing a lot of stuff on their front end, and then using admin / password123. I kid you not. I kid you not. So at one time, at my own company, I went in and I created a script, basically, that went through everything, compared the hashes to the most common passwords, and then emailed that user: "Hey, please change your standard password for everything." Luckily, WordPress already has some great stuff to prevent that, but yeah. Okay, perfect. Okay, great.

That was basically a small demonstration. We didn't get that far, but we had a little fun with it. I hope you enjoyed it. I know hacking is not all that glamorous as the movies are trying to tell us, with boxes and blocks building out together, but I still find it fun. Love it. And if you have any questions, please feel free to ask them now. And also, if you want to chat a little bit more, I'm roaming all around here. I'm the only one here, so I don't have any friends here, so let me make new ones. Okay, thank you very much, y'all.
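The audit the speaker describes at the end, checking stored hashes against the most common passwords and emailing the owners, can be done on your own site without ever handling plaintext from the database. The script below is an added example written for this page, not the speaker's script; it runs under WP-CLI with wp eval-file and uses core's own wp_check_password(), so it works whichever hash format the install uses. It assumes WP-CLI is available; the candidate list is a constructed sample (use a real breached-password list in practice) and the file name and example_ prefix are arbitrary.

```php
<?php
/**
 * Added example, not the speaker's script: flag accounts whose password is on
 * a short list of very common passwords, using only the stored hashes.
 * Run on your own site:  wp eval-file weak-password-audit.php
 * Assumptions: WP-CLI is installed; the list is a constructed sample.
 */

// Constructed sample list. Every candidate costs one hash computation per
// user, so keep it short when running against a large site.
const EXAMPLE_COMMON_PASSWORDS = [
    'password', 'password123', 'admin', 'admin123', '123456', 'qwerty', 'letmein',
];

/**
 * Returns [ user_login => user_email ] for every account whose stored hash
 * verifies against one of the candidates. The login name itself is tried too,
 * which catches the "admin / admin" case from the talk.
 */
function example_audit_weak_passwords( array $candidates ): array {
    $weak = [];
    // get_users() returns WP_User objects; the stored hash is in ->user_pass.
    // On very large sites pass 'number' and 'paged' to batch this.
    foreach ( get_users() as $user ) {
        $guesses = array_merge( $candidates, [ $user->user_login ] );
        foreach ( $guesses as $guess ) {
            // wp_check_password() verifies the guess against the stored hash for
            // every scheme core has used (legacy md5, phpass, bcrypt). Passing the
            // user ID lets core upgrade a legacy md5 hash in place as a side effect.
            if ( wp_check_password( $guess, $user->user_pass, $user->ID ) ) {
                $weak[ $user->user_login ] = $user->user_email;
                break;
            }
        }
    }
    return $weak;
}

$hits = example_audit_weak_passwords( EXAMPLE_COMMON_PASSWORDS );
if ( empty( $hits ) ) {
    WP_CLI::success( 'No account matched the sample list.' );
} else {
    foreach ( $hits as $login => $email ) {
        // The talk's remedy is to notify the owner. A stricter follow-up is
        // `wp user reset-password <login>` for each hit, which invalidates
        // the password and mails a reset link.
        WP_CLI::warning( "User '{$login}' ({$email}) uses a very common password." );
    }
}
```

Because only the hash comparison is performed, nothing sensitive is written anywhere; the output is the list of login names to contact. The same loop is the place to add a check against a larger breached-password list, or to enforce a reset for any hit on an account with the administrator role.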