Challenge Description

Our website has been breached multiple times. Now we even found a backup.zip in a public path and still can not find the backdoor.

Flag format: ctf{sha256}

Flag Proof

CTF{87702788126237df9c4a915fea9441345dc6b3a0272b214b2c31e50a8f89c4b1}

Summary

Found the backdoor written in the ‘functions.php’ file of the current WordPress theme, then used it to get the flag.

Details

Attackers often place their backdoors in the “functions.php” file of the WordPress theme, because that file is responsible for calling native PHP, WordPress, and other functions. Code added there can therefore perform any kind of operation.

This little guy was hiding there (wp-content/themes/twentytwentytwo/functions.php):

https://note.thefewchosen.com/pad/uploads/058eea6d-6a7a-4816-83e9-17f11434fdb2.png

So, I used this backdoor to get the flag (notice the URL):

https://note.thefewchosen.com/pad/uploads/33a42200-699b-4f65-9fe1-b1be2855f976.png

More info about WordPress backdoors here: https://www.wpbeginner.com/wp-tutorials/how-to-find-a-backdoor-in-a-hacked-wordpress-site-and-fix-it/.
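
A defender holding the same backup.zip can triage the theme files automatically instead of reading each one by hand. The Python script below is an added example, not part of the original writeup: the rule set, the function names and the sample archive are assumptions constructed for illustration, and the planted line is not the challenge's backdoor.

```python
import io
import re
import zipfile

# Heuristic rules (assumed, not exhaustive): PHP execution sinks and their inputs.
SINK = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_php(source):
    """Return (line_number, reason) pairs for suspicious lines in PHP source."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if SINK.search(line) and INPUT.search(line):
            findings.append((number, "request input reaches an execution function"))
        elif SINK.search(line) and OBFUSCATION.search(line):
            findings.append((number, "decoded data reaches an execution function"))
    return findings

def scan_backup(zip_file, theme_prefix="wp-content/themes/"):
    """Scan theme .php files in a backup archive; zip_file is a path or file object."""
    report = {}
    with zipfile.ZipFile(zip_file) as archive:
        for name in archive.namelist():
            if not (name.lower().endswith(".php") and theme_prefix in name):
                continue
            text = archive.read(name).decode("utf-8", errors="replace")
            hits = scan_php(text)
            if hits:
                report[name] = hits
    return report

def build_sample_backup():
    """Constructed archive: one clean theme file, one with a planted test line."""
    clean = "<?php\nadd_action('after_setup_theme', 'theme_support');\n"
    # Constructed test line for the scanner, not the backdoor from the challenge.
    planted = clean + "if (isset($_GET['c'])) { system($_GET['c']); }\n"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("wp-content/themes/twentytwentytwo/functions.php", planted)
        archive.writestr("wp-content/themes/twentytwentyone/functions.php", clean)
    buffer.seek(0)
    return buffer

if __name__ == "__main__":
    for path, hits in scan_backup(build_sample_backup()).items():
        for number, reason in hits:
            print(f"{path}:{number}: {reason}")
```

Pattern matching like this only narrows the search; comparing each theme file against a fresh copy of the same theme version catches changes that no rule anticipates.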