So we're typically going to realize we're dealing with the CMS after an nmap scan. Right. So we've done an nmap scan, we can see port 80 is open. So we're dealing with an Apache server here with PHP, and we already see WordPress everywhere and WordPress versions. Now you can of course Google that version of WordPress and see if there's some type of core vulnerability for it. But I would probably wait for WPScan to get
Also, if you go to the site itself, you can see "this is just another WordPress site." Well, that's a clue. Right, "proudly powered by WordPress." You also look at the source of the page and see where it says WordPress. If you know the directory structure, wp-includes, you know you're dealing with... wp-content, you know you're dealing with WordPress. So these are just the various ways you can look at it. You can also do Wappalyzer, which is my favorite.
You can see it as WordPress and of course phpMyAdmin. Now if we know anything about that, it's that if we have access to phpMyAdmin we can see the underlying MySQL database of the website. So that could be important for a later hint. So let's now run WPScan.
I'm not using the API token. You're going to need the API token for the lab, I'm just saying. And it will tell you, it will say you can get a free API token with 50 daily requests by registering, and here it is. It's free, register for it.
So it will tell you from the top: interesting findings, headers, robots.txt. XML-RPC seems to be enabled. That's a great way to brute force passwords. Another hint.
And if we look at plugins we see Memphis Document Library. Well, we can also get a version, 3.1.4. So magically I have this page up here: WordPress plugin Memphis Document Library 3.1.5. But it also affects 3.1.4. It's an arbitrary file download.
And for the proof of concept it's a curl request to download the wp-config file. Why is that important? Why do they have that as their proof of concept? Well, I will show you. First, I'll put this on one line. And of course we don't... example.site.com. We need to put our site. And now we've downloaded the example wp-config file.
And that's good because we get information about a database name, the database user and the database password.
So let's go back to WP, uh, to phpMyAdmin. So not surprisingly, phpMyAdmin is in the phpMyAdmin directory. When we go here we should get this page without the username. Sometimes the username's in there. I tried root, but we already have the information here for the database user and the database password. Now that worked.
So if you have the PEN-200 or PWK material, they do some stuff in phpMyAdmin. But let's take a look at Vietnam E. WordPress and wp_users. So we can see we have one user here. My question is, is it easier to brute force the password or is it easier to just insert a new user? I think it's easier to insert a new user. We'll name them admin.
Now we need to put the password in, encrypted in the same way that WordPress likes. So I've done my research and I have the password for admin. This is admin. It's encrypted, of course. I'm going to do my register date as today and I'm going to have my display name as admin. We're not done after we insert this, so it will tell you "insert into". It will tell you the nice syntax here. We can make sure that our admin user's in here, which they are now.
I needed to go to wp_usermeta and make sure that user ID two is also administrator, so a copy, make it two. And what that should do now is, if we go to log in as admin, we can use the password admin that we created, and now you can see we've logged into the dashboard. This should be good now, because now all we need to do is figure out how to modify or add a PHP file to get our shell.
Now what you can do is you can go to Appearance, Theme Editor, and what we're looking for is something that's 404. So I'm going to go to theme Twenty Twenty and look for 404.php.
Now, how do I figure out what my PHP shell should look like? Well, we have some options that are already enabled here by default. I can cat webshell. We know it's in PHP and we want to do... well, let's see what's in here. PHP reverse shell. So I'm catting this file. This is pentestmonkey's reverse shell. I've used it a lot. It's great.
There's only two things we need to change, so I'm going to paste it and I need to change... it says "change this." Right, that's helpful. 192.168 is my IP of my attacker box, 228, on port 1234.
So I need to do two things now. I need to set up my listener, netcat, -nlvp 1234. And also I need to figure out where this file is. That took some Googling. I'm going to hope and guess, because this is theme Twenty Twenty, that it is on our website at wp-content/themes/twentytwenty/404.php.
And now I see here that I'm daemon, or Damon, and I am on the server, 192.168.177.
So you can see, going from enumeration, from nmap to WPScan, finding a vulnerable plugin. We found the wp-config file, got into the phpMyAdmin database, added a user as an admin, and then got into the dashboard to modify the PHP of the 404.php page with our reverse shell, and then going to it in our browser we now have a nice shell where we can interact with the server.
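An added example from the defender's side, not code from the video or the lab: the inserted admin row above is exactly what a database audit should catch, so this script takes rows as a `SELECT` against wp_users and wp_usermeta would return them (constructed sample data, default `wp_` table prefix assumed) and flags administrator accounts that are not on a known list or were registered recently.

```python
"""Added defender-side example (not from the video): audit WordPress user tables for
rogue administrators, the persistence step shown above (a new wp_users row plus
administrator rows in wp_usermeta). Assumes the default wp_ table prefix."""
from datetime import datetime, timedelta

# Constructed sample rows, shaped like `SELECT ID, user_login, user_registered FROM wp_users`
WP_USERS = [
    {"ID": 1, "user_login": "wpuser", "user_registered": "2020-03-01 10:00:00"},
    {"ID": 2, "user_login": "admin", "user_registered": "2021-06-14 09:12:00"},
]
# Constructed wp_usermeta rows; WordPress stores roles as a PHP-serialized array
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 1, "meta_key": "wp_user_level", "meta_value": "10"},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_user_level", "meta_value": "10"},
]

def is_admin_meta(meta_rows):
    """True if any row grants administrator: the capabilities array names the role, or legacy user_level is 10."""
    for row in meta_rows:
        if row["meta_key"].endswith("capabilities") and '"administrator"' in row["meta_value"]:
            return True
        if row["meta_key"].endswith("user_level") and row["meta_value"].strip() == "10":
            return True
    return False

def find_admins(users, usermeta, known_admins, now, window_days=30):
    """Return findings for admin accounts not in the expected set or registered
    within window_days of `now` (a "YYYY-MM-DD HH:MM:SS" string, like user_registered)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    now_dt = datetime.strptime(now, fmt)
    by_user = {}  # user_id -> its usermeta rows
    for row in usermeta:
        by_user.setdefault(row["user_id"], []).append(row)
    findings = []
    for u in users:
        if not is_admin_meta(by_user.get(u["ID"], [])):
            continue
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in known admin list")
        if now_dt - datetime.strptime(u["user_registered"], fmt) <= timedelta(days=window_days):
            reasons.append("registered within %d days" % window_days)
        if reasons:
            findings.append({"ID": u["ID"], "user_login": u["user_login"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(find_admins(WP_USERS, WP_USERMETA, {"wpuser"}, "2021-06-14 12:00:00"))
```

Run it against a live site by replacing the constructed lists with the output of the two SELECTs; the same check applies to non-default prefixes because only the key suffix is matched.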