Content Management Systems Demo

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
So we're typically gonna realize we're dealing with the CMS after end map scan. Right.
00:06
So we've done on any maps can we can see port 80 is open. So we're dealing with a Apache server here with PHP and we already see Wordpress everywhere and Wordpress versions. Now you can of course google that version of Wordpress and see if there's some type of core vulnerability for it.
00:23
But I would probably wait for WP scan to get
00:27
more information.
00:29
Also, if you go to the site itself,
00:32
you can see this is just another Wordpress site. Well, that's a clue. Right, proudly powered by Wordpress.
00:38
You also look at the source of the page
00:41
and see where it says Wordpress.
00:44
If you know the directory structure WP includes. You know, you're dealing with WP content, you know, you're dealing with Wordpress.
00:52
So these are just the various ways you can look at it. You can also do Apple Isar, which is my favorite.
00:57
You can see it as wordpress and of course PHP my admin. Now if we know anything about that is if we have access to PHP My admin
01:04
we can see the underlying my sequel database of the website, my sequel.
01:10
So that could be important for later hint. So let's now run WP scan.
01:18
I'm not using the api token. You're gonna need the api token for the lab, I'm just saying.
01:26
And it will tell you, it will say you can get a free api token with 50 daily requests by registering and here it is.
01:34
It's free register for it.
01:37
So it will tell you from the top interesting findings,
01:42
headers, robots dot txt
01:45
xml Rpc seems to be unable. That's a great way to brute force passwords. Another hint.
01:53
And if we look at plug ins
01:56
we see Memphis document library. Well
01:59
We can also get a version 3.14.
02:01
So magically I have this page up here. Wordpress plug in. Memphis document library 3.1 point five.
02:09
But it also affects 3.1.4 is an arbitrary file download.
02:16
And for the proof of concept it's a curl request to download the WP
02:22
Config file. Why is that important? Why do they have that as their proof of concept? Well, I will show you
02:29
1st. I'll put this on one line.
02:31
Yeah.
02:34
And of course we don't. Example dot sight dot com. We need to put our site
02:38
192168177.
02:42
And now we've downloaded the example
02:49
example WP Config file.
02:53
And that's good because we get information about
02:57
a database name,
02:59
the database user
03:00
and the database password.
03:04
So let's go back to WP uh to PHP My admin.
03:12
Mhm.
03:13
So not surprisingly, PHP my admin is the in the PHP My admin directory.
03:22
Now
03:23
when we go here
03:24
we should get this page
03:29
without the user name. Sometimes the user names in there. He tried route
03:32
but we already have the
03:37
information here for the database user
03:46
and the database password.
03:54
Now that worked.
03:58
So if you have the pen 200 or P. W. K. Material they do some stuff in PHP my admin.
04:03
But let's take a look at Vietnam E. Wordpress and WP user. So we can see we have one user here.
04:11
My question is it easier to brute force the password
04:15
or is it easier to just insert a new user? I think it's easier to insert a new user.
04:19
Well name them admin.
04:21
Now we need to put the password in the same encrypted in the same way
04:27
that Wordpress likes.
04:32
So I've done my research
04:34
and I have the password for admin. This is this is admin. It's encrypted. Of course
04:41
I'm going to do my register date as today
04:46
and I'm gonna have my display name is admin. We're not done after we add insert this
04:51
so we'll tell you insert into it. Will tell you on the nice syntax here.
04:56
We can make sure that our admin users in here which they are now.
05:01
I needed to go to W. P. Underscore user meta
05:05
and make sure that use ready to is also administrator
05:10
so a copy
05:14
make it two.
05:17
And what that should do now is if we go to log in
05:23
yeah
05:25
as admin we can use password admin that we created
05:29
and now you can see we've logged into the dashboard. This should be good now because now all we need to do is figure out how to modify or add a PHP file to get our shell.
05:42
Now what you can do is you can go to appearance, theme editor
05:46
And what we're looking for is something that's 4:04.
05:50
So I'm going to go to theme 2020
05:54
and look for 404 years 44 dot PHP
05:58
now. How do I figure out what my PHP shell should look like? Well
06:01
and Callie,
06:04
we have some options that are already enabled here by default.
06:09
I can cat
06:11
user share
06:14
web shell. We know it's in PHP
06:18
and we want to do well let's see what's in here.
06:21
PHP reverse show.
06:25
So I'm catching this file.
06:28
This is pen test monkeys, reverse shell.
06:30
I've used it a lot. It's great.
06:34
There's only two things we need to change
06:39
so I'm going to paste it
06:42
in here
06:43
and I need to change
06:46
says change this. Right, that's helpful.
06:49
192168 is my I. P. Of my attacker box 228 on port 1234
06:59
So I need to do two things now.
07:00
I need to set up my listener net cat
07:06
An l v p 1234.
07:12
And also I need to figure out where this file is
07:18
that took some googling.
07:19
I'm going to hope and guess because this is theme 2020
07:26
that it is on our website. WP content themes 2024 oh four dot PHP.
07:32
And now I see here
07:38
that I'm a demon or Damon
07:41
And I am on the server. 192168177.
07:47
So you can see going from enumeration from n map to WP scanned, finding a vulnerable plug in.
07:55
We found the WP config file.
07:59
Got into the PHP. My admin database, added a user as an admin and then got into the dashboard to modify the PHP of the four oh four dot PHP page with our reverse shell and then going to it in our browser, we now have a nice shell
08:18
where we can interact with the server.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By