Wpwn
Running curl
on port 80 simply shows a basic greeting for the machine by the creator.
With nothing else interesting we move onto directory enumeration with dirsearch.py
.
With the common.txt wordlists we hit robots.txt and /wordpress. Robots contains no interesting information.
Moving over to the /wordpress directory we get the following page.
Other than this the WordPress site contains no interesting information. From here we can run WPScan
in order to try and identify further information.
WPScan
picks up the plugin ‘social-warfare’ as being installed and out of date.
Checking this against searchsploit
reveals a RCE against the running version.
The vulnerability has been assigned CVE-2019-9978.
Description:
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
The following GitHub shows a PoC for this exploit.
As per the GitHub description we need to create a text file that will be hosted on our attacking machine with the contents of what we want to execute.
First I hosted a Python SimpleHTTPServer
on my attacking machine.
I then downloaded the associated Python script and executed as per below.
In the example above the command included for test.txt was 'id'
. From here I replaced the command with 'which nc'
to see if netcat
is on the target machine and then run the exploit again.
As netcat
is installed we can replace the command in the test.txt file with that of a netcat
reverse shell.
Contents of test.txt:
I then set a netcat
listener on my attacking machine:
Running the exploit again hangs the script as we receive a reverse shell.
We then upgrade the shell:
Moving back one directory in the shell we can then read the contents of wp-config for any MySQL
database credentials.
We have gathered the credentials: wp_user:R3&]vzhHmMn9,:-5
From here I logged into MySQL
and took the WordPress administrator’s hash. I was however, unable to crack. Looking on the box we have the user ‘takis’ I decided to see if password reuse was in play and SSH
in as takis.
Now we are in as takis I then run sudo -l
to check sudo
permissions.
Looks like we can run all commands as any users without a password. A simple sudo /bin/bash
will spawn us a root shell.
ā