curl on port 80 simply shows a basic greeting for the machine by the creator.
With nothing else interesting we move onto directory enumeration with
With the common.txt wordlists we hit robots.txt and /wordpress. Robots contains no interesting information.
Moving over to the /wordpress directory we get the following page.
Other than this the WordPress site contains no interesting information. From here we can run
WPScan in order to try and identify further information.
WPScan picks up the plugin ‘social-warfare’ as being installed and out of date.
Checking this against
searchsploit reveals a RCE against the running version.
The vulnerability has been assigned CVE-2019-9978.
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
The following GitHub shows a PoC for this exploit.
As per the GitHub description we need to create a text file that will be hosted on our attacking machine with the contents of what we want to execute.
First I hosted a
Python SimpleHTTPServer on my attacking machine.
I then downloaded the associated Python script and executed as per below.
In the example above the command included for test.txt was
'id'. From here I replaced the command with
'which nc' to see if
netcat is on the target machine and then run the exploit again.
netcat is installed we can replace the command in the test.txt file with that of a
netcat reverse shell.
Contents of test.txt:
I then set a
netcat listener on my attacking machine:
Running the exploit again hangs the script as we receive a reverse shell.
We then upgrade the shell:
Moving back one directory in the shell we can then read the contents of wp-config for any
MySQL database credentials.
We have gathered the credentials:
wp_user:R3&]vzhHmMn9,:-5 From here I logged into
MySQL and took the WordPress administrator’s hash. I was however, unable to crack. Looking on the box we have the user ‘takis’ I decided to see if password reuse was in play and
SSH in as takis.
Now we are in as takis I then run
sudo -l to check
Looks like we can run all commands as any users without a password. A simple
sudo /bin/bash will spawn us a root shell.