Exploitation
Now that we have valid credentials, let's log into the WordPress dashboard and explore some more.

Let's try adding some malicious code to the theme's PHP files so that we can execute arbitrary commands.
I added this line of code to the header.php file (Appearance / Theme Editor / Theme Header). Add it and save the file.

This allows us to execute commands on the target through the browser.
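From the defender's side, an edit like this leaves a recognisable footprint in the theme files. The scanner below is an added example (not code from the original write-up) that walks a theme directory and flags PHP lines where a request parameter reaches a command-execution or code-evaluation function; the sample snippets it ships with are constructed.

```python
"""Flag PHP files under a WordPress theme directory that hand request input
to a command-execution or code-evaluation function, the footprint an injected
header.php web shell leaves. Added detection example, not part of the original
write-up; the sample snippets below are constructed."""
import os
import re

# PHP functions that run OS commands or evaluate code.
EXEC_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Request superglobals an injected one-liner typically reads its command from.
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINK_RE = re.compile(r"\b(" + "|".join(EXEC_SINKS) + r")\s*\(", re.IGNORECASE)
SOURCE_RE = re.compile("|".join(re.escape(s) for s in REQUEST_SOURCES))


def scan_php_source(src: str):
    """Return (line_no, severity, line) tuples: 'high' when a request superglobal
    reaches a sink on the same line, 'review' when only a sink appears (the
    source may have been assigned on an earlier line, so a human should look)."""
    hits = []
    for no, line in enumerate(src.splitlines(), start=1):
        if not SINK_RE.search(line):
            continue
        severity = "high" if SOURCE_RE.search(line) else "review"
        hits.append((no, severity, line.strip()))
    return hits


def scan_theme_dir(theme_dir: str):
    """Walk a theme directory (e.g. wp-content/themes) and collect findings per .php file."""
    findings = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: an injected header line beside benign theme code.
SAMPLE_INJECTED = "<?php system($_GET['cmd']); ?>\n<?php echo 'theme header'; ?>"
SAMPLE_BENIGN = "<?php echo esc_html($_GET['s']); ?>"

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_INJECTED))  # [(1, 'high', "<?php system($_GET['cmd']); ?>")]
    print(scan_php_source(SAMPLE_BENIGN))    # []
```

Setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the Theme Editor this step relies on, so a compromised admin account cannot write such a line through the dashboard at all.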

Intercept and modify requests using Burp
Make the following configuration changes in Burp Suite before you begin.
Also make sure your browser is configured to use Burp's proxy address.

With the settings in place, refresh the browser request that triggers our code execution so that Burp intercepts it.

Now let's send the request to Repeater (right-click on the captured request and click 'Send to Repeater').
In Repeater, change the request method of our command from GET to POST (highlight the command, right-click, then select 'Change request method') and hit Send.
The output of the request shows we have code execution on our target.

Reverse shell
Next, let's try establishing a reverse shell.
A valuable resource I use to create reverse shell payloads is https://www.revshells.com/.
For this engagement, I used the nc mkfifo reverse shell. (Be sure to specify the IP address and port number of your listener.)

Next, start your listener.

With the listener waiting, let's add our reverse shell payload to the Burp request and URL-encode it.
To encode it, highlight the reverse shell payload and press Ctrl+U. With the payload encoded, click 'Send'.

Our listener gets a hit.

We have a shell on our target, but the shell is not interactive.
Let's make it pretty and interactive 😄.
To do that, we will need to spawn a TTY shell. The TTY spawn we use, however, relies on python3, so we first need to confirm which Python version the target is running.
Our target is running python3. Very nice!

Now let's spawn the TTY shell.
And now we have an interactive shell.

With the interactive shell now working, I combed through the directories on the machine, but I was limited in what I could do since I did not have sufficient rights. My next objective was therefore to elevate my privileges.