Premise

In this walkthrough post, we demonstrate how to move from local file inclusion to a remote shell on a WordPress website, using one of the cyberseclabs machines, which goes by the name CMS.

Machine Name: CMS

Difficulty: Easy

Skills Learned

  • WordPress Penetration Testing
  • Content Management Systems

Finding the Way In

My first step, as always, was to run an Nmap scan to see what services were running on the machine. The scan showed me that it was running a web server, and when I took a look, I found a WordPress site.

I immediately fired up WPScan, a tool specifically for finding vulnerabilities in WordPress. The scan quickly identified a plugin called “WP with Spritz” that had a known Remote File Inclusion (RFI) vulnerability. This is a serious flaw that allows an attacker to include files from a remote server, which can lead to code execution.

Getting a Foothold

Using the RFI vulnerability, I was able to read the /etc/passwd file on the server. This file lists the local user accounts on the system, and in it I found a user named “angel.”

My next thought was to see if I could find Angel’s private SSH key. I tried to access the id_rsa file in Angel’s home directory, and to my surprise, I was able to read it! This is a major security flaw, as this file should be private.

I copied the key, saved it to a file on my own machine, and then used it to log in as Angel via SSH. Just like that, I had user-level access to the machine.
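The requests described above (a plugin parameter pointed at /etc/passwd and then at a private key) leave a clear trace in the web server's access log. The following Python is an added example, not code from the original post or from cyberseclabs: it parses constructed Common Log Format lines, decodes each query-string value (twice, to catch double URL-encoding), and flags traversal sequences, sensitive local paths, remote URLs and PHP stream wrappers. The IP addresses, the plugin directory and the `file`/`page` parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access-log lines for demonstration (not from the
# original post). The IP addresses, plugin directory and the "file"/"page"
# parameter names are assumptions; the requested local files mirror the ones
# the walkthrough says were read through the inclusion bug.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-content/plugins/example-plugin/include.php?file=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /wp-content/plugins/example-plugin/include.php?file=../../../../home/angel/.ssh/id_rsa HTTP/1.1" 200 1679
10.0.0.9 - - [01/Jan/2024:10:00:19 +0000] "GET /wp-content/plugins/example-plugin/include.php?file=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:22 +0000] "GET /index.php?page=http://198.51.100.7/include.txt HTTP/1.1" 500 120
10.0.0.7 - - [01/Jan/2024:10:00:30 +0000] "GET /?s=hello%20world HTTP/1.1" 200 2048
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against each decoded query-string value.
INDICATORS = [
    ("path traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive local file",
     re.compile(r"/etc/(passwd|shadow)|/\.ssh/id_[a-z0-9]+|/proc/self/environ")),
    ("remote include", re.compile(r"^(https?|ftp)://", re.I)),
    ("php stream wrapper", re.compile(r"^(php|data|phar)://", re.I)),
]

def inspect_request(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    hits = []
    # parse_qsl decodes once; a second unquote() catches double-encoded payloads
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)
        for label, pattern in INDICATORS:
            if pattern.search(decoded):
                hits.append((label, key))
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "status": m["status"], "hits": hits}

def scan_log(text):
    """All findings for a block of log text, in file order."""
    return [f for f in map(inspect_request, text.splitlines()) if f]

def likely_disclosures(findings):
    """Findings where a sensitive-file indicator got an HTTP 200 back:
    treat that file as exposed (rotate the key, reset credentials)."""
    return [f for f in findings
            if f["status"] == "200"
            and any(label == "sensitive local file" for label, _ in f["hits"])]

if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ts"], f["ip"], f["status"], f["path"], f["hits"])
    print("likely disclosures:", len(likely_disclosures(findings)))
```

The status code matters as much as the indicator: a traversal request answered with 200 and a plausible body size means the file was served, so the key or password file it named should be treated as compromised, which is exactly the position the walkthrough's target was in once id_rsa was readable.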

Taking Over the System

Once I was logged in as Angel, I wanted to see what kind of privileges I had. I ran the sudo -l command, which lists the commands a user can run with sudo (which is like “run as administrator”).

I was shocked to see that Angel could run any command with sudo without even needing to enter a password! This is another huge security misconfiguration. All I had to do was run sudo -i, and I instantly had root access, giving me complete control over the machine.

In the end, it was a combination of the vulnerable plugin and the misconfigured permissions that allowed me to take over the system.
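The sudoers grant that handed over root here is a one-line misconfiguration that is easy to audit for. The following Python is an added example, not code from the original post: it parses two constructed sudoers fragments, the weak grant beside a narrowed one, and reports named users who can run `ALL` (the `NOPASSWD` form as critical). The user name is taken from the walkthrough; the service command in the fixed version is an assumption used only for illustration.

```python
import re

# Constructed sudoers fragments (not from the original post). The first shows
# the misconfiguration the walkthrough describes: a named user who can run
# any command as root without a password.
SUDOERS_WEAK = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
angel   ALL=(ALL) NOPASSWD: ALL
"""

# The same file with the grant narrowed to one specific, non-interactive
# command. The service name is an assumption used only for illustration.
SUDOERS_FIXED = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
angel   ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# user  host = (runas) [tags:] command, [tags:] command ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT):\s*)+")

def parse_sudoers(text):
    """Return (who, runas, nopasswd, command) for every command grant."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(
            ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
        ):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = m["runas"] or "root"  # sudo defaults to root when (runas) is omitted
        nopasswd = False
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            tags = TAG_RE.match(spec)
            if tags:
                # Tags are sticky for the rest of the command list.
                tagtext = tags.group(0)
                if "NOPASSWD:" in tagtext:
                    nopasswd = True
                elif "PASSWD:" in tagtext:
                    nopasswd = False
                spec = spec[tags.end():]
            grants.append((m["who"], runas, nopasswd, spec))
    return grants

def audit_sudoers(text):
    """Flag named users (root and %group entries are left for membership
    review) who may run any command at all."""
    findings = []
    for who, runas, nopasswd, cmd in parse_sudoers(text):
        if who == "root" or who.startswith("%"):
            continue
        if cmd == "ALL" and nopasswd:
            findings.append(("critical", who,
                             f"can run ANY command as ({runas}) without a password"))
        elif cmd == "ALL":
            findings.append(("high", who,
                             f"can run ANY command as ({runas}) with their password"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", SUDOERS_WEAK), ("fixed", SUDOERS_FIXED)):
        print(name, audit_sudoers(text) or "no findings")
```

Run against the real file with `sudo cat /etc/sudoers /etc/sudoers.d/*` piped into `audit_sudoers`; a `critical` entry means the account is effectively root already, so an SSH key leak like the one above becomes a full compromise with no further steps.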

Commands I Used

Here are the technical commands I used in the terminal during the demonstration:

  • sudo nmap -sC -sV 31.1.8
  • sudo wpscan --url http://31.1.8 --enumerate p
  • chmod 600 id_rsa
  • ssh -i id_rsa angel@31.1.8
  • sudo -l
  • sudo -i

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.