Content Management Systems Demo

Video Activity
Difficulty
Intermediate
Video Transcription
00:01
So we're typically gonna realize we're dealing with a CMS after an nmap scan. Right.
00:06
So we've done an nmap scan, we can see port 80 is open. So we're dealing with an Apache server here with PHP, and we already see WordPress everywhere and WordPress versions. Now you can of course google that version of WordPress and see if there's some type of core vulnerability for it.
00:23
But I would probably wait for WPScan to get
00:27
more information.
00:29
Also, if you go to the site itself,
00:32
you can see "just another WordPress site." Well, that's a clue. Right, "proudly powered by WordPress."
00:38
You also look at the source of the page
00:41
and see where it says WordPress.
00:44
If you know the directory structure, wp-includes, you know, wp-content, you know you're dealing with WordPress.
00:52
So these are just the various ways you can look at it. You can also do Wappalyzer, which is my favorite.
00:57
You can see it as WordPress and of course phpMyAdmin. Now if we know anything about that, it's if we have access to phpMyAdmin
01:04
we can see the underlying MySQL database of the website, MySQL.
01:10
So that could be important for later, hint. So let's now run WPScan.
01:18
I'm not using the API token. You're gonna need the API token for the lab, I'm just saying.
01:26
And it will tell you, it will say you can get a free API token with 50 daily requests by registering, and here it is.
01:34
It's free, register for it.
01:37
So it will tell you from the top interesting findings,
01:42
headers, robots.txt,
01:45
XML-RPC seems to be enabled. That's a great way to brute force passwords. Another hint.
01:53
And if we look at plugins
01:56
we see Memphis Document Library. Well,
01:59
we can also get a version, 3.1.4.
02:01
So magically I have this page up here. WordPress plugin Memphis Document Library 3.1.5.
02:09
But it also affects 3.1.4. It's an arbitrary file download.
02:16
And for the proof of concept it's a curl request to download the
00:22
wp-config file. Why is that important? Why do they have that as their proof of concept? Well, I will show you.
02:29
First, I'll put this on one line.
02:31
Yeah.
02:34
And of course we don't want example.site.com. We need to put our site,
02:38
192168177.
02:42
And now we've downloaded the
02:49
example wp-config file.
02:53
And that's good because we get information about
02:57
a database name,
02:59
the database user
03:00
and the database password.
03:04
So let's go back to WP, uh, to phpMyAdmin.
03:12
Mhm.
03:13
So not surprisingly, phpMyAdmin is in the phpMyAdmin directory.
03:22
Now
03:23
when we go here
03:24
we should get this page
03:29
without the username. Sometimes the username's in there. I tried root,
03:32
but we already have the
03:37
information here for the database user
03:46
and the database password.
03:54
Now that worked.
03:58
So if you have the PEN-200 or PWK material, they do some stuff in phpMyAdmin.
04:03
But let's take a look at the database, wordpress, and wp_users. So we can see we have one user here.
04:11
My question is, is it easier to brute force the password
04:15
or is it easier to just insert a new user? I think it's easier to insert a new user.
04:19
We'll name them admin.
04:21
Now we need to put the password in, encrypted in the same way
04:27
that Wordpress likes.
04:32
So I've done my research
04:34
and I have the password for admin. This is admin. It's encrypted, of course.
04:41
I'm going to do my register date as today
04:46
and I'm gonna have my display name as admin. We're not done after we insert this,
04:51
so it'll tell you, INSERT INTO, it'll tell you the nice syntax here.
04:56
We can make sure that our admin user's in here, which they are now.
05:01
I needed to go to wp_usermeta
05:05
and make sure that user ID 2 is also administrator,
05:10
so I copy,
05:14
make it 2.
05:17
And what that should do now is if we go to log in
05:23
yeah
05:25
as admin we can use password admin that we created
05:29
and now you can see we've logged into the dashboard. This should be good now because now all we need to do is figure out how to modify or add a PHP file to get our shell.
05:42
Now what you can do is you can go to Appearance, Theme Editor,
05:46
and what we're looking for is something that's 404.
05:50
So I'm going to go to theme Twenty Twenty
05:54
and look for 404, here's 404.php,
05:58
now. How do I figure out what my PHP shell should look like? Well,
06:01
in Kali,
06:04
we have some options that are already enabled here by default.
06:09
I can cat
06:11
/usr/share/
06:14
webshells. We know it's in PHP
06:18
and we want to, well, let's see what's in here.
06:21
php-reverse-shell.
06:25
So I'm catting this file.
06:28
This is pentestmonkey's reverse shell.
06:30
I've used it a lot. It's great.
06:34
There's only two things we need to change,
06:39
so I'm going to paste it
06:42
in here
06:43
and I need to change
06:46
it says "change this." Right, that's helpful.
06:49
192168, my IP, the IP of my attacker box, 228, on port 1234.
06:59
So I need to do two things now.
07:00
I need to set up my listener, netcat,
07:06
-nlvp 1234.
07:12
And also I need to figure out where this file is,
07:18
that took some googling.
07:19
I'm going to hope and guess, because this is theme Twenty Twenty,
07:26
that it is on our website, wp-content/themes/twentytwenty/404.php.
07:32
And now I see here
07:38
that I'm daemon, or "Damon,"
07:41
and I am on the server, 192168177.
07:47
So you can see, going from enumeration, from nmap to WPScan, finding a vulnerable plugin.
07:55
We found the wp-config file.
07:59
Got into the phpMyAdmin database, added a user as an admin, and then got into the dashboard to modify the PHP of the 404.php page with our reverse shell, and then going to it in our browser, we now have a nice shell
08:18
where we can interact with the server.