HA-Wordy Walkthrough

Sampath Pendurthi
8 min read · Aug 8, 2020

Hello everyone, HA-Wordy is a WordPress CMS box, so let's hack this WordPress. WordPress is an open-source content management system written in PHP and paired with a MySQL or MariaDB database; its features include a plugin architecture and a template system. For this kind of CMS, plugins are very important: if it has any outdated plugins, we can easily hack the CMS. We'll discuss more in practice.

For this I'm using my MacBook Pro as the attacker machine. It is on a bridged network adapter and connected to Wi-Fi, so this machine will be on my network. If you are using Kali, make sure you've changed its adapter to Bridged.

Let's start with a network scan. Since I'm on a Mac, I don't have a network scanner like netdiscover, so I'm using nmap to scan my network. Let's go.

If you are using Linux, go ahead with netdiscover, or you can also use this nmap method, but it takes some time.

By the way, 192.168.43.83 is my local address.

"nmap -oG - 192.168.43.1/24 | grep Up | awk '{print $2}' > scan.txt" (the "-oG -" writes nmap's grepable output to stdout; grep keeps the lines for hosts reported Up and awk prints just their IP addresses).

Now we'll use this text file to scan those hosts and find our victim. Here is what the text file contains.

It contains only IP addresses. Now let's scan them all at once using nmap.

"nmap -iL scan.txt -A -vv"

Now we have an IP that is running a server on port 80, so this must be my victim. Let's see what's behind this open port: it's running an Apache server.

Now quickly fire up our browser; I'm using Chrome for this. Let's go.

I can't find anything here, so I've decided to brute-force the directories.

Here I'm using a different dirbuster which I've downloaded from GitHub. If you are using Kali you can use dirb or dirbuster.

So this says it is a WordPress site. Let's open this directory; this is what is inside.

This site belongs to Ignite Technologies. OK, now let's see if we can find any SQL injection or command injection. Nothing found, so let's scan this WordPress site using WPScan.

"wpscan --url http://192.168.43.198/wordpress --enumerate ap,at" This command enumerates all plugins (ap) and all themes (at) used on this site.

OK, I got some vulnerable plugins. Now let's go through them one by one.

You can see this one is up to date, but mail-masta is vulnerable to Local File Inclusion. Now let's see another.

OK, we have another plugin; it is outdated and it is vulnerable. Now let's go to another.

OK, we have another three plugins that are outdated and vulnerable, so let's begin with reflex-gallery (the second plugin).

Method 1:

We'll use reflex-gallery. Now let's quickly fire up Metasploit and search for reflex gallery.

Now we'll use "exploit/unix/webapp/wp_reflexgallery_file_upload".

Now let's convert this Meterpreter session into a shell, and from that shell into a dedicated bash shell.

But now the clear command will not work until we export the TERM variable.

Now let's go and find some interesting things.

This text is base64 encoded, so let's decode it.

It says nothing. Now let's abuse the sudo rights. OK, now let's find some files that raj can run as root.

Type "find / -perm -u=s -type f 2>/dev/null". This lists the binaries with the SUID bit set; they run with their owner's privileges (root's, for root-owned files), so raj can effectively run them as root. Let's go.
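From the defender's side, the interesting question is why cp and wget are SUID at all: on a clean install they are not. The following script is an added example (it is not part of the original walkthrough) that takes the output of the find command above and reports every SUID binary that is not in a known-good baseline. The EXPECTED_SUID set and SAMPLE_FIND_OUTPUT are constructed for illustration; build the baseline from a trusted image of your own distribution before relying on it.

```python
import os
import stat

# Constructed baseline of SUID binaries that are normal on an Ubuntu-style
# host. This is an illustrative list, not an authoritative one: generate your
# own from a freshly installed, trusted image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed sample of what `find / -perm -u=s -type f 2>/dev/null` might
# print on a host where someone has set the SUID bit on cp and wget.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/bin/cp
/usr/bin/wget
/usr/lib/openssh/ssh-keysign
"""


def normalize(path):
    # Modern distros merge /bin and /sbin into /usr, so /bin/cp and
    # /usr/bin/cp are the same file; compare on the merged form.
    if path.startswith("/bin/") or path.startswith("/sbin/"):
        return "/usr" + path
    return path


def unexpected_suid(find_output, expected=EXPECTED_SUID):
    """Return the SUID paths from find output that are not in the baseline."""
    baseline = {normalize(p) for p in expected}
    flagged = []
    for line in find_output.splitlines():
        path = line.strip()
        if path and normalize(path) not in baseline:
            flagged.append(path)
    return flagged


def scan_live_suid(root="/"):
    """Walk the filesystem of the current host and return files with the SUID bit set.

    This is the equivalent of the find command, for use where find is unavailable.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits


if __name__ == "__main__":
    # Audit the constructed sample; on a real host feed in the find output
    # or "\n".join(scan_live_suid()) instead.
    for p in unexpected_suid(SAMPLE_FIND_OUTPUT):
        print("unexpected SUID binary:", p)
```

Run periodically (for example from cron) and diff the result against the previous run; a newly appearing SUID copy of a general-purpose tool is a strong sign of tampering or a misconfiguration that needs to be reverted with chmod u-s.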

So, from the above screenshot, we can observe that raj can run wget and cp as root. Now let's try to edit the passwd file: we'll add a user and password to it. First let's copy the passwd file into our /var/www/html folder.

Now let's download this file using wget on our machine.

For that type the following in the terminal:

"wget http://192.168.43.198/passwd"

Now we have to create a password hash (with a salt) using openssl; then we'll add the user and that hash to the passwd file.

"openssl passwd -1 -salt sam Leetmehackyou"

Now let's copy this hash and quickly open vim to edit.

Run "vim passwd" and add our user and the hash. Here the user ID is set to 0 and the group ID is also set to 0, so the user is root; the home directory is /root and the shell is /bin/bash. Save it.
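The tampered line described above is easy to spot if anyone looks: a second account with UID 0, a password hash sitting in /etc/passwd instead of /etc/shadow, and a home directory of /root. The script below is an added example (not from the original walkthrough) that parses the passwd format and flags exactly those anomalies. SAMPLE_PASSWD is a constructed file, and the hash in the "sam" line is a placeholder string, not a real MD5-crypt value.

```python
# Constructed sample of an /etc/passwd that has been tampered with in the way
# the walkthrough describes: an extra account "sam" with UID 0, GID 0, home
# /root and a password hash stored directly in field 2 instead of "x".
# The hash is a placeholder, not a real MD5-crypt digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
sam:$1$sam$PLACEHOLDERHASHxxxxxxxxxxxx:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd:
# "x" (hash lives in /etc/shadow) or a locked marker.
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


def audit_passwd(text):
    """Return a list of (account, reason) findings for an /etc/passwd-format text."""
    findings = []
    seen_names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, f"line {lineno}: malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, gid, _gecos, home, _shell = fields
        if name in seen_names:
            findings.append((name, "duplicate account name"))
        seen_names.add(name)
        if not uid.isdigit() or not gid.isdigit():
            findings.append((name, "non-numeric uid or gid"))
            continue
        # Only root should ever have UID 0 or GID 0; any other such entry
        # is a backdoor account (or a very bad mistake).
        if int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if int(gid) == 0 and name != "root":
            findings.append((name, "GID 0 account that is not root"))
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if home == "/root" and name != "root":
            findings.append((name, "home directory is /root"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit a passwd file on the local host."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```

A file-integrity monitor (AIDE, or auditd watching /etc/passwd for writes) gives the same signal in real time; the point of the parser is that the evidence is unambiguous once you know which fields to check.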

Now we have successfully edited the passwd file, so it's time to send it back. Let's turn on our server to serve it; I'm using a Python package, http-here, to start a server. If you are using Kali Linux, run "service apache2 start" and then move this passwd into the /var/www/html folder.

Before that, let's change our directory to tmp on the victim machine.

Now let's use wget to download the file; after that we'll copy it into the /etc/ folder.

So, I've successfully started my server. Now let's get into the victim's machine and try our magic.

Now let's copy our modified passwd to the /etc/ folder. I've successfully copied it. Now let's log in as sam, the user we created.

OK, we've successfully logged in as root. Now let's capture the flag.

We've got the flag; we're done with method 1. Now let's try another method.

Method-2:

When I searched for vulnerabilities I found this.

This statement says mail-masta is vulnerable to LFI (Local File Inclusion). So now let's find some valuable information using this. OK, I've found some exploits in Exploit-DB.

So we have two exploits here. Let's try the first one. Let's download it to our working directory: type "searchsploit -m 40290", which copies that exploit into our working directory.

Now let's open it and read the CVE to learn about the exploit and find the correct URL for our injection.

So the highlighted text shows the file where we can inject. Now let's try to extract some information using this LFI. I've tried to look at passwd, shadow and some other stuff but failed, so I had to think outside the box, but I failed again. Then I started searching and came up with this: there is a folder named Apache in /etc, and there we can see the .htaccess file and the .htpasswd file. Now let's try to look at those files.
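Every one of those LFI attempts leaves a line in the web server's access log, and the pattern is the same whether the target is passwd, shadow or .htpasswd: a traversal sequence or a sensitive file name in the query string. The following script is an added example (not from the original walkthrough) that parses Apache combined-log lines, undoes single and double percent-encoding, and flags requests that look like LFI probes. SAMPLE_LOG, the plugin path and the "pl" parameter name in it are constructed for illustration and are not the real mail-masta endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines. The plugin path and the "pl"
# parameter are made up; they are not the real mail-masta endpoint.
SAMPLE_LOG = """\
192.168.43.83 - - [08/Aug/2020:10:01:12 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.43.83 - - [08/Aug/2020:10:02:30 +0000] "GET /wordpress/wp-content/plugins/example/view.php?pl=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/7.68.0"
192.168.43.83 - - [08/Aug/2020:10:02:45 +0000] "GET /wordpress/wp-content/plugins/example/view.php?pl=..%2F..%2F..%2Fetc%2Fapache2%2F.htpasswd HTTP/1.1" 200 94 "-" "curl/7.68.0"
192.168.43.83 - - [08/Aug/2020:10:03:01 +0000] "GET /wordpress/wp-content/plugins/example/view.php?pl=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 211 "-" "curl/7.68.0"
192.168.43.83 - - [08/Aug/2020:10:03:20 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# File names that an LFI probe typically goes after. Checked only after the
# traversal test, so a direct request for one of these is still reported.
SENSITIVE = (
    "/etc/passwd", "/etc/shadow", ".htpasswd", ".htaccess",
    "wp-config.php", "/proc/self/environ",
)


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return a reason if the request target looks like traversal or LFI, else None."""
    decoded = fully_decode(target).replace("\\", "/")
    if "../" in decoded or "/.." in decoded:
        return "directory traversal sequence"
    lowered = decoded.lower()
    for marker in SENSITIVE:
        if marker in lowered:
            return f"reference to sensitive file {marker}"
    return None


def find_lfi_attempts(log_text):
    """Return (ip, status, target, reason) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; ignore it
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("status"), m.group("target"), reason))
    return hits


if __name__ == "__main__":
    for ip, status, target, reason in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {reason}: {target}")
```

The status code matters when triaging: a 200 on a traversal request means the file was most likely served, a 403 or 404 means the attempt was blocked or missed. Decoding more than once is deliberate, because double-encoding is the usual way to slip past a filter that only decodes once.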

As you can see, I've tried to look at the passwd file and it's showing. Now let's look at the .htpasswd file.

So it's base64 text; let's decode it using our terminal.

OK, we have a name and an email. Now let's see how we can go forward. Let's go to another plugin, WP Support Plus Responsive Ticket System. I've found a privilege escalation exploit for this plugin.

Let’s open it.

Now we have our exploit saying that "we can log in as admin by using this form." Let's create a form.

So, I've created a form. We already have a name and email from the .htpasswd file, so I'm using those here. Now let's run this file and see what happens.

And then…

We are the admin now. Let's find a way into the system.

I've found this; it is base64 text.

OK, we have a password. Now we'll find a way to get a shell. There is nothing on the aarti profile. Then I searched for any input fields to upload through, but found nothing. So I decided to log in as admin, using the password shown in the above screen. So I logged out.

Now I've tried to log in as admin and it's successful.

Now let's search for some interesting input fields. I've found something interesting here.

Now it's time to prepare our webshell.

Now let's set up a listener.

Now let's open this plugin file to get a shell:

"http://192.168.1.7/wordpress/wp-content/plugins/gwolle-gb/gwolle-gb.php"

Now I've got a shell.

Now we'll use method 1 for privilege escalation.

Finally, after some brainstorming, I've completed it.

If you have any doubts, please let me know.

Do follow for more :

instagram: https://www.instagram.com/darkknight435/

Github:https://github.com/LetMeHackYou

HAPPY HACKING..!!!!

PEACE….✌️✌️
