
In this tutorial I demonstrate how to exploit WordPress without Metasploit. This is useful practice for the many people wondering how to study for the OSCP certification exam, which permits just one use of Metasploit (apart from exploit/multi/handler, which may be used to receive staged shell connections).

If you want to get really good at exploiting WordPress without Metasploit, there are vulnerable virtual machines you can practise on, for instance Mr.Robot and HackInOS.

Here’s What You Need

  • Kali Linux virtual machine
  • Vulnerable WordPress container or virtual machine

Put Shell in Site’s PHP

WordPress runs PHP, correct? Then it will execute whatever PHP you put in its theme files. Paste in the code of a web shell, such as the reverse shell Kali ships at /usr/share/webshells/php/php-reverse-shell.php. You can also use p0wny.

Once the PHP is in the theme's archive.php file, execute it by sending a web request to /wp-content/themes/twentyfifteen/archive.php; that sends a shell back to a netcat listener.

[Screenshot: visiting the link executes the script]

Call the Shell

You can also place the shell code into 404.php.

After you edit the 404.php file to include the PHP reverse shell code, there are two more steps. First, set up a netcat listener on the port you configured in the reverse shell code you uploaded. Second, call the script. I literally got a shell back by calling http://10.0.2.16/anything!

Now that I have those credentials, I go to http://10.0.2.16/wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen and replace the PHP with the shell. I get mine from pentestmonkey; Kali also comes with suitable shells in /usr/share/webshells/php, however. Lost? You can also reach the editor page by going to Appearance, then Editor.
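The technique above works because the theme editor lets an administrator rewrite a theme's PHP in place, and WordPress serves 404.php for any unknown URL. From the defender's side, the tell is a theme file whose hash no longer matches the installed copy, or which suddenly contains socket or process functions a theme never needs. The following is an added example, not code from the original post: a small Python integrity check that records a baseline of SHA-256 hashes for a theme directory, then reports files that are new, modified, deleted, or contain suspicious PHP calls. The function-name list and the demo's constructed theme files are assumptions made for illustration.

```python
"""Baseline-and-scan integrity check for WordPress theme files.

Added example (not from the original post): records SHA-256 hashes of a
theme directory, then reports files that are new, modified, deleted, or
that now contain PHP calls commonly found in reverse/web shells.
"""
import hashlib
import os
import re
import tempfile

# PHP functions a legitimate theme file almost never needs. The list is an
# assumption chosen for this example, not a WordPress-defined set.
SUSPICIOUS_CALLS = (
    "fsockopen", "proc_open", "popen", "shell_exec", "passthru",
    "system", "exec", "eval", "base64_decode",
)
_CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.I)


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(theme_dir):
    """Map every file under theme_dir (relative path) to its SHA-256."""
    baseline = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, theme_dir)] = sha256_file(full)
    return baseline


def suspicious_calls(path):
    """Distinct suspicious PHP function names found in a file, sorted."""
    with open(path, "r", errors="replace") as f:
        return sorted({m.group(1).lower() for m in _CALL_RE.finditer(f.read())})


def scan(theme_dir, baseline):
    """Compare theme_dir to baseline; return sorted (relpath, reason) findings."""
    current = build_baseline(theme_dir)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new file"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified since baseline"))
        if rel.endswith(".php"):
            calls = suspicious_calls(os.path.join(theme_dir, rel))
            if calls:
                findings.append((rel, "suspicious calls: " + ", ".join(calls)))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "deleted"))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean theme, then 404.php edited via the theme editor."""
    with tempfile.TemporaryDirectory() as theme:
        # Constructed stand-ins for a theme's original files.
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
        with open(os.path.join(theme, "index.php"), "w") as f:
            f.write("<?php get_header(); get_footer(); ?>\n")
        baseline = build_baseline(theme)
        # Simulate the edit the post describes: 404.php now opens a socket.
        # Placeholder arguments only; this is a detection marker, not a shell.
        with open(os.path.join(theme, "404.php"), "w") as f:
            f.write("<?php fsockopen('ATTACKER_IP_PLACEHOLDER', 1234); ?>\n")
        return scan(theme, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run the baseline right after a clean install (or against a fresh copy of the same theme version) and re-run the scan on a schedule; a hit on 404.php paired with an outbound connection from the web server process is exactly the pattern this post produces. WordPress also lets you remove the editor the post relies on by setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which is the cheapest mitigation for a site that does not need in-browser theme editing.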

Receive Shell, Escalate Privileges

After getting that shell back to a netcat listener, it is time to progress, and by that I mean escalate privileges at all costs. Enjoy!

Take It Further

There are also vulnerable WordPress Docker containers that give you even more practice exploiting WordPress without Metasploit; for instance, look at vulhub's GitHub page to see what I mean.

These are great for practice and extremely easy to set up using docker-compose. Remember to be in the same directory as the compose.yaml file so the build runs correctly!

docker-compose build

Then, to start the container, which will most likely end up listening on localhost:80, you run one more command.

docker-compose up
error: