UHC - Pressed

00:00 - Intro
01:07 - Running nmap, discovering wordpress
01:40 - Manually looking at the wordpress site, finding a post that has some dynamic content on it... This is weird
03:00 - Attempting to poison the browser table with php/ssti/etc user agents
06:00 - Starting wpscan with enumerating all plugins
08:20 - WPScan found a backup of the configuration file
10:00 - Changing the year on the password of the configuration file and discovering MFA
11:30 - Talking about the "Discover Backup" argument of gobuster, which does find another wp-config.php backup file
13:53 - Explaining what the XMLRPC interface to WordPress is
16:30 - Showing the system.listMethods function on the XMLRPC to list all the methods
18:50 - Switching over to the Python WordPress XMLRPC library to play with this interface, creating an object to login
21:35 - Showing how to dump users, then examine properties of a user
24:40 - Attempting to use this library to upload files, discovering we can only upload images
28:15 - Dumping the posts, and discovering the table we found earlier was using the php-everywhere plugin on a post. Using the XMLRPC Interface to edit the post to host malicious PHP
33:40 - Creating a PHP File that will write another PHP Shell and lock it down to an IP Address
38:40 - Had an issue with my webshell, running it locally to discover what the issue was and re-uploading
42:45 - Got RCE! However, reverse shells aren't working; enumerating the firewall
45:15 - Explaining why I am going to use my Forward Shell
46:45 - Grabbing my Forward Shell Skeleton code, modifying it and getting RCE
50:00 - Forward shell works! That took next to no time and I explained a lot of it
53:20 - The date on pkexec is old; it's probably vulnerable. Compiling a POC and uploading it through the XMLRPC, then running it to get root
58:00 - Another PwnKit method: if I didn't have a Forward Shell, having PwnKit chmod /root/ to 777 would allow us to read the flag
1:03:10 - Going over the WPScan enumerate-all-plugins output to show how beneficial it would have been
