Exploitation

The site-editor plugin is vulnerable to LFI (local file inclusion).

[+] site-editor
 | Location: http://192.168.135.166/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.135.166/wp-content/plugins/site-editor/readme.txt

Possible ways to go about this:

Find the config file for the WordPress site, which could get us access to the site and allow uploading a malicious cred.

Get hold of the creds for Redis and see what we can do from there.

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
requirepass Ready4Redis?

So although I already tried to export a PHP file to the /var/www/html directory, the user does not have write access there. With the LFI we can find which files we have write access to, upload the PHP code and then use the LFI to execute it.
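As an added defender-side check (not part of the original notes), the following Python audits a redis.conf for the settings that make the chain above possible: a Redis listening beyond loopback, a weak or missing requirepass, a still-enabled CONFIG command, and a dump directory under the web root. The web root paths, the 32-character minimum, and every directive in the sample configs other than the quoted requirepass line are assumptions.

```python
WEB_ROOTS = ("/var/www",)   # assumption: paths the web server serves (and an LFI can include)
MIN_PASS_LEN = 32           # assumption; Redis' own comment warns of ~150k guesses/s
# Constructed samples: the requirepass line is the one quoted on this page,
# the remaining directives are assumed for illustration.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
dir /var/www/html
requirepass Ready4Redis?
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
dir /var/lib/redis
requirepass 8f3c1d9a7b2e4f6c0a1d3e5f7b9c2d4e6f8a0b1c
rename-command CONFIG ""
"""

def parse_conf(text):
    # directive -> list of values; '#' lines are comments; last value wins, except rename-command
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "rename-command":
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = [value]
    return conf

def audit_redis_conf(text):
    # finding codes in check order; [] means nothing flagged
    conf = parse_conf(text)
    findings = []
    binds = [a.lstrip("-") for a in conf.get("bind", [""])[0].split()]
    if not binds or any(a in ("0.0.0.0", "::", "*") for a in binds):
        findings.append("bind-exposed")            # an unset bind listens on every interface
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode-off")
    if len(conf.get("requirepass", [""])[0]) < MIN_PASS_LEN:
        findings.append("weak-or-missing-requirepass")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("config-command-enabled")  # CONFIG SET can move dir/dbfilename at runtime
    if any(conf.get("dir", ["./"])[0].startswith(r) for r in WEB_ROOTS):
        findings.append("dir-under-webroot")       # dump files would be web-reachable
    return findings
```

Run `audit_redis_conf(open("/etc/redis/redis.conf").read())` on a real host; the weak sample above yields all five findings and the hardened one yields none.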

Based on this I tried to get an interactive shell but was unable to for some reason; however, with these commands and navigating to them I was able to execute commands.

I created a shell that gets executed when I run the curl command against Redis and then navigate to it with the LFI.

This is the payload that I used.
