WordPress Smuggler

by Vince
in Blog
Hits: 859

When attacking WordPress, I will typically upload my WordPress Reverse Shell Plugin once I take control of the admin interface.  Upon getting a shell on the system, I will then move my tools over which got me to thinking -- can I incorporate my tools into the plugin and do it all at once? The answer is YES! 

If I'm attacking Linux, I want LinePeas and possibly some other privilege escalation scripts.  I probably want an ELF binary meterpreter reverse shell.  Beyond that, who knows but that's a good starting point for this post.

The basic outline for a plugin looks like this:

With our php file and our tools in the same directory, we zip it up:

We upload through the Admin UI:

When we view the plugin folder, we see that everything was moved over nicely and it's nested in the system a few levels which keeps it somewhat hidden:

Thinking holistically, we want to move quickly and efficiently.  While simultaneously smuggling tools and shelling the box, we've reduced the number of steps which saves us time.