WordPress WP-Cron Leads to Access of Hosting Server.
The WPScan tool is a black box WordPress security scanner, free for non-commercial use, written for security professionals and blog maintainers to test the security of their sites. There are over 37,000 WordPress vulnerabilities. Here we will be exploiting WP-Cron.
PoC Video
Lab Setup
This lab is not my creation, so no build scripts will be provided. However, there is a plethora of WordPress machines available on Proving Grounds Play.
Walkthrough
Determine if the WordPress admin portal is open (typically site/wp-admin). Use the wpscan flag -e u to enumerate usernames.
Use the found users with a wordlist to brute-force the password.
Access the admin dashboard's Theme Editor from the Appearance menu.
A tried and true method to gain a foothold on the hosting server is overwriting a theme file with a reverse PHP shell. Here we replace the contents of 404.php with pentestmonkey's php-reverse-shell.
Thank you pentestmonkey!
Start a netcat listener, then browse to https://thesite.com/wp-content/themes/themeversion/modifiedthemefile.php to get a foothold on the hosting server.
YES, it's that easy!
Remediation
Disable WP-Cron, disallow admin portal access from untrusted zones, and use two-factor authentication.
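The first remediation as a concrete wp-config.php fragment, added here as an example and not taken from the original post or from any lab build. It uses the standard WordPress constants DISABLE_WP_CRON, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS; the site URL and install path in the comments are placeholders.

```php
<?php
// Added example: hardening directives for wp-config.php. Place these
// above the "/* That's all, stop editing! */" line of the real file.

// 1. Stop WordPress from running its pseudo-cron (wp-cron.php) on
//    every page load. Scheduled tasks still have to run, so replace it
//    with a real system cron entry on the host, for example every
//    5 minutes (placeholder URL, adjust for the install):
//      */5 * * * * wget -q -O - https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
define( 'DISABLE_WP_CRON', true );

// 2. Remove the Theme and Plugin Editor from the dashboard. This closes
//    the exact path used in the walkthrough: even with a valid admin
//    login, 404.php (or any other theme file) can no longer be
//    overwritten with PHP from the browser; changes must go through
//    deployment or SFTP, where they can be reviewed and logged.
define( 'DISALLOW_FILE_EDIT', true );

// 3. Stricter option: also block plugin/theme installs and updates from
//    the dashboard (this implies DISALLOW_FILE_EDIT). Only enable it if
//    updates are handled outside the admin UI, e.g. via WP-CLI.
// define( 'DISALLOW_FILE_MODS', true );
```

Restricting /wp-admin to trusted networks and enforcing two-factor authentication are done in the web server and an MFA plugin respectively, not in wp-config.php, and are not covered by this fragment.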