Myles Nieman

Infosek

Overview

Infosek is a medium Windows box running a WordPress site behind IIS. A public post or profile exposes credentials for a WordPress user (ryder). Those credentials grant admin panel access, which allows uploading a PHP webshell. Reading the WordPress configuration through the shell yields database credentials. A Meterpreter session is then used to port-forward MySQL, completing the path to full compromise.

Path: exposed WordPress credentials → admin panel webshell upload → database config read → Meterpreter escalation.

Enumeration

The initial scan shows a web server. Browsing to port 80 returns the default IIS page, indicating a fresh or misconfigured installation:

Nmap results showing the web server

Default IIS page on port 80

Further enumeration uncovers the WordPress installation:

WordPress site discovered

A post or public profile on the site exposes credentials in plaintext, a convenient find for an attacker and a critical mistake by the site’s owner:

Credentials exposed in a public post or profile

ryder : u&8lXTT2UjHxjU%Jom@p*OLy

Foothold — WordPress Admin Access

Checking WordPress users confirms that ryder is a registered WordPress account:

ryder confirmed as a WordPress user

The exposed password authenticates successfully to the WordPress admin panel:

Successful WordPress admin login as ryder

Webshell Upload and Database Credential Extraction

With admin access, uploading a PHP webshell through the WordPress theme or plugin editor gives command execution on the underlying server:

Webshell accessible through the WordPress installation

Reading the WordPress configuration file (wp-config.php) through the webshell reveals the database credentials:

wp-config.php read via webshell showing database credentials

DB_User:     ryder
DB_Password: d[@_@]b_inFosek=+

Privilege Escalation — MySQL via Meterpreter

With database credentials in hand but no direct external access to MySQL, upgrading to a Meterpreter session enables port-forwarding to tunnel MySQL traffic from the local host:

Setting up port forward for MySQL through Meterpreter

Connecting to the database through the tunnel:

Meterpreter session used for MySQL port forwarding

Enumerating the database via the Meterpreter session yields the path to full compromise:

Database enumeration and escalation via Meterpreter

Takeaways

  • Credentials exposed in public-facing content are trivially harvested. Even a single post or user bio containing a password collapses the entire authentication layer of a WordPress site.
  • WordPress admin access equals RCE. The theme/plugin editor is an unrestricted PHP execution environment — any authenticated admin can upload arbitrary code.
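From the defender's side, the editor-to-webshell path above leaves a recognisable trace in the web server log: a POST to the theme or plugin editor followed by direct requests to a PHP file under wp-content with a query string. The following detection is an added example, not part of the original writeup; the W3C-style log lines are constructed for illustration and the field layout (date, time, client IP, method, URI stem, query, status) is an assumption.

```python
import re

# Constructed IIS W3C-style log lines for this example (not logs from the Infosek box).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status ("-" means empty query).
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.10.14.5 POST /wp-login.php - 302
2024-01-01 10:00:05 10.10.14.5 GET /wp-admin/theme-editor.php file=404.php&theme=twentytwentyfour 200
2024-01-01 10:00:09 10.10.14.5 POST /wp-admin/theme-editor.php - 200
2024-01-01 10:00:20 10.10.14.5 GET /wp-content/themes/twentytwentyfour/404.php cmd=type+wp-config.php 200
2024-01-01 10:05:00 10.10.14.9 GET /wp-content/themes/twentytwentyfour/style.css - 200
"""

# Endpoints used to write PHP into a theme or plugin from the admin panel.
EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php"}
# Theme/plugin PHP files are normally included by WordPress, not requested directly;
# a direct hit with parameters is how a dropped webshell gets driven.
SHELL_RE = re.compile(r"^/wp-content/(themes|plugins)/[^/]+/.*\.php$")

def parse_line(line):
    """Split one W3C-style line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, ip, method, uri, query, status = fields[:7]
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "uri": uri, "query": query, "status": status}

def find_editor_webshell_activity(log_text):
    """Return one alert per direct parameterised request to a theme/plugin PHP file
    made by a client that earlier POSTed to the file editor."""
    last_editor_post = {}  # client IP -> timestamp of most recent editor POST
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["uri"] in EDITOR_PATHS:
            last_editor_post[ev["ip"]] = ev["ts"]
        elif (ev["method"] == "GET" and SHELL_RE.match(ev["uri"])
              and ev["query"] != "-" and ev["ip"] in last_editor_post):
            alerts.append({"ip": ev["ip"], "edited_at": last_editor_post[ev["ip"]],
                           "shell_hit": ev["ts"], "uri": ev["uri"], "query": ev["query"]})
    return alerts

if __name__ == "__main__":
    for alert in find_editor_webshell_activity(SAMPLE_LOG):
        print(alert)
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the editor entirely, so the POST half of this pattern should never appear on a hardened site.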