Infosek
Overview
Infosek is a medium Windows box running a WordPress site behind IIS. A
public post or profile exposes credentials for a WordPress user (ryder). Those
credentials grant admin panel access, which allows uploading a PHP webshell.
Reading the WordPress configuration through the shell yields database credentials.
A Meterpreter session is then used to port-forward MySQL, completing the path to
full compromise.
Path: exposed WordPress credentials → admin panel webshell upload → database config read → Meterpreter escalation.
Enumeration
The initial scan shows a web server. Browsing to port 80 returns the default IIS page, indicating a fresh or misconfigured installation:


Further enumeration uncovers the WordPress installation:

A post or public profile on the site exposes credentials in plaintext, a critical mistake by the site's owner that hands any visitor a valid login:

ryder : u&8lXTT2UjHxjU%Jom@p*OLy
Foothold — WordPress Admin Access
Checking WordPress users confirms that ryder is a registered WordPress account:

The exposed password authenticates successfully to the WordPress admin panel:

Webshell Upload and Database Credential Extraction
With admin access, uploading a PHP webshell through the WordPress theme or plugin editor gives command execution on the underlying server:

Reading the WordPress configuration file (wp-config.php) through the webshell
reveals the database credentials:

DB_User: ryder
DB_Password: d[@_@]b_inFosek=+
Privilege Escalation — MySQL via Meterpreter
With database credentials in hand but no direct external access to MySQL, upgrading to a Meterpreter session enables port-forwarding to tunnel MySQL traffic from the local host:

Connecting to the database through the tunnel:

Enumerating the database via the Meterpreter session yields the path to full compromise:

Takeaways
- Credentials exposed in public-facing content are trivially harvested. Even a single post or user bio containing a password collapses the entire authentication layer of a WordPress site.
- WordPress admin access equals RCE. The theme/plugin editor is an unrestricted PHP execution environment — any authenticated admin can upload arbitrary code.
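
A defender-side check for the second takeaway, added here as an example and not part of the original write-up: it reads a wp-config.php and reports whether the WordPress constants DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT still leave the admin panel able to write PHP to disk. The sample configs are constructed, the function names are illustrative, and the parsing is a regex heuristic that assumes WordPress evaluates these constants by PHP truthiness.

```python
import re

# Line-anchored so that "// define(...)" and "# define(...)" are not counted as active.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE)

def parse_defines(src):
    """Return {NAME: value} for active define() calls (regex heuristic, not a PHP parser)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)  # drop /* ... */ blocks
    out = {}
    for name, sq, dq, bare in DEFINE_RE.findall(src):
        if bare:  # unquoted literal: true / false / null / number
            out[name] = {"true": True, "false": False, "null": False}.get(bare.lower(), bare)
        else:
            out[name] = sq or dq
    return out

def php_truthy(value):
    """Mimic PHP truthiness: '' and '0' are false, any other string (even 'false') is true."""
    return value if isinstance(value, bool) else value not in ("", "0")

def audit_wp_config(src):
    """Report settings that still let a logged-in administrator change PHP on disk."""
    defs = parse_defines(src)
    findings = []
    # DISALLOW_FILE_MODS also disables the editor, so the editor is checked only without it.
    if not php_truthy(defs.get("DISALLOW_FILE_MODS", False)):
        findings.append("DISALLOW_FILE_MODS is not enabled: admins can install or upload plugins and themes")
        if not php_truthy(defs.get("DISALLOW_FILE_EDIT", False)):
            findings.append("DISALLOW_FILE_EDIT is not enabled: the theme/plugin editor is available")
    return findings

# Constructed sample configs (not taken from the target in this write-up).
WEAK = """<?php
define( 'DB_USER', 'wp_app' );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', false );
"""
EDITOR_ONLY = WEAK.replace("// define( 'DISALLOW_FILE_EDIT'", "define( 'DISALLOW_FILE_EDIT'")
HARDENED = EDITOR_ONLY.replace("false", "true")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("editor-only", EDITOR_ONLY), ("hardened", HARDENED)):
        print(label, audit_wp_config(cfg) or "no findings")
```

Disabling only the editor still leaves plugin and theme installation as a code-execution path, which is why the editor-only sample keeps one finding.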