UHC - Pressed

00:00 - Intro 01:07 - Running nmap, discovering wordpress 01:40 - Manually looking at the wordpress site, finding a post that has some dynamic content on it... This is weird 03:00 - Attempting to poison the browser table with php/ssti/etc user agents 06:00 - Starting wpscan with enumerating all plugins 08:20 - WPScan found a backup of the configuration file 10:00 - Changing the year on the password of the configuration file and discovering MFA 11:30 - Talking about the "Discover Backup" argument of gobuster, which does find another wp-config.php backup file 13:53 - Explaining what the XMLRPC Interface to wordpress 16:30 - Showing the system.listMethods function on the XMLRPC to list all the methods 18:50 - Switching over to the Python Wordpress XMLRPC Library to play with this interface, creating an object to login 21:35 - Showing how to dump users, then examine properties of a user 24:40 - Attempting to use this library to upload files, discover we can only upload images 28:15 - Dumping the posts, and discovering the table we found earlier was using the php-everywhere plugin on a post. Using the XMLRPC Interface to edit the post to host malicious PHP 33:40 - Creating a PHP File that will write another PHP Shell and lock it down to an IP Address 38:40 - Had an issue with my webshell, running it locally to discover what the issue was and re-uploading 42:45 - Got RCE! However, reverse shells aren't working enumerating the firewall 45:15 - Explaining why I am going to use my Forward Shell 46:45 - Grabbing my Forward Shell Skeleton code, modifying it and getting RCE 50:00 - Forward shell works! That took next to no time and I explained a lot of it 53:20 - The date on pkexec is old, it's probably vulnerable. Compiling a POC and uploading it through the XMLRPC, then running it to get root 58:00 - Another PwnKit method, if I didn't have a Forward Shell having pwnkit chmod /root/ to 777 would allow us to read the flag 1:03:10 - Going over the WPScan enumerate all plugins