0xma Cyber Security Articles

May 14, 2021


In this tutorial we will see how to upload a reverse shell and gain remote code execution on a Wordpress target. We will be using the wp_admin_shell_upload module of Metasploit to perform this demonstration. For this module to work, it is important to have the username and password of a user with admin privileges on the target box.

Once metasploit is launched, the first thing we have to do is select this module. The show options command shows the different options available for this module.

Metasploit's exploit/unix/webapp/wp_admin_shell_upload module.

Next we have to specify the remote host, the username and password by entering set RHOSTS, set USERNAME falaraki and set PASSWORD Transclisiation respectively. Once these options have been set, we can execute this module by entering exploit.

Meterpreter shell via the exploit/unix/webapp/wp_admin_shell_upload module.

If the module is successful in its execution then we can interact with our target using the command line and run whichever command we choose.

Run meterpreter commands.

You can follow me on Twitter mujtabareads.