The WordPress site looks interesting. WordPress always has a number of CVEs against it and some of them can be severe. Additionally, there’s always the possibility of being able to brute force the administrator login credentials. Lots of options here!
You begin enumeration of the WordPress site by directory brute forcing with Gobuster. You use a large wordlist and include .html extensions. This might take a while, so you put some coffee on and wait for the scan to finish.
When the scan finishes, you review the results. Something catches your eye:
As far as you know, this is not standard for WordPress sites.
You browse to http://dmz.risottocorp.lan:8000/atsh.php and examine the page.
You examine the URL and find something very interesting:
“Hey, uh, team? You all might want to see this.”
You call a meeting and show the team what you’ve found.
“Fascinating! This looks like a commodity web shell that you’d find in the dark web. Can we save the code offline for analysis?” says one of your team members.
You all debate how to proceed. The web shell obviously means that the WordPress site is exploitable in some way. However, it is also a clear indicator of prior compromise, and you’re not sure whether acting on it would violate the scope of the engagement.
What do you do?
Use the existing web shell for code execution and access the server. I mean, it’s already here, so what’s the harm if we use it?
Call hold on the engagement and report this to our trusted agent. This is pretty serious and they should know about it now.