Pwned Date - 4th September 2022

Lesson Learnt

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.87.217 -w /usr/share/wordlists/dirb/common.txt -t 200 -q 
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
**/assets               (Status: 301) [Size: 317] [--> <http://192.168.87.217/assets/>]**
/css                  (Status: 301) [Size: 314] [--> <http://192.168.87.217/css/>]   
/images               (Status: 301) [Size: 317] [--> <http://192.168.87.217/images/>]
/index.html           (Status: 200) [Size: 46199]                                  
/js                   (Status: 301) [Size: 313] [--> <http://192.168.87.217/js/>]    
/server-status        (Status: 403) [Size: 279]

Inside /assets/fonts there is a /blog/ folder

When we click the link, we are redirected to

We add the IP and blogger.thm to /etc/hosts:

192.168.87.217 blogger.thm

We also know that blogger.thm is a WordPress site.

The actual WordPress site is under the following directory:

<http://blogger.thm/assets/fonts/blog/>

A default wpscan run does not detect anything, so we have to use --plugins-detection aggressive:

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://blogger.thm/assets/fonts/blog/ --plugins-detection aggressive

...

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 01:50:46 <==========================================================================================> (99414 / 99414) 100.00% Time: 01:50:46
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: <http://blogger.thm/assets/fonts/blog/wp-content/plugins/akismet/>
 | Last Updated: 2022-07-26T16:13:00.000Z
 | Readme: <http://blogger.thm/assets/fonts/blog/wp-content/plugins/akismet/readme.txt>
 | [!] The version is out of date, the latest version is 5.0
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - <http://blogger.thm/assets/fonts/blog/wp-content/plugins/akismet/>, status: 200
 |
 | Version: 4.0.8 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - <http://blogger.thm/assets/fonts/blog/wp-content/plugins/akismet/readme.txt>
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - <http://blogger.thm/assets/fonts/blog/wp-content/plugins/akismet/readme.txt>

[+] wpdiscuz
 | Location: <http://blogger.thm/assets/fonts/blog/wp-content/plugins/wpdiscuz/>
 | Last Updated: 2022-08-12T08:07:00.000Z
 | Readme: <http://blogger.thm/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt>
 | [!] The version is out of date, the latest version is 7.4.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - <http://blogger.thm/assets/fonts/blog/wp-content/plugins/wpdiscuz/>, status: 200
 |
 | Version: 7.0.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - <http://blogger.thm/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt>

......
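
From the defender's side, the aggressive run above (99414 known plugin locations checked) shows up in the web server's access log as one client requesting many distinct wp-content/plugins/ directories and mostly receiving 404. The following is an added example, not part of the original write-up: it flags that pattern in Apache combined-format logs. The thresholds, client IPs, plugin slugs and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client IP, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Plugin slug in a request path, wherever WordPress is installed.
PLUGIN = re.compile(r'/wp-content/plugins/([^/?\s]+)')

def find_plugin_enumeration(lines, min_slugs=5, min_miss_ratio=0.8):
    """Return {client_ip: (distinct_slugs, miss_ratio)} for clients that
    probe many distinct plugin directories and mostly get 404 back.
    Both thresholds are illustrative assumptions; tune them per site."""
    slugs = defaultdict(set)
    hits = defaultdict(int)
    misses = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        ip, path, status = m.groups()
        p = PLUGIN.search(path)
        if not p:
            continue  # request does not touch a plugin directory
        slugs[ip].add(p.group(1).lower())
        hits[ip] += 1
        if status == "404":
            misses[ip] += 1
    flagged = {}
    for ip, seen in slugs.items():
        ratio = misses[ip] / hits[ip]
        if len(seen) >= min_slugs and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

def _log(ip, path, status):
    # Build one constructed combined-format log line.
    return f'{ip} - - [04/Sep/2022:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 279 "-" "-"'

BASE = "/assets/fonts/blog/wp-content/plugins/"
# Constructed sample: 10.0.0.5 walks a slug list, 10.0.0.9 is a normal visitor.
SAMPLE = [_log("10.0.0.5", f"{BASE}{s}/", "404")
          for s in ("aaa", "bbb", "ccc", "ddd", "eee", "fff", "ggg", "hhh")]
SAMPLE += [_log("10.0.0.5", f"{BASE}akismet/", "200"),
           _log("10.0.0.5", f"{BASE}wpdiscuz/", "200"),
           _log("10.0.0.9", f"{BASE}wpdiscuz/assets/js/x.js?ver=7.0.4", "200"),
           _log("10.0.0.9", "/assets/fonts/blog/", "200")]

if __name__ == "__main__":
    print(find_plugin_enumeration(SAMPLE))
```

A normal visitor only loads assets from plugins that are actually installed, so counting distinct slugs together with the miss ratio separates the two clients in the sample.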