PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Did not follow redirect to http://dc-2/
7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
| 1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
| 2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
| 256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_ 256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Visiting port 80 by IP does not work because the server redirects to http://dc-2/ (see the http-title line in the nmap output above), so add dc-2 to /etc/hosts and visit http://dc-2/ instead.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://dc-2/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htaccess            (Status: 403) [Size: 288]
/.htpasswd            (Status: 403) [Size: 288]
/.hta                 (Status: 403) [Size: 283]
/index.php            (Status: 301) [Size: 0] [--> http://dc-2/]
/server-status        (Status: 403) [Size: 292]
/wp-admin             (Status: 301) [Size: 299] [--> http://dc-2/wp-admin/]
/wp-content           (Status: 301) [Size: 301] [--> http://dc-2/wp-content/]
/wp-includes          (Status: 301) [Size: 302] [--> http://dc-2/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]
Since the site is running WordPress, let's run wpscan against it.
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://dc-2/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.81.194]
[+] Started: Fri Jul 8 10:33:27 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>
 |  - http://dc-2/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.10</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:09 <=======> (137 / 137) 100.00% Time: 00:00:09

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Jul 8 10:33:51 2022
[+] Requests Done: 171
[+] Cached Requests: 5
[+] Data Sent: 82.692 KB
[+] Data Received: 356.66 KB
[+] Memory used: 227.43 MB
[+] Elapsed time: 00:00:23
This does not output what we wanted (without an API token wpscan prints no vulnerability data), so we tell it explicitly what to enumerate: plugins, themes and users.
wpscan --url http://dc-2/ --enumerate p --enumerate t --enumerate u
Now we get three users:
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
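Both the gobuster directory brute force and the wpscan enumeration above (the wp-json users endpoint, the ?author=N author-ID pattern, and the readme.html / xmlrpc.php probes listed in the findings) leave a characteristic trail in the web server's access log, and that trail is what a defender of a site like this one would alert on. The following is an added example, not part of the original walkthrough: a small Python checker that runs over constructed Apache combined-format log lines (the IPs, timestamps and user-agent strings are made up) and flags, per source IP, a burst of 403/404 responses, WordPress user enumeration, and fingerprinting hits. It keys on behaviour rather than on the User-Agent header, because the latter is trivial to change; the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (made-up IPs, timestamps and user agents)
# mirroring the directory brute force and WordPress enumeration shown on this page.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jul/2022:10:30:01 +0000] "GET /.htaccess HTTP/1.1" 403 288 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:30:01 +0000] "GET /.htpasswd HTTP/1.1" 403 288 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:30:01 +0000] "GET /.hta HTTP/1.1" 403 283 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:30:02 +0000] "GET /server-status HTTP/1.1" 403 292 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:30:02 +0000] "GET /backup HTTP/1.1" 404 209 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:30:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "gobuster/3.1"
192.0.2.10 - - [08/Jul/2022:10:33:30 +0000] "GET /readme.html HTTP/1.1" 200 7413 "-" "WPScan v3.8.22"
192.0.2.10 - - [08/Jul/2022:10:33:31 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 1842 "-" "WPScan v3.8.22"
192.0.2.10 - - [08/Jul/2022:10:33:32 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"
192.0.2.10 - - [08/Jul/2022:10:33:32 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"
192.0.2.10 - - [08/Jul/2022:10:33:32 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"
192.0.2.10 - - [08/Jul/2022:10:33:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan v3.8.22"
198.51.100.7 - - [08/Jul/2022:10:33:40 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jul/2022:10:33:41 +0000] "GET /wp-content/themes/twentyseventeen/style.css?ver=4.7.10 HTTP/1.1" 200 80210 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed thresholds; tune them against real traffic on your own site.
ERROR_BURST_THRESHOLD = 5      # this many 403/404 responses ...
ERROR_BURST_WINDOW_S = 60      # ... within this many seconds from one IP
AUTHOR_ID_MIN = 3              # distinct ?author=N values before calling it enumeration
USER_ENUM_PATHS = ("/wp-json/wp/v2/users", "/index.php/wp-json/wp/v2/users")
FINGERPRINT_PATHS = {"/readme.html", "/xmlrpc.php", "/wp-cron.php"}
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["stem"], _, ev["query"] = ev["path"].partition("?")   # path without query string
    return ev


def _has_burst(times):
    """True if ERROR_BURST_THRESHOLD events fall inside any ERROR_BURST_WINDOW_S window."""
    times = sorted(times)
    for i in range(len(times) - ERROR_BURST_THRESHOLD + 1):
        span = (times[i + ERROR_BURST_THRESHOLD - 1] - times[i]).total_seconds()
        if span <= ERROR_BURST_WINDOW_S:
            return True
    return False


def analyze(log_text):
    """Return {ip: findings} for every source IP that shows at least one enumeration signal."""
    per_ip = defaultdict(lambda: {"errors": [], "author_ids": set(),
                                  "user_enum_hits": 0, "fingerprint": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = per_ip[ev["ip"]]
        if ev["status"] in (403, 404):                 # wordlist-driven path guessing
            st["errors"].append(ev["ts"])
        if ev["stem"].startswith(USER_ENUM_PATHS):     # REST API user listing
            st["user_enum_hits"] += 1
        m = AUTHOR_RE.search(ev["path"])               # author-ID walk
        if m:
            st["author_ids"].add(int(m.group(1)))
        if ev["stem"] in FINGERPRINT_PATHS:            # version / XML-RPC probes
            st["fingerprint"].add(f'{ev["method"]} {ev["stem"]}')

    findings = {}
    for ip, st in per_ip.items():
        f = {
            "error_burst": _has_burst(st["errors"]),
            "user_enum": st["user_enum_hits"] > 0 or len(st["author_ids"]) >= AUTHOR_ID_MIN,
            "author_ids": sorted(st["author_ids"]),
            "fingerprint": sorted(st["fingerprint"]),
        }
        if f["error_burst"] or f["user_enum"] or f["fingerprint"]:
            findings[ip] = f
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Run against the constructed sample, only 192.0.2.10 is reported: an error burst (six 403/404s inside two seconds), user enumeration through both the wp-json endpoint and author IDs 1 to 3, and fingerprint hits on readme.html and xmlrpc.php; the ordinary visitor from 198.51.100.7 is not flagged. On a real deployment the same signals map directly to the wpscan findings above: remove readme.html, block or rate-limit xmlrpc.php and the wp-json users route if they are not needed, and alert on 403/404 bursts.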
The flag on the page hints that we could use cewl (https://github.com/digininja/CeWL) to build a wordlist for brute-forcing the password. cewl can be installed with
gem install cewl
but Kali ships with cewl built in, so this doesn't matter here. To crawl everything from the website and turn it into our password list:
cewl http://dc-2/ > passwords.txt
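The hint above illustrates a general weakness: a password taken from, or built around, words that appear on the organisation's own public website is exactly what a site-derived wordlist will hit first. The defender-side counterpart is to screen new passwords against the words on your own site at password-set time. The following is an added example, not from the original walkthrough: `SAMPLE_HTML` is a constructed page for a fictional company, `site_words` extracts the visible words the way a crawler would see them (skipping script and style bodies), and `check_password` is a hypothetical password-policy hook that rejects a candidate whose alphabetic core is a site word or that contains a longer site word.

```python
import re
from html.parser import HTMLParser

# Constructed sample page for a fictional company; not the real dc-2 content.
SAMPLE_HTML = """
<html><head><title>Acme Widgets</title>
<style>body { color: #333; }</style></head>
<body>
<h1>Welcome to Acme Widgets</h1>
<p>Our flagship product, the Aardvark Turbine, ships every spring.</p>
<p>Questions? Write to info@example.com or call the support team.</p>
<script>var tracking = "ignored";</script>
</body></html>
"""


class _TextExtractor(HTMLParser):
    """Collects visible text, skipping the bodies of <script> and <style> elements."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def site_words(html, min_len=3):
    """Lower-cased set of alphanumeric tokens of at least min_len characters in the page text."""
    parser = _TextExtractor()
    parser.feed(html)
    tokens = re.findall(r"[A-Za-z0-9]+", " ".join(parser.chunks))
    return {t.lower() for t in tokens if len(t) >= min_len}


def check_password(password, words, min_word_len=5):
    """Hypothetical policy hook: return (accepted, reason).

    Rejects a password whose letters-only core is itself a site word (so that
    'Aardvark2022!' is caught) or that contains any site word of min_word_len or
    more characters, case-insensitively. Longer words are tried first so the
    reason names the most specific match.
    """
    low = password.lower()
    core = re.sub(r"[^a-z]", "", low)
    if core and core in words:
        return False, f"password is the site word '{core}' with decoration"
    for w in sorted(words, key=len, reverse=True):
        if len(w) >= min_word_len and w in low:
            return False, f"password contains the site word '{w}'"
    return True, "ok"


if __name__ == "__main__":
    words = site_words(SAMPLE_HTML)
    for candidate in ("Aardvark2022!", "AcmeWidgets1", "xq7!Lm#pv2Zr"):
        print(candidate, check_password(candidate, words))
```

In practice the word set would be rebuilt from the site on a schedule and combined with the usual breached-password and dictionary checks; the point of this check is only the site-specific part that generic lists miss.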