Web
Nmap discovered a web server on target port 80. The running service is Apache/2.4.18 (Ubuntu).
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 16:55:18 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 16:55:20 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sun, 17 Jan 2021 12:37:06 GMT
ETag: "b477-5b917dd00e270"
Accept-Ranges: bytes
Content-Length: 46199
Vary: Accept-Encoding
Content-Type: text/html
Webroot
The webroot appears to be a personal blog.
Possible username disclosure: james
Wappalyzer identified the technologies involved.
Registration / Authentication
The registration form is a dummy. The authentication form is also a dummy.
Testimonials
Possible username disclosure:
- HARRY BAKER
- GRETCHEN
- ANNE MARC
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.217/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
assets [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 18ms]
css [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 18ms]
images [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 20ms]
index.html [Status: 200, Size: 46199, Words: 21068, Lines: 986, Duration: 19ms]
js [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [81920/81920] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:46] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.217/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
images [Status: 200, Size: 4668, Words: 244, Lines: 36, Duration: 3399ms]
assets [Status: 200, Size: 1504, Words: 100, Lines: 20, Duration: 20ms]
css [Status: 200, Size: 2366, Words: 128, Lines: 24, Duration: 18ms]
js [Status: 200, Size: 2627, Words: 162, Lines: 25, Duration: 17ms]
:: Progress: [220546/220546] :: Job [1/1] :: 2222 req/sec :: Duration: [0:02:03] :: Errors: 0 ::
Found an interesting endpoint, /assets/fonts/blog/, which appears to be another blog.
The CSS does not load because the page tries to fetch it from the domain blogger.pg. That domain has been appended to the /etc/hosts file on Kali for local name resolution.
WordPress
The site now loads. Checking Wappalyzer again reveals that it is a WordPress instance, version 4.9.8.
wpscan
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ wpscan --url http://blogger.pg/assets/fonts/blog/ --random-user-agent -e u,ap,at --plugins-detection aggressive -t 128
[+] URL: http://blogger.pg/assets/fonts/blog/ [192.168.239.217]
[+] Started: Tue Apr 29 19:27:22 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://blogger.pg/assets/fonts/blog/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://blogger.pg/assets/fonts/blog/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://blogger.pg/assets/fonts/blog/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://blogger.pg/assets/fonts/blog/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
| Found By: Rss Generator (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/?feed=rss2, <generator>https://wordpress.org/?v=4.9.8</generator>
| - http://blogger.pg/assets/fonts/blog/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.9.8</generator>
[+] WordPress theme in use: poseidon
| Location: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/
| Last Updated: 2025-01-04T00:00:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
| [!] The version is out of date, the latest version is 2.4.1
| Style URL: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1
| Style Name: Poseidon
| Style URI: https://themezee.com/themes/poseidon/
| Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
| Author: ThemeZee
| Author URI: https://themezee.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/style.css?ver=2.1.1, Match: 'Version: 2.1.1'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:01:34 <==================================================> (110234 / 110234) 100.00% Time: 00:01:34
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/
| Last Updated: 2025-04-14T23:37:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.7
|
| Found By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/, status: 200
|
| Version: 4.0.8 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/plugins/akismet/readme.txt
[+] wpdiscuz
| Location: http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/
| Last Updated: 2025-03-23T15:26:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
| [!] The version is out of date, the latest version is 7.6.29
|
| Found By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/, status: 200
|
| Version: 7.0.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/plugins/wpdiscuz/readme.txt
[+] Enumerating All Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:28 <====================================================> (29475 / 29475) 100.00% Time: 00:00:28
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] poseidon
| Location: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/
| Last Updated: 2025-01-04T00:00:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/readme.txt
| [!] The version is out of date, the latest version is 2.4.1
| Style URL: http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/style.css
| Style Name: Poseidon
| Style URI: https://themezee.com/themes/poseidon/
| Description: Poseidon is an elegant designed WordPress theme featuring a splendid fullscreen image slideshow. The...
| Author: ThemeZee
| Author URI: https://themezee.com
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/, status: 500
|
| Version: 2.1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/poseidon/style.css, Match: 'Version: 2.1.1'
[+] twentyfifteen
| Location: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyfifteen/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 4.0
| Style URL: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyfifteen/, status: 500
|
| Version: 2.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 2.0'
[+] twentyseventeen
| Location: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyseventeen/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.9
| Style URL: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.7'
[+] twentysixteen
| Location: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentysixteen/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 3.5
| Style URL: http://blogger.pg/assets/fonts/blog/wp-content/themes/twentysixteen/style.css
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentysixteen/, status: 500
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://blogger.pg/assets/fonts/blog/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.5'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] j@m3s
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Login Error Messages (Aggressive Detection)
[+] jm3s
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Apr 29 19:29:46 2025
[+] Requests Done: 139784
[+] Cached Requests: 23
[+] Data Sent: 41.135 MB
[+] Data Received: 19.313 MB
[+] Memory used: 445.16 MB
[+] Elapsed time: 00:02:23
- WordPress version 4.9.8 identified
- wpdiscuz 7.0.4 identified
- Users identified: j@m3s, jm3s
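The wpscan run above reports five exposures on this instance (version leak through the RSS generator tag, readme.html, xmlrpc.php, directory listing on wp-content/uploads/, externally reachable wp-cron.php). The script below is an added example, not part of the original writeup and not wpscan's code: it re-checks each of those exposures and pairs it with the configuration change that removes it. The `fetch` callable is injected (url -> (status, body)) so the logic runs offline; the CANNED responses are constructed to mirror the wpscan findings on this box, not captured traffic.

```python
"""Offline WordPress exposure audit (added example)."""
import re
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]

# The feed prints <generator>https://wordpress.org/?v=4.9.8</generator>, which leaks the version.
GENERATOR_RE = re.compile(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>")


def audit_wordpress(base_url: str, fetch: Fetch) -> List[Dict[str, str]]:
    """Return one finding per exposure, each with a concrete remediation."""
    base = base_url.rstrip("/") + "/"
    findings: List[Dict[str, str]] = []

    status, body = fetch(base + "?feed=rss2")
    match = GENERATOR_RE.search(body) if status == 200 else None
    if match:
        findings.append({
            "check": "version-disclosure",
            "detail": f"WordPress {match.group(1)} leaked via RSS <generator> tag",
            "fix": "add_filter('the_generator', '__return_empty_string') and update to a supported release",
        })

    status, _ = fetch(base + "readme.html")
    if status == 200:
        findings.append({
            "check": "readme-exposed",
            "detail": "readme.html is reachable",
            "fix": "delete readme.html or deny it: <Files readme.html>Require all denied</Files>",
        })

    status, body = fetch(base + "xmlrpc.php")
    # A GET to a live xmlrpc.php answers 405 with a fixed message; either signal is enough.
    if status == 405 or "XML-RPC server accepts POST requests only" in body:
        findings.append({
            "check": "xmlrpc-enabled",
            "detail": "xmlrpc.php answers (pingback abuse, login brute-force amplification)",
            "fix": "<Files xmlrpc.php>Require all denied</Files> unless a client actually needs it",
        })

    status, body = fetch(base + "wp-content/uploads/")
    if status == 200 and "Index of" in body:
        findings.append({
            "check": "uploads-listing",
            "detail": "directory listing enabled on wp-content/uploads/",
            "fix": "Options -Indexes in the vhost or in .htaccess",
        })

    status, _ = fetch(base + "wp-cron.php")
    if status == 200:
        findings.append({
            "check": "wp-cron-external",
            "detail": "wp-cron.php reachable from outside (resource exhaustion)",
            "fix": "define('DISABLE_WP_CRON', true) and trigger wp-cron from a system cron job",
        })
    return findings


# Constructed responses modelled on the wpscan output above (not captured traffic).
BASE = "http://blogger.pg/assets/fonts/blog/"
CANNED = {
    BASE + "?feed=rss2": (200, "<rss><channel><generator>https://wordpress.org/?v=4.9.8</generator></channel></rss>"),
    BASE + "readme.html": (200, "<h1>WordPress</h1>"),
    BASE + "xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
    BASE + "wp-content/uploads/": (200, "<title>Index of /assets/fonts/blog/wp-content/uploads</title>"),
    BASE + "wp-cron.php": (200, ""),
}


def canned_fetch(url: str) -> Tuple[int, str]:
    return CANNED.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for finding in audit_wordpress(BASE, canned_fetch):
        print(f"[{finding['check']}] {finding['detail']}\n    fix: {finding['fix']}")
```

To run it against a live site, replace `canned_fetch` with a thin wrapper around an HTTP client that returns `(status_code, text)`; a hardened instance returns an empty list.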
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ searchsploit WordPress wpdiscuz
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) | php/webapps/49962.sh
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) | php/webapps/49967.py
Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit) | php/webapps/49401.rb
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
wpdiscuz 7.0.4 is vulnerable to unauthenticated remote code execution (CVE-2020-24186).
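From the defender's side, an unauthenticated arbitrary-file-upload bug like the wpDiscuz 7.0.4 issue above leaves a durable trace: a request for an executable extension somewhere under wp-content/uploads/, which a healthy site never serves. The following is an added example, not part of the original writeup and not taken from any exploit: it parses Apache combined-format access log lines, flags such requests, and raises the severity when the same client previously POSTed to wp-admin/admin-ajax.php (the endpoint plugin front-end uploads normally go through). The lines in SAMPLE_LOG are constructed for the demo; the IPs, timestamps and file name are placeholders.

```python
"""Access-log triage for upload-directory abuse (added example)."""
import re
from typing import Dict, List, Optional

# Apache "combined" format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# PHP-like extensions under the uploads tree should never be requested on a healthy site.
UPLOAD_EXEC_RE = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|phar)(?:\?|$)", re.I)
AJAX_RE = re.compile(r"/wp-admin/admin-ajax\.php(?:\?|$)")

# Constructed sample, not captured from the target; 192.0.2.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2025:19:40:01 +0000] "GET /assets/fonts/blog/ HTTP/1.1" 200 22579 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Apr/2025:19:40:05 +0000] "POST /assets/fonts/blog/wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "curl/8.5.0"',
    '192.0.2.10 - - [29/Apr/2025:19:40:09 +0000] "GET /assets/fonts/blog/wp-content/uploads/2025/04/PLACEHOLDER-NAME.php HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '198.51.100.7 - - [29/Apr/2025:19:41:00 +0000] "GET /assets/fonts/blog/wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def detect_upload_abuse(lines: List[str]) -> List[Dict[str, str]]:
    """Flag executable files requested under uploads/. Severity is 'high' when the
    same client has already POSTed to admin-ajax.php earlier in the batch."""
    alerts: List[Dict[str, str]] = []
    ajax_posters = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of dropping the whole batch
        if rec["method"] == "POST" and AJAX_RE.search(rec["path"]):
            ajax_posters.add(rec["ip"])
        if UPLOAD_EXEC_RE.search(rec["path"]):
            alerts.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if rec["ip"] in ajax_posters else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_abuse(SAMPLE_LOG):
        print(f"{alert['severity'].upper()} {alert['ip']} {alert['time']} {alert['path']} -> {alert['status']}")
```

The corresponding preventive control is to stop Apache from executing anything under the uploads tree at all, for example a `<Directory>` block for wp-content/uploads containing `<FilesMatch "\.ph(ar|p[0-9]?|tml)$">Require all denied</FilesMatch>`; with that in place the status in the alert becomes 403 and the alert still fires, which is the behaviour you want.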
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/blogger]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/assets/fonts/blog/ -H 'Host: FUZZ.blogger.pg' -ic -mc all -fs 22579
________________________________________________
:: Method : GET
:: URL : http://192.168.239.217/assets/fonts/blog/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.blogger.pg
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 22579
________________________________________________
dev [Status: 404, Size: 276, Words: 23, Lines: 10, Duration: 56ms]
www [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 230ms]
www.dev [Status: 404, Size: 280, Words: 23, Lines: 10, Duration: 19ms]
:: Progress: [114437/114437] :: Job [1/1] :: 77 req/sec :: Duration: [0:16:00] :: Errors: 0 ::
dev.blogger.pg identified. The /etc/hosts file on Kali has been updated accordingly.
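The ffuf run above works by filtering out the default response (`-fs 22579`), so anything that comes back with a different size is a candidate virtual host. The script below is an added example, not from the original writeup and not ffuf's code, that writes that reasoning out: it measures the baseline against a random hostname that cannot exist and keeps every name whose response differs. It goes slightly beyond the page's size-only filter by comparing status as well, which is why the `www` 301 with size 0 still surfaces. It also includes the /etc/hosts merge used twice on this page (first for blogger.pg, then for dev.blogger.pg) as a function that edits the file text idempotently. `fetch` is injected as (url, host_header) -> (status, size); CANNED mirrors the ffuf results on this box and is constructed, not captured.

```python
"""Virtual-host discovery by baseline comparison, plus an /etc/hosts merge (added example)."""
import secrets
from typing import Callable, Dict, List, Sequence, Tuple

Fetch = Callable[[str, str], Tuple[int, int]]


def discover_vhosts(url: str, base_domain: str, words: Sequence[str], fetch: Fetch) -> List[Dict[str, object]]:
    """Return every name whose (status, size) differs from the default-vhost baseline."""
    # A random label cannot match a configured vhost, so its response is the
    # default-site baseline that every non-existent name will reproduce.
    baseline = fetch(url, f"{secrets.token_hex(6)}.{base_domain}")
    hits: List[Dict[str, object]] = []
    for word in words:
        host = f"{word}.{base_domain}"
        status, size = fetch(url, host)
        if (status, size) != baseline:  # compare both so a 301 with size 0 still shows up
            hits.append({"host": host, "status": status, "size": size})
    return hits


def merge_hosts(text: str, ip: str, names: Sequence[str]) -> str:
    """Add names to the existing line for `ip`, or append a new line; idempotent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0] == ip:
            for name in names:
                if name not in parts[1:]:
                    parts.append(name)
            lines[i] = " ".join(parts)
            break
    else:
        lines.append(f"{ip} {' '.join(names)}")
    return "\n".join(lines) + "\n"


# Constructed to mirror the ffuf output above; every other Host header gets the default blog page.
CANNED = {
    "dev.blogger.pg": (404, 276),
    "www.blogger.pg": (301, 0),
    "www.dev.blogger.pg": (404, 280),
}


def canned_fetch(url: str, host: str) -> Tuple[int, int]:
    return CANNED.get(host, (200, 22579))  # default vhost serves the blog: 22579 bytes


if __name__ == "__main__":
    target = "http://192.168.239.217/assets/fonts/blog/"
    for hit in discover_vhosts(target, "blogger.pg", ["dev", "www", "mail", "www.dev"], canned_fetch):
        print(hit)
    current = "127.0.0.1 localhost\n192.168.239.217 blogger.pg\n"  # stand-in for /etc/hosts contents
    print(merge_hosts(current, "192.168.239.217", ["dev.blogger.pg"]), end="")
```

For a live run, wrap an HTTP client so that it sends the candidate name in the Host header and returns `(status_code, len(body))`, and write the `merge_hosts` result back to /etc/hosts only after reviewing the candidates, since the baseline check cannot distinguish a real vhost from a server that varies its error page.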