Web
Nmap discovered a web server on the target’s port 80
The running service is Apache/2.4.46 (Unix) PHP/7.4.10
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Mon, 10 Mar 2025 14:08:13 GMT
Server: Apache/2.4.46 (Unix) PHP/7.4.10
X-Powered-By: PHP/7.4.10
Link: <http://192.168.120.55/index.php/wp-json/>; rel="https://api.w.org/"
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Mon, 10 Mar 2025 14:08:15 GMT
Server: Apache/2.4.46 (Unix) PHP/7.4.10
X-Powered-By: PHP/7.4.10
Link: <http://192.168.120.55/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
Webroot
It appears to be a blog powered by WordPress
wpscan
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nukem]
└─$ wpscan --url http://$IP/ -e u,ap,at
[+] URL: http://192.168.113.105/ [192.168.113.105]
[+] Started: Mon Mar 10 15:27:03 2025
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.46 (Unix) PHP/7.4.10
| - X-Powered-By: PHP/7.4.10
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.113.105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.113.105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.113.105/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.113.105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.113.105/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://192.168.113.105/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
[+] WordPress theme in use: news-vibrant
| Location: http://192.168.113.105/wp-content/themes/news-vibrant/
| Last Updated: 2024-06-25T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/news-vibrant/readme.txt
| [!] The version is out of date, the latest version is 1.5.2
| Style URL: http://192.168.113.105/wp-content/themes/news-vibrant/style.css?ver=1.0.1
| Style Name: News Vibrant
| Style URI: https://codevibrant.com/wpthemes/news-vibrant
| Description: News Vibrant is a modern magazine theme with creative design and powerful features that lets you wri...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.12 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/news-vibrant/style.css?ver=1.0.1, Match: 'Version: 1.0.12'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-file-list
| Location: http://192.168.113.105/wp-content/plugins/simple-file-list/
| Last Updated: 2024-11-18T20:14:00.000Z
| [!] The version is out of date, the latest version is 6.1.13
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.113.105/wp-content/plugins/simple-file-list/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.113.105/wp-content/plugins/simple-file-list/readme.txt
[+] tutor
| Location: http://192.168.113.105/wp-content/plugins/tutor/
| Last Updated: 2025-03-05T11:24:00.000Z
| [!] The version is out of date, the latest version is 3.3.1
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.5.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.113.105/wp-content/plugins/tutor/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.113.105/wp-content/plugins/tutor/readme.txt
[+] Enumerating All Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:03:13 <====================================================> (29146 / 29146) 100.00% Time: 00:03:13
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] gaming-mag
| Location: http://192.168.113.105/wp-content/themes/gaming-mag/
| Last Updated: 2021-12-29T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/gaming-mag/readme.txt
| [!] The version is out of date, the latest version is 1.0.2
| [!] Directory listing is enabled
| Style URL: http://192.168.113.105/wp-content/themes/gaming-mag/style.css
| Style Name: Gaming Mag
| Style URI: https://codevibrant.com/wpthemes/gaming-mag
| Description: Gaming Mag is a child theme of News Vibrant modern magazine WordPress theme, with creative design an...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/gaming-mag/, status: 200
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/gaming-mag/style.css, Match: 'Version: 1.0.1'
[+] news-vibrant
| Location: http://192.168.113.105/wp-content/themes/news-vibrant/
| Last Updated: 2024-06-25T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/news-vibrant/readme.txt
| [!] The version is out of date, the latest version is 1.5.2
| Style URL: http://192.168.113.105/wp-content/themes/news-vibrant/style.css
| Style Name: News Vibrant
| Style URI: https://codevibrant.com/wpthemes/news-vibrant
| Description: News Vibrant is a modern magazine theme with creative design and powerful features that lets you wri...
| Author: CodeVibrant
| Author URI: https://codevibrant.com
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/news-vibrant/, status: 500
|
| Version: 1.0.12 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/news-vibrant/style.css, Match: 'Version: 1.0.12'
[+] tutor
| Location: http://192.168.113.105/wp-content/themes/tutor/
| Latest Version: 1.1.2
| Last Updated: 2024-04-04T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/tutor/readme.txt
| [!] Directory listing is enabled
| Style URL: http://192.168.113.105/wp-content/themes/tutor/style.css
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/tutor/, status: 200
|
| The version could not be determined.
[+] twentynineteen
| Location: http://192.168.113.105/wp-content/themes/twentynineteen/
| Last Updated: 2024-11-12T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.113.105/wp-content/themes/twentynineteen/style.css
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/twentynineteen/, status: 500
|
| Version: 1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/twentynineteen/style.css, Match: 'Version: 1.7'
[+] twentyseventeen
| Location: http://192.168.113.105/wp-content/themes/twentyseventeen/
| Last Updated: 2024-11-12T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.8
| Style URL: http://192.168.113.105/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 2.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.4'
[+] twentytwenty
| Location: http://192.168.113.105/wp-content/themes/twentytwenty/
| Last Updated: 2024-11-13T00:00:00.000Z
| Readme: http://192.168.113.105/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://192.168.113.105/wp-content/themes/twentytwenty/style.css
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.113.105/wp-content/themes/twentytwenty/, status: 500
|
| Version: 1.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.113.105/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.5'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:04 <==========================================================> (10 / 10) 100.00% Time: 00:00:04
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.113.105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Mar 10 15:27:44 2025
[+] Requests Done: 25
[+] Cached Requests: 39
[+] Data Sent: 6.587 KB
[+] Data Received: 73.381 KB
[+] Memory used: 265.297 MB
[+] Elapsed time: 00:00:40
- The web application uses WordPress 5.5.1
- It also uses the simple-file-list 4.2.2 plugin
- There is a user, admin
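The scan above leaves a recognisable footprint in the web server’s access log: an xmlrpc.php probe, a readme.html fetch, plugin/theme readme.txt reads, the wp-json users endpoint and a run of sequential ?author=N requests. The following is an added example, not part of this write-up, that flags that pattern in Apache combined-format log lines; the log lines, client IPs and user agents are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines: 10.10.10.5 replays the request
# pattern of the wpscan run above, 10.0.0.7 is an ordinary feed reader.
SAMPLE_LOG = """\
10.10.10.5 - - [10/Mar/2025:15:27:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:03 +0000] "GET /readme.html HTTP/1.1" 200 7278 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:04 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 1204 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:04 +0000] "GET /wp-content/plugins/tutor/readme.txt HTTP/1.1" 200 9001 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:05 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 311 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:06 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "scanner"
10.10.10.5 - - [10/Mar/2025:15:27:06 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "scanner"
10.0.0.7 - - [10/Mar/2025:15:30:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""
# Combined log format: client ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Each entry corresponds to one of the "Interesting Findings" the scan above retrieved.
RECON_PATHS = {
    "xmlrpc": re.compile(r"^/xmlrpc\.php"),
    "readme_html": re.compile(r"^/readme\.html$"),
    "uploads_listing": re.compile(r"^/wp-content/uploads/?$"),
    "plugin_theme_readme": re.compile(r"^/wp-content/(?:plugins|themes)/[^/]+/readme\.txt$"),
    "rest_users": re.compile(r"/wp-json/wp/v2/users/?"),
}
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def analyze(log_text, author_threshold=3):
    """Return {client_ip: {signal: count}}; a client that requested at least
    author_threshold distinct ?author=N values is also flagged for ID brute forcing."""
    findings = defaultdict(lambda: defaultdict(int))
    author_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        ip, path = m["ip"], m["path"]
        for signal, rx in RECON_PATHS.items():
            if rx.search(path):
                findings[ip][signal] += 1
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip]["author_id_bruteforce"] = len(ids)
    return {ip: dict(signals) for ip, signals in findings.items()}
```

Clients that trip several signals within a short window are the ones worth alerting on; a single readme.html hit from a crawler is noise on its own.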
Application
Accessing DASHBOARD requires signing in.
Registration
It also supports registration for both instructors and students
Instructor
Creating an instructor account results in pending status
Instructor’s Dashboard
Not much is present in the DASHBOARD
wp-admin
However, the navigation bar at the top suggests that the registration is not just within the application, but to the whole WordPress framework.
Thus, I am able to access the wp-admin page, but the registered instructor account is not an administrator account, so all the administration features are stripped out.
Student
Student registration, on the other hand, doesn’t show any pending status.
While the DASHBOARD doesn’t have much, the account was registered with WordPress itself, pretty much the same as the instructor account.
Vulnerabilities
It has been confirmed that the target web application is built on WordPress and uses the following plugins/themes:
- tutor
  - Interestingly, it’s installed as both a plugin and a theme
- simple file list
Tutor LMS
The official name is Tutor LMS.
Contrary to what wpscan has provided, the version is 1.5.3.
┌──(kali㉿kali)-[~/…/results/192.168.113.105/scans/tcp80]
└─$ searchsploit 'WordPress Tutor 1.5.3'
------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User) | php/webapps/48151.txt
WordPress Plugin Tutor.1.5.3 - Local File Inclusion | php/webapps/48058.txt
WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting | php/webapps/48059.txt
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Tutor 1.5.3 suffers from several vulnerabilities, including LFI.
Simple File List
Confirmed the version information
┌──(kali㉿kali)-[~/…/results/192.168.113.105/scans/tcp80]
└─$ searchsploit 'WordPress Simple File List 4.2.2'
------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload | php/webapps/48979.py
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution | php/webapps/48449.py
------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Simple File List 4.2.2 suffers from Arbitrary File Upload and RCE.
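wpscan pinned both plugin versions from the readme.txt "Stable tag" and confirmed them from the changelog section, which is the same check a site owner should run against their own wp-content before an attacker does. The following added example (not from the write-up or from either plugin) reproduces that inventory check, falling back to the changelog when the stable tag is "trunk", and compares the result against the latest versions the scan reported; the readme contents are constructed.

```python
import re

# Constructed plugin readme.txt files in the wordpress.org format, mirroring the
# versions found above. README_TRUNK has a "trunk" stable tag to exercise the
# changelog fallback (wpscan's "Readme - ChangeLog Section" technique).
README_TRUNK = """=== Simple File List ===
Stable tag: trunk

== Changelog ==

= 4.2.2 =
* constructed changelog entry
= 4.2.1 =
"""
README_TAGGED = "=== Tutor LMS ===\nStable tag: 1.5.3\n\n== Changelog ==\n= 1.5.3 =\n"
# Latest versions as reported by the scan above; a real inventory script would
# fetch these from the wordpress.org plugins API instead of hard-coding them.
LATEST = {"simple-file-list": "6.1.13", "tutor": "3.3.1"}

STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.M)
CHANGELOG_RE = re.compile(r"^==\s*Changelog\s*==(.*)", re.M | re.S)
ENTRY_RE = re.compile(r"^=\s*v?(\d+(?:\.\d+)*)\s*=", re.M)

def version_key(v):
    """Numeric tuple so '4.10.0' sorts after '4.9.1' (string order would not)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def readme_version(readme):
    """Version a plugin readme.txt advertises, or None. Uses the Stable tag unless it
    is missing or 'trunk', then the newest '= x.y.z =' heading in the changelog."""
    m = STABLE_TAG_RE.search(readme)
    if m and m.group(1).lower() != "trunk":
        return m.group(1)
    cl = CHANGELOG_RE.search(readme)
    if cl:
        entries = ENTRY_RE.findall(cl.group(1))
        if entries:
            return max(entries, key=version_key)
    return None

def check_inventory(readmes, latest=LATEST):
    """readmes: {plugin_slug: readme_text}. Returns {slug: (installed, latest, outdated)};
    outdated is False when either version is unknown, so review None entries by hand."""
    report = {}
    for slug, text in readmes.items():
        installed, newest = readme_version(text), latest.get(slug)
        outdated = bool(installed and newest and version_key(installed) < version_key(newest))
        report[slug] = (installed, newest, outdated)
    return report
```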