Web


Nmap discovered a web server on target port 80. The running service is Apache httpd 2.4.38 ((Debian)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl -I -X OPTIONS http://$IP/        
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 08:15:47 GMT
Server: Apache/2.4.38 (Debian)
Link: <http://192.168.154.166/index.php/wp-json/>; rel="https://api.w.org/"
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl -I http://$IP/          
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 08:15:50 GMT
Server: Apache/2.4.38 (Debian)
Link: <http://192.168.154.166/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

Webroot

It's a WordPress website; the Link header advertising /index.php/wp-json/ (the WordPress REST API) already gives this away.

wpscan


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ wpscan --url http://$IP/ --random-user-agent -e u,ap,at --plugins-detection aggressive -t 128
_______________________________________________________________
 
[+] URL: http://192.168.154.166/ [192.168.154.166]
[+] Started: Mon Mar 31 10:18:23 2025
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: http://192.168.154.166/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: http://192.168.154.166/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] Upload directory has listing enabled: http://192.168.154.166/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: http://192.168.154.166/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.154.166/index.php/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
 |  - http://192.168.154.166/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.7.2</generator>
 
[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.154.166/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://192.168.154.166/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://192.168.154.166/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'
 
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:01:19 <==================================================> (109775 / 109775) 100.00% Time: 00:01:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] akismet
 | Location: http://192.168.154.166/wp-content/plugins/akismet/
 | Last Updated: 2025-02-14T18:49:00.000Z
 | Readme: http://192.168.154.166/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.3.7
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.1.9 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/plugins/akismet/readme.txt
 
[+] site-editor
 | Location: http://192.168.154.166/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 | Readme: http://192.168.154.166/wp-content/plugins/site-editor/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/plugins/site-editor/, status: 200
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/plugins/site-editor/readme.txt
 
[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:19 <====================================================> (29292 / 29292) 100.00% Time: 00:00:19
[+] Checking Theme Versions (via Passive and Aggressive Methods)
 
[i] Theme(s) Identified:
 
[+] twentynineteen
 | Location: http://192.168.154.166/wp-content/themes/twentynineteen/
 | Last Updated: 2024-11-12T00:00:00.000Z
 | Readme: http://192.168.154.166/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.154.166/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentynineteen/, status: 500
 |
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentynineteen/style.css, Match: 'Version: 2.0'
 
[+] twentytwenty
 | Location: http://192.168.154.166/wp-content/themes/twentytwenty/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://192.168.154.166/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://192.168.154.166/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentytwenty/, status: 500
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.7'
 
[+] twentytwentyone
 | Location: http://192.168.154.166/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://192.168.154.166/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://192.168.154.166/wp-content/themes/twentytwentyone/style.css
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentytwentyone/, status: 500
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.154.166/wp-content/themes/twentytwentyone/style.css, Match: 'Version: 1.3'
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================> (10 / 10) 100.00% Time: 00:00:00
 
[i] User(s) Identified:
 
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.154.166/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Mon Mar 31 10:20:17 2025
[+] Requests Done: 139137
[+] Cached Requests: 21
[+] Data Sent: 43.068 MB
[+] Data Received: 19.354 MB
[+] Memory used: 441.051 MB
[+] Elapsed time: 00:01:53

The target WordPress website has:

  • site-editor 1.1.1 plugin
  • admin user
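The enumeration above leaves a characteristic trail in the web server's access log. As an added example (not part of this writeup), a small Python checker that flags the three patterns wpscan produced here: REST/author user enumeration, readme-based version fingerprinting, and bulk probing of bare plugin/theme directories; the log lines are constructed and the LogFormat regex is an assumption about the server's logging configuration.

```python
# Added example (not from the original writeup): flag the WordPress enumeration
# patterns wpscan/ffuf produce on this page in an Apache access log. The log
# lines are constructed; the request-line regex assumes a common/combined LogFormat.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
USER_ENUM = re.compile(r'/wp-json/wp/v2/users|[?&]author=\d+')             # REST and author-ID user enumeration
FINGERPRINT = re.compile(r'/readme\.(html|txt)$')                          # core, plugin and theme readme probes
KNOWN_LOCATION = re.compile(r'^/wp-content/(?:plugins|themes)/([^/]+)/?$')  # bare plugin/theme directories

SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2025:10:18:23 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:25 +0000] "GET /readme.html HTTP/1.1" 200 7345 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:25 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:26 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:26 +0000] "GET /wp-content/plugins/site-editor/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:26 +0000] "GET /wp-content/plugins/not-installed-a/ HTTP/1.1" 404 280 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:26 +0000] "GET /wp-content/plugins/not-installed-b/ HTTP/1.1" 404 280 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2025:10:18:27 +0000] "GET /wp-content/themes/twentytwenty/ HTTP/1.1" 500 280 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2025:10:19:00 +0000] "GET /index.php/2025/03/hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2025:10:19:01 +0000] "GET /wp-content/themes/twentytwentyone/style.css?ver=1.3 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

def analyse(lines, location_threshold=5):
    """Return {client_ip: [indicators]}; User-Agent is ignored since wpscan randomises it."""
    per_ip = defaultdict(lambda: {"users": 0, "readmes": 0, "slugs": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines rather than crash
        path = m["path"].split("?", 1)[0]
        stats = per_ip[m["ip"]]
        if USER_ENUM.search(m["path"]):
            stats["users"] += 1
        if FINGERPRINT.search(path):
            stats["readmes"] += 1
        loc = KNOWN_LOCATION.match(path)
        if loc:  # browsers fetch assets inside these dirs, never the bare directory itself
            stats["slugs"].add(loc.group(1))
    report = {}
    for ip, stats in per_ip.items():
        flags = [name for name, hit in (
            ("user-enumeration", stats["users"]),
            ("version-fingerprinting", stats["readmes"]),
            ("plugin/theme-enumeration", len(stats["slugs"]) >= location_threshold),
        ) if hit]
        if flags:
            report[ip] = flags
    return report
```

Run against a real log with `analyse(open("access.log"))`; the threshold of five distinct bare plugin/theme directories from one client is a starting point to tune against normal traffic.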

site-editor Plugin


Version information confirmed: 1.1.1, taken from the plugin's readme.txt stable tag.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ searchsploit WordPress site-editor
--------------------------------------------------------- ---------------------------------
 Exploit Title                                           |  Path
--------------------------------------------------------- ---------------------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusio | php/webapps/44340.txt
--------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There is an LFI (Local File Inclusion) vulnerability in the site-editor 1.1.1 plugin: CVE-2018-7422.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .txt,.html,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.154.166/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htaccess               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htaccess.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htaccess.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
index.php               [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 43ms]
license.txt             [Status: 200, Size: 19915, Words: 3331, Lines: 385, Duration: 19ms]
readme.html             [Status: 200, Size: 7345, Words: 740, Lines: 98, Duration: 22ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
wp-admin                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 18ms]
wp-content              [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 22ms]
wp-config.php           [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
wp-includes             [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 23ms]
wp-login.php            [Status: 200, Size: 8204, Words: 399, Lines: 104, Duration: 42ms]
wp-trackback.php        [Status: 200, Size: 135, Words: 11, Lines: 5, Duration: 34ms]
xmlrpc.php              [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 44ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1639 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.154.166/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 41ms]
icons                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 45ms]
wp-content              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
wp-includes             [Status: 200, Size: 49699, Words: 2850, Lines: 240, Duration: 23ms]
wp-admin                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 61ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1869 req/sec :: Duration: [0:01:54] :: Errors: 0 ::

N/A