Web


Nmap discovered a web server on port 80 of host 192.168.136.229. The running service is nginx 1.24.0 (Ubuntu).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ curl -I -X OPTIONS http://$IP/                                                    
HTTP/1.1 405 Not Allowed
Server: nginx/1.24.0 (Ubuntu)
Date: Fri, 27 Jun 2025 10:33:42 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Fri, 27 Jun 2025 10:33:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://workaholic.offsec/index.php?rest_route=/>; rel="https://api.w.org/"

The Link header points to a domain, workaholic.offsec, and its target, index.php?rest_route=/, shows that the WordPress REST API is reachable. The rest_route query-string form (rather than /wp-json/) is what WordPress emits when pretty permalinks are not enabled.

workaholic.offsec has been appended to /etc/hosts on Kali so the hostname resolves to 192.168.136.229.

Webroot

It's a WordPress instance.

REST API


The target WordPress instance has the REST API enabled with the default routes exposed.

One of them is the /wp/v2/users endpoint.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ curl -s http://workaholic.offsec/index.php?rest_route=/wp/v2/users | jq
[
  {
    "id": 1,
    "name": "admin",
    "url": "http://workaholic.offsec",
    "description": "",
    "link": "http://workaholic.offsec/?author=1",
    "slug": "admin",
    "avatar_urls": {
      "24": "https://secure.gravatar.com/avatar/fc57296810978ce468e2722a26ba19cd?s=24&d=mm&r=g",
      "48": "https://secure.gravatar.com/avatar/fc57296810978ce468e2722a26ba19cd?s=48&d=mm&r=g",
      "96": "https://secure.gravatar.com/avatar/fc57296810978ce468e2722a26ba19cd?s=96&d=mm&r=g"
    },
    "meta": [],
    "_links": {
      "self": [
        {
          "href": "http://workaholic.offsec/index.php?rest_route=/wp/v2/users/1",
          "targetHints": {
            "allow": [
              "GET"
            ]
          }
        }
      ],
      "collection": [
        {
          "href": "http://workaholic.offsec/index.php?rest_route=/wp/v2/users"
        }
      ]
    }
  }
]

A GET request to the /wp/v2/users endpoint returns a single user, admin. This endpoint only lists accounts that have at least one published public post, so it is a lower bound on the user list rather than a complete one; remaining accounts have to be found another way, such as author ID brute forcing.

wpscan


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ wpscan --url http://workaholic.offsec/ --random-user-agent -e u,ap,at --plugins-detection aggressive -t 128
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
 
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
 
[+] URL: http://workaholic.offsec/ [192.168.136.229]
[+] Started: Fri Jun 27 12:44:45 2025
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entry: Server: nginx/1.24.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: http://workaholic.offsec/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: http://workaholic.offsec/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: http://workaholic.offsec/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 6.7.2 identified (Outdated, released on 2025-02-11).
 | Found By: Rss Generator (Passive Detection)
 |  - http://workaholic.offsec/?feed=rss2, <generator>https://wordpress.org/?v=6.7.2</generator>
 |  - http://workaholic.offsec/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.7.2</generator>
 
[+] WordPress theme in use: twentytwentyfive
 | Location: http://workaholic.offsec/wp-content/themes/twentytwentyfive/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://workaholic.offsec/wp-content/themes/twentytwentyfive/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://workaholic.offsec/wp-content/themes/twentytwentyfive/style.css?ver=1.0
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentyfive/style.css?ver=1.0, Match: 'Version: 1.0'
 
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 02:40:43 <==================================================> (111322 / 111322) 100.00% Time: 02:40:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] akismet
 | Location: http://workaholic.offsec/wp-content/plugins/akismet/
 | Last Updated: 2025-05-07T16:30:00.000Z
 | Readme: http://workaholic.offsec/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.4
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/akismet/, status: 200
 |
 | Version: 5.3.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/akismet/readme.txt
 
[+] wp-advanced-search
 | Location: http://workaholic.offsec/wp-content/plugins/wp-advanced-search/
 | Last Updated: 2024-11-05T18:15:00.000Z
 | Readme: http://workaholic.offsec/wp-content/plugins/wp-advanced-search/readme.txt
 | [!] The version is out of date, the latest version is 3.3.9.3
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/wp-advanced-search/, status: 403
 |
 | Version: 3.3.8 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/wp-advanced-search/readme.txt
 
[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:34:27 <====================================================> (29844 / 29844) 100.00% Time: 00:34:27
[+] Checking Theme Versions (via Passive and Aggressive Methods)
 
[i] Theme(s) Identified:
 
[+] twentytwentyfive
 | Location: http://workaholic.offsec/wp-content/themes/twentytwentyfive/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://workaholic.offsec/wp-content/themes/twentytwentyfive/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://workaholic.offsec/wp-content/themes/twentytwentyfive/style.css
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By:
 |  Urls In 404 Page (Passive Detection)
 |  Known Locations (Aggressive Detection)
 |   - http://workaholic.offsec/wp-content/themes/twentytwentyfive/, status: 403
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentyfive/style.css, Match: 'Version: 1.0'
 
[+] twentytwentyfour
 | Location: http://workaholic.offsec/wp-content/themes/twentytwentyfour/
 | Latest Version: 1.3 (up to date)
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://workaholic.offsec/wp-content/themes/twentytwentyfour/readme.txt
 | Style URL: http://workaholic.offsec/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentyfour/, status: 403
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.3'
 
[+] twentytwentythree
 | Location: http://workaholic.offsec/wp-content/themes/twentytwentythree/
 | Latest Version: 1.6 (up to date)
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://workaholic.offsec/wp-content/themes/twentytwentythree/readme.txt
 | Style URL: http://workaholic.offsec/wp-content/themes/twentytwentythree/style.css
 | Style Name: Twenty Twenty-Three
 | Style URI: https://wordpress.org/themes/twentytwentythree
 | Description: Twenty Twenty-Three is designed to take advantage of the new design tools introduced in WordPress 6....
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentythree/, status: 403
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://workaholic.offsec/wp-content/themes/twentytwentythree/style.css, Match: 'Version: 1.6'
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================> (10 / 10) 100.00% Time: 00:00:00
 
[i] User(s) Identified:
 
[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
 
[+] charlie
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[+] ted
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Fri Jun 27 16:00:26 2025
[+] Requests Done: 282365
[+] Cached Requests: 17
[+] Data Sent: 78.655 MB
[+] Data Received: 6.851 GB
[+] Memory used: 679.246 MB
[+] Elapsed time: 03:15:40

  • WordPress 6.7.2 (outdated)
  • 3 users identified:
    • admin
    • charlie
    • ted
  • wp-advanced-search plugin in use, version 3.3.8 (read from the readme stable tag at 80% confidence; latest is 3.3.9.3)
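The two user-enumeration techniques used above, the REST /wp/v2/users listing and wpscan's author ID brute forcing, combined in one script. This is an added example and not code from the original write-up or from wpscan; the hostname, the 1..10 ID range and the sample REST/author responses embedded below are assumptions or constructed for an offline run, and the author-pattern parsing is my own approximation of what wpscan looks for (the /author/<slug>/ redirect target and the author-<nicename> body class).

```python
"""Added example (not from the original write-up): enumerate WordPress
users via the REST API and via /?author=N, then merge the two result sets.
Hostname, author-ID range and the sample responses below are assumptions
or constructed for the offline demo."""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

AUTHOR_ID_RANGE = range(1, 11)  # assumption: same 1..10 range wpscan brute-forced above

# Author archive path WordPress redirects /?author=N to when pretty permalinks are on.
_LOCATION_RE = re.compile(r"/author/([^/?#]+)/?")
# author-<nicename> body class of an author archive page; the negative lookahead
# skips the purely numeric author-<ID> class that sits next to it.
_BODY_CLASS_RE = re.compile(r"\bauthor-(?!\d+\b)([a-z0-9][a-z0-9\-]*)\b")


def users_from_rest(body: str) -> list:
    """Slugs from a /wp/v2/users response. WordPress only lists accounts
    with at least one published public post, so this is a lower bound."""
    return [u["slug"] for u in json.loads(body) if "slug" in u]


def slug_from_author_response(status: int, headers: dict, body: str):
    """Recover a user's nicename from the response to /?author=N, or None."""
    loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status in (301, 302) and loc:
        m = _LOCATION_RE.search(loc)
        if m:
            return urllib.parse.unquote(m.group(1))
    m = _BODY_CLASS_RE.search(body)
    return m.group(1) if m else None


def merge_users(rest_slugs, author_slugs) -> list:
    """Ordered, de-duplicated union of both sources (REST hits first)."""
    seen, out = set(), []
    for s in list(rest_slugs) + list(author_slugs):
        if s and s not in seen:
            seen.add(s)
            out.append(s)
    return out


# --- constructed sample data for an offline run (not captured from the box) ---
SAMPLE_REST = '[{"id": 1, "name": "admin", "slug": "admin", "link": "http://workaholic.offsec/?author=1"}]'
SAMPLE_AUTHOR_RESPONSES = {
    1: (301, {"Location": "http://workaholic.offsec/author/admin/"}, ""),
    2: (200, {}, '<html><body class="archive author author-charlie author-2">'),
    3: (200, {}, '<html><body class="archive author author-ted author-3">'),
    4: (404, {}, '<html><body class="error404">'),
}


def enumerate_offline() -> list:
    """Run both techniques over the constructed samples."""
    rest = users_from_rest(SAMPLE_REST)
    brute = [slug_from_author_response(*SAMPLE_AUTHOR_RESPONSES[i])
             for i in sorted(SAMPLE_AUTHOR_RESPONSES)]
    return merge_users(rest, brute)


# --- live helpers (only used when a base URL is passed on the command line) ---
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 301/302 as HTTPError so the Location header is readable


_opener = urllib.request.build_opener(_NoRedirect)


def fetch(url: str, timeout: int = 10):
    """GET without following redirects; returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with _opener.open(req, timeout=timeout) as r:
            return r.status, dict(r.headers.items()), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers.items()), e.read().decode("utf-8", "replace")


def enumerate_live(base: str) -> list:
    """Same logic against a real target, e.g. http://workaholic.offsec (assumed)."""
    base = base.rstrip("/")
    status, _, body = fetch(f"{base}/index.php?rest_route=/wp/v2/users")
    rest = users_from_rest(body) if status == 200 else []
    brute = [slug_from_author_response(*fetch(f"{base}/?author={i}"))
             for i in AUTHOR_ID_RANGE]
    return merge_users(rest, brute)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(enumerate_live(target) if target else enumerate_offline())
```

Run it with no arguments for the offline demo, or with a base URL to hit a live target. The point of merging is the caveat from the REST section: the API returned only admin because it lists authors with published posts, while the author ID sweep also surfaces accounts that have never posted.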

Vulnerability


Versions of the wp-advanced-search plugin below 3.3.9.2 are affected by an unauthenticated SQL injection, so the 3.3.8 install identified above should be vulnerable. The version came from the readme stable tag at 80% confidence, so confirm it before relying on it.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/workaholic]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.workaholic.offsec' -ic -mc all -fs 51576
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.136.229/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.workaholic.offsec
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 51576
________________________________________________
www                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 122ms]
:: Progress: [114438/114438] :: Job [1/1] :: 54 req/sec :: Duration: [0:35:24] :: Errors: 0 ::

Nothing further: the only hit, www, is a 301 redirect with an empty body, so no additional virtual hosts were found.