2 :80 wordpress

Lands at the Apache default page.

===============================================================
2021/04/29 18:00:28 Starting gobuster in directory enumeration mode
===============================================================
/users.txt            (Status: 200) [Size: 8]
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.223/wordpress/]

Domain is tenet.htb; updating the /etc/hosts file.
===============================================================
2021/04/29 18:21:05 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 301) [Size: 0] [--> http://tenet.htb/]
/wp-content           (Status: 301) [Size: 311] [--> http://tenet.htb/wp-content/]
/wp-login.php         (Status: 200) [Size: 6534]
/license.txt          (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 312] [--> http://tenet.htb/wp-includes/]

## Possible Users
protagonist
neil

WordPress

$ wpscan --url tenet.htb  
[+] Upload directory has listing enabled: http://tenet.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] WordPress version 5.6 identified (Insecure, released on 2020-12-08).

[+] WordPress theme in use: twentytwentyone. Version: 1.0 
 [!] The version is out of date, the latest version is 1.2
 
[i] User(s) Identified:
[+] protagonist
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://tenet.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] neil
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

sator.php

http://10.10.10.223/sator.php
[+] Grabbing users from text file
[] Database updated 

http://10.10.10.223/sator.php.bak
<?php
class DatabaseExport
{
        public $user_file = 'users.txt';
        public $data = '';
        public function update_db()
        {
                echo '[+] Grabbing users from text file <br>';
                $this-> data = 'Success';
        }
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated <br>';
        //      echo 'Gotta get this working properly...';
        }
}
$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);
$app = new DatabaseExport;
$app -> update_db();
?>
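
The backup source passes the `arepo` request parameter to `unserialize()`, and `DatabaseExport::__destruct()` writes `$data` to the path held in `$user_file`, so properties of an object arriving in the request decide what is written and where. A hardened form follows as an added example (not the target's code and not part of the original notes). The names `save()` and `parse_arepo()`, and the assumption that `arepo` only ever carries plain JSON options, are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hardened variant of the DatabaseExport script (not the target's code).
final class DatabaseExport
{
    // Fixed path in a constant: no object property can redirect the write.
    private const USER_FILE = __DIR__ . '/users.txt';
    private string $data = '';

    public function update_db(): void
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    // Explicit save() (hypothetical name) replaces __destruct(), so the write
    // only happens when the application calls it.
    public function save(): void
    {
        if (file_put_contents(self::USER_FILE, $this->data, LOCK_EX) === false) {
            throw new RuntimeException('could not write ' . self::USER_FILE);
        }
        echo '[] Database updated <br>';
    }

    // Refuse to be rebuilt from serialized data at all (PHP 7.4+).
    public function __unserialize(array $data): void
    {
        throw new LogicException('DatabaseExport must not be unserialized');
    }
}

// parse_arepo() (hypothetical helper): treat the parameter as plain JSON data.
// If the legacy format must stay, unserialize($raw, ['allowed_classes' => false])
// at least stops request data from instantiating classes.
function parse_arepo($raw): array
{
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    $decoded = json_decode($raw, true, 8);   // null on malformed input
    return is_array($decoded) ? $decoded : [];
}

$options = parse_arepo($_GET['arepo'] ?? '');   // assumption: arepo holds options only
$app = new DatabaseExport();
$app->update_db();
$app->save();
```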
