2 :80 wordpress
Lands at apache default page.
===============================================================
2021/04/29 18:00:28 Starting gobuster in directory enumeration mode
===============================================================
/users.txt (Status: 200) [Size: 8]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.10.223/wordpress/]
Domain is tenet.htb, Updating /etc/hosts file
===============================================================
2021/04/29 18:21:05 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 301) [Size: 0] [--> http://tenet.htb/]
/wp-content (Status: 301) [Size: 311] [--> http://tenet.htb/wp-content/]
/wp-login.php (Status: 200) [Size: 6534]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 312] [--> http://tenet.htb/wp-includes/]
## Possible Users
protagonist
neil
Wordpress
$ wpscan --url tenet.htb
[+] Upload directory has listing enabled: http://tenet.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 5.6 identified (Insecure, released on 2020-12-08).
[+] WordPress theme in use: twentytwentyone. Version: 1.0
[!] The version is out of date, the latest version is 1.2
[i] User(s) Identified:
[+] protagonist
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://tenet.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] neil
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
sator.php
http://10.10.10.223/sator.php
[+] Grabbing users from text file
[] Database updated
http://10.10.10.223/sator.php.bak
<?php
class DatabaseExport
{
public $user_file = 'users.txt';
public $data = '';
public function update_db()
{
echo '[+] Grabbing users from text file <br>';
$this-> data = 'Success';
}
public function __destruct()
{
file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
echo '[] Database updated <br>';
// echo 'Gotta get this working properly...';
}
}
$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);
$app = new DatabaseExport;
$app -> update_db();
?>
Last updated