Internal | Nmap, Gobuster, wpscan

Penetration Testing Challenge


  1. nmap -A <ip>
  2. apache2 webserver on 80
  3. gobuster dir -u <ip> -w <wordlist>, using directory-list-2.3-small.txt
  4. /blog says wordpress site
  5. /javascript gives Apache/2.4.29 (Ubuntu)
  6. /phpmyadmin gives login screen
  7. scan the WordPress site: wpscan --url <url> -e vp,u enumerates vulnerable plugins and users
  8. brute-force username using wpscan --url <url> --usernames --passwords
  9. login as user
  10. edit theme to get shell
  11. find user creds
  12. ssh as user
  13. find service
  14. ssh link service
  15. brute force login
  16. run reverse shell from script console
atk: 10.10.9.2
trg: 10.10.192.94

# nmap -A <ip>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
|   256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_  256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works


# gobuster
/blog (Status: 301)
/wordpress (Status: 301)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
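The gobuster run above leaves a distinctive trace on the server side: one client requesting many distinct paths in a few seconds, almost all of them answered 404. The following Python script is an added example, not part of the original notes, that flags that pattern in Apache access logs. The log lines are constructed (the scanner address reuses the 10.10.9.2 from these notes), and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "common" log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a directory brute-force from 10.10.9.2 (4 hits, 16 misses
# within six seconds) next to an ordinary visitor from 10.10.9.50.
_SCAN_FOUND = ["/blog", "/wordpress", "/javascript", "/phpmyadmin"]
_SCAN_MISSED = ["/images", "/admin", "/cgi-bin", "/uploads", "/backup", "/test",
                "/old", "/tmp", "/docs", "/static", "/css", "/js", "/api",
                "/login", "/media", "/files"]
SAMPLE_LOG = [
    f'10.10.9.2 - - [05/Nov/2023:10:00:0{i % 6} +0000] "GET {p} HTTP/1.1" 301 312'
    for i, p in enumerate(_SCAN_FOUND)
] + [
    f'10.10.9.2 - - [05/Nov/2023:10:00:0{i % 6} +0000] "GET {p} HTTP/1.1" 404 275'
    for i, p in enumerate(_SCAN_MISSED)
] + [
    '10.10.9.50 - - [05/Nov/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 10918',
    '10.10.9.50 - - [05/Nov/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 10918',
    '10.10.9.50 - - [05/Nov/2023:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 275',
]


def parse_line(line):
    """Parse one access-log line into a dict (ip, ts, method, path, status, size).

    Returns None for lines that do not match the common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window_s=60, min_404=10, min_ratio=0.8):
    """Return {ip: summary} for clients whose 404 responses cover at least
    `min_404` distinct paths inside some `window_s`-second window and make up
    at least `min_ratio` of that client's requests (thresholds are assumed)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        not_found = [r for r in recs if r["status"] == 404]
        ratio = len(not_found) / len(recs)
        if ratio < min_ratio:
            continue
        # Sliding window over the 404 events: count distinct paths in the
        # busiest window so a slow scan spread over hours is not over-counted.
        start, best = 0, 0
        for end in range(len(not_found)):
            while (not_found[end]["ts"] - not_found[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, len({r["path"] for r in not_found[start:end + 1]}))
        if best >= min_404:
            hits[ip] = {
                "requests": len(recs),
                "not_found": len(not_found),
                "distinct_404_paths": best,
                "ratio": round(ratio, 2),
            }
    return hits


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample only 10.10.9.2 is flagged; the legitimate visitor's single 404 for /favicon.ico stays well under both the path-count and the ratio threshold. On a real server the thresholds should be tuned against a baseline of normal traffic, since a site with many dead links will raise the ordinary 404 rate.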
Last modified 2023.11.05