## `ir.inlanefreight.local`

### enum

- this is a wordpress page
  ![[images/Pasted image 20260628152303.png]]
- `/wp-admin`
  ![[images/Pasted image 20260628152353.png]]
- `admin:admin` doesn't work
- forgot password could work with imap/pop3
  ![[images/Pasted image 20260628152503.png]]

### `wpscan`

- run `wpscan` enum with output file and aggressive detection mode

```bash
sudo wpscan --url ir.inlanefreight.local -e -o ir.wpscan -v --detection-mode aggressive
```

- running version 6.0
  ![[images/Pasted image 20260628200730.png]]
- several users found
  ![[images/Pasted image 20260628200748.png]]
- try brute force
  - we got a hit for `ilfreightwp`

```bash
sudo wpscan --url ir.inlanefreight.local -e u --passwords /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt
```

## access dashboard as `ilfreightwp`

- we are in as an administrator
  ![[images/Pasted image 20260628212725.png]]
- plugins
  ![[images/Pasted image 20260628212526.png]]
  - mail masta ver 1.0 is susceptible to:
    - CVE-2016-10956
      - LFI
      - grab `wp-config.php`
    - CVE-2017-6095, CVE-2017-6097, CVE-2017-6572
      - SQLi
- themes
  ![[images/Pasted image 20260628212606.png]]
- users
  ![[images/Pasted image 20260628212544.png]]

### `mail-masta` LFI

- try to `curl [..] /etc/passwd`
  - only `root` has a login shell?

```bash
# Quote the URL so the shell does not treat "?" as a glob character
curl -s 'http://ir.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd'
```

![[images/Pasted image 20260629204822.png]]

- try to curl apache logs
  ![[images/Pasted image 20260629205317.png]]
- try to curl `wp-config.php`
  ![[images/Pasted image 20260629210326.png]]

### edit themes

- edit inactive twenty-twenty theme
  ![[images/Pasted image 20260629210049.png]]
- we have RCE as `www-data`
  ![[images/Pasted image 20260629210143.png]]
- another flag
  ![[images/Pasted image 20260629210224.png]]
- confirmed that the vhost is running in a docker container
  ![[images/Pasted image 20260629212828.png]]
- `env` > password for wordpress_db
  ![[images/Pasted image 20260629212748.png]]
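
Defender-side view of the `mail-masta` LFI request above, as an added example that is not part of the original notes: a Python check that flags requests under the plugin path whose `pl` parameter decodes to an absolute path or a `..` traversal. It assumes Apache combined-format access logs; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log line: src ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PLUGIN_PREFIX = "/wp-content/plugins/mail-masta/"

# Constructed sample log lines (documentation IP ranges), not taken from the lab host.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2026:20:48:22 +0000] "GET /wp-content/plugins/mail-masta'
    '/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.5.0"',
    '203.0.113.7 - - [29/Jun/2026:21:03:26 +0000] "GET /wp-content/plugins/mail-masta'
    '/inc/campaign/count_of_send.php?pl=..%252F..%252F..%252F..%252Fwp-config.php'
    ' HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.20 - - [29/Jun/2026:21:05:01 +0000] "GET /wp-content/plugins/mail-masta'
    '/lib/css/mm_frontend.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def decode_fully(value, rounds=3):
    """Percent-decode `rounds` times so double-encoded values are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_pl(value):
    """Return why a pl value reaches outside the plugin directory, or None."""
    path = decode_fully(value).replace("\\", "/")
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "directory traversal"
    return None

def find_lfi_requests(lines):
    """Return (src, time, status, decoded pl, reason) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if url is None or not decode_fully(url.path).startswith(PLUGIN_PREFIX):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("pl", []):
            reason = suspicious_pl(value)
            if reason:
                hits.append((m["src"], m["ts"], int(m["status"]),
                             decode_fully(value), reason))
    return hits
```

Calling `find_lfi_requests(SAMPLE_LOG)` returns the two `count_of_send.php` requests and skips the stylesheet fetch; flagged requests that returned status 200 are the ones to triage first.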