Enumeration

First things first. let’s test the connection with the target machine:

The ttl value of 63 may indicate that the target machine is Linux.

Let’s launch a nmap scan in order to discover the open tcp ports:

There are 3 ports open: 22 (ssh), 80 (http), 443 (https).

Let’s see what is hosted in the http and https ports:

Seems to be the same page.

Wappalizer confirms the versions of apache and openssl. I’m going to search if any of this services has a vulnerability I can use:

Not apparently… Let’s enumerate the directories using wfuzz:

wfuzz -c --hc 404,403 -L -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.11.143/FUZZ

Looks like a standard page…

Ok, no clues. Let’s go back and see what we found so far…

Taking a look to the whatweb response, there is something that looks like a domain… office.paper let’s add it to the /etc/hosts file and take a look to it in the web browser:

Yeah, there is a website here!

This site is using WordPress 5.2.3

Let’s take a look to the page content…

The post says that the only user in the blog is Prisonmike, but another user (nick) replied telling him that he has secret information in the blog drafts. If we gain access to the administration panel we should take a look to the drafts.

There is nothing interesting in the other 2 post available, but we can find other 2 posts if we click on Search button:

A simple test post and another one of Nick reminding him to not write secrets in the drafts.

We didn’t found anything that could be a password for Prisonmike user, so let’s try to login with default credentials:

admin is not a valid user, but prisonmike is. But we still don’t know the password.

Using searchsploit I found a exploit that seems capable of view unauthenticated posts…

Let’s try it!

So, yeah, we have access to the draft posts contents… There is one with a “secret” url that seems interesting… Let’s add chat.office.paper to /ect/hosts file and visit it with the web-browser