gistfile1.txt - Opengist

gistfile1.txt · 32 KiB · Text Raw

Trilocor Robotics Ltd. (“Trilocor” herein) invited you to a private assessment to perform a targeted Web Application Penetration Test of Trilocor’s externally facing web applications to identify high-risk security weaknesses, determine the impact to Trilocor, document all findings in a clear and repeatable manner, and provide remediation recommendations. The following types of findings are in-scope for this assessment: * Sensitive or personally identifiable information disclosure * Cross-Site Scripting (XSS) * Remote Code Execution (RCE) * Arbitrary file upload * All forms of session attacks * All forms of server-side attacks (excluding DoS ones) * Authentication or authorization flaws, such as insecure direct object references (IDOR) and authentication bypasses * All forms of injection vulnerabilities * Directory traversal * Local file read * Significant security misconfigurations and business logic flaws * Exposed credentials that could be leveraged to gain further access The following types of activities are considered out-of-scope for this assessment: * Scanning and assessing any other IP in the Entry Point's network * Physical attacks against Trilocor properties * Unverified scanner output * Man-in-the-Middle attacks * Any vulnerabilities identified through DDoS or spam attacks * Self-XSS * Login/logout CSRF * Issues with SSL certificates, open ports, TLS versions, or missing HTTP response headers * Vulnerabilities in third-party libraries unless they can be leveraged to significantly impact the target * Any theoretical attacks or attacks that require significant user interaction or low risk Scope The scope of this assessment is as follows: * www.trilocor.local, any identified *.trilocor.local subdomain and any open web server ports discovered on the "Entry Point" IP address that will become visible upon pressing "SPAWN INSTANCE" (Step 2 below). * Scanning any other IP in the Entry Point's network is NOT allowed! * Five (5) different applications exist, as well as simulated users in certain application locations that you can attack. URL Description www.trilocor.local Main Trilocor website Discover the port PR website Discover the port Jobs portal Discover the port HR website Discover the port Online shop Connectivity Prerequisites If you are using Pwnbox to conduct your exam web application security assessment activities, please make sure that eu-academy-exams-X or us-academy-exams-X is visible when opening a terminal. Then and only then Pwnbox will be able to reach the exam lab's applications. If you see otherwise, you will need to terminate any spawned Pwnbox in a module and spawn a new one from inside the exam lab's page (Step 1 below). If you are using your own attacking virtual machine to connect to the exam lab's VPN, then you can test your connectivity by adding an entry regarding www.trilocor.local in your virtual machine's hosts file and browsing http://www.trilocor.local. Exam Objectives To be awarded the HTB Certified Web Exploitation Specialist (HTB CWES) certification you must: * Obtain a minimum of 80 points by successfully completing the tasks below AND * Compose and submit a commercial-grade report including all identified vulnerabilities, evidence of successful exploitation (in a step-by-step manner), and remediation advice, based on the provided report template. TASK1 Try to gain access to the admin dashboard of Trilocor's main website to read the flag. (10 points) TASK2 Try to gain remote code execution on Trilocor's main website to read the (.txt) flag in the '/' directory. (5 points) TASK3 Try to bypass the login screen on Trilocor's HR dashboard application to read the flag. (5 points) TASK4 Try to gain remote code execution on Trilocor's HR dashboard application to read the (.txt) flag in the '/' directory. (15 points) TASK5 Try to gain access to the admin panel of Trilocor's Jobs Portal to read the flag. (10 points) TASK6 Try to gain remote code execution on Trilocor's Jobs Portal to read the (.txt) flag in the '/' directory. (10 points) TASK7 Try to gain access to Trilocor's PR admin panel to read the flag. (5 points) TASK8 Try to gain remote code execution on Trilocor's PR admin panel to read the (.txt) flag in the '/' directory. (15 points) TASK9 Try to gain admin access on Trilocor's Shop to read the flag. (10 points) TASK10 Try to gain remote code execution on the Trilocor Shop application to read the (.txt) flag in the '/' directory. (15 points) vi /etc/hosts 10.129.205.208 www.trilocor.local trilocor.local nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000 nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000 Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:14 KST Nmap scan report for 10.129.205.208 Host is up (0.21s latency). Not shown: 65528 closed tcp ports (reset), 2 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 80/tcp open http 8009/tcp open ajp13 8080/tcp open http-proxy 8088/tcp open radan-http 9000/tcp open cslistener Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds [Jan 01, 2026 - 18:17:56 (KST)] exegol-pentest /workspace # nmap -sC -sV -Pn -n --open -p80,8009,8080,8088,9000 10.129.205.208 --min-rate 3000 -oA cwes_svc Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:18 KST Nmap scan report for 10.129.205.208 Host is up (0.21s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Did not follow redirect to http://www.trilocor.local/ |_http-server-header: Apache/2.4.41 (Ubuntu) 8009/tcp open http nginx | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: Trilocor Public Relations |_ajp-methods: Failed to get a valid response for the OPTION request 8080/tcp open http Apache httpd 2.4.54 ((Unix)) |_http-open-proxy: Proxy might be redirecting requests | http-title: Trilocor - Job Portal |_Requested resource was /login.php |_http-server-header: Apache/2.4.54 (Unix) 8088/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Human Resources - Login 9000/tcp open http nginx |_http-title: TRILOCOR Shop | Home Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds [Jan 01, 2026 - 18:20:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/robots.txt HTTP/1.1 200 OK Date: Thu, 01 Jan 2026 09:21:06 GMT Server: Apache/2.4.41 (Ubuntu) Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/" Vary: Accept-Encoding Content-Length: 118 Content-Type: text/plain; charset=utf-8 User-agent: * Disallow: /wp-admin/ Allow: /wp-admin/admin-ajax.php Sitemap: http://www.trilocor.local/wp-sitemap.xml [Jan 01, 2026 - 18:29:50 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-login.php | sed -n '1,20p' HTTP/1.1 403 Forbidden Date: Thu, 01 Jan 2026 09:33:10 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 283 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address> </body></html> [Jan 01, 2026 - 18:28:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-json/wp/v2/users HTTP/1.1 200 OK Date: Thu, 01 Jan 2026 09:29:03 GMT Server: Apache/2.4.41 (Ubuntu) X-Robots-Tag: noindex Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/" X-Content-Type-Options: nosniff Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type X-WP-Total: 1 X-WP-TotalPages: 1 Allow: GET Vary: Origin Content-Length: 643 Content-Type: application/json; charset=UTF-8 [{"id":1,"name":"web-admin","url":"http:\/\/www.trilocor.local","description":"","link":"http:\/\/www.trilocor.local\/index.php\/author\/web-admin\/","slug":"web-admin","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users"}]}}]# [Jan 01, 2026 - 18:38:10 (KST)] exegol-pentest /workspace # curl -s http://www.trilocor.local/ \ | grep -Eo 'wp-content/(plugins|themes)/[^/"]+' \ | sort -u wp-content/plugins/elementor wp-content/themes/astra [Jan 01, 2026 - 18:56:31 (KST)] exegol-pentest /workspace # curl -X POST -i http://www.trilocor.local/xmlrpc.php \ -d "<methodCall><methodName>system.listMethods</methodName></methodCall>" HTTP/1.1 200 OK Date: Thu, 01 Jan 2026 09:56:36 GMT Server: Apache/2.4.41 (Ubuntu) Connection: close Vary: Accept-Encoding Content-Length: 4272 Content-Type: text/xml; charset=UTF-8 <?xml version="1.0" encoding="UTF-8"?> <methodResponse> <params> <param> <value> <array><data> <value><string>system.multicall</string></value> <value><string>system.listMethods</string></value> <value><string>system.getCapabilities</string></value> <value><string>demo.addTwoNumbers</string></value> <value><string>demo.sayHello</string></value> <value><string>pingback.extensions.getPingbacks</string></value> <value><string>pingback.ping</string></value> <value><string>mt.publishPost</string></value> <value><string>mt.getTrackbackPings</string></value> <value><string>mt.supportedTextFilters</string></value> <value><string>mt.supportedMethods</string></value> <value><string>mt.setPostCategories</string></value> <value><string>mt.getPostCategories</string></value> <value><string>mt.getRecentPostTitles</string></value> <value><string>mt.getCategoryList</string></value> <value><string>metaWeblog.getUsersBlogs</string></value> <value><string>metaWeblog.deletePost</string></value> <value><string>metaWeblog.newMediaObject</string></value> <value><string>metaWeblog.getCategories</string></value> <value><string>metaWeblog.getRecentPosts</string></value> <value><string>metaWeblog.getPost</string></value> <value><string>metaWeblog.editPost</string></value> <value><string>metaWeblog.newPost</string></value> <value><string>blogger.deletePost</string></value> <value><string>blogger.editPost</string></value> <value><string>blogger.newPost</string></value> <value><string>blogger.getRecentPosts</string></value> <value><string>blogger.getPost</string></value> <value><string>blogger.getUserInfo</string></value> <value><string>blogger.getUsersBlogs</string></value> <value><string>wp.restoreRevision</string></value> <value><string>wp.getRevisions</string></value> <value><string>wp.getPostTypes</string></value> <value><string>wp.getPostType</string></value> <value><string>wp.getPostFormats</string></value> <value><string>wp.getMediaLibrary</string></value> <value><string>wp.getMediaItem</string></value> <value><string>wp.getCommentStatusList</string></value> <value><string>wp.newComment</string></value> <value><string>wp.editComment</string></value> <value><string>wp.deleteComment</string></value> <value><string>wp.getComments</string></value> <value><string>wp.getComment</string></value> <value><string>wp.setOptions</string></value> <value><string>wp.getOptions</string></value> <value><string>wp.getPageTemplates</string></value> <value><string>wp.getPageStatusList</string></value> <value><string>wp.getPostStatusList</string></value> <value><string>wp.getCommentCount</string></value> <value><string>wp.deleteFile</string></value> <value><string>wp.uploadFile</string></value> <value><string>wp.suggestCategories</string></value> <value><string>wp.deleteCategory</string></value> <value><string>wp.newCategory</string></value> <value><string>wp.getTags</string></value> <value><string>wp.getCategories</string></value> <value><string>wp.getAuthors</string></value> <value><string>wp.getPageList</string></value> <value><string>wp.editPage</string></value> <value><string>wp.deletePage</string></value> <value><string>wp.newPage</string></value> <value><string>wp.getPages</string></value> <value><string>wp.getPage</string></value> <value><string>wp.editProfile</string></value> <value><string>wp.getProfile</string></value> <value><string>wp.getUsers</string></value> <value><string>wp.getUser</string></value> <value><string>wp.getTaxonomies</string></value> <value><string>wp.getTaxonomy</string></value> <value><string>wp.getTerms</string></value> <value><string>wp.getTerm</string></value> <value><string>wp.deleteTerm</string></value> <value><string>wp.editTerm</string></value> <value><string>wp.newTerm</string></value> <value><string>wp.getPosts</string></value> <value><string>wp.getPost</string></value> <value><string>wp.deletePost</string></value> <value><string>wp.editPost</string></value> <value><string>wp.newPost</string></value> <value><string>wp.getUsersBlogs</string></value> </data></array> </value> </param> </params> </methodResponse> [Jan 01, 2026 - 19:09:03 (KST)] exegol-pentest /workspace # wpscan --url http://www.trilocor.local --usernames web-admin --passwords /usr/share/wordlists/rockyou.txt _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.28 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] Updating the Database ... [i] Update completed. [+] URL: http://www.trilocor.local/ [10.129.205.208] [+] Started: Thu Jan 1 19:09:16 2026 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.41 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] robots.txt found: http://www.trilocor.local/robots.txt | Interesting Entries: | - /wp-admin/ | - /wp-admin/admin-ajax.php | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://www.trilocor.local/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] The external WP-Cron seems to be enabled: http://www.trilocor.local/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30). | Found By: Rss Generator (Passive Detection) | - http://www.trilocor.local/index.php/feed/, <generator>https://wordpress.org/?v=6.0.2</generator> | - http://www.trilocor.local/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0.2</generator> [+] WordPress theme in use: astra | Location: http://www.trilocor.local/wp-content/themes/astra/ | Last Updated: 2025-12-16T00:00:00.000Z | Readme: http://www.trilocor.local/wp-content/themes/astra/readme.txt | [!] The version is out of date, the latest version is 4.11.18 | Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css | Style Name: Astra | Style URI: https://wpastra.com/ | Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,... | Author: Brainstorm Force | Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme | | Found By: Urls In Homepage (Passive Detection) | Confirmed By: Urls In 404 Page (Passive Detection) | | Version: 3.9.2 (80% confidence) | Found By: Style (Passive Detection) | - http://www.trilocor.local/wp-content/themes/astra/style.css, Match: 'Version: 3.9.2' [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] Plugin(s) Identified: [+] elementor | Location: http://www.trilocor.local/wp-content/plugins/elementor/ | Last Updated: 2025-12-22T12:28:00.000Z | [!] The version is out of date, the latest version is 3.34.0 | | Found By: Urls In Homepage (Passive Detection) | | Version: 3.7.7 (100% confidence) | Found By: Query Parameter (Passive Detection) | - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.7.7 | Confirmed By: | Readme - Stable Tag (Aggressive Detection) | - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt | Readme - ChangeLog Section (Aggressive Detection) | - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:08 <=> (137 / 137) 100.00% Time: 00:00:08 [Jan 01, 2026 - 19:41:31 (KST)] exegol-pentest /workspace # ffuf -u http://trilocor.local/wp-admin/FUZZ -w `fzf-wordlists` -e .php -ac -c /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0 ________________________________________________ :: Method : GET :: URL : http://trilocor.local/wp-admin/FUZZ :: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt :: Extensions : .php :: Follow redirects : false :: Calibration : true :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 ________________________________________________ [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2340ms] about.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 7588ms] admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1389ms] admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1400ms] GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.trilocor.local%2Fwp-admin%2Fadmin.php&reauth=1 HTTP/1.1 Host: www.trilocor.local User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Upgrade-Insecure-Requests: 1 Priority: u=0, i [Jan 01, 2026 - 20:45:46 (KST)] exegol-pentest /workspace # curl -i "http://www.trilocor.local/wp-login.php" HTTP/1.1 403 Forbidden Date: Thu, 01 Jan 2026 11:58:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 283 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address> </body></html> [Jan 01, 2026 - 21:19:22 (KST)] exegol-pentest /workspace # curl -si http://www.trilocor.local/wp-admin/admin-ajax.php HTTP/1.1 400 Bad Request Date: Thu, 01 Jan 2026 12:19:52 GMT Server: Apache/2.4.41 (Ubuntu) X-Robots-Tag: noindex Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 0# ------- [Jan 01, 2026 - 21:46:34 (KST)] exegol-pentest /workspace # ffuf -w `fzf-wordlists` -H "Host:FUZZ.trilocor.local" -u http://www.trilocor.local/ -ic -c /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0 ________________________________________________ :: Method : GET :: URL : http://www.trilocor.local/ :: Wordlist : FUZZ: /opt/lists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt :: Header : Host: FUZZ.trilocor.local :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 ________________________________________________ admin [Status: 200, Size: 5599, Words: 223, Lines: 88, Duration: 357ms] http://admin.trilocor.local/ [Jan 01, 2026 - 21:46:24 (KST)] exegol-pentest /workspace # curl -s http://admin.trilocor.local <!DOCTYPE html> <html lang="en-US"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Log In &lsaquo; Trilocor — WordPress</title> <meta name='robots' content='max-image-preview:large, noindex, noarchive' /> <link rel='dns-prefetch' href='//s.w.org' /> <link rel='stylesheet' id='dashicons-css' href='http://admin.trilocor.local/wp-includes/css/dashicons.min.css?ver=6.0.2' media='all' /> <link rel='stylesheet' id='buttons-css' href='http://admin.trilocor.local/wp-includes/css/buttons.min.css?ver=6.0.2' media='all' /> <link rel='stylesheet' id='forms-css' href='http://admin.trilocor.local/wp-admin/css/forms.min.css?ver=6.0.2' media='all' /> <link rel='stylesheet' id='l10n-css' href='http://admin.trilocor.local/wp-admin/css/l10n.min.css?ver=6.0.2' media='all' /> <link rel='stylesheet' id='login-css' href='http://admin.trilocor.local/wp-admin/css/login.min.css?ver=6.0.2' media='all' /> <meta name='referrer' content='strict-origin-when-cross-origin' /> <meta name="viewport" content="width=device-width" /> </head> <body class="login no-js login-action-login wp-core-ui locale-en-us"> <script type="text/javascript"> document.body.className = document.body.className.replace('no-js','js'); </script> <div id="login"> <h1><a href="https://wordpress.org/">Powered by WordPress</a></h1> <form name="loginform" id="loginform" action="http://admin.trilocor.local/wp-login.php" method="post"> <p> <label for="user_login">Username or Email Address</label> <input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" autocomplete="username" /> </p> <div class="user-pass-wrap"> <label for="user_pass">Password</label> <div class="wp-pwd"> <input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20" autocomplete="current-password" /> <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password"> <span class="dashicons dashicons-visibility" aria-hidden="true"></span> </button> </div> </div> <p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> <label for="rememberme">Remember Me</label></p> <p class="submit"> <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" /> <input type="hidden" name="redirect_to" value="http://admin.trilocor.local/wp-admin/" /> <input type="hidden" name="testcookie" value="1" /> </p> </form> <p id="nav"> <a href="http://admin.trilocor.local/wp-login.php?action=lostpassword">Lost your password?</a> </p> <script type="text/javascript"> function wp_attempt_focus() {setTimeout( function() {try {d = document.getElementById( "user_login" );d.focus(); d.select();} catch( er ) {}}, 200);} wp_attempt_focus(); if ( typeof wpOnload === 'function' ) { wpOnload() } </script> <p id="backtoblog"> <a href="http://admin.trilocor.local/">← Go to Trilocor</a> </p> </div> <script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script> <script id='zxcvbn-async-js-extra'> var _zxcvbnSettings = {"src":"http:\/\/admin.trilocor.local\/wp-includes\/js\/zxcvbn.min.js"}; </script> <script src='http://admin.trilocor.local/wp-includes/js/zxcvbn-async.min.js?ver=1.0' id='zxcvbn-async-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9' id='regenerator-runtime-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3' id='wp-hooks-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/dist/i18n.min.js?ver=ebee46757c6a411e38fd079a7ac71d94' id='wp-i18n-js'></script> <script id='wp-i18n-js-after'> wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); </script> <script id='password-strength-meter-js-extra'> var pwsL10n = {"unknown":"Password strength unknown","short":"Very weak","bad":"Weak","good":"Medium","strong":"Strong","mismatch":"Mismatch"}; </script> <script src='http://admin.trilocor.local/wp-admin/js/password-strength-meter.min.js?ver=6.0.2' id='password-strength-meter-js'></script> <script src='http://admin.trilocor.local/wp-includes/js/underscore.min.js?ver=1.13.3' id='underscore-js'></script> <script id='wp-util-js-extra'> var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}}; </script> <script src='http://admin.trilocor.local/wp-includes/js/wp-util.min.js?ver=6.0.2' id='wp-util-js'></script> <script id='user-profile-js-extra'> var userProfileL10n = {"user_id":"0","nonce":"ea584adfea"}; </script> <script src='http://admin.trilocor.local/wp-admin/js/user-profile.min.js?ver=6.0.2' id='user-profile-js'></script> <script> /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1); </script> <div class="clear"></div> </body> </html> # [Jan 01, 2026 - 22:32:15 (KST)] exegol-pentest /workspace # wpscan --url http://admin.trilocor.local --usernames web-admin --passwords `fzf-wordlists` --password-attack xmlrpc -t 20 _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.28 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://admin.trilocor.local/ [10.129.205.208] [+] Started: Thu Jan 1 22:59:53 2026 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.41 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] robots.txt found: http://admin.trilocor.local/robots.txt | Interesting Entries: | - /wp-admin/ | - /wp-admin/admin-ajax.php | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://admin.trilocor.local/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] The external WP-Cron seems to be enabled: http://admin.trilocor.local/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30). | Found By: Emoji Settings (Passive Detection) | - http://admin.trilocor.local/a6a1910.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.2' | Confirmed By: Meta Generator (Passive Detection) | - http://admin.trilocor.local/a6a1910.html, Match: 'WordPress 6.0.2' 지금 태스크 1 에서 막혀있는데, 풀이 방법을 알려줘.

1	Trilocor Robotics Ltd. (“Trilocor” herein) invited you to a private assessment to perform a targeted Web Application Penetration Test of Trilocor’s externally facing web applications to identify high-risk security weaknesses, determine the impact to Trilocor, document all findings in a clear and repeatable manner, and provide remediation recommendations.
2	The following types of findings are in-scope for this assessment:
3
4	* Sensitive or personally identifiable information disclosure
5
6	* Cross-Site Scripting (XSS)
7
8	* Remote Code Execution (RCE)
9
10	* Arbitrary file upload
11
12	* All forms of session attacks
13
14	* All forms of server-side attacks (excluding DoS ones)
15
16	* Authentication or authorization flaws, such as insecure direct object references (IDOR) and authentication bypasses
17
18	* All forms of injection vulnerabilities
19
20	* Directory traversal
21
22	* Local file read
23
24	* Significant security misconfigurations and business logic flaws
25
26	* Exposed credentials that could be leveraged to gain further access
27
28	The following types of activities are considered out-of-scope for this assessment:
29
30	* Scanning and assessing any other IP in the Entry Point's network
31
32	* Physical attacks against Trilocor properties
33
34	* Unverified scanner output
35
36	* Man-in-the-Middle attacks
37
38	* Any vulnerabilities identified through DDoS or spam attacks
39
40	* Self-XSS
41
42	* Login/logout CSRF
43
44	* Issues with SSL certificates, open ports, TLS versions, or missing HTTP response headers
45
46	* Vulnerabilities in third-party libraries unless they can be leveraged to significantly impact the target
47
48	* Any theoretical attacks or attacks that require significant user interaction or low risk
49
50	Scope
51	The scope of this assessment is as follows:
52
53	* www.trilocor.local, any identified *.trilocor.local subdomain and any open web server ports discovered on the "Entry Point" IP address that will become visible upon pressing "SPAWN INSTANCE" (Step 2 below).
54
55	* Scanning any other IP in the Entry Point's network is NOT allowed!
56
57	* Five (5) different applications exist, as well as simulated users in certain application locations that you can attack.
58
59	URL
60	Description
61	www.trilocor.local
62	Main Trilocor website
63	Discover the port
64	PR website
65	Discover the port
66	Jobs portal
67	Discover the port
68	HR website
69	Discover the port
70	Online shop
71	Connectivity Prerequisites
72	If you are using Pwnbox to conduct your exam web application security assessment activities, please make sure that eu-academy-exams-X or us-academy-exams-X is visible when opening a terminal. Then and only then Pwnbox will be able to reach the exam lab's applications. If you see otherwise, you will need to terminate any spawned Pwnbox in a module and spawn a new one from inside the exam lab's page (Step 1 below).
73	If you are using your own attacking virtual machine to connect to the exam lab's VPN, then you can test your connectivity by adding an entry regarding www.trilocor.local in your virtual machine's hosts file and browsing http://www.trilocor.local.
74	Exam Objectives
75	To be awarded the HTB Certified Web Exploitation Specialist (HTB CWES) certification you must:
76
77	* Obtain a minimum of 80 points by successfully completing the tasks below AND
78
79	* Compose and submit a commercial-grade report including all identified vulnerabilities, evidence of successful exploitation (in a step-by-step manner), and remediation advice, based on the provided report template.
80
81
82
83
84	TASK1
85	Try to gain access to the admin dashboard of Trilocor's main website to read the flag. (10 points)
86
87	TASK2
88	Try to gain remote code execution on Trilocor's main website to read the (.txt) flag in the '/' directory. (5 points)
89
90	TASK3
91	Try to bypass the login screen on Trilocor's HR dashboard application to read the flag. (5 points)
92
93	TASK4
94	Try to gain remote code execution on Trilocor's HR dashboard application to read the (.txt) flag in the '/' directory. (15 points)
95
96	TASK5
97	Try to gain access to the admin panel of Trilocor's Jobs Portal to read the flag. (10 points)
98
99	TASK6
100	Try to gain remote code execution on Trilocor's Jobs Portal to read the (.txt) flag in the '/' directory. (10 points)
101
102	TASK7
103	Try to gain access to Trilocor's PR admin panel to read the flag. (5 points)
104
105	TASK8
106	Try to gain remote code execution on Trilocor's PR admin panel to read the (.txt) flag in the '/' directory. (15 points)
107
108	TASK9
109	Try to gain admin access on Trilocor's Shop to read the flag. (10 points)
110
111	TASK10
112	Try to gain remote code execution on the Trilocor Shop application to read the (.txt) flag in the '/' directory. (15 points)
113
114
115
116
117
118
119	vi /etc/hosts
120	10.129.205.208 www.trilocor.local trilocor.local
121
122
123
124
125	nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000
126
127	nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000
128	Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:14 KST
129	Nmap scan report for 10.129.205.208
130	Host is up (0.21s latency).
131	Not shown: 65528 closed tcp ports (reset), 2 filtered tcp ports (no-response)
132	Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
133	PORT STATE SERVICE
134	80/tcp open http
135	8009/tcp open ajp13
136	8080/tcp open http-proxy
137	8088/tcp open radan-http
138	9000/tcp open cslistener
139
140	Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds
141
142
143
144
145	[Jan 01, 2026 - 18:17:56 (KST)] exegol-pentest /workspace # nmap -sC -sV -Pn -n --open -p80,8009,8080,8088,9000 10.129.205.208 --min-rate 3000 -oA cwes_svc
146	Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:18 KST
147	Nmap scan report for 10.129.205.208
148	Host is up (0.21s latency).
149
150	PORT STATE SERVICE VERSION
151	80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
152	\|_http-title: Did not follow redirect to http://www.trilocor.local/
153	\|_http-server-header: Apache/2.4.41 (Ubuntu)
154	8009/tcp open http nginx
155	\| http-cookie-flags:
156	\| /:
157	\| PHPSESSID:
158	\|_ httponly flag not set
159	\|_http-title: Trilocor Public Relations
160	\|_ajp-methods: Failed to get a valid response for the OPTION request
161	8080/tcp open http Apache httpd 2.4.54 ((Unix))
162	\|_http-open-proxy: Proxy might be redirecting requests
163	\| http-title: Trilocor - Job Portal
164	\|_Requested resource was /login.php
165	\|_http-server-header: Apache/2.4.54 (Unix)
166	8088/tcp open http Apache httpd 2.4.41 ((Ubuntu))
167	\|_http-server-header: Apache/2.4.41 (Ubuntu)
168	\|_http-title: Human Resources - Login
169	9000/tcp open http nginx
170	\|_http-title: TRILOCOR Shop \| Home
171
172	Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
173	Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds
174
175
176
177
178	[Jan 01, 2026 - 18:20:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/robots.txt
179	HTTP/1.1 200 OK
180	Date: Thu, 01 Jan 2026 09:21:06 GMT
181	Server: Apache/2.4.41 (Ubuntu)
182	Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/"
183	Vary: Accept-Encoding
184	Content-Length: 118
185	Content-Type: text/plain; charset=utf-8
186
187	User-agent: *
188	Disallow: /wp-admin/
189	Allow: /wp-admin/admin-ajax.php
190
191	Sitemap: http://www.trilocor.local/wp-sitemap.xml
192
193
194
195
196
197	[Jan 01, 2026 - 18:29:50 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-login.php \| sed -n '1,20p'
198
199	HTTP/1.1 403 Forbidden
200	Date: Thu, 01 Jan 2026 09:33:10 GMT
201	Server: Apache/2.4.41 (Ubuntu)
202	Content-Length: 283
203	Content-Type: text/html; charset=iso-8859-1
204
205	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
206	<html><head>
207	<title>403 Forbidden</title>
208	</head><body>
209	<h1>Forbidden</h1>
210	<p>You don't have permission to access this resource.</p>
211	<hr>
212	<address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address>
213	</body></html>
214
215
216
217
218
219
220
221	[Jan 01, 2026 - 18:28:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-json/wp/v2/users
222	HTTP/1.1 200 OK
223	Date: Thu, 01 Jan 2026 09:29:03 GMT
224	Server: Apache/2.4.41 (Ubuntu)
225	X-Robots-Tag: noindex
226	Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/"
227	X-Content-Type-Options: nosniff
228	Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
229	Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
230	X-WP-Total: 1
231	X-WP-TotalPages: 1
232	Allow: GET
233	Vary: Origin
234	Content-Length: 643
235	Content-Type: application/json; charset=UTF-8
236
237	[{"id":1,"name":"web-admin","url":"http:\/\/www.trilocor.local","description":"","link":"http:\/\/www.trilocor.local\/index.php\/author\/web-admin\/","slug":"web-admin","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users"}]}}]#
238
239
240
241
242	[Jan 01, 2026 - 18:38:10 (KST)] exegol-pentest /workspace # curl -s http://www.trilocor.local/ \
243	\| grep -Eo 'wp-content/(plugins\|themes)/[^/"]+' \
244	\| sort -u
245
246	wp-content/plugins/elementor
247	wp-content/themes/astra
248
249
250
251
252	[Jan 01, 2026 - 18:56:31 (KST)] exegol-pentest /workspace # curl -X POST -i http://www.trilocor.local/xmlrpc.php \
253	-d "<methodCall><methodName>system.listMethods</methodName></methodCall>"
254	HTTP/1.1 200 OK
255	Date: Thu, 01 Jan 2026 09:56:36 GMT
256	Server: Apache/2.4.41 (Ubuntu)
257	Connection: close
258	Vary: Accept-Encoding
259	Content-Length: 4272
260	Content-Type: text/xml; charset=UTF-8
261
262	<?xml version="1.0" encoding="UTF-8"?>
263	<methodResponse>
264	<params>
265	<param>
266	<value>
267	<array><data>
268	<value><string>system.multicall</string></value>
269	<value><string>system.listMethods</string></value>
270	<value><string>system.getCapabilities</string></value>
271	<value><string>demo.addTwoNumbers</string></value>
272	<value><string>demo.sayHello</string></value>
273	<value><string>pingback.extensions.getPingbacks</string></value>
274	<value><string>pingback.ping</string></value>
275	<value><string>mt.publishPost</string></value>
276	<value><string>mt.getTrackbackPings</string></value>
277	<value><string>mt.supportedTextFilters</string></value>
278	<value><string>mt.supportedMethods</string></value>
279	<value><string>mt.setPostCategories</string></value>
280	<value><string>mt.getPostCategories</string></value>
281	<value><string>mt.getRecentPostTitles</string></value>
282	<value><string>mt.getCategoryList</string></value>
283	<value><string>metaWeblog.getUsersBlogs</string></value>
284	<value><string>metaWeblog.deletePost</string></value>
285	<value><string>metaWeblog.newMediaObject</string></value>
286	<value><string>metaWeblog.getCategories</string></value>
287	<value><string>metaWeblog.getRecentPosts</string></value>
288	<value><string>metaWeblog.getPost</string></value>
289	<value><string>metaWeblog.editPost</string></value>
290	<value><string>metaWeblog.newPost</string></value>
291	<value><string>blogger.deletePost</string></value>
292	<value><string>blogger.editPost</string></value>
293	<value><string>blogger.newPost</string></value>
294	<value><string>blogger.getRecentPosts</string></value>
295	<value><string>blogger.getPost</string></value>
296	<value><string>blogger.getUserInfo</string></value>
297	<value><string>blogger.getUsersBlogs</string></value>
298	<value><string>wp.restoreRevision</string></value>
299	<value><string>wp.getRevisions</string></value>
300	<value><string>wp.getPostTypes</string></value>
301	<value><string>wp.getPostType</string></value>
302	<value><string>wp.getPostFormats</string></value>
303	<value><string>wp.getMediaLibrary</string></value>
304	<value><string>wp.getMediaItem</string></value>
305	<value><string>wp.getCommentStatusList</string></value>
306	<value><string>wp.newComment</string></value>
307	<value><string>wp.editComment</string></value>
308	<value><string>wp.deleteComment</string></value>
309	<value><string>wp.getComments</string></value>
310	<value><string>wp.getComment</string></value>
311	<value><string>wp.setOptions</string></value>
312	<value><string>wp.getOptions</string></value>
313	<value><string>wp.getPageTemplates</string></value>
314	<value><string>wp.getPageStatusList</string></value>
315	<value><string>wp.getPostStatusList</string></value>
316	<value><string>wp.getCommentCount</string></value>
317	<value><string>wp.deleteFile</string></value>
318	<value><string>wp.uploadFile</string></value>
319	<value><string>wp.suggestCategories</string></value>
320	<value><string>wp.deleteCategory</string></value>
321	<value><string>wp.newCategory</string></value>
322	<value><string>wp.getTags</string></value>
323	<value><string>wp.getCategories</string></value>
324	<value><string>wp.getAuthors</string></value>
325	<value><string>wp.getPageList</string></value>
326	<value><string>wp.editPage</string></value>
327	<value><string>wp.deletePage</string></value>
328	<value><string>wp.newPage</string></value>
329	<value><string>wp.getPages</string></value>
330	<value><string>wp.getPage</string></value>
331	<value><string>wp.editProfile</string></value>
332	<value><string>wp.getProfile</string></value>
333	<value><string>wp.getUsers</string></value>
334	<value><string>wp.getUser</string></value>
335	<value><string>wp.getTaxonomies</string></value>
336	<value><string>wp.getTaxonomy</string></value>
337	<value><string>wp.getTerms</string></value>
338	<value><string>wp.getTerm</string></value>
339	<value><string>wp.deleteTerm</string></value>
340	<value><string>wp.editTerm</string></value>
341	<value><string>wp.newTerm</string></value>
342	<value><string>wp.getPosts</string></value>
343	<value><string>wp.getPost</string></value>
344	<value><string>wp.deletePost</string></value>
345	<value><string>wp.editPost</string></value>
346	<value><string>wp.newPost</string></value>
347	<value><string>wp.getUsersBlogs</string></value>
348	</data></array>
349	</value>
350	</param>
351	</params>
352	</methodResponse>
353
354
355
356
357
358	[Jan 01, 2026 - 19:09:03 (KST)] exegol-pentest /workspace # wpscan --url http://www.trilocor.local --usernames web-admin --passwords /usr/share/wordlists/rockyou.txt
359	_______________________________________________________________
360	__ _______ _____
361	\ \ / / __ \ / ____\|
362	\ \ /\ / /\| \|__) \| (___ ___ __ _ _ __ ®
363	\ \/ \/ / \| ___/ \___ \ / __\|/ _` \| '_ \
364	\ /\ / \| \| ____) \| (__\| (_\| \| \| \| \|
365	\/ \/ \|_\| \|_____/ \___\|\__,_\|_\| \|_\|
366
367	WordPress Security Scanner by the WPScan Team
368	Version 3.8.28
369
370	@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
371	_______________________________________________________________
372
373	[i] Updating the Database ...
374	[i] Update completed.
375
376	[+] URL: http://www.trilocor.local/ [10.129.205.208]
377	[+] Started: Thu Jan 1 19:09:16 2026
378
379	Interesting Finding(s):
380
381	[+] Headers
382	\| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
383	\| Found By: Headers (Passive Detection)
384	\| Confidence: 100%
385
386	[+] robots.txt found: http://www.trilocor.local/robots.txt
387	\| Interesting Entries:
388	\| - /wp-admin/
389	\| - /wp-admin/admin-ajax.php
390	\| Found By: Robots Txt (Aggressive Detection)
391	\| Confidence: 100%
392
393	[+] XML-RPC seems to be enabled: http://www.trilocor.local/xmlrpc.php
394	\| Found By: Direct Access (Aggressive Detection)
395	\| Confidence: 100%
396	\| References:
397	\| - http://codex.wordpress.org/XML-RPC_Pingback_API
398	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
399	\| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
400	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
401	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
402
403	[+] The external WP-Cron seems to be enabled: http://www.trilocor.local/wp-cron.php
404	\| Found By: Direct Access (Aggressive Detection)
405	\| Confidence: 60%
406	\| References:
407	\| - https://www.iplocation.net/defend-wordpress-from-ddos
408	\| - https://github.com/wpscanteam/wpscan/issues/1299
409
410	[+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
411	\| Found By: Rss Generator (Passive Detection)
412	\| - http://www.trilocor.local/index.php/feed/, <generator>https://wordpress.org/?v=6.0.2</generator>
413	\| - http://www.trilocor.local/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0.2</generator>
414
415	[+] WordPress theme in use: astra
416	\| Location: http://www.trilocor.local/wp-content/themes/astra/
417	\| Last Updated: 2025-12-16T00:00:00.000Z
418	\| Readme: http://www.trilocor.local/wp-content/themes/astra/readme.txt
419	\| [!] The version is out of date, the latest version is 4.11.18
420	\| Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css
421	\| Style Name: Astra
422	\| Style URI: https://wpastra.com/
423	\| Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,...
424	\| Author: Brainstorm Force
425	\| Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme
426	\|
427	\| Found By: Urls In Homepage (Passive Detection)
428	\| Confirmed By: Urls In 404 Page (Passive Detection)
429	\|
430	\| Version: 3.9.2 (80% confidence)
431	\| Found By: Style (Passive Detection)
432	\| - http://www.trilocor.local/wp-content/themes/astra/style.css, Match: 'Version: 3.9.2'
433
434	[+] Enumerating All Plugins (via Passive Methods)
435	[+] Checking Plugin Versions (via Passive and Aggressive Methods)
436
437	[i] Plugin(s) Identified:
438
439	[+] elementor
440	\| Location: http://www.trilocor.local/wp-content/plugins/elementor/
441	\| Last Updated: 2025-12-22T12:28:00.000Z
442	\| [!] The version is out of date, the latest version is 3.34.0
443	\|
444	\| Found By: Urls In Homepage (Passive Detection)
445	\|
446	\| Version: 3.7.7 (100% confidence)
447	\| Found By: Query Parameter (Passive Detection)
448	\| - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.7.7
449	\| Confirmed By:
450	\| Readme - Stable Tag (Aggressive Detection)
451	\| - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt
452	\| Readme - ChangeLog Section (Aggressive Detection)
453	\| - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt
454
455	[+] Enumerating Config Backups (via Passive and Aggressive Methods)
456	Checking Config Backups - Time: 00:00:08 <=> (137 / 137) 100.00% Time: 00:00:08
457
458
459
460
461
462
463	[Jan 01, 2026 - 19:41:31 (KST)] exegol-pentest /workspace # ffuf -u http://trilocor.local/wp-admin/FUZZ -w `fzf-wordlists` -e .php -ac -c
464
465	/'___\ /'___\ /'___\
466	/\ \__/ /\ \__/ __ __ /\ \__/
467	\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
468	\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
469	\ \_\ \ \_\ \ \____/ \ \_\
470	\/_/ \/_/ \/___/ \/_/
471
472	v2.1.0
473	________________________________________________
474
475	:: Method : GET
476	:: URL : http://trilocor.local/wp-admin/FUZZ
477	:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
478	:: Extensions : .php
479	:: Follow redirects : false
480	:: Calibration : true
481	:: Timeout : 10
482	:: Threads : 40
483	:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
484	________________________________________________
485
486	[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2340ms]
487	about.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 7588ms]
488	admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1389ms]
489	admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1400ms]
490
491
492
493
494
495	GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.trilocor.local%2Fwp-admin%2Fadmin.php&reauth=1 HTTP/1.1
496	Host: www.trilocor.local
497	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
498	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
499	Accept-Language: en-US,en;q=0.5
500	Accept-Encoding: gzip, deflate, br
501	Connection: keep-alive
502	Upgrade-Insecure-Requests: 1
503	Priority: u=0, i
504
505
506
507
508
509
510
511	[Jan 01, 2026 - 20:45:46 (KST)] exegol-pentest /workspace # curl -i "http://www.trilocor.local/wp-login.php"
512	HTTP/1.1 403 Forbidden
513	Date: Thu, 01 Jan 2026 11:58:46 GMT
514	Server: Apache/2.4.41 (Ubuntu)
515	Content-Length: 283
516	Content-Type: text/html; charset=iso-8859-1
517
518	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
519	<html><head>
520	<title>403 Forbidden</title>
521	</head><body>
522	<h1>Forbidden</h1>
523	<p>You don't have permission to access this resource.</p>
524	<hr>
525	<address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address>
526	</body></html>
527
528
529
530
531
532
533	[Jan 01, 2026 - 21:19:22 (KST)] exegol-pentest /workspace # curl -si http://www.trilocor.local/wp-admin/admin-ajax.php
534	HTTP/1.1 400 Bad Request
535	Date: Thu, 01 Jan 2026 12:19:52 GMT
536	Server: Apache/2.4.41 (Ubuntu)
537	X-Robots-Tag: noindex
538	Expires: Wed, 11 Jan 1984 05:00:00 GMT
539	Cache-Control: no-cache, must-revalidate, max-age=0
540	Content-Length: 1
541	Connection: close
542	Content-Type: text/html; charset=UTF-8
543
544	0#
545
546
547
548
549	-------
550
551
552	[Jan 01, 2026 - 21:46:34 (KST)] exegol-pentest /workspace # ffuf -w `fzf-wordlists` -H "Host:FUZZ.trilocor.local" -u http://www.trilocor.local/ -ic -c
553
554	/'___\ /'___\ /'___\
555	/\ \__/ /\ \__/ __ __ /\ \__/
556	\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
557	\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
558	\ \_\ \ \_\ \ \____/ \ \_\
559	\/_/ \/_/ \/___/ \/_/
560
561	v2.1.0
562	________________________________________________
563
564	:: Method : GET
565	:: URL : http://www.trilocor.local/
566	:: Wordlist : FUZZ: /opt/lists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
567	:: Header : Host: FUZZ.trilocor.local
568	:: Follow redirects : false
569	:: Calibration : false
570	:: Timeout : 10
571	:: Threads : 40
572	:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
573	________________________________________________
574
575	admin [Status: 200, Size: 5599, Words: 223, Lines: 88, Duration: 357ms]
576
577
578
579
580
581
582
583
584	http://admin.trilocor.local/
585
586
587
588
589
590	[Jan 01, 2026 - 21:46:24 (KST)] exegol-pentest /workspace # curl -s http://admin.trilocor.local
591	<!DOCTYPE html>
592	<html lang="en-US">
593	<head>
594	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
595	<title>Log In &lsaquo; Trilocor — WordPress</title>
596	<meta name='robots' content='max-image-preview:large, noindex, noarchive' />
597	<link rel='dns-prefetch' href='//s.w.org' />
598	<link rel='stylesheet' id='dashicons-css' href='http://admin.trilocor.local/wp-includes/css/dashicons.min.css?ver=6.0.2' media='all' />
599	<link rel='stylesheet' id='buttons-css' href='http://admin.trilocor.local/wp-includes/css/buttons.min.css?ver=6.0.2' media='all' />
600	<link rel='stylesheet' id='forms-css' href='http://admin.trilocor.local/wp-admin/css/forms.min.css?ver=6.0.2' media='all' />
601	<link rel='stylesheet' id='l10n-css' href='http://admin.trilocor.local/wp-admin/css/l10n.min.css?ver=6.0.2' media='all' />
602	<link rel='stylesheet' id='login-css' href='http://admin.trilocor.local/wp-admin/css/login.min.css?ver=6.0.2' media='all' />
603	<meta name='referrer' content='strict-origin-when-cross-origin' />
604	<meta name="viewport" content="width=device-width" />
605	</head>
606	<body class="login no-js login-action-login wp-core-ui locale-en-us">
607	<script type="text/javascript">
608	document.body.className = document.body.className.replace('no-js','js');
609	</script>
610	<div id="login">
611	<h1><a href="https://wordpress.org/">Powered by WordPress</a></h1>
612
613	<form name="loginform" id="loginform" action="http://admin.trilocor.local/wp-login.php" method="post">
614	<p>
615	<label for="user_login">Username or Email Address</label>
616	<input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" autocomplete="username" />
617	</p>
618
619	<div class="user-pass-wrap">
620	<label for="user_pass">Password</label>
621	<div class="wp-pwd">
622	<input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20" autocomplete="current-password" />
623	<button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password">
624	<span class="dashicons dashicons-visibility" aria-hidden="true"></span>
625	</button>
626	</div>
627	</div>
628	<p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> <label for="rememberme">Remember Me</label></p>
629	<p class="submit">
630	<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
631	<input type="hidden" name="redirect_to" value="http://admin.trilocor.local/wp-admin/" />
632	<input type="hidden" name="testcookie" value="1" />
633	</p>
634	</form>
635
636	<p id="nav">
637	<a href="http://admin.trilocor.local/wp-login.php?action=lostpassword">Lost your password?</a>
638	</p>
639	<script type="text/javascript">
640	function wp_attempt_focus() {setTimeout( function() {try {d = document.getElementById( "user_login" );d.focus(); d.select();} catch( er ) {}}, 200);}
641	wp_attempt_focus();
642	if ( typeof wpOnload === 'function' ) { wpOnload() } </script>
643	<p id="backtoblog">
644	<a href="http://admin.trilocor.local/">← Go to Trilocor</a> </p>
645	</div>
646	<script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
647	<script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
648	<script id='zxcvbn-async-js-extra'>
649	var _zxcvbnSettings = {"src":"http:\/\/admin.trilocor.local\/wp-includes\/js\/zxcvbn.min.js"};
650	</script>
651	<script src='http://admin.trilocor.local/wp-includes/js/zxcvbn-async.min.js?ver=1.0' id='zxcvbn-async-js'></script>
652	<script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9' id='regenerator-runtime-js'></script>
653	<script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script>
654	<script src='http://admin.trilocor.local/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3' id='wp-hooks-js'></script>
655	<script src='http://admin.trilocor.local/wp-includes/js/dist/i18n.min.js?ver=ebee46757c6a411e38fd079a7ac71d94' id='wp-i18n-js'></script>
656	<script id='wp-i18n-js-after'>
657	wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
658	</script>
659	<script id='password-strength-meter-js-extra'>
660	var pwsL10n = {"unknown":"Password strength unknown","short":"Very weak","bad":"Weak","good":"Medium","strong":"Strong","mismatch":"Mismatch"};
661	</script>
662	<script src='http://admin.trilocor.local/wp-admin/js/password-strength-meter.min.js?ver=6.0.2' id='password-strength-meter-js'></script>
663	<script src='http://admin.trilocor.local/wp-includes/js/underscore.min.js?ver=1.13.3' id='underscore-js'></script>
664	<script id='wp-util-js-extra'>
665	var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}};
666	</script>
667	<script src='http://admin.trilocor.local/wp-includes/js/wp-util.min.js?ver=6.0.2' id='wp-util-js'></script>
668	<script id='user-profile-js-extra'>
669	var userProfileL10n = {"user_id":"0","nonce":"ea584adfea"};
670	</script>
671	<script src='http://admin.trilocor.local/wp-admin/js/user-profile.min.js?ver=6.0.2' id='user-profile-js'></script>
672	<script>
673	/(trident\|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a\|select\|input\|button\|textarea)$/i.test(t.tagName)\|\|(t.tabIndex=-1),t.focus())},!1);
674	</script>
675	<div class="clear"></div>
676	</body>
677	</html>
678	#
679
680
681
682
683
684
685	[Jan 01, 2026 - 22:32:15 (KST)] exegol-pentest /workspace # wpscan --url http://admin.trilocor.local --usernames web-admin --passwords `fzf-wordlists` --password-attack xmlrpc -t 20
686	_______________________________________________________________
687	__ _______ _____
688	\ \ / / __ \ / ____\|
689	\ \ /\ / /\| \|__) \| (___ ___ __ _ _ __ ®
690	\ \/ \/ / \| ___/ \___ \ / __\|/ _` \| '_ \
691	\ /\ / \| \| ____) \| (__\| (_\| \| \| \| \|
692	\/ \/ \|_\| \|_____/ \___\|\__,_\|_\| \|_\|
693
694	WordPress Security Scanner by the WPScan Team
695	Version 3.8.28
696	Sponsored by Automattic - https://automattic.com/
697	@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
698	_______________________________________________________________
699
700	[+] URL: http://admin.trilocor.local/ [10.129.205.208]
701	[+] Started: Thu Jan 1 22:59:53 2026
702
703	Interesting Finding(s):
704
705	[+] Headers
706	\| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
707	\| Found By: Headers (Passive Detection)
708	\| Confidence: 100%
709
710	[+] robots.txt found: http://admin.trilocor.local/robots.txt
711	\| Interesting Entries:
712	\| - /wp-admin/
713	\| - /wp-admin/admin-ajax.php
714	\| Found By: Robots Txt (Aggressive Detection)
715	\| Confidence: 100%
716
717	[+] XML-RPC seems to be enabled: http://admin.trilocor.local/xmlrpc.php
718	\| Found By: Direct Access (Aggressive Detection)
719	\| Confidence: 100%
720	\| References:
721	\| - http://codex.wordpress.org/XML-RPC_Pingback_API
722	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
723	\| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
724	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
725	\| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
726
727	[+] The external WP-Cron seems to be enabled: http://admin.trilocor.local/wp-cron.php
728	\| Found By: Direct Access (Aggressive Detection)
729	\| Confidence: 60%
730	\| References:
731	\| - https://www.iplocation.net/defend-wordpress-from-ddos
732	\| - https://github.com/wpscanteam/wpscan/issues/1299
733
734	[+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
735	\| Found By: Emoji Settings (Passive Detection)
736	\| - http://admin.trilocor.local/a6a1910.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.2'
737	\| Confirmed By: Meta Generator (Passive Detection)
738	\| - http://admin.trilocor.local/a6a1910.html, Match: 'WordPress 6.0.2'
739
740
741
742	지금 태스크 1 에서 막혀있는데, 풀이 방법을 알려줘.