Trilocor Robotics Ltd. (“Trilocor” herein) invited you to a private assessment to perform a targeted Web Application Penetration Test of Trilocor’s externally facing web applications, to identify high-risk security weaknesses, determine the impact to Trilocor, document all findings in a clear and repeatable manner, and provide remediation recommendations.

The following types of findings are in-scope for this assessment:
* Sensitive or personally identifiable information disclosure
* Cross-Site Scripting (XSS)
* Remote Code Execution (RCE)
* Arbitrary file upload
* All forms of session attacks
* All forms of server-side attacks (excluding DoS ones)
* Authentication or authorization flaws, such as insecure direct object references (IDOR) and authentication bypasses
* All forms of injection vulnerabilities
* Directory traversal
* Local file read
* Significant security misconfigurations and business logic flaws
* Exposed credentials that could be leveraged to gain further access

The following types of activities are considered out-of-scope for this assessment:
* Scanning and assessing any other IP in the Entry Point's network
* Physical attacks against Trilocor properties
* Unverified scanner output
* Man-in-the-Middle attacks
* Any vulnerabilities identified through DDoS or spam attacks
* Self-XSS
* Login/logout CSRF
* Issues with SSL certificates, open ports, TLS versions, or missing HTTP response headers
* Vulnerabilities in third-party libraries unless they can be leveraged to significantly impact the target
* Any theoretical attacks or attacks that require significant user interaction or low risk

Scope

The scope of this assessment is as follows:
* www.trilocor.local, any identified *.trilocor.local subdomain and any open web server ports discovered on the "Entry Point" IP address that will become visible upon pressing "SPAWN INSTANCE" (Step 2 below).
* Scanning any other IP in the Entry Point's network is NOT allowed!
* Five (5) different applications exist, as well as simulated users in certain application locations that you can attack.

URL                  Description
www.trilocor.local   Main Trilocor website
Discover the port    PR website
Discover the port    Jobs portal
Discover the port    HR website
Discover the port    Online shop

Connectivity Prerequisites

If you are using Pwnbox to conduct your exam web application security assessment activities, please make sure that eu-academy-exams-X or us-academy-exams-X is visible when opening a terminal. Only then will Pwnbox be able to reach the exam lab's applications. If you see otherwise, you will need to terminate any Pwnbox spawned in a module and spawn a new one from inside the exam lab's page (Step 1 below).

If you are using your own attacking virtual machine to connect to the exam lab's VPN, you can test your connectivity by adding an entry for www.trilocor.local to your virtual machine's hosts file and browsing to http://www.trilocor.local.

Exam Objectives

To be awarded the HTB Certified Web Exploitation Specialist (HTB CWES) certification you must:
* Obtain a minimum of 80 points by successfully completing the tasks below AND
* Compose and submit a commercial-grade report including all identified vulnerabilities, evidence of successful exploitation (in a step-by-step manner), and remediation advice, based on the provided report template.

TASK1 Try to gain access to the admin dashboard of Trilocor's main website to read the flag. (10 points)
TASK2 Try to gain remote code execution on Trilocor's main website to read the (.txt) flag in the '/' directory. (5 points)
TASK3 Try to bypass the login screen on Trilocor's HR dashboard application to read the flag. (5 points)
TASK4 Try to gain remote code execution on Trilocor's HR dashboard application to read the (.txt) flag in the '/' directory. (15 points)
TASK5 Try to gain access to the admin panel of Trilocor's Jobs Portal to read the flag. (10 points)
TASK6 Try to gain remote code execution on Trilocor's Jobs Portal to read the (.txt) flag in the '/' directory. (10 points)
TASK7 Try to gain access to Trilocor's PR admin panel to read the flag. (5 points)
TASK8 Try to gain remote code execution on Trilocor's PR admin panel to read the (.txt) flag in the '/' directory. (15 points)
TASK9 Try to gain admin access on Trilocor's Shop to read the flag. (10 points)
TASK10 Try to gain remote code execution on the Trilocor Shop application to read the (.txt) flag in the '/' directory. (15 points)

vi /etc/hosts
10.129.205.208 www.trilocor.local trilocor.local

nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000
Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:14 KST
Nmap scan report for 10.129.205.208
Host is up (0.21s latency).
Not shown: 65528 closed tcp ports (reset), 2 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy
8088/tcp open  radan-http
9000/tcp open  cslistener

Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds

[Jan 01, 2026 - 18:17:56 (KST)] exegol-pentest /workspace # nmap -sC -sV -Pn -n --open -p80,8009,8080,8088,9000 10.129.205.208 --min-rate 3000 -oA cwes_svc
Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:18 KST
Nmap scan report for 10.129.205.208
Host is up (0.21s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://www.trilocor.local/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8009/tcp open  http    nginx
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Trilocor Public Relations
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache httpd 2.4.54 ((Unix))
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Trilocor - Job Portal
|_Requested resource was /login.php
|_http-server-header: Apache/2.4.54 (Unix)
8088/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Human Resources - Login
9000/tcp open  http    nginx
|_http-title: TRILOCOR Shop | Home

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds

[Jan 01, 2026 - 18:20:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/robots.txt
HTTP/1.1 200 OK
Date: Thu, 01 Jan 2026 09:21:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: ; rel="https://api.w.org/"
Vary: Accept-Encoding
Content-Length: 118
Content-Type: text/plain; charset=utf-8

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Sitemap: http://www.trilocor.local/wp-sitemap.xml

[Jan 01, 2026 - 18:29:50 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-login.php | sed -n '1,20p'
HTTP/1.1 403 Forbidden
Date: Thu, 01 Jan 2026 09:33:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 283
Content-Type: text/html; charset=iso-8859-1

403 Forbidden
Forbidden
You don't have permission to access this resource.
Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80
[Jan 01, 2026 - 18:28:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-json/wp/v2/users
HTTP/1.1 200 OK
Date: Thu, 01 Jan 2026 09:29:03 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Robots-Tag: noindex
Link: ; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
X-WP-Total: 1
X-WP-TotalPages: 1
Allow: GET
Vary: Origin
Content-Length: 643
Content-Type: application/json; charset=UTF-8

[{"id":1,"name":"web-admin","url":"http:\/\/www.trilocor.local","description":"","link":"http:\/\/www.trilocor.local\/index.php\/author\/web-admin\/","slug":"web-admin","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users"}]}}]

[Jan 01, 2026 - 18:38:10 (KST)] exegol-pentest /workspace # curl -s http://www.trilocor.local/ \
  | grep -Eo 'wp-content/(plugins|themes)/[^/"]+' \
  | sort -u
wp-content/plugins/elementor
wp-content/themes/astra

[Jan 01, 2026 - 18:56:31 (KST)] exegol-pentest /workspace # curl -X POST -i http://www.trilocor.local/xmlrpc.php \
  -d "system.listMethods"
HTTP/1.1 200 OK
Date: Thu, 01 Jan 2026 09:56:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
Vary: Accept-Encoding
Content-Length: 4272
Content-Type: text/xml; charset=UTF-8

system.multicall
system.listMethods
system.getCapabilities
demo.addTwoNumbers
demo.sayHello
pingback.extensions.getPingbacks
pingback.ping
mt.publishPost
mt.getTrackbackPings
mt.supportedTextFilters
mt.supportedMethods
mt.setPostCategories
mt.getPostCategories
mt.getRecentPostTitles
mt.getCategoryList
metaWeblog.getUsersBlogs
metaWeblog.deletePost
metaWeblog.newMediaObject
metaWeblog.getCategories
metaWeblog.getRecentPosts
metaWeblog.getPost
metaWeblog.editPost
metaWeblog.newPost
blogger.deletePost
blogger.editPost
blogger.newPost
blogger.getRecentPosts
blogger.getPost
blogger.getUserInfo
blogger.getUsersBlogs
wp.restoreRevision
wp.getRevisions
wp.getPostTypes
wp.getPostType
wp.getPostFormats
wp.getMediaLibrary
wp.getMediaItem
wp.getCommentStatusList
wp.newComment
wp.editComment
wp.deleteComment
wp.getComments
wp.getComment
wp.setOptions
wp.getOptions
wp.getPageTemplates
wp.getPageStatusList
wp.getPostStatusList
wp.getCommentCount
wp.deleteFile
wp.uploadFile
wp.suggestCategories
wp.deleteCategory
wp.newCategory
wp.getTags
wp.getCategories
wp.getAuthors
wp.getPageList
wp.editPage
wp.deletePage
wp.newPage
wp.getPages
wp.getPage
wp.editProfile
wp.getProfile
wp.getUsers
wp.getUser
wp.getTaxonomies
wp.getTaxonomy
wp.getTerms
wp.getTerm
wp.deleteTerm
wp.editTerm
wp.newTerm
wp.getPosts
wp.getPost
wp.deletePost
wp.editPost
wp.newPost
wp.getUsersBlogs

[Jan 01, 2026 - 19:09:03 (KST)] exegol-pentest /workspace # wpscan --url http://www.trilocor.local --usernames web-admin --passwords /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://www.trilocor.local/ [10.129.205.208]
[+] Started: Thu Jan  1 19:09:16 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://www.trilocor.local/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://www.trilocor.local/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] The external WP-Cron seems to be enabled: http://www.trilocor.local/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://www.trilocor.local/index.php/feed/, https://wordpress.org/?v=6.0.2
 |  - http://www.trilocor.local/index.php/comments/feed/, https://wordpress.org/?v=6.0.2

[+] WordPress theme in use: astra
 | Location: http://www.trilocor.local/wp-content/themes/astra/
 | Last Updated: 2025-12-16T00:00:00.000Z
 | Readme: http://www.trilocor.local/wp-content/themes/astra/readme.txt
 | [!] The version is out of date, the latest version is 4.11.18
 | Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css
 | Style Name: Astra
 | Style URI: https://wpastra.com/
 | Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,...
 | Author: Brainstorm Force
 | Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.9.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://www.trilocor.local/wp-content/themes/astra/style.css, Match: 'Version: 3.9.2'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] elementor
 | Location: http://www.trilocor.local/wp-content/plugins/elementor/
 | Last Updated: 2025-12-22T12:28:00.000Z
 | [!] The version is out of date, the latest version is 3.34.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.7.7 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.7.7
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:08 <=> (137 / 137) 100.00% Time: 00:00:08

[Jan 01, 2026 - 19:41:31 (KST)] exegol-pentest /workspace # ffuf -u http://trilocor.local/wp-admin/FUZZ -w `fzf-wordlists` -e .php -ac -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://trilocor.local/wp-admin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
 :: Extensions       : .php
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

                        [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2340ms]
about.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 7588ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1389ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1400ms]

GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.trilocor.local%2Fwp-admin%2Fadmin.php&reauth=1 HTTP/1.1
Host: www.trilocor.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i

[Jan 01, 2026 - 20:45:46 (KST)] exegol-pentest /workspace # curl -i "http://www.trilocor.local/wp-login.php"
HTTP/1.1 403 Forbidden
Date: Thu, 01 Jan 2026 11:58:46 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 283
Content-Type: text/html; charset=iso-8859-1

403 Forbidden
Forbidden
You don't have permission to access this resource.
Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80
[Jan 01, 2026 - 21:19:22 (KST)] exegol-pentest /workspace # curl -si http://www.trilocor.local/wp-admin/admin-ajax.php
HTTP/1.1 400 Bad Request
Date: Thu, 01 Jan 2026 12:19:52 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Robots-Tag: noindex
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0

-------

[Jan 01, 2026 - 21:46:34 (KST)] exegol-pentest /workspace # ffuf -w `fzf-wordlists` -H "Host:FUZZ.trilocor.local" -u http://www.trilocor.local/ -ic -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://www.trilocor.local/
 :: Wordlist         : FUZZ: /opt/lists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.trilocor.local
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 200, Size: 5599, Words: 223, Lines: 88, Duration: 357ms]

http://admin.trilocor.local/

[Jan 01, 2026 - 21:46:24 (KST)] exegol-pentest /workspace # curl -s http://admin.trilocor.local
Log In ‹ Trilocor — WordPress
Powered by WordPress
← Go to Trilocor

[Jan 01, 2026 - 22:32:15 (KST)] exegol-pentest /workspace # wpscan --url http://admin.trilocor.local --usernames web-admin --passwords `fzf-wordlists` --password-attack xmlrpc -t 20
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://admin.trilocor.local/ [10.129.205.208]
[+] Started: Thu Jan  1 22:59:53 2026

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://admin.trilocor.local/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://admin.trilocor.local/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] The external WP-Cron seems to be enabled: http://admin.trilocor.local/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://admin.trilocor.local/a6a1910.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://admin.trilocor.local/a6a1910.html, Match: 'WordPress 6.0.2'

I'm stuck on Task 1 right now, tell me how to solve it.