
sehoon0519 revised this gist 1 month ago.

1 file changed, 742 insertions

gistfile1.txt(file created)

@@ -0,0 +1,742 @@
1 + Trilocor Robotics Ltd. (“Trilocor” herein) invited you to a private assessment to perform a targeted Web Application Penetration Test of Trilocor’s externally facing web applications to identify high-risk security weaknesses, determine the impact to Trilocor, document all findings in a clear and repeatable manner, and provide remediation recommendations.
2 + The following types of findings are in-scope for this assessment:
3 +
4 + * Sensitive or personally identifiable information disclosure
5 +
6 + * Cross-Site Scripting (XSS)
7 +
8 + * Remote Code Execution (RCE)
9 +
10 + * Arbitrary file upload
11 +
12 + * All forms of session attacks
13 +
14 + * All forms of server-side attacks (excluding DoS ones)
15 +
16 + * Authentication or authorization flaws, such as insecure direct object references (IDOR) and authentication bypasses
17 +
18 + * All forms of injection vulnerabilities
19 +
20 + * Directory traversal
21 +
22 + * Local file read
23 +
24 + * Significant security misconfigurations and business logic flaws
25 +
26 + * Exposed credentials that could be leveraged to gain further access
27 +
28 + The following types of activities are considered out-of-scope for this assessment:
29 +
30 + * Scanning and assessing any other IP in the Entry Point's network
31 +
32 + * Physical attacks against Trilocor properties
33 +
34 + * Unverified scanner output
35 +
36 + * Man-in-the-Middle attacks
37 +
38 + * Any vulnerabilities identified through DDoS or spam attacks
39 +
40 + * Self-XSS
41 +
42 + * Login/logout CSRF
43 +
44 + * Issues with SSL certificates, open ports, TLS versions, or missing HTTP response headers
45 +
46 + * Vulnerabilities in third-party libraries unless they can be leveraged to significantly impact the target
47 +
48 + * Any theoretical attacks or attacks that require significant user interaction or low risk
49 +
50 + Scope
51 + The scope of this assessment is as follows:
52 +
53 + * www.trilocor.local, any identified *.trilocor.local subdomain and any open web server ports discovered on the "Entry Point" IP address that will become visible upon pressing "SPAWN INSTANCE" (Step 2 below).
54 +
55 + * Scanning any other IP in the Entry Point's network is NOT allowed!
56 +
57 + * Five (5) different applications exist, as well as simulated users in certain application locations that you can attack.
58 +
59 + URL
60 + Description
61 + www.trilocor.local
62 + Main Trilocor website
63 + Discover the port
64 + PR website
65 + Discover the port
66 + Jobs portal
67 + Discover the port
68 + HR website
69 + Discover the port
70 + Online shop
71 + Connectivity Prerequisites
72 + If you are using Pwnbox to conduct your exam web application security assessment activities, please make sure that eu-academy-exams-X or us-academy-exams-X is visible when opening a terminal. Then and only then Pwnbox will be able to reach the exam lab's applications. If you see otherwise, you will need to terminate any spawned Pwnbox in a module and spawn a new one from inside the exam lab's page (Step 1 below).
73 + If you are using your own attacking virtual machine to connect to the exam lab's VPN, then you can test your connectivity by adding an entry regarding www.trilocor.local in your virtual machine's hosts file and browsing http://www.trilocor.local.
74 + Exam Objectives
75 + To be awarded the HTB Certified Web Exploitation Specialist (HTB CWES) certification you must:
76 +
77 + * Obtain a minimum of 80 points by successfully completing the tasks below AND
78 +
79 + * Compose and submit a commercial-grade report including all identified vulnerabilities, evidence of successful exploitation (in a step-by-step manner), and remediation advice, based on the provided report template.
80 +
81 +  
82 +  
83 +  
84 + TASK1
85 + Try to gain access to the admin dashboard of Trilocor's main website to read the flag. (10 points)
86 +  
87 + TASK2
88 + Try to gain remote code execution on Trilocor's main website to read the (.txt) flag in the '/' directory. (5 points)
89 +  
90 + TASK3
91 + Try to bypass the login screen on Trilocor's HR dashboard application to read the flag. (5 points)
92 +  
93 + TASK4
94 + Try to gain remote code execution on Trilocor's HR dashboard application to read the (.txt) flag in the '/' directory. (15 points)
95 +  
96 + TASK5
97 + Try to gain access to the admin panel of Trilocor's Jobs Portal to read the flag. (10 points)
98 +  
99 + TASK6
100 + Try to gain remote code execution on Trilocor's Jobs Portal to read the (.txt) flag in the '/' directory. (10 points)
101 +  
102 + TASK7
103 + Try to gain access to Trilocor's PR admin panel to read the flag. (5 points)
104 +  
105 + TASK8
106 + Try to gain remote code execution on Trilocor's PR admin panel to read the (.txt) flag in the '/' directory. (15 points)
107 +  
108 + TASK9
109 + Try to gain admin access on Trilocor's Shop to read the flag. (10 points)
110 +  
111 + TASK10
112 + Try to gain remote code execution on the Trilocor Shop application to read the (.txt) flag in the '/' directory. (15 points)
113 +  
114 +  
115 +  
116 +  
117 +  
118 +  
119 + vi /etc/hosts
120 + 10.129.205.208 www.trilocor.local trilocor.local
121 +  
122 +  
123 +  
124 +  
125 + nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000
126 +  
127 + nmap -sS -Pn -n --open -p- 10.129.205.208 --min-rate 3000
128 + Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:14 KST
129 + Nmap scan report for 10.129.205.208
130 + Host is up (0.21s latency).
131 + Not shown: 65528 closed tcp ports (reset), 2 filtered tcp ports (no-response)
132 + Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
133 + PORT     STATE SERVICE
134 + 80/tcp   open  http
135 + 8009/tcp open  ajp13
136 + 8080/tcp open  http-proxy
137 + 8088/tcp open  radan-http
138 + 9000/tcp open  cslistener
139 +  
140 + Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds
141 +  
142 +  
143 +  
144 +  
145 + [Jan 01, 2026 - 18:17:56 (KST)] exegol-pentest /workspace # nmap -sC -sV -Pn -n --open -p80,8009,8080,8088,9000 10.129.205.208 --min-rate 3000 -oA cwes_svc
146 + Starting Nmap 7.93 ( https://nmap.org ) at 2026-01-01 18:18 KST
147 + Nmap scan report for 10.129.205.208
148 + Host is up (0.21s latency).
149 +  
150 + PORT     STATE SERVICE VERSION
151 + 80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
152 + |_http-title: Did not follow redirect to http://www.trilocor.local/
153 + |_http-server-header: Apache/2.4.41 (Ubuntu)
154 + 8009/tcp open  http    nginx
155 + | http-cookie-flags:
156 + |   /:
157 + |     PHPSESSID:
158 + |_      httponly flag not set
159 + |_http-title: Trilocor Public Relations
160 + |_ajp-methods: Failed to get a valid response for the OPTION request
161 + 8080/tcp open  http    Apache httpd 2.4.54 ((Unix))
162 + |_http-open-proxy: Proxy might be redirecting requests
163 + | http-title: Trilocor - Job Portal
164 + |_Requested resource was /login.php
165 + |_http-server-header: Apache/2.4.54 (Unix)
166 + 8088/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
167 + |_http-server-header: Apache/2.4.41 (Ubuntu)
168 + |_http-title: Human Resources - Login
169 + 9000/tcp open  http    nginx
170 + |_http-title: TRILOCOR Shop | Home
171 +  
172 + Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
173 + Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds
174 +  
175 +  
176 +  
177 +  
178 + [Jan 01, 2026 - 18:20:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/robots.txt
179 + HTTP/1.1 200 OK
180 + Date: Thu, 01 Jan 2026 09:21:06 GMT
181 + Server: Apache/2.4.41 (Ubuntu)
182 + Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/"
183 + Vary: Accept-Encoding
184 + Content-Length: 118
185 + Content-Type: text/plain; charset=utf-8
186 +  
187 + User-agent: *
188 + Disallow: /wp-admin/
189 + Allow: /wp-admin/admin-ajax.php
190 +  
191 + Sitemap: http://www.trilocor.local/wp-sitemap.xml
192 +  
193 +  
194 +  
195 +  
196 +  
197 + [Jan 01, 2026 - 18:29:50 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-login.php | sed -n '1,20p'
198 +  
199 + HTTP/1.1 403 Forbidden
200 + Date: Thu, 01 Jan 2026 09:33:10 GMT
201 + Server: Apache/2.4.41 (Ubuntu)
202 + Content-Length: 283
203 + Content-Type: text/html; charset=iso-8859-1
204 +  
205 + <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
206 + <html><head>
207 + <title>403 Forbidden</title>
208 + </head><body>
209 + <h1>Forbidden</h1>
210 + <p>You don't have permission to access this resource.</p>
211 + <hr>
212 + <address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address>
213 + </body></html>
214 +  
215 +  
216 +  
217 +  
218 +  
219 +  
220 +  
221 + [Jan 01, 2026 - 18:28:46 (KST)] exegol-pentest /workspace # curl -s -i http://www.trilocor.local/wp-json/wp/v2/users
222 + HTTP/1.1 200 OK
223 + Date: Thu, 01 Jan 2026 09:29:03 GMT
224 + Server: Apache/2.4.41 (Ubuntu)
225 + X-Robots-Tag: noindex
226 + Link: <http://www.trilocor.local/index.php/wp-json/>; rel="https://api.w.org/"
227 + X-Content-Type-Options: nosniff
228 + Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
229 + Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
230 + X-WP-Total: 1
231 + X-WP-TotalPages: 1
232 + Allow: GET
233 + Vary: Origin
234 + Content-Length: 643
235 + Content-Type: application/json; charset=UTF-8
236 +  
237 + [{"id":1,"name":"web-admin","url":"http:\/\/www.trilocor.local","description":"","link":"http:\/\/www.trilocor.local\/index.php\/author\/web-admin\/","slug":"web-admin","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/b3b777a4d9b45d225796292eea0cdade?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/www.trilocor.local\/index.php\/wp-json\/wp\/v2\/users"}]}}]#
238 +  
239 +  
240 +  
241 +  
242 + [Jan 01, 2026 - 18:38:10 (KST)] exegol-pentest /workspace # curl -s http://www.trilocor.local/ \
243 +  | grep -Eo 'wp-content/(plugins|themes)/[^/"]+' \
244 +  | sort -u
245 +  
246 + wp-content/plugins/elementor
247 + wp-content/themes/astra
248 +  
249 +  
250 +  
251 +  
252 + [Jan 01, 2026 - 18:56:31 (KST)] exegol-pentest /workspace # curl -X POST -i http://www.trilocor.local/xmlrpc.php \
253 +   -d "<methodCall><methodName>system.listMethods</methodName></methodCall>"
254 + HTTP/1.1 200 OK
255 + Date: Thu, 01 Jan 2026 09:56:36 GMT
256 + Server: Apache/2.4.41 (Ubuntu)
257 + Connection: close
258 + Vary: Accept-Encoding
259 + Content-Length: 4272
260 + Content-Type: text/xml; charset=UTF-8
261 +  
262 + <?xml version="1.0" encoding="UTF-8"?>
263 + <methodResponse>
264 +   <params>
265 +     <param>
266 +       <value>
267 +       <array><data>
268 +   <value><string>system.multicall</string></value>
269 +   <value><string>system.listMethods</string></value>
270 +   <value><string>system.getCapabilities</string></value>
271 +   <value><string>demo.addTwoNumbers</string></value>
272 +   <value><string>demo.sayHello</string></value>
273 +   <value><string>pingback.extensions.getPingbacks</string></value>
274 +   <value><string>pingback.ping</string></value>
275 +   <value><string>mt.publishPost</string></value>
276 +   <value><string>mt.getTrackbackPings</string></value>
277 +   <value><string>mt.supportedTextFilters</string></value>
278 +   <value><string>mt.supportedMethods</string></value>
279 +   <value><string>mt.setPostCategories</string></value>
280 +   <value><string>mt.getPostCategories</string></value>
281 +   <value><string>mt.getRecentPostTitles</string></value>
282 +   <value><string>mt.getCategoryList</string></value>
283 +   <value><string>metaWeblog.getUsersBlogs</string></value>
284 +   <value><string>metaWeblog.deletePost</string></value>
285 +   <value><string>metaWeblog.newMediaObject</string></value>
286 +   <value><string>metaWeblog.getCategories</string></value>
287 +   <value><string>metaWeblog.getRecentPosts</string></value>
288 +   <value><string>metaWeblog.getPost</string></value>
289 +   <value><string>metaWeblog.editPost</string></value>
290 +   <value><string>metaWeblog.newPost</string></value>
291 +   <value><string>blogger.deletePost</string></value>
292 +   <value><string>blogger.editPost</string></value>
293 +   <value><string>blogger.newPost</string></value>
294 +   <value><string>blogger.getRecentPosts</string></value>
295 +   <value><string>blogger.getPost</string></value>
296 +   <value><string>blogger.getUserInfo</string></value>
297 +   <value><string>blogger.getUsersBlogs</string></value>
298 +   <value><string>wp.restoreRevision</string></value>
299 +   <value><string>wp.getRevisions</string></value>
300 +   <value><string>wp.getPostTypes</string></value>
301 +   <value><string>wp.getPostType</string></value>
302 +   <value><string>wp.getPostFormats</string></value>
303 +   <value><string>wp.getMediaLibrary</string></value>
304 +   <value><string>wp.getMediaItem</string></value>
305 +   <value><string>wp.getCommentStatusList</string></value>
306 +   <value><string>wp.newComment</string></value>
307 +   <value><string>wp.editComment</string></value>
308 +   <value><string>wp.deleteComment</string></value>
309 +   <value><string>wp.getComments</string></value>
310 +   <value><string>wp.getComment</string></value>
311 +   <value><string>wp.setOptions</string></value>
312 +   <value><string>wp.getOptions</string></value>
313 +   <value><string>wp.getPageTemplates</string></value>
314 +   <value><string>wp.getPageStatusList</string></value>
315 +   <value><string>wp.getPostStatusList</string></value>
316 +   <value><string>wp.getCommentCount</string></value>
317 +   <value><string>wp.deleteFile</string></value>
318 +   <value><string>wp.uploadFile</string></value>
319 +   <value><string>wp.suggestCategories</string></value>
320 +   <value><string>wp.deleteCategory</string></value>
321 +   <value><string>wp.newCategory</string></value>
322 +   <value><string>wp.getTags</string></value>
323 +   <value><string>wp.getCategories</string></value>
324 +   <value><string>wp.getAuthors</string></value>
325 +   <value><string>wp.getPageList</string></value>
326 +   <value><string>wp.editPage</string></value>
327 +   <value><string>wp.deletePage</string></value>
328 +   <value><string>wp.newPage</string></value>
329 +   <value><string>wp.getPages</string></value>
330 +   <value><string>wp.getPage</string></value>
331 +   <value><string>wp.editProfile</string></value>
332 +   <value><string>wp.getProfile</string></value>
333 +   <value><string>wp.getUsers</string></value>
334 +   <value><string>wp.getUser</string></value>
335 +   <value><string>wp.getTaxonomies</string></value>
336 +   <value><string>wp.getTaxonomy</string></value>
337 +   <value><string>wp.getTerms</string></value>
338 +   <value><string>wp.getTerm</string></value>
339 +   <value><string>wp.deleteTerm</string></value>
340 +   <value><string>wp.editTerm</string></value>
341 +   <value><string>wp.newTerm</string></value>
342 +   <value><string>wp.getPosts</string></value>
343 +   <value><string>wp.getPost</string></value>
344 +   <value><string>wp.deletePost</string></value>
345 +   <value><string>wp.editPost</string></value>
346 +   <value><string>wp.newPost</string></value>
347 +   <value><string>wp.getUsersBlogs</string></value>
348 + </data></array>
349 +       </value>
350 +     </param>
351 +   </params>
352 + </methodResponse>
353 +  
354 +  
355 +  
356 +  
357 +  
358 + [Jan 01, 2026 - 19:09:03 (KST)] exegol-pentest /workspace # wpscan --url http://www.trilocor.local --usernames web-admin --passwords /usr/share/wordlists/rockyou.txt
359 + _______________________________________________________________
360 +          __          _______   _____
361 +          \ \        / /  __ \ / ____|
362 +           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
363 +            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
364 +             \  /\  /  | |     ____) | (__| (_| | | | |
365 +              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
366 +  
367 +          WordPress Security Scanner by the WPScan Team
368 +                          Version 3.8.28
369 +  
370 +        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
371 + _______________________________________________________________
372 +  
373 + [i] Updating the Database ...
374 + [i] Update completed.
375 +  
376 + [+] URL: http://www.trilocor.local/ [10.129.205.208]
377 + [+] Started: Thu Jan  1 19:09:16 2026
378 +  
379 + Interesting Finding(s):
380 +  
381 + [+] Headers
382 +  | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
383 +  | Found By: Headers (Passive Detection)
384 +  | Confidence: 100%
385 +  
386 + [+] robots.txt found: http://www.trilocor.local/robots.txt
387 +  | Interesting Entries:
388 +  |  - /wp-admin/
389 +  |  - /wp-admin/admin-ajax.php
390 +  | Found By: Robots Txt (Aggressive Detection)
391 +  | Confidence: 100%
392 +  
393 + [+] XML-RPC seems to be enabled: http://www.trilocor.local/xmlrpc.php
394 +  | Found By: Direct Access (Aggressive Detection)
395 +  | Confidence: 100%
396 +  | References:
397 +  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
398 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
399 +  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
400 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
401 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
402 +  
403 + [+] The external WP-Cron seems to be enabled: http://www.trilocor.local/wp-cron.php
404 +  | Found By: Direct Access (Aggressive Detection)
405 +  | Confidence: 60%
406 +  | References:
407 +  |  - https://www.iplocation.net/defend-wordpress-from-ddos
408 +  |  - https://github.com/wpscanteam/wpscan/issues/1299
409 +  
410 + [+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
411 +  | Found By: Rss Generator (Passive Detection)
412 +  |  - http://www.trilocor.local/index.php/feed/, <generator>https://wordpress.org/?v=6.0.2</generator>
413 +  |  - http://www.trilocor.local/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.0.2</generator>
414 +  
415 + [+] WordPress theme in use: astra
416 +  | Location: http://www.trilocor.local/wp-content/themes/astra/
417 +  | Last Updated: 2025-12-16T00:00:00.000Z
418 +  | Readme: http://www.trilocor.local/wp-content/themes/astra/readme.txt
419 +  | [!] The version is out of date, the latest version is 4.11.18
420 +  | Style URL: http://www.trilocor.local/wp-content/themes/astra/style.css
421 +  | Style Name: Astra
422 +  | Style URI: https://wpastra.com/
423 +  | Description: Astra is fast, fully customizable & beautiful WordPress theme suitable for blog, personal portfolio,...
424 +  | Author: Brainstorm Force
425 +  | Author URI: https://wpastra.com/about/?utm_source=theme_preview&utm_medium=author_link&utm_campaign=astra_theme
426 +  |
427 +  | Found By: Urls In Homepage (Passive Detection)
428 +  | Confirmed By: Urls In 404 Page (Passive Detection)
429 +  |
430 +  | Version: 3.9.2 (80% confidence)
431 +  | Found By: Style (Passive Detection)
432 +  |  - http://www.trilocor.local/wp-content/themes/astra/style.css, Match: 'Version: 3.9.2'
433 +  
434 + [+] Enumerating All Plugins (via Passive Methods)
435 + [+] Checking Plugin Versions (via Passive and Aggressive Methods)
436 +  
437 + [i] Plugin(s) Identified:
438 +  
439 + [+] elementor
440 +  | Location: http://www.trilocor.local/wp-content/plugins/elementor/
441 +  | Last Updated: 2025-12-22T12:28:00.000Z
442 +  | [!] The version is out of date, the latest version is 3.34.0
443 +  |
444 +  | Found By: Urls In Homepage (Passive Detection)
445 +  |
446 +  | Version: 3.7.7 (100% confidence)
447 +  | Found By: Query Parameter (Passive Detection)
448 +  |  - http://www.trilocor.local/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.7.7
449 +  | Confirmed By:
450 +  |  Readme - Stable Tag (Aggressive Detection)
451 +  |   - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt
452 +  |  Readme - ChangeLog Section (Aggressive Detection)
453 +  |   - http://www.trilocor.local/wp-content/plugins/elementor/readme.txt
454 +  
455 + [+] Enumerating Config Backups (via Passive and Aggressive Methods)
456 +  Checking Config Backups - Time: 00:00:08 <=> (137 / 137) 100.00% Time: 00:00:08
457 +  
458 +  
459 +  
460 +  
461 +  
462 +  
463 + [Jan 01, 2026 - 19:41:31 (KST)] exegol-pentest /workspace # ffuf -u http://trilocor.local/wp-admin/FUZZ -w `fzf-wordlists` -e .php -ac -c
464 +  
465 +         /'___\  /'___\           /'___\
466 +        /\ \__/ /\ \__/  __  __  /\ \__/
467 +        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
468 +         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
469 +          \ \_\   \ \_\  \ \____/  \ \_\
470 +           \/_/    \/_/   \/___/    \/_/
471 +  
472 +        v2.1.0
473 + ________________________________________________
474 +  
475 +  :: Method           : GET
476 +  :: URL              : http://trilocor.local/wp-admin/FUZZ
477 +  :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
478 +  :: Extensions       : .php
479 +  :: Follow redirects : false
480 +  :: Calibration      : true
481 +  :: Timeout          : 10
482 +  :: Threads          : 40
483 +  :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
484 + ________________________________________________
485 +  
486 +                         [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 2340ms]
487 + about.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 7588ms]
488 + admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1389ms]
489 + admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1400ms]
490 +  
491 +  
492 +  
493 +  
494 +  
495 + GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.trilocor.local%2Fwp-admin%2Fadmin.php&reauth=1 HTTP/1.1
496 + Host: www.trilocor.local
497 + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
498 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
499 + Accept-Language: en-US,en;q=0.5
500 + Accept-Encoding: gzip, deflate, br
501 + Connection: keep-alive
502 + Upgrade-Insecure-Requests: 1
503 + Priority: u=0, i
504 +  
505 +  
506 +  
507 +  
508 +  
509 +  
510 +  
511 + [Jan 01, 2026 - 20:45:46 (KST)] exegol-pentest /workspace # curl -i "http://www.trilocor.local/wp-login.php"
512 + HTTP/1.1 403 Forbidden
513 + Date: Thu, 01 Jan 2026 11:58:46 GMT
514 + Server: Apache/2.4.41 (Ubuntu)
515 + Content-Length: 283
516 + Content-Type: text/html; charset=iso-8859-1
517 +  
518 + <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
519 + <html><head>
520 + <title>403 Forbidden</title>
521 + </head><body>
522 + <h1>Forbidden</h1>
523 + <p>You don't have permission to access this resource.</p>
524 + <hr>
525 + <address>Apache/2.4.41 (Ubuntu) Server at www.trilocor.local Port 80</address>
526 + </body></html>
527 +  
528 +  
529 +  
530 +  
531 +  
532 +  
533 + [Jan 01, 2026 - 21:19:22 (KST)] exegol-pentest /workspace # curl -si http://www.trilocor.local/wp-admin/admin-ajax.php     
534 + HTTP/1.1 400 Bad Request
535 + Date: Thu, 01 Jan 2026 12:19:52 GMT
536 + Server: Apache/2.4.41 (Ubuntu)
537 + X-Robots-Tag: noindex
538 + Expires: Wed, 11 Jan 1984 05:00:00 GMT
539 + Cache-Control: no-cache, must-revalidate, max-age=0
540 + Content-Length: 1
541 + Connection: close
542 + Content-Type: text/html; charset=UTF-8
543 +  
544 + 0#
545 +  
546 +  
547 +  
548 +  
549 + -------
550 +  
551 +  
552 + [Jan 01, 2026 - 21:46:34 (KST)] exegol-pentest /workspace # ffuf -w `fzf-wordlists` -H "Host:FUZZ.trilocor.local" -u http://www.trilocor.local/ -ic -c
553 +  
554 +         /'___\  /'___\           /'___\
555 +        /\ \__/ /\ \__/  __  __  /\ \__/
556 +        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
557 +         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
558 +          \ \_\   \ \_\  \ \____/  \ \_\
559 +           \/_/    \/_/   \/___/    \/_/
560 +  
561 +        v2.1.0
562 + ________________________________________________
563 +  
564 +  :: Method           : GET
565 +  :: URL              : http://www.trilocor.local/
566 +  :: Wordlist         : FUZZ: /opt/lists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
567 +  :: Header           : Host: FUZZ.trilocor.local
568 +  :: Follow redirects : false
569 +  :: Calibration      : false
570 +  :: Timeout          : 10
571 +  :: Threads          : 40
572 +  :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
573 + ________________________________________________
574 +  
575 + admin                   [Status: 200, Size: 5599, Words: 223, Lines: 88, Duration: 357ms]
576 +  
577 +  
578 +  
579 +  
580 +  
581 +  
582 +  
583 +  
584 + http://admin.trilocor.local/
585 +  
586 +  
587 +  
588 +  
589 +  
590 + [Jan 01, 2026 - 21:46:24 (KST)] exegol-pentest /workspace # curl -s http://admin.trilocor.local
591 + <!DOCTYPE html>
592 +         <html lang="en-US">
593 +         <head>
594 +         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
595 +         <title>Log In &lsaquo; Trilocor &#8212; WordPress</title>
596 +         <meta name='robots' content='max-image-preview:large, noindex, noarchive' />
597 + <link rel='dns-prefetch' href='//s.w.org' />
598 + <link rel='stylesheet' id='dashicons-css'  href='http://admin.trilocor.local/wp-includes/css/dashicons.min.css?ver=6.0.2' media='all' />
599 + <link rel='stylesheet' id='buttons-css'  href='http://admin.trilocor.local/wp-includes/css/buttons.min.css?ver=6.0.2' media='all' />
600 + <link rel='stylesheet' id='forms-css'  href='http://admin.trilocor.local/wp-admin/css/forms.min.css?ver=6.0.2' media='all' />
601 + <link rel='stylesheet' id='l10n-css'  href='http://admin.trilocor.local/wp-admin/css/l10n.min.css?ver=6.0.2' media='all' />
602 + <link rel='stylesheet' id='login-css'  href='http://admin.trilocor.local/wp-admin/css/login.min.css?ver=6.0.2' media='all' />
603 +         <meta name='referrer' content='strict-origin-when-cross-origin' />
604 +                 <meta name="viewport" content="width=device-width" />
605 +                 </head>
606 +         <body class="login no-js login-action-login wp-core-ui  locale-en-us">
607 +         <script type="text/javascript">
608 +                 document.body.className = document.body.className.replace('no-js','js');
609 +         </script>
610 +                 <div id="login">
611 +                 <h1><a href="https://wordpress.org/">Powered by WordPress</a></h1>
612 +  
613 +                 <form name="loginform" id="loginform" action="http://admin.trilocor.local/wp-login.php" method="post">
614 +                         <p>
615 +                                 <label for="user_login">Username or Email Address</label>
616 +                                 <input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" autocomplete="username" />
617 +                         </p>
618 +  
619 +                         <div class="user-pass-wrap">
620 +                                 <label for="user_pass">Password</label>
621 +                                 <div class="wp-pwd">
622 +                                         <input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20" autocomplete="current-password" />
623 +                                         <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password">
624 +                                                 <span class="dashicons dashicons-visibility" aria-hidden="true"></span>
625 +                                         </button>
626 +                                 </div>
627 +                         </div>
628 +                                                 <p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> <label for="rememberme">Remember Me</label></p>
629 +                         <p class="submit">
630 +                                 <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
631 +                                                                         <input type="hidden" name="redirect_to" value="http://admin.trilocor.local/wp-admin/" />
632 +                                                                         <input type="hidden" name="testcookie" value="1" />
633 +                         </p>
634 +                 </form>
635 +  
636 +                                         <p id="nav">
637 +                                                                 <a href="http://admin.trilocor.local/wp-login.php?action=lostpassword">Lost your password?</a>
638 +                         </p>
639 +                                         <script type="text/javascript">
640 +                         function wp_attempt_focus() {setTimeout( function() {try {d = document.getElementById( "user_login" );d.focus(); d.select();} catch( er ) {}}, 200);}
641 + wp_attempt_focus();
642 + if ( typeof wpOnload === 'function' ) { wpOnload() }            </script>
643 +                                 <p id="backtoblog">
644 +                         <a href="http://admin.trilocor.local/">&larr; Go to Trilocor</a>                </p>
645 +                         </div>
646 +                         <script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
647 + <script src='http://admin.trilocor.local/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
648 + <script id='zxcvbn-async-js-extra'>
649 + var _zxcvbnSettings = {"src":"http:\/\/admin.trilocor.local\/wp-includes\/js\/zxcvbn.min.js"};
650 + </script>
651 + <script src='http://admin.trilocor.local/wp-includes/js/zxcvbn-async.min.js?ver=1.0' id='zxcvbn-async-js'></script>
652 + <script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9' id='regenerator-runtime-js'></script>
653 + <script src='http://admin.trilocor.local/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script>
654 + <script src='http://admin.trilocor.local/wp-includes/js/dist/hooks.min.js?ver=c6d64f2cb8f5c6bb49caca37f8828ce3' id='wp-hooks-js'></script>
655 + <script src='http://admin.trilocor.local/wp-includes/js/dist/i18n.min.js?ver=ebee46757c6a411e38fd079a7ac71d94' id='wp-i18n-js'></script>
656 + <script id='wp-i18n-js-after'>
657 + wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
658 + </script>
659 + <script id='password-strength-meter-js-extra'>
660 + var pwsL10n = {"unknown":"Password strength unknown","short":"Very weak","bad":"Weak","good":"Medium","strong":"Strong","mismatch":"Mismatch"};
661 + </script>
662 + <script src='http://admin.trilocor.local/wp-admin/js/password-strength-meter.min.js?ver=6.0.2' id='password-strength-meter-js'></script>
663 + <script src='http://admin.trilocor.local/wp-includes/js/underscore.min.js?ver=1.13.3' id='underscore-js'></script>
664 + <script id='wp-util-js-extra'>
665 + var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}};
666 + </script>
667 + <script src='http://admin.trilocor.local/wp-includes/js/wp-util.min.js?ver=6.0.2' id='wp-util-js'></script>
668 + <script id='user-profile-js-extra'>
669 + var userProfileL10n = {"user_id":"0","nonce":"ea584adfea"};
670 + </script>
671 + <script src='http://admin.trilocor.local/wp-admin/js/user-profile.min.js?ver=6.0.2' id='user-profile-js'></script>
672 +                         <script>
673 +                         /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1);
674 +                         </script>
675 +                                 <div class="clear"></div>
676 +         </body>
677 +         </html>
678 +         #
679 +  
680 +  
681 +  
682 +  
683 +  
684 +  
685 + [Jan 01, 2026 - 22:32:15 (KST)] exegol-pentest /workspace # wpscan --url http://admin.trilocor.local --usernames web-admin --passwords `fzf-wordlists` --password-attack xmlrpc -t 20
686 + _______________________________________________________________
687 +          __          _______   _____
688 +          \ \        / /  __ \ / ____|
689 +           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
690 +            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
691 +             \  /\  /  | |     ____) | (__| (_| | | | |
692 +              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
693 +  
694 +          WordPress Security Scanner by the WPScan Team
695 +                          Version 3.8.28
696 +        Sponsored by Automattic - https://automattic.com/
697 +        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
698 + _______________________________________________________________
699 +  
700 + [+] URL: http://admin.trilocor.local/ [10.129.205.208]
701 + [+] Started: Thu Jan  1 22:59:53 2026
702 +  
703 + Interesting Finding(s):
704 +  
705 + [+] Headers
706 +  | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
707 +  | Found By: Headers (Passive Detection)
708 +  | Confidence: 100%
709 +  
710 + [+] robots.txt found: http://admin.trilocor.local/robots.txt
711 +  | Interesting Entries:
712 +  |  - /wp-admin/
713 +  |  - /wp-admin/admin-ajax.php
714 +  | Found By: Robots Txt (Aggressive Detection)
715 +  | Confidence: 100%
716 +  
717 + [+] XML-RPC seems to be enabled: http://admin.trilocor.local/xmlrpc.php
718 +  | Found By: Direct Access (Aggressive Detection)
719 +  | Confidence: 100%
720 +  | References:
721 +  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
722 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
723 +  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
724 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
725 +  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
726 +  
727 + [+] The external WP-Cron seems to be enabled: http://admin.trilocor.local/wp-cron.php
728 +  | Found By: Direct Access (Aggressive Detection)
729 +  | Confidence: 60%
730 +  | References:
731 +  |  - https://www.iplocation.net/defend-wordpress-from-ddos
732 +  |  - https://github.com/wpscanteam/wpscan/issues/1299
733 +  
734 + [+] WordPress version 6.0.2 identified (Insecure, released on 2022-08-30).
735 +  | Found By: Emoji Settings (Passive Detection)
736 +  |  - http://admin.trilocor.local/a6a1910.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.0.2'
737 +  | Confirmed By: Meta Generator (Passive Detection)
738 +  |  - http://admin.trilocor.local/a6a1910.html, Match: 'WordPress 6.0.2'
739 +  
740 +  
741 +  
742 + 지금 태스크 1 에서 막혀있는데, 풀이 방법을 알려줘.
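Review bot: the hosts entry at the top of the file (`10.129.205.208 www.trilocor.local trilocor.local`) does not cover `admin.trilocor.local`, yet the later `curl` and `wpscan` commands are run against that host; record the extra hosts entry that made those requests resolve so the notes can be replayed. The same gap applies to outcomes: both `wpscan` password runs (the rockyou run against `www` and the `--password-attack xmlrpc` run against `admin`) end without a result line, so the file does not show whether they completed, were interrupted, or found nothing, and the first nmap command is pasted twice. The report-relevant observations are already in the raw output but unlabelled; tag each with the finding (and remediation item) it supports: the REST `wp/v2/users` endpoint listing the `web-admin` account, `xmlrpc.php` answering `system.listMethods` and being flagged as enabled, `wp-login.php` returning 403 on `www.trilocor.local` while the `admin` virtual host serves the login form, `PHPSESSID` set without the `HttpOnly` flag on port 8009, and WordPress 6.0.2, Astra 3.9.2 and Elementor 3.7.7 all reported as out of date. Finally, the closing line is a Korean request for the Task 1 solution rather than an observation; it belongs in the gist description, not in the evidence file.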