For Business Reasons (without Metasploit) — TryHackMe

0xsanz
6 min readJan 31, 2021

This is a write-up for a TryHackMe’s room named “For Business Reasons”. This room is rated Hard

This room can be found here:- https://tryhackme.com/room/forbusinessreasons

Description:

In your network scan, you found an unknown VM…

You find a Host run by MilkCo*, run by a competent but not perfect team of sysadmins… But teams make mistakes.

Immature teams often do things like have all the elements of security like strict firewalls but then throw it all away by not understanding a technology or using shared passwords.

This is a hyper-realistic room. This room also features a difficult pivot.

Enumeration:

# Identify the list of services running on the target machine

sudo nmap -sS -Pn -T4 -p- 10.10.53.149

# Perform further information gathering on the open ports identified above — 80 in our case

sudo nmap -O -A -Pn -T4 -p80 10.10.53.149

Our NMAP scan reveals a WordPress site on port 80. Now lets run a WPScan to check if we can find any vulnerability.

WPScan

This will enumerate all plugins and users

wpscan --url 10.10.53.149 --enumerate u,ap

If a WPScan shows xml-rpc enabled on the website, whenever this file is enabled on any WordPress website, the website becomes vulnerable to brute-force attack. Here we have XML-RPC enabled and we got a user named “sysadmin”. Lets try to brute force this user’s password using WPScan only.

wpscan --url http://10.10.53.149 -U sysadmin -P /usr/share/wordlists/rockyou.txt

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204