For Business Reasons (without Metasploit) — TryHackMe

6 min readJan 31, 2021

This is a write-up for a TryHackMe’s room named “For Business Reasons”. This room is rated Hard

This room can be found here:-


In your network scan, you found an unknown VM…

You find a Host run by MilkCo*, run by a competent but not perfect team of sysadmins… But teams make mistakes.

Immature teams often do things like have all the elements of security like strict firewalls but then throw it all away by not understanding a technology or using shared passwords.

This is a hyper-realistic room. This room also features a difficult pivot.


# Identify the list of services running on the target machine

sudo nmap -sS -Pn -T4 -p-

# Perform further information gathering on the open ports identified above — 80 in our case

sudo nmap -O -A -Pn -T4 -p80

Our NMAP scan reveals a WordPress site on port 80. Now lets run a WPScan to check if we can find any vulnerability.


This will enumerate all plugins and users

wpscan --url --enumerate u,ap

If a WPScan shows xml-rpc enabled on the website, whenever this file is enabled on any WordPress website, the website becomes vulnerable to brute-force attack. Here we have XML-RPC enabled and we got a user named “sysadmin”. Lets try to brute force this user’s password using WPScan only.

wpscan --url -U sysadmin -P /usr/share/wordlists/rockyou.txt


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204