SoSimple
This is a free Linux machine on Proving Grounds; you can also download it from vulhub.
NMAP SCAN
nmap -sV -sC -T4 -oN $HOME/Desktop/labs/SoSimple 192.168.199.78
The command above runs a full scan of the machine; the following ports were seen:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-16 19:35 EAT
Nmap scan report for 192.168.199.78
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
| 256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_ 256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.27 seconds
Ports 22 and 80 are open. Checking the auth methods shows the following ways to access SSH:
nmap -p 22 --script ssh-auth-methods 192.168.199.78
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-16 19:44 EAT
Nmap scan report for 192.168.199.78
Host is up (0.25s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
ssh-hostkey
nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full 192.168.199.78
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-16 19:50 EAT
Nmap scan report for 192.168.199.78
Host is up (0.26s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| ssh-rsa ...
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO/ko3XtMH5m6keCi750yCg/B93iEWSBbyGrmJZ4sHThaowuRlW6sm/WuHR6AUeoCsU0su07XVlgPtCJOf35ByU=
|_ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkLRPLyIQqo5WToErae3vTYq6M2ZYupOFtsl1oNG0rp
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
scanning port 80
Here we see a simple website with nothing suspicious in the source code, so I decided to look for directories and files that might be present on the server.
feroxbuster
feroxbuster -u http://192.168.199.78/ -x html,php,txt
![[Screenshot_2023-11-16_20-46-34.png]]
After some time, the scan shows that there is a /wordpress folder, which indicates that there might be a WordPress website present, and there is.
![[1.png]]
Looking further down the page, you see a post, "Hello world!", that was posted by admin, which means we have a user on the system called admin. So let's try to find admin's password for the WordPress login.
With WPScan we can brute-force the password for our user admin.
wpscan:
wpscan --url http://192.168.199.78/wordpress -U admin -P /usr/share/wordlists/rockyou.txt
![[2.png]]
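Seen from the server side, the feroxbuster and wpscan runs above leave a recognisable trail in the Apache access log: a burst of 404 responses, then repeated POSTs to the WordPress login endpoints. The script below is an added example, not part of the original write-up; it counts both per client over the lines it is given, and the log lines, client addresses and thresholds in it are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress endpoints that accept credentials.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")


# Thresholds are assumed defaults; tune them to the site's normal traffic.
def analyze(lines, max_auth_posts=5, max_not_found=10):
    """Return {ip: set of findings} for clients that exceed a threshold."""
    auth_posts = defaultdict(int)
    not_found = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith(AUTH_PATHS):
            auth_posts[m["ip"]] += 1
        if m["status"] == "404":
            not_found[m["ip"]] += 1
    findings = defaultdict(set)
    for ip, n in auth_posts.items():
        if n > max_auth_posts:
            findings[ip].add("password-guessing")
    for ip, n in not_found.items():
        if n > max_not_found:
            findings[ip].add("content-discovery")
    return dict(findings)


def sample_log():
    """Constructed log: one noisy client (10.0.0.5) and one normal visitor."""
    fmt = '{ip} - - [16/Nov/2023:20:{m:02d}:{s:02d} +0300] "{req} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="10.0.0.5", m=40, s=i, req=f"GET /dir{i}.php", st=404) for i in range(12)]
    lines += [fmt.format(ip="10.0.0.5", m=50, s=i, req="POST /wordpress/wp-login.php", st=200) for i in range(8)]
    lines += [fmt.format(ip="10.0.0.9", m=55, s=1, req="GET /wordpress/", st=200),
              fmt.format(ip="10.0.0.9", m=55, s=9, req="POST /wordpress/wp-login.php", st=302)]
    return lines


if __name__ == "__main__":
    for ip, found in analyze(sample_log()).items():
        print(ip, sorted(found))
```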
nmap -sV -sC ip
nmap
wpscan --url http://192.168.239.78/wordpress/ -e ap,u --passwords /usr/share/wordlists/rockyou.txt