
port 21

A WordPress login page at 172.16.10.12/wp-login.php

A WordPress user-enumeration vulnerability (CVE-2017-5487) at 172.16.10.12/wp-json/wp/v2/users

Let's confirm these three findings manually to ensure there are no false positives. Connect to the identified FTP server at 172.16.10.11 by issuing the following ftp command. This command connects to the server using the anonymous user and an empty password (note that nothing is specified after the colon (:)):

$ ftp ftp://anonymous:@172.16.10.11
Connected to 172.16.10.11.
220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.

We were able to connect! Let's issue an ls command to verify that we can list files and directories on the server:

ftp> ls
229 Entering Extended Passive Mode (|||33817|)
150 Here comes the directory listing.
drwxr-xr-x 1 0 0 4096 Mar 11 05:23 backup
-rw-r--r-- 1 0 0 10671 Mar 11 05:22 index.html
226 Directory send OK.

We see an index.html file and a backup folder. This is the same folder that stores the two git repositories we saw earlier, except now we have access to the FTP server where these files actually live.
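The same confirmation can be scripted so it scales to many hosts and does not rely on reading each session by eye. The bash below is an added example, not code from the book: it classifies an FTP control-channel transcript by its reply codes (220 greeting, 230 login success, 530 login refused) and wraps a live check around curl. The function names `classify_ftp_transcript` and `check_anon_ftp` are assumptions, as is the presence of curl on the auditing machine.

```bash
#!/usr/bin/env bash
# Added example (not from the book): confirm an anonymous-FTP finding by
# reply code rather than by eye, so the check can run across a host list.

# Reads an FTP control-channel transcript on stdin and prints one of:
#   anonymous-login-ok   a 230 reply followed a 220 greeting (exit 0)
#   login-refused        a 530 reply was seen (exit 1)
#   login-unconfirmed    greeting seen, but neither 230 nor 530 (exit 1)
#   no-ftp-banner        no 220 greeting: not FTP or no answer (exit 2)
classify_ftp_transcript() {
  local line code saw_banner=0
  while IFS= read -r line; do
    code=${line:0:3}            # FTP replies begin with a 3-digit code
    case "$code" in
      220) saw_banner=1 ;;
      230) if [ "$saw_banner" -eq 1 ]; then
             echo anonymous-login-ok; return 0
           fi ;;
      530) echo login-refused; return 1 ;;
    esac
  done
  if [ "$saw_banner" -eq 1 ]; then
    echo login-unconfirmed; return 1
  fi
  echo no-ftp-banner; return 2
}

# Live check against one host (hypothetical helper): curl logs in with the
# anonymous user and an empty password; --verbose echoes server replies to
# stderr prefixed with "< ", which we strip and feed to the classifier.
check_anon_ftp() {
  local host=$1
  curl --silent --verbose --max-time 10 --user 'anonymous:' "ftp://$host/" \
    2>&1 >/dev/null | sed -n 's/^< //p' | classify_ftp_transcript
}

# Constructed sample transcript, modelled on the session shown above.
SAMPLE_TRANSCRIPT='220 (vsFTPd 3.0.5)
331 Please specify the password.
230 Login successful.'

printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_ftp_transcript   # prints anonymous-login-ok
```

Run `check_anon_ftp 172.16.10.11` against the lab host to get the same verdict from a live session.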

Next, open a browser to http://172.16.10.12/wp-login.php from your Kali machine. You should see the page in Figure 5-2.

Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks