Mini Pentest Workshop


Mini workshop

All the details of my presentation, for those who fall behind.

Prerequisites for the workshop (software):

  1. Any Linux distro

  2. Arduino IDE (

  3. Wireshark (sudo apt-get install wireshark on Ubuntu/Debian-based distros)

  4. Python

GR-GSM (this requires an SDR and some time to compile). Install the build dependencies first:

sudo apt-get update && \
sudo apt-get install -y \
    cmake \
    autoconf \
    libtool \
    pkg-config \
    build-essential \
    python-docutils \
    libcppunit-dev \
    swig \
    doxygen \
    liblog4cpp5-dev \
    python-scipy \
    python-gtk2 \
    gnuradio-dev \
    gr-osmosdr

(The python-* names are the Python 2 packages of the GNU Radio 3.7 era that gr-gsm was written against; newer distros ship python3-* equivalents.)

Download GR-gsm and compile with (

git clone
cd gr-gsm
mkdir build
cd build
cmake ..
mkdir -p $HOME/.grc_gnuradio/ $HOME/.gnuradio/
make
sudo make install
sudo ldconfig

Running make as your own user before the install step keeps the compiled tree owned by you; only the install into system paths needs root.

WiFi deauthentication using an ESP8266

(I will provide four pre-configured NodeMCUs you can play around with.) First we need to flash the NodeMCU using this tutorial (easier to follow the link). Note that a deauthentication attack only forges unprotected 802.11 management frames: an access point and client that negotiated 802.11w (Protected Management Frames) will ignore the spoofed deauth frames, so don't be surprised if a modern network shrugs it off.

Pentest part

This pentest will cover tools like Nmap, ZAP and Metasploit.

You are more than welcome to download the VM and run it on your own machine,216/

First, open up Kali Linux or any Linux machine.

Let's run an Nmap scan on the target machine (you can easily get its IP since the VM has a GUI: open the network connection information):

nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports <machine-ip>

-p- scans all 65535 TCP ports, -sS is a SYN scan (it needs raw sockets, so run it with sudo if you are not already root), -Pn skips host discovery and treats the target as up, -n disables reverse DNS lookups, -vvv gives verbose progress, and -oA writes the results in normal, greppable and XML format with the base name nmap-host-ports.

For demonstration purposes I will be using OpenVAS to show some of the vulnerabilities.

We can see that ports 21, 22 and 80 are open (and OpenVAS flags the ProFTPD service on port 21 as exploitable).
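If you prefer to pull the port list out of the saved scan instead of reading it off the console, here is an added example (an addition to these notes, not a command from the workshop) that parses the greppable nmap-host-ports.gnmap file written by -oA. The scan data embedded in it is constructed to look like the result on the workshop VM, and 192.168.56.101 is a placeholder IP; point open_ports at your real .gnmap file.

```sh
#!/bin/sh
# Added example for the workshop notes (not part of the original write-up):
# list the open ports from the greppable output that `-oA nmap-host-ports`
# writes to nmap-host-ports.gnmap. The scan data below is constructed to look
# like a SYN scan of the workshop VM; 192.168.56.101 is a placeholder address.

SAMPLE_GNMAP=$(mktemp)
{
    printf '# Nmap 7.70 scan initiated as: nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports 192.168.56.101\n'
    printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65531)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds\n'
} > "$SAMPLE_GNMAP"

# open_ports FILE -> one "port/proto service" line per open port. Nmap lists
# every port whose state differs from the "Ignored State" individually, so
# filtered/closed entries show up here too and are skipped on purpose.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", *")
                for (j = 1; j <= n; j++) {
                    # fields: port/state/proto/owner/service/rpc/version/
                    split(entry[j], f, "/")
                    if (f[2] == "open") printf "%s/%s %s\n", f[1], f[3], f[5]
                }
            }
        }' "$1"
}

# open_port_list FILE -> just the port numbers on one line, e.g. "21 22 80",
# ready to feed into a follow-up `nmap -sV -p 21,22,80 <machine-ip>`.
open_port_list() {
    open_ports "$1" | cut -d/ -f1 | tr '\n' ' ' | sed 's/ $//'
}

open_ports "$SAMPLE_GNMAP"    # on a real run: open_ports nmap-host-ports.gnmap
```

Without -sV the service column is only nmap's guess from its port table (ftp, ssh, http), so the second, targeted -sV scan on the open_port_list output is what actually identifies ProFTPD and its version.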

This looks promising. Let’s try to exploit it with Metasploit.

search ProFTPD
use exploit/unix/ftp/proftpd_133c_backdoor

Bingo! Found something. Set the target's IP (RHOSTS, or RHOST on older Metasploit releases) and, since a reverse command shell is the module's default payload, LHOST to your attacking machine's address, then run the exploit. What the module does under the hood is simple: the ProFTPD 1.3.3c source tarball served from the project's compromised distribution server in late 2010 contained a backdoor that spawns a root shell when the daemon receives the FTP command HELP ACIDBITCHEZ, and the module just sends that command and hooks up the resulting shell.

Now that we have gained root access, let's dig a little deeper and find some more fancy stuff!

(We can skip this step since we already used Nmap, but let's explore the GUI version.) Start up Zenmap and scan the target IP.

It reveals the same open ports:

21 – ProFTPD (what we already exploited)
22 – OpenSSH
80 – HTTP with Apache

Now open the target's IP address in a web browser.

Now open up your terminal again and run uniscan against the given URL (-u http://<target-ip>), enabling directory checks (-q) and dynamic checks (-d):

uniscan -u http://<target-ip> -qd

Interesting. This reveals a URL that we might want to take a deeper look at.


Also, some external hosts were found:

And a test of http://<target-ip>/secret/wp-login.php reveals a WordPress login page.

Bingo! Now the fun can begin. We are a big step further now. The first thing I want to do is run WPScan against the site to enumerate potential users and find potential vulnerabilities.

wpscan --url http://<target-ip>/secret/

WPScan reports a couple of vulnerabilities for the detected WordPress version:

WordPress 2.8.6-4.9 – Authenticated JavaScript File Upload – CVE-2017-17092
WordPress 1.5.0-4.9 – RSS and Atom Feed Escaping – CVE-2017-17094
WordPress 4.3.0-4.9 – HTML Language Attribute Escaping – CVE-2017-17093
WordPress 3.7-4.9 – ‘newbloguser’ Key Weak Hashing – CVE-2017-17091
WordPress 3.7-4.9.1 – MediaElement Cross-Site Scripting (XSS) – CVE-2018-5776
WordPress <= 4.9.4 – Application Denial of Service (DoS) (unpatched) – CVE-2018-6389

But first, let's run a user enumeration with WPScan.

wpscan --url http://<target-ip>/secret/ --enumerate u

Admin as a username... Why not try admin/admin? Huh? Entering the username and password redirects us somewhere else: to a domain.

That's weird. Let's figure out what's up with that.

All links on the "Secret Blog" redirect to a domain named vtcsec, leaving us with a blank page. WordPress stores its site address in the database and builds every link and redirect from it, so the blog keeps sending us to the hostname it was installed with. If we click on a link on the Secret Blog, we get redirected, for example, to


However, if we replace

http://vtcsec/ with http://<target-ip>/

we are able to access the page. To be able to run a brute-force attack against the WordPress site without these redirects getting in the way, we need to add an entry pointing vtcsec to the target IP in our hosts file.

nano /etc/hosts

We can verify that it worked by clicking on a link on the http://<target-ip>/secret/ site again. And there we go: hit F5 to refresh the page, and it starts loading correctly. We now have access to the Admin Dashboard, which gives us a host of new things to try.

But not so fast: what if the password hadn't been admin/admin? We could have used WPScan to brute-force a couple of default passwords against it with the command below.

wpscan --url http://vtcsec/secret/ --usernames admin --passwords /usr/share/wordlists/metasploit/http_default_pass.txt

(That is the WPScan 3 syntax; the 2.x release used --username, --wordlist and --wp-content-dir, which takes a directory name rather than a URL. Pass the blog base URL, not wp-login.php, since WPScan locates the login endpoint itself. WordPress has no login lockout by default, but hammering a lab VM with 50 threads mostly produces timeouts, so start with the default thread count and raise it only if the target keeps up.)

I used the http_default_pass.txt wordlist and, sure enough, it found the correct password as well.

(This part will not work in this example, but is a proof of concept.) We are going to add malicious code to the header.php page. I went to /usr/share/webshells/php and copied the code of php-reverse-shell.php.

On your attacking computer, go to Places → File System → usr → share → webshells → php and open php-reverse-shell.php

Copy all of its content:

Now I went to Appearance → Editor → Theme Header (header.php) in WordPress, pasted the code at the bottom of the file and changed the IP to my attacking computer's. You can delete the code that was in the file before. I also changed the port for good measure. Then I updated the file. (This only works while the theme editor is enabled; sites that set DISALLOW_FILE_EDIT in wp-config.php hide it. And because header.php is included on every front-end page, any visitor to the blog will now trigger a connect-back, not just you.)

Next, I need to start a listener on my attacking computer:

nc -lvnp 443

Once that is done, just open http://<target-ip>/secret/ once more and you will see that we get a connection on our listener.

We are logged in as the www-data user.

Using Metasploit to upload a malicious WordPress plugin

The Metasploit admin shell upload module sounds promising. Fire up Metasploit and configure the module first.

use exploit/unix/webapp/wp_admin_shell_upload

Set up everything like so: RHOSTS to the target IP, TARGETURI to /secret/, USERNAME and PASSWORD to admin/admin, and LHOST to your attacking machine. The module logs in with those credentials, uploads a small plugin that carries the payload and activates it, which is why it needs a working admin account.

Finally run it by typing run (or exploit).

And boom! We got a Meterpreter shell.