Tags: wireshark
Rating:
# WordPress - 4
[Medium]
Same file from WordPress - 1
Q1. What is the name of the function that the attacker tested the exploit with, and what is the name/version of the attacker's server?
Q2. What is the username that was logged on during the attack, including the domain?
Q3. The attacker attempted to upload a reverse shell. Mention the IP and port. What command posed an obstacle during the process of the reverse shell?
Flag Format `0xL4ugh{A1_A2_A3}`
Example: `0xL4ugh{functionName()_serverName/version_domain\username_IP:PORT_command}`
---
Solution:
Remember from part 3 that the RCE requests were sent by `192.168.204.1` and used `172.26.211.155` as the C2?
Let's use both addresses in a display filter, restricted to HTTP traffic: `((ip.src == 192.168.204.1) || (ip.dst == 192.168.204.1) || (ip.src == 172.26.211.155) || (ip.dst == 172.26.211.155)) && http`
There we go! Q1 answer: `phpinfo()_SimpleHTTP/0.6`
For Q2, let's take a look at the response to the packet that invoked `whoami`.
Q2 answer: `desktop-2r3ar22\administrator`
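The same triage can be scripted. The following is an added example (not part of the original writeup): it applies the equivalent of the Wireshark filter above to a constructed list of decoded HTTP packets and pulls out the tested PHP call, the C2's `Server` banner and the `whoami` result. The victim address `192.168.204.133`, the `cmd` parameter and the packet contents are constructed for the example; only the attacker, C2 and answer values come from the writeup.

```python
import re
from dataclasses import dataclass

ATTACKER, C2 = "192.168.204.1", "172.26.211.155"   # from the writeup
WEB = "192.168.204.133"                            # hypothetical victim address

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str
    payload: str   # decoded HTTP text (constructed for this example)

def matches_filter(p: Pkt) -> bool:
    """Same logic as the Wireshark filter: either address on either side, and HTTP."""
    return p.proto == "http" and (p.src in (ATTACKER, C2) or p.dst in (ATTACKER, C2))

def server_banner(p: Pkt):
    m = re.search(r"^Server:\s*(\S+)", p.payload, re.M)   # e.g. SimpleHTTP/0.6
    return m.group(1) if m else None

def php_call(p: Pkt):
    m = re.search(r"\b([a-z_]+\(\))", p.payload)          # e.g. phpinfo()
    return m.group(1) if m else None

def windows_account(p: Pkt):
    m = re.search(r"\b([\w-]+\\[\w-]+)", p.payload)       # DOMAIN\user from whoami output
    return m.group(1) if m else None

def triage(pkts):
    """Walk the filtered stream and keep the first hit for each artefact."""
    found = {"function": None, "server": None, "account": None}
    for p in filter(matches_filter, pkts):
        found["function"] = found["function"] or php_call(p)
        found["server"] = found["server"] or server_banner(p)
        found["account"] = found["account"] or windows_account(p)
    return found

# Constructed sample capture, mirroring the sequence seen in the writeup
SAMPLE = [
    Pkt("10.0.0.7", WEB, "http", "GET /wp-login.php HTTP/1.1\r\nHost: blog\r\n\r\n"),
    Pkt(ATTACKER, WEB, "http", "POST /index.php HTTP/1.1\r\nHost: blog\r\n\r\ncmd=phpinfo()"),
    Pkt(WEB, C2, "http", "GET /payload.txt HTTP/1.1\r\nHost: c2\r\n\r\n"),
    Pkt(C2, WEB, "http", "HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6\r\n\r\n"),
    Pkt(WEB, ATTACKER, "http", "HTTP/1.1 200 OK\r\n\r\ndesktop-2r3ar22\\administrator\r\n"),
    Pkt(ATTACKER, WEB, "tcp", "SYN"),   # not HTTP: dropped by the && http clause
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real capture, `tshark -Y '<filter>' -T fields -e ip.src -e ip.dst -e http.server -e http.file_data` produces the same fields this script extracts.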
Finally, for Q3: the retrieval of the reverse shell happened right after the `whoami` command was invoked. We saw earlier that when `wp_abspath` is the only parameter, the payload is retrieved from the C2.
```php