Service Discovery & Authentication BypassAn Nmap scan [nmap -sS -sV -T4 -Pn -vv 192.168.22.130] revealed a number of different services running on the machine and fingerprinted the machine as running CentOS:

Service DiscoveryAn Nmap scan [nmap -sS -sV -T4 -vv 192.168.22.128] revealed that the machine had a number of services running, most notably an old version of Apache and a Samba service.

FristiLeaks is a VM created by Ar0xA and has a difficulty rating of “basic”. The goal is to get root access and read the flag file.

Due to a lack of CSRF mitigation and entity encoding in the output generated by `arabic-font.php` and `/inc/panel.php`, it is possible to store and execute scripts in the context of an admin user.

This is the first time I have written a blog post regarding WordPress Exploit Framework. I’ve never felt the need to write one yet, but given some of the changes in the latest update that I have pushed to GitHub, it seemed fitting to do so now in order to update people on some of the bigger changes in v1.6.1.