Welcome back fellow security enthusiasts! Today I will show you how to hack a WordPress Website using the Mr. Robot CTF as an example. I have just worked through this excellent CTF myself and learned a ton in the process. I wanted to level up my Web Vulnerability Analysis game a notch and started with this CTF.
If you really want to learn Cybersecurity, I highly recommend reading my huge Getting started with Cybersecurity in 2019 beginner guide, where I teach you how to start, completely free! Also worth checking out is the Best Hacking Books in 2019 article.
DISCLAIMER: This “how to hack a WordPress website” guide is an Ethical Hacking Tutorial geared towards Security Professionals. Do not, I repeat, do not use these techniques without the written consent of the receiving party. If you use this tutorial in an unlawful context, criminal charges and/or prison time might be waiting for you. Only use these techniques in a closed laboratory environment.
A CTF is a so-called Capture the Flag game, where your goal is to collect a certain number of flags (or keys, for that matter). CTFs are used to practice your hacking skills in a safe and legal environment. I can recommend Vulnhub as a resource for a selection of excellent CTFs.
Ok, let’s get started.
Step 1 – Evaluating if a Website is using WordPress
If you don’t know if a Website is using WordPress or not, there mostly is a very easy way to find that out.
You can simply type: www.addressofthewebsite.com/wp-admin
Which in most cases will bring up the wp-admin login GUI, unless the admin has disabled it.
Another option is to scan the site with wpscan:
wpscan -u www.addressofyourtarget.com
In my case, scanning the Mr. Robot VM reveals the following.
As you can see, it clearly indicates that the site is using WordPress. It also presents you with 46 identified vulnerabilities. Now, most hosting providers and recent versions of WordPress will block a scan like this by default, so this is most likely only going to work against outdated WordPress versions without any protection from the hoster.
Ok, so far so good. Now we can verify that by checking if the login page exists by navigating to the website URL + /wp-admin like so:
And sure enough, the login form comes up.
Step 2 – Grabbing Code with Burpsuite
Now comes the difficult part, finding out the username. You could start with admin, but WordPress usually generates a random username, so it might be difficult to figure out and you might need to do some further research on the target.
In the Mr. Robot example, I know that the username is Elliot (not too hard to guess). You could also try to run Hydra against a couple of username lists, but first we need to use Burp Suite to grab some code from the login page.
Start Burp Suite from the terminal.
Create a new Temporary Project using the Burp defaults.
Navigate to the Target -> Scope tab and click on Add to include the wp-login page in the scope. Select Yes in the pop-up dialog.
Next, go to the Preferences Menu of Firefox and scroll all the way down until you find Network Proxy. Click on Settings.
Select Manual proxy configuration and enter the IP 127.0.0.1 and the port 8080. Tick “Use this proxy server for all protocols”. Click OK.
Back in Burp Suite, open the Proxy tab. Now go back to the wp-login page, enter any random username and password and click Log In. Make sure Privacy Badger, uBlock Origin, and NoScript are disabled for the site.
Once you have clicked Log In, go back to Burp Suite and look at the intercepted request.
Now we have something we can feed to Hydra.
Step 3 – Finding the correct Username
Let’s have a little bit of fun to give you an idea of how you could find out a username for your target. The VM we are using for this example, as mentioned above, is Mr. Robot themed. So it’s very likely that the username will be found in some trivia that has to do with Mr. Robot.
First, go back to Burp Suite and close it; we don’t need it any more right now. Also go back to your proxy settings and disable the proxy again.
Now I head to the Mr. Robot Wikipedia page: https://en.wikipedia.org/wiki/Mr._Robot
And I will create a username list from this exact page using CeWL.
Open a new Terminal Window and type
sudo cewl -w usernames.txt -d1 -m4 https://en.wikipedia.org/wiki/Mr._Robot
Let’s break this down.
- -w usernames.txt – should be pretty clear, this is the name of the wordlist that will be created
- -d1 – Defines the depth to which CeWL will crawl the website. 1 means it stays on this exact page and does not follow any links on it.
- -m4 – Defines the minimum length of a word for it to be put in the list
- https://en.wikipedia.org/wiki/Mr._Robot – obviously the website we are going to crawl.
So as you see, you could apply this technique to any target relevant website.
A quick directory listing shows us that our usernames.txt was created.
In some cases you get lucky using wpscan to enumerate the username, so always try this too:
wpscan --url http://www.targetwebsite.com --enumerate u
Now we are going to use Hydra to brute force this list against the wp-login page.
Step 4 – Bruteforcing Usernames with Hydra
Alright, time to feed the usernames to our Hydra. I found this particular method on one of the many walkthroughs from Vulnhub, although I don’t remember exactly which one it was, but I give credit where credit is due. Open a new terminal window and type:
hydra -V -L usernames.txt -p whatever 192.168.1.109 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
Let’s break this down.
- -V – Verbose
- -L – Our usernames.txt list
- -p whatever – The password; we don’t care about it, because we want to find out the username
- http-post-form – The Hydra module to use, i.e. a brute force against an HTTP POST form
- /wp-login.php – The path to the login form
- log=^USER^&pwd=^PASS^&wp-submit=Log+In – The values that will be sent to the form, where ^USER^ and ^PASS^ are placeholders for our -L and -p options
- F=Invalid username – Tells Hydra that the attempt failed if the response contains Invalid username
Alright, let’s run that command, shall we?
And sure enough, Hydra reports that the login with the username elliot was successful (which it wasn’t; it only confirms that the web form didn’t return Invalid username for that user).
So we still need to figure out the password. But at least we have a username.
Step 5 – Brute Forcing the Password
Now we could also use Hydra to brute force the user’s password, but I prefer using wpscan as the syntax is easier.
wpscan --url http://192.168.1.109/wp-login.php --passwords /usr/share/wordlists/rockyou.txt.gz --usernames elliot --wp-content-dir http://192.168.1.109/wp-login.php
rockyou.txt.gz is just an example; replace it with whatever password list you want to use.
And voilà, we have the username and the password.
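Steps 4 and 5 both leave the same footprint on the server: a burst of POST requests to wp-login.php from one address, each answered with a 200 (the login page carrying an error), and, if a guess succeeds, a final 302 redirect to wp-admin. The following Python script is an added example written for this post, not code from the original or from the Hydra or wpscan projects. It parses a few constructed Apache combined-format log lines and flags every source address that crossed a chosen attempt threshold inside a sliding time window; the threshold, the window and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 192.168.1.50 - - [10/Mar/2019:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_login_bursts(lines, threshold=20, window_seconds=60):
    """Return {ip: info} for every IP that POSTed to wp-login.php at least
    `threshold` times inside any `window_seconds` window (threshold and
    window are assumed values). info["succeeded"] is True when a 302, which
    is how WordPress answers a successful login, appears among the attempts:
    that is what a guessed password looks like in the access log."""
    posts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            posts[ev["ip"]].append((ev["ts"], ev["status"]))

    findings = {}
    for ip, events in posts.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {
                "max_attempts_in_window": best,
                "total_posts": len(events),
                "succeeded": any(status == 302 for _, status in events),
            }
    return findings


def constructed_sample_log():
    """Constructed sample data, not a real capture: one host hammering
    wp-login.php for 15 seconds and then receiving a 302, plus one normal user."""
    fmt = ('{ip} - - [10/Mar/2019:14:02:{sec:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {status} 2410 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="192.168.1.50", sec=i // 2, status=200) for i in range(30)]
    lines.append(fmt.format(ip="192.168.1.50", sec=15, status=302))
    lines.append('10.0.0.7 - - [10/Mar/2019:14:03:10 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"')
    lines.append('10.0.0.7 - - [10/Mar/2019:14:03:25 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_login_bursts(constructed_sample_log()).items():
        print(ip, info)
```

Run it directly to print the findings for the constructed sample; pointing it at a real access log is a matter of passing the file's lines instead. On the prevention side, the oracle Hydra relies on in Step 4 exists because WordPress tells the visitor whether the username or the password was wrong; returning one generic message through the login_errors filter, together with rate limiting on wp-login.php, removes the enumeration and most of the brute-force window.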
Step 6 – Implementing malicious Code into WordPress
Alright, now that we got Admin Access to WordPress, there are a couple of ways we can go from here. I will show you one of the easier ones.
On your Attacking Computer go to Places -> File System -> usr -> share -> webshells -> php and open php-reverse-shell.php
Copy all of its content:
Now in WordPress, navigate to Appearance -> Editor and select the 404.php template. This is just an example; you can place the code in many different ways.
Now paste your code in here so it looks something like this:
Edit the lines marked in yellow so the IP points to your attacking computer and choose a port.
Step 7 – Starting a Netcat listener
Now back on the attacking computer, we start a Netcat listener:
nc -lvp 443
Then trigger the 404 template by opening a non-existent page on the target, for example www.yourtargetwebsite.com/404
And we are in! Not only did we take over the WordPress admin account, we also got a shell on the server itself. From here you need to use your skills to gain elevated privileges, but that shouldn’t be too hard any more.
As you can see, CTFs are a great way to learn new stuff.
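The change made in Step 6 is exactly what a file-integrity check on the theme directory is meant to catch: the baseline hash the administrator recorded for 404.php no longer matches, and the new content calls functions a template never needs. The Python below is an added example, not part of this post or of any WordPress tooling. It hashes every .php file under a theme directory, compares the result against a saved baseline, and lists suspicious function calls in changed or new files. The demo() function builds a throwaway theme in a temporary directory and tampers with its 404.php using a constructed, inert line, so all paths and file contents are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Functions that have no business in a theme template; their presence in a
# changed file is a strong signal of a planted web shell (list is an assumption).
SUSPICIOUS = ("fsockopen", "proc_open", "popen", "shell_exec", "exec",
              "system", "passthru", "eval", "base64_decode")
SUSPICIOUS_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS) + r")\s*\(")


def file_hashes(root):
    """Map every .php file under `root` (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                hashes[os.path.relpath(full, root)] = digest
    return hashes


def suspicious_calls(php_source):
    """Sorted list of suspicious function names that are called in the source."""
    return sorted(set(SUSPICIOUS_RE.findall(php_source)))


def compare(root, baseline):
    """Diff the current tree against a baseline from file_hashes() and scan
    every changed or new file for suspicious calls."""
    current = file_hashes(root)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    flagged = {}
    for p in changed + new:
        with open(os.path.join(root, p), encoding="utf-8", errors="replace") as fh:
            calls = suspicious_calls(fh.read())
        if calls:
            flagged[p] = calls
    return {"changed": changed, "new": new, "missing": missing, "flagged": flagged}


def demo():
    """Constructed scenario: baseline a clean two-file theme, then modify 404.php
    the way Step 6 does (the appended line is inert test content, not a shell)."""
    with tempfile.TemporaryDirectory() as theme:
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n")
        with open(os.path.join(theme, "index.php"), "w") as fh:
            fh.write("<?php get_header(); get_footer(); ?>\n")
        baseline = file_hashes(theme)
        with open(os.path.join(theme, "404.php"), "a") as fh:
            fh.write("<?php $s = fsockopen($host, $port); ?>\n")
        return compare(theme, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install or theme update and stored off the web server; running compare() from cron and alerting on any non-empty changed, new or flagged list catches the Appearance -> Editor trick and most dropped shells. Setting DISALLOW_FILE_EDIT in wp-config.php removes the in-browser editing path altogether, so a stolen admin password alone no longer turns into code execution.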
Until next time, keep on hacking!
*All the techniques provided in the tutorials on ceos3c.com are meant solely for educational purposes.
All of the techniques taught here are only meant to be used in a closed laboratory environment or with the consent of a second party.
If you are using any of those techniques for illegal purposes, Ceos3c can’t be held responsible for possible legal consequences.