Details

Come and learn how to hack a WordPress website. Reilly will be presenting on this topic. There will be a live demo, and everyone is invited to hack an intentionally insecure WordPress website hosted by Valpo Hacks. Bring a laptop; we recommend using Kali Linux.

Tools used:
nmap
w3af
wpscan
dirbuster
sqlmap
hashcat
weevely

(all are included in the Kali Linux distro)

Recon - we will look at the WordPress website and discuss potential entry points. We will also port scan the web server with nmap, scan the web app with w3af, scan WordPress with wpscan, and run a brute-force directory search with dirbuster to look at the attack surface and potential entry points.

SQL injection - we will discover a plugin vulnerable to SQL injection and use sqlmap to dump the wp_users table of the database, which will contain all usernames and (hashed, salted) passwords.

Offline brute force of password hashes - we will use hashcat with a wordlist called rockyou.txt, which contains around 15 million possible passwords to try. Some of the accounts with weaker passwords will be revealed.

PHP backdoor - we will use weevely to generate a PHP backdoor, then we will log into WordPress, plant the backdoor inside one of the PHP files using the editor, and then access the server command line through the PHP backdoor.

Privilege escalation - now that we have command-line access as a user on the server through the PHP backdoor, we want to escalate that access to an SSH account, and to root privilege if possible. We will search through WordPress config files and bash history to look for plaintext passwords.

SSH access - after finding a few potential passwords, we will try to use them to log in over SSH.

Security Recommendations:

At the end of the demo I will give recommendations for making WordPress more secure.