Help options and we’re gonna be using some some basic commands here but Analects be explaining what they do alright so let’s get started now the first thing we need to do is we need to enumerate the user names and this can be done you know you by exploiting the vulnerable plugins now by default as I’ve already said this WordPress version.
Is vulnerable and it is set up to be vulnerable and it’s just a way of me explaining how this goes really.
Ok so let me just clear that up and we can get started and we maximize the terminal because we’re gonna need all this the real estate that we have that we actually need alright excellent let’s begin so now we’re.
Going to start off with when you just enumerate the help yeah just to get started so we are going to actually start a numerating username so the username of course we’re looking at the basic.
Syntax here so again since we are using the you command because we are targeting a URL so the syntax will be.
Pretty simple we’ll be using the you command we’ll be using the e command if I can find it here yeah there.
We are there to enumerate options and then we’re going to be enumerated in.
Usernames so again it’s going to get user names here and finally we are going to be targeting only the vulnerable plugins all right.
So that is right here VP only the vulnerable plugins so let’s get started I’m just going to clear the terminal again and there we are so WP scan.
And after that we use the IP address so one ninety two dot one sixty eight point one point 108 excellent now we use the e to.
Enumerate all right the e command now use you all right because we are specifying in him enumerate user name so you is not actually an argument.
It’s more of an expression of enumerate right so EU so enumerate user names and I want you to target only vulnerable plugins there we are so hopefully this returns the default user name.
So great enter and this should be relatively quickly because again the user name is not is going to be the default user name so I’m just gonna hit enter and whoops sorry about that oh my bad apologies I forgot to specify the you command there to target the.
URL so once we enter this should give us alright so there we are and it’s targeting the.
Oh immediately we’ve got it alright awesome as you can see the default WordPress username is admin so.
Really easy way of targeting vulnerable plugins to find the username again you know targeting the vulnerable.
Plugins are super important and this gives you an awesome as you can see WordPress super cache actually have used this plug-in before and actually did they fix these issues no but this was.
Something really really big I actually remember a lot of people explaining this back in the day the doc wordpress super cache is essentially just speeds up your website and purges the files on your website.
To make it load faster anyway as you can see it’s performed its.
Enumerated to username and we have the.
Username as admin fantastic now we need to enumerate the password we need to actually brute force for the password right so I already have a word a word list that I’ve created or a hat form from a long time ago.
And it has all the default username and password combinations for most of the top websites you know in the world so for example Yahoo Gmail you know – it adds all of that stuff so I.
Have it right here and I’ve already modified it and sorted it so that it takes you know a.
Less amount of time for the WordPress scan.
To actually get the password all right so I’m going to clear this out so we’ve got the username and now getting the password.
Awesome so now we essentially need to get the password so WordPress.
Can let me just enlarge the terminal here and clear that again we’ll press scan there we are we’ll press can you point 108 that’s the IP address or the URL for that matter now we are also enumerated username swoops and numerating the username because it’s also very important to enumerate user names with the password combination all right now we specify word list so we are specifying a word list here alright now after I specified.
The word list we can then select the directory of the word list – I’m on my route.
And on my it’s actually in my root directory so I’m going to select the word list dot txt file there we are and let’s hit enter and let’s see what we get it should actually do this really really quickly this.
This word list is oh there we are fantastic did that really liquidy and again it used the brute force and.
It took like zero seconds I believe there we also log in the admin username is admin password is admin 1 2 3 and let’s actually try that right now that was really really quickly yeah that was really really quick so WordPress admin and the username is admin.
Password is admin 1 2 3 I believe or actually I believe the username of admin with the.
Lowercase if I’m correct yeah I can actually see that it’s telling me to area alright and we have successfully we have successfully exploited word base now granted that.
It’s running the you know quite an old version of WordPress WordPress four point seven point four a regardless of that with with the plugins that it does have installed we were able to exploit it really really easily using WordPress.
Can and it’s a fantastic tool really now one would.
Go about usually what a lot of the black hats to is they would go to plugins and they would add new and they’ll go to the file manager alright so let me just show you this right now we’ll go.
To the file manager and they would look whoops they would actually install the file manager go to plugins and install the file manager plug-in and then they would get a reverse shell and replace it with.
The 404 page and then actually trigger that page and they essentially have access or a reverse reverse shell or a matter British shell right so they would install the file manager and.
If I just you know if I just search for reverse shell whoops this fill PHP there we are reverse show PHP and this should actually return quite an easier there we are.
PHP reversed shell that’s the one they use a lot.
So I’m just going to activate the file manager here and I’m just gonna download it pretty small file I’m gonna save it’s essentially a very very simple PHP of course it has to be.
In PHP because you’re replacing the actual 404 PHP.
File alright so there we are I’m gonna open this up and.
Then just open that up let me extract this here and we.
Have the PHP reverse shell there PHP reversal copying the PHP reversal you can read the readme and you can configure the PHP reverse cell obviously to connect to your IP address here as you can see there’s a few there we are change this so the IP address you’d essentially change that and the port you want it to connect to and yes you upload it and replace it you replace it with the editor here settings and you.
Go to general I believe that the general yes you go to general or appearance and customize their your appearance.
And editor there we are that’s what we have to go to and one would go to the 404 if I can find that there we are for for template and they would replace the in they will just get rid of all of this and they will replace this 404 script here and update the file and what happens is when you go.
To for example 192 one 168 point one 2108 and you go to the 404 page there we are it would essentially load this script and you know they go for a four dot PHP for that matter so that would.
Grant you you know that would actually act as a backdoor into the WordPress system and they go so that’s essentially how to exploit a vulnerable WordPress system I know this was quite basic but.
Again it’s very important to understand the flow the flow of procedures and how things work so we started off with a numerating usernames passwords and then we logged in and then you need to you need to find a way to maintain access and then there’s clearing up your tracks but in this case in most cases.
The blackhat hackers will you know just take over the entire WordPress site and they claimed responsibility immediately so that’s how it’s done and hopefully this also gives you great awareness and few security tips you can take away from this if your WordPress site owner get.
Make sure all your subdomains are you know if you if you have a subdomain and you’re performing some testing on it and you know you’re running some really some really really vulnerable scripts please do.
Not list them just work on them in your own you know modularized environment and do not upload them to your server until there ready right the next thing is to keep your WordPress updated and keep your plugins updated that’s very very important and I would really really recommend that you do not install any plugins that do.
Not have good ratings you regardless of whether or not.
They perform a task you know really recommend that you use the most popular and the highest rated ones because they.
Are they promise the the best security all right and the last one is to take regular backups of your site so that in case of anything of any breach any hack you can easily you know you can easily get ahold of your site.
And you can reapplied it to another WordPress server and you’re pretty much good to go so that’s.
Gonna be it for this video guys thank you so much for the support.