
WordPress

WPScan

wpscan --url ${target}/wordpress/
wpscan --url ${target}/wordpress/ --api-token=.....
wpscan --url ${target}/wordpress/ --api-token=..... -U user.lst -P /usr/share/wordlists/rockyou.txt

API

  • http://11.22.33.44/index.php/wp-json/
  • http://11.22.33.44/index.php/wp-json/wp/v2/users

Create wordlist (pass.lst)

cewl -w pass.lst ${target}/wordpress -d 2

Create wordlist (user.lst)

  • based on /index.php/wp-json/wp/v2/users

Directory enumeration

gobuster dir --url ${target} --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_wordpress.raw

Bruteforce login

wpscan --url ${target}/wordpress -U user.lst -P pass.lst
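
Detection side (added example, not part of the original notes): the user enumeration and login bruteforce steps above leave a recognisable pattern in the web server access log, and this Python sketch flags both. The log lines are constructed, and the common log format, the wp-login.php path and the threshold of 5 are assumptions; a failed WordPress login re-renders the form with status 200, while a successful one redirects with 302.

```python
import re
from collections import Counter

# Constructed sample access log (common log format); IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    ['198.51.100.9 - - [10/May/2024:10:00:01 +0000] '
     '"GET /wordpress/index.php/wp-json/wp/v2/users HTTP/1.1" 200 812']
    + [f'198.51.100.9 - - [10/May/2024:10:01:{s:02d} +0000] '
       '"POST /wordpress/wp-login.php HTTP/1.1" 200 4321' for s in range(8)]
    + ['192.0.2.44 - - [10/May/2024:10:05:00 +0000] '
       '"POST /wordpress/wp-login.php HTTP/1.1" 302 0',
       '192.0.2.44 - - [10/May/2024:10:05:02 +0000] '
       '"GET /wordpress/index.php/wp-json/wp/v2/posts HTTP/1.1" 200 9000']
)

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USERS_API = re.compile(r'/wp-json/wp/v2/users(?:[/?]|$)')   # REST user listing
LOGIN = re.compile(r'/wp-login\.php(?:\?|$)')               # assumed default login path


def analyse(log_text, login_threshold=5):
    """Return (enum_hits, brute).

    enum_hits: ip -> True if the users endpoint answered 200 (usernames exposed).
    brute:     ip -> number of failed login POSTs, for IPs at or over the threshold.
    """
    enum_hits = {}
    failed_logins = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if USERS_API.search(path):
            enum_hits[ip] = enum_hits.get(ip, False) or status == "200"
        elif method == "POST" and LOGIN.search(path) and status == "200":
            failed_logins[ip] += 1
    brute = {ip: n for ip, n in failed_logins.items() if n >= login_threshold}
    return enum_hits, brute


if __name__ == "__main__":
    enum_hits, brute = analyse(SAMPLE_LOG)
    print("users endpoint requested by:", enum_hits)
    print("failed-login bursts:", brute)
```

An IP that appears in both results requested the user list and then produced a burst of failed logins, which is the sequence these notes describe.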