Wordpress Hacking Lab - Setup Tutorial

Introduction

    I recently found myself in need of a live WordPress system to install and test various tools against, as well as to test for and validate exploits. So, as part of my lab setup series, I'm going through a quick step-by-step walkthrough of configuring a WordPress lab.

    This lab uses containers, for simplicity's sake and to keep the process easy to follow. If your specific lab needs a virtual or dedicated machine to run your testing, this may not be the ideal place to start. Either way, I'm challenging myself to write some tutorials, so let's get into this!

Requirements:

    So, there are a few requirements expected before this lab can be run, though this should be generally cross-platform:

  • docker (or docker desktop)
  • docker-compose
  • an attacker system/container (in my example, I had curl, wpscan and greenbone/openvas installed on a separate container that I used to test against this)

Steps:

1. To start with, a simple docker-compose file for WordPress, using the latest image and some pretty standard passwords. Save this file in an empty folder as docker-compose.yml and move on to step 2.


2. Run `docker-compose build` and `docker-compose up -d`. This configures the environment and runs it in the background.


3. Inspect the container to find its IP address, which is useful for targeting it with scanners (on a Linux docker host, use grep instead of findstr).


4. Open http://localhost:8030 in your browser (or whatever port you changed it to), and go through the steps of configuring the instance.
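Steps 1 to 3 as one script, added here as an example and not the post's own compose file (the page does not show it): it writes a compose file on the same port the post uses, brings the stack up, and prints the container IP. The image names, environment variable names and placeholder passwords are my assumptions for a lab-only setup.

```shell
#!/bin/sh
# Added example, not the post's own compose file: writes the lab's docker-compose.yml,
# brings the stack up, and prints the WordPress container's IP (steps 1 to 3).
set -eu

LAB_PORT="${LAB_PORT:-8030}"   # the port used throughout the post

# Emit the compose file on stdout so it can be reviewed before it is written.
compose_yaml() {
  cat <<EOF
services:
  db:
    image: mariadb:latest
    environment:
      MARIADB_ROOT_PASSWORD: lab-root-placeholder   # lab only, never reuse
      MARIADB_DATABASE: wordpress
      MARIADB_USER: wordpress
      MARIADB_PASSWORD: lab-db-placeholder
    volumes:
      - db_data:/var/lib/mysql
  wordpress:
    image: wordpress:latest      # "latest version", as in step 1
    depends_on:
      - db
    ports:
      - "${LAB_PORT}:80"         # http://localhost:${LAB_PORT}, as in step 4
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: lab-db-placeholder
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wp_data:/var/www/html
volumes:   # named volumes; 'docker-compose down -v' (Cleanup) deletes them
  db_data:
  wp_data:
EOF
}

# Container IP for pointing scanners at it (step 3). The Go template does the
# filtering, so no grep/findstr difference between Linux and Windows hosts.
lab_ip() {
  docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

if [ "${1:-}" = "up" ]; then
  compose_yaml > docker-compose.yml
  docker-compose up -d                         # step 2
  lab_ip "$(docker-compose ps -q wordpress)"   # step 3
fi
```

Run it as `sh lab.sh up` from an empty folder; `compose_yaml` alone just prints the file for review.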





5. Log in using our pretty simple, and honestly really bad, password:



6. Go ahead and click `visit site` before changing anything, and let's see how our default WordPress install looks.



7. Let's do some basic testing to make sure we get good results. This is a post-setup sanity check to be sure it has everything it should and nothing funky out of the gate.


wpscan --rua --url http://localhost:8030/ -e ap,u,at --plugins-version-detection aggressive -P /Wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://localhost:8030/ [::1]
[+] Started: Tue Sep 30 20:02:08 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.62 (Debian)
 |  - X-Powered-By: PHP/8.2.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://localhost:8030/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://localhost:8030/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://localhost:8030/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.8.2 identified (Latest, released on 2025-07-15).
 | Found By: Rss Generator (Passive Detection)
 |  - http://localhost:8030/?feed=rss2, <generator>https://wordpress.org/?v=6.8.2</generator>
 |  - http://localhost:8030/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.8.2</generator>

[+] WordPress theme in use: twentytwentyfive
 | Location: http://localhost:8030/wp-content/themes/twentytwentyfive/
 | Latest Version: 1.3 (up to date)
 | Last Updated: 2025-08-05T00:00:00.000Z
 | Readme: http://localhost:8030/wp-content/themes/twentytwentyfive/readme.txt
 | Style URL: http://localhost:8030/wp-content/themes/twentytwentyfive/style.css?ver=1.3
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentyfive/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:20 <======================================================================================================================================================================================================================================> (30434 / 30434) 100.00% Time: 00:00:20
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentytwentyfive
 | Location: http://localhost:8030/wp-content/themes/twentytwentyfive/
 | Latest Version: 1.3 (up to date)
 | Last Updated: 2025-08-05T00:00:00.000Z
 | Readme: http://localhost:8030/wp-content/themes/twentytwentyfive/readme.txt
 | Style URL: http://localhost:8030/wp-content/themes/twentytwentyfive/style.css
 | Style Name: Twenty Twenty-Five
 | Style URI: https://wordpress.org/themes/twentytwentyfive/
 | Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentyfive/, status: 403
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentyfive/style.css, Match: 'Version: 1.3'

[+] twentytwentyfour
 | Location: http://localhost:8030/wp-content/themes/twentytwentyfour/
 | Latest Version: 1.3 (up to date)
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://localhost:8030/wp-content/themes/twentytwentyfour/readme.txt
 | Style URL: http://localhost:8030/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentyfour/, status: 403
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.3'

[+] twentytwentythree
 | Location: http://localhost:8030/wp-content/themes/twentytwentythree/
 | Latest Version: 1.6 (up to date)
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://localhost:8030/wp-content/themes/twentytwentythree/readme.txt
 | Style URL: http://localhost:8030/wp-content/themes/twentytwentythree/style.css
 | Style Name: Twenty Twenty-Three
 | Style URI: https://wordpress.org/themes/twentytwentythree
 | Description: Twenty Twenty-Three is designed to take advantage of the new design tools introduced in WordPress 6....
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentythree/, status: 403
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://localhost:8030/wp-content/themes/twentytwentythree/style.css, Match: 'Version: 1.6'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <============================================================================================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] tester
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - tester / tester
Trying tester / teamoandres Time: 00:09:14 <                                                                                                                                                                                                                                    > (42640 / 14387032)  0.29%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: tester, Password: tester

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Sep 30 20:12:01 2025
[+] Requests Done: 73137
[+] Cached Requests: 17
[+] Data Sent: 30.234 MB
[+] Data Received: 30.461 MB
[+] Memory used: 386.172 MB
[+] Elapsed time: 00:09:52

8. Then over on Greenbone, let's use it to scan this by setting up a target and a scan (not going into too much detail here; if you don't have this set up, we'll go over that in a different tutorial).




9. Now let's set up a plugin to test. Go back to the admin page on the WordPress install and go to Plugins, then `add plugin`.



10. This forms plugin over here sounds sketchy enough while still being popular, so let's install that (WPForms easy form builder...), view it under installed plugins, and activate it.





11. I'm then going to go over to Simple Contact Form; during the step-by-step guidance it asks if you want to embed it in a page, so I'm going to embed it in our main "sample" page and click Let's Go.




12. It then tells me to choose a block, so I'm going to come down here and click WPForms, then select "simple contact form" on it and click Save.






13. Now we go back to viewing the website and check for the form; it seems to be working, at least that much. I didn't bother setting up a receiver for it, because I'm not trying to do all that right now.




14. Checking back on wpscan, I'm still not getting any external plugins detected (note that the output below still reports plugins as enumerated via passive methods, which only catches plugins referenced from pages it already fetches, like the homepage):

wpscan --rua --url http://localhost:8030/ -e ap,dbe,tt,cb --plugins-version-detection aggressive --detection-mode aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://localhost:8030/ [::1]
[+] Started: Tue Sep 30 20:49:59 2025

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://localhost:8030/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://localhost:8030/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://localhost:8030/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.8.2 identified (Latest, released on 2025-07-15).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://localhost:8030/?feed=atom, <generator uri="https://wordpress.org/" version="6.8.2">WordPress</generator>
 | Confirmed By: Opml Generator (Aggressive Detection)
 |  - http://localhost:8030/wp-links-opml.php, Match: 'generator="WordPress/6.8.2"'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Timthumbs (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:01 <========================================================================================================================================================================================================================================> (2568 / 2568) 100.00% Time: 00:00:01

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===========================================================================================================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <=================================================================================================================================================================================================================================================> (74 / 74) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Sep 30 20:50:03 2025
[+] Requests Done: 2814
[+] Cached Requests: 2
[+] Data Sent: 1001.498 KB
[+] Data Received: 550.592 KB
[+] Memory used: 259.91 MB
[+] Elapsed time: 00:00:03

15. Now we can log into the WordPress container and investigate the source code, get a file listing to check against our web fuzzers, and so on.


16. Then we start looking at sources:


17. Then, after going through all the code, let's see if we can target any of them. This is where I'm going to end this tutorial. I'd like to bring to your attention this tutorial (https://archive.is/pMpc0) and this video (https://youtube.com/watch?v=pO6GZ2zcoo), which showcase some common lookups for bad practices in WordPress plugins; they note this is more common in less-used plugins. Since the one we installed was on the popular page, you'd imagine these wouldn't show up. Either way, y'all can make your way through here; I just wanted to leave this with one last little look at what doing these searches might look like in our environment:
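As an added example of what those searches can look like in this environment (my own script, not from the post or the linked tutorial and video), a first-pass grep of a plugin directory for the patterns a reviewer would flag. It assumes the official image's plugin path and a shell in the container via `docker-compose exec wordpress bash`; the sample plugin it builds is constructed, not a real one.

```shell
#!/bin/sh
# Added example, not from the post or the linked tutorial/video: a first-pass grep of
# a plugin directory for the bad-practice patterns those sources describe. Assumes the
# official image layout (/var/www/html/wp-content/plugins); run it inside the container.
set -eu

# Worth a reviewer's eyes: raw request input, dangerous sinks, unprepared $wpdb calls,
# and AJAX / REST handlers that may lack nonce or capability checks.
SINKS='\$_(GET|POST|REQUEST|COOKIE)\[|(^|[^a-zA-Z_])(eval|unserialize|move_uploaded_file)\(|\$wpdb->(query|get_results|get_var)\(.*\$'
HOOKS='add_action\( *.wp_ajax_(nopriv_)?|register_rest_route\('
GUARDS='wp_verify_nonce|check_ajax_referer|current_user_can|permission_callback'

# Every hit as file:line:text, for manual review (grep exits 1 when there are none).
audit_plugin() {
  grep -rnE --include='*.php' "$SINKS|$HOOKS" "$1"
}

# PHP files that register a handler but never call any of the usual guards.
unguarded_files() {
  grep -rlE --include='*.php' "$HOOKS" "$1" | while read -r f; do
    grep -qE "$GUARDS" "$f" || echo "$f"
  done
}

# Constructed sample plugin (not a real one) so the functions can be exercised offline.
make_sample() {
  d="$(mktemp -d)"
  mkdir -p "$d/sample-plugin"
  cat > "$d/sample-plugin/sample-plugin.php" <<'EOF'
<?php
add_action('wp_ajax_nopriv_sample_save', 'sample_save');   // reachable unauthenticated
function sample_save() {
    global $wpdb;
    $note = $_POST['note'];                                  // raw input, no sanitization
    $wpdb->query("INSERT INTO notes VALUES ('$note')");      // no $wpdb->prepare()
}
EOF
  echo "$d"
}

if [ "${1:-}" != "" ]; then
  audit_plugin "$1"
  echo "--- handler files with no guard calls ---"
  unguarded_files "$1"
fi
```

Every hit is a starting point for reading the surrounding code, not a finding by itself; on the constructed sample the script reports three lines and one unguarded handler file.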



Cleanup

    For cleanup, it's super simple and worth the time. Once you've made all the notes you wanted from your lab, it's time for cleanup. So, run `docker-compose down -v` from the same directory we brought the service up from, and it will tear down not just the service but also the storage Docker used for it, so the next time you spin it up you can repeat this same process and start completely fresh with the latest version available as a container.

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
