Exercise: Penetration test Quaoar, WordPress brute force attack

Hi Everyone,

I am back. In this post I would like to describe the attack on the Quaoar box provided by vulnhub.com.

In the previous post, during our scanning phase, I found that there is a WordPress site on the Quaoar machine:

/index (Status: 200)
/upload (Status: 301)
/wordpress (Status: 301)
/robots (Status: 200)
/INSTALL (Status: 200)
/LICENSE (Status: 200)
/COPYING (Status: 200)
/CHANGELOG (Status: 200)
/server-status (Status: 403)

If we open the page, we can see a fully functional WordPress installation.


We can analyse it further manually using Burp Suite, or with the most popular tool for analysing WordPress, wpscan. Let's start wpscan to check.

We can see that wpscan found a lot of vulnerabilities, as shown in the console view above.

During the scan, I also enumerated the WordPress users. It found 2 users, as below:

  1. admin
  2. wpuser

We can now brute force the WordPress login. I will try brute forcing it using Burp Suite Intruder, and I will explain step by step how to set it up.

  1. Open Burp Suite and activate the proxy.
  2. Go to the WordPress login page.
  3. Set the browser to proxy through Burp Suite.
  4. Input the username admin and the password "check".
  5. Submit.
  6. Burp will catch the HTTP request (shown in the screenshot).
  7. Send the HTTP request to Intruder as shown above.
  8. In the Intruder tab, go to the Positions sub tab.
  9. Select Sniper from the Attack type dropdown.
  10. Press the Clear button on the right.
  11. In the request body you can see our password "check"; highlight it and
  12. press the Add button.
  13. Go to the Payloads tab.
  14. Under Payload Options, select the password list.
  15. Press the Add button.
  16. You can directly start the attack by pressing the Start attack button.
  17. There are other settings such as the number of threads and throttling. These change the behaviour of the request engine, which affects the traffic pattern seen by any security device in between, such as an F5 WAF.
  18. When the attack is running you can see the response to each brute force attempt (shown in the screenshot).
  19. The easiest way to spot a potentially successful password is to sort by response length: a different length means a different response from the other passwords.
  20. Here we can see that the correct password is admin.

Let's try another tool to do the brute force and see how effective it is.

We are using wpscan for brute forcing the password. You can follow the steps as below.

As shown above, the simplest way to brute force is using wpscan, but on the other side Burp Suite has an advanced request engine that can be customised to evade detection by security devices.

Based on the testing above, you can use either application for brute forcing since the results are very accurate, but please also consider the penetration testing environment you are facing.
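From the defender's side, the same brute force described above (a burst of POSTs to wp-login.php, with the successful attempt answered differently) is easy to spot in the web server access log. The following is an added example, not code from the original post or from wpscan; it assumes Apache combined log format and constructed sample lines, and flags a source IP that exceeds a threshold of login POSTs inside a sliding time window, noting whether a 302 (the redirect WordPress sends after a successful login) followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (sample data, not from the Quaoar box):
# many POSTs to wp-login.php from one source, all answered 200 (login form
# re-rendered) until a 302 (redirect to wp-admin, i.e. a successful login).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 8123
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2024:12:05:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3987
"""

# Minimal combined-log pattern: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs that POST to wp-login.php at least `threshold` times within any
    sliding `window`. For a flagged IP, also report whether a 302 followed the
    burst: that is the server-side view of the differing response the attacker
    sorts on in Burp. The sliding window also catches a throttled attack, as
    long as the attempts still exceed the threshold inside one window."""
    attempts = defaultdict(list)  # ip -> list of (time, status)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["time"], rec["status"]))
    findings = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                success = any(status == 302 for _, status in events[start:])
                findings[ip] = {"attempts": len(events), "success_seen": success}
                break
    return findings
```

Tuning the threshold and window to the site's normal login rate is what keeps this from alerting on a user who simply mistyped their password a few times.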
