WordPress Pentest Lab Setup in Multiple Ways
In this post, we will demonstrate how to set up our own vulnerable WordPress CMS for penetration testing on Ubuntu 20.04, on Docker, and on Windows using the XAMPP server.
Table of Contents
· For Ubuntu 20.04
· For Docker in Ubuntu 20.04
· For XAMPP server in Windows
WordPress Setup in Ubuntu 20.04
To configure WordPress on your Ubuntu platform, there are some prerequisites to install before we install the CMS.
Prerequisites for WordPress
Apache
Database (MySQL/Mariadb)
PHP
Install Apache
To start the HTTP service with the help of Apache, execute the following command in the terminal using a privileged account (as root).
apt install apache2
To run WordPress, you will also need a database server. The database server is where the WordPress content is saved. So, we are going to choose MariaDB as the required database for WordPress and execute the following command.
apt install mariadb-server mariadb-client
Next, execute the following command to protect remote root login for the database server.
mysql_secure_installation
Then respond to the questions asked after the command has been executed.
· Enter current password for root (enter for none): press Enter
· Set root password? [Y/n]: Y
· New password: Enter password
· Re-enter new password: Repeat password
· Remove anonymous users? [Y/n]: Y
· Disallow root login remotely? [Y/n]: Y
· Remove test database and access to it? [Y/n]: Y
· Reload privilege tables now? [Y/n]: Y
And at last, run the following command to install php and php-mysql.
apt install php php-mysql
Create Database for WordPress
To access MySQL, enter the following commands.
mysql -u root -p
CREATE DATABASE wordpress;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit;
WordPress Installation & Configuration
Now it's time to download and install WordPress on our localhost. With the help of wget, we fetch the compressed file of the WordPress setup and extract the folder inside the /var/www/html directory.
cd /var/www/html
wget http://www.wordpress.org/latest.tar.gz
tar -xvf latest.tar.gz
Then run the given commands to change the ownership of the 'wordpress' directory as well as the permissions for the upload directory.
chown -R www-data:www-data wordpress/
chmod -R 755 wordpress/
mkdir wordpress/wp-content/uploads
chown -R www-data:www-data wordpress/wp-content/uploads
At this point we are done with the installation. To configure WordPress, we need to access the application in a web browser on localhost by opening the following URL.
http://localhost/wordpress/
This will open the setup page and ask you to choose your preferred language. I selected English and then pressed the Continue button.
Read the given content and press Let's go to continue.
To continue, we need to enter the details that the application will use to connect to the database; these must be the same values that we entered above when the database was created for WordPress.
If the details given above are correct, you get the installation page as we have here.
After that, it will ask you to enter the details of the website that you want to host using the WordPress CMS, as shown below; finally, click the Install button.
Note: The username and password asked for before the installation refer to your database, and the username and password asked for after the installation refer to your application (CMS).
Once that is done, you get the application login page, where you have to enter your credentials to access the dashboard of your CMS.
You get the dashboard where you can write the content to be posted on the website.
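Open the wp-config.php file in the wordpress directory and paste the following lines in it to access the website page.
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/wordpress');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/wordpress');
These lines build the site URL from the Host header of each request, a value the client controls, which is convenient for a lab that is reached under different addresses.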
And finally, that is it: your WordPress is completely ready to go 😊.
Install WordPress using Docker
Installing WordPress through Docker will relieve you of the effort of installing the prerequisites for the WordPress setup. It is a very easy and quick technique to configure WordPress. All you need is some basic knowledge of Docker and its functionality.
To install WordPress using Docker, first we will update the Ubuntu repository and then install the latest version of docker.io. Let's start the installation of the Docker packages with the apt command as below:
apt install docker.io
Docker Compose is used to run multiple containers as a single service. Let's begin the installation of docker-compose with the help of apt by entering the following command.
apt install docker-compose
After installing Docker Compose, we must create a directory named wordpress. After creating the directory, we will create a .yml file that will contain the service definitions for your setup.
mkdir wordpress
cd wordpress/
nano docker-compose.yml
Now paste the following text into the .yml file and save the configuration.
version: '3.3'
services:
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_DB_NAME: wordpress
volumes:
  db_data: {}
Now run the Docker image in detached mode using the following command.
docker-compose up -d
After doing all the configuration step by step, access localhost on port 8000, which will be hosting your WordPress Docker image, and configure your WordPress site as done in the previous section.
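The mapping "8000:80" in the compose file publishes the site on every interface of the host, while "127.0.0.1:8000:80" would keep a lab full of vulnerable plugins reachable from the lab machine only. The script below is an added example, not part of the original post, that lists the mappings of the first kind in a compose file; the function name exposed_ports and the sample service names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list short-syntax port mappings
# in a docker-compose.yml that are published on every host interface.
# Assumes block-style YAML ("- item" lists) and IPv4 host addresses.

exposed_ports() {
  awk '
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)            # drop trailing comments
      if (line ~ /^[ \t]*(#.*)?$/) next      # skip blank and comment-only lines
      indent = match(line, /[^ ]/) - 1
    }
    # A list item that belongs to the current "ports:" key
    in_ports && line ~ /^ *- / && indent >= ports_indent {
      m = line
      sub(/^ *- */, "", m)                   # remove the list dash
      gsub(/["\047]/, "", m)                 # remove quotes
      sub(/\/(tcp|udp)$/, "", m)             # remove protocol suffix
      n = split(m, part, ":")
      host_ip = (n == 3) ? part[1] : ""      # HOST_IP:HOST_PORT:CONTAINER_PORT
      if (host_ip !~ /^127\./) print svc ": " m
      next
    }
    { in_ports = 0 }
    # A key without inline value: remember it by indent, or start a ports list
    # whose service is the nearest key indented less than "ports:" itself
    line ~ /^ *[A-Za-z0-9_.-]+: *$/ {
      key = line; gsub(/[ :]/, "", key)
      if (key == "ports") {
        in_ports = 1; ports_indent = indent; svc = "?"
        for (i = indent - 1; i > 0; i--) if (i in seen) { svc = seen[i]; break }
      } else seen[indent] = key
    }
  ' "$1"
}

# Constructed sample: the mapping used in this post and a loopback-only variant.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  wordpress:
    ports:
      - "8000:80"
  wordpress_local:
    ports:
      - "127.0.0.1:8001:80"   # reachable from the lab host only
EOF
exposed_ports "$sample"
rm -f "$sample"
```

Run against the docker-compose.yml created above, exposed_ports docker-compose.yml prints one line per service and mapping that is not bound to a loopback address, and nothing when every mapping is.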
You get the dashboard where you can write the content to be posted on the website. But here we need to make some changes in the settings so that WordPress works properly after installation: enter your localhost IP address with the port number on which your Docker image is running.
And finally, that is it: your WordPress is completely ready to go, but over port 8000 as shown here 😊.
Install WordPress on Windows Platform
Installing WordPress on Windows is also very easy compared to Ubuntu, because XAMPP fulfils the prerequisites of a LAMP server and provides all the required dependencies, such as Apache and MySQL, for WordPress.
Now download and extract the zip file of WordPress inside the /htdocs folder in the /xampp folder on the C drive.
Now open phpMyAdmin in a web browser by accessing /localhost/phpMyAdmin and create the database for WordPress to store its data.
Now, to configure WordPress, browse to /localhost/wordpress/ and then enter the details for the database.
Note: By default, the XAMPP DB_User is root and DB_Pass is empty.
So, as per the XAMPP database configuration, we entered the following details in the given form.
Now repeat the same steps as done in the section above.
You get the dashboard where you can write the content to be posted on the website.
To make it a vulnerable WordPress platform for penetration testing, I installed some vulnerable plugins, as highlighted in the image.
To learn how to do WordPress penetration testing, read this article.