Get your own WordPress server for penetration testing

Getting WordPress in a virtual machine
Here, I will talk about how to quickly get WordPress running in a virtual machine. I will use VirtualBox. Note that the same approach works for other CMSs. You can download a virtual machine with WordPress fully integrated here, on the Bitnami website, which provides a lot of material and solutions to make your life easier. After downloading it, compute the checksum of the file you just downloaded and compare it to the value given on the website. You can then open the file with VirtualBox. Follow the instructions and import the new appliance. And that’s it: you have your web server with WordPress on it ready.


If you are a web pentesting enthusiast, you probably already know some platforms where you can test your skills (OverTheWire, vulnhub, hackthisite, etc.). However, sometimes you might be targeting a specific web application. This application might have a captcha (or not) or have non-standard settings. In such a case, you would probably need a dummy app that you can configure as you wish, and on which you can test your tools or fine-tune your scripts. One solution would be to install a web server and then replicate the app you want to attack. Starting from scratch can be a hassle, especially if you want to test different web frameworks or different content management systems (CMS), such as WordPress, Joomla, etc. One of the solutions is to get a virtual machine with everything already set up for you in it. Luckily, such solutions already exist.

Starting the web server
Now you can start up the virtual machine. I will refer to that machine as the WordPress machine. Wait until you see a colorful screen like the one below. Several credentials should appear on the screen together with the IP address of the server.
To access the console, the username is bitnami and the password is bitnami. The other credentials you see are for the administrator page of the web application.

Fig. 1 : Login interface of the Bitnami virtual machine

Access to the web application
Now that the web server is set up, it is time to access it and try some penetration testing. Usually, I would do that from my Kali virtual machine. Make sure that both machines (in my case the Kali and WordPress virtual machines) are on the same network. I usually use a NAT network. If you don’t have a NAT network yet, you can create one: go to the VirtualBox manager > File > Preferences > Network > NAT Networks, and add a new one. Check here for more information. Once the NAT network is ready, go to the settings of each machine and set them to use that network.
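The setup steps above (verify the downloaded appliance against the published checksum, import it, and attach it to a NAT network) can be scripted. The following is an added example written for this article, not a script from the post or from Bitnami. It assumes the published checksum is SHA-256 (swap the tool if the download page lists another algorithm), and the VM name "wordpress-lab", the network name "NatNetwork" and the 10.0.2.0/24 range are placeholders chosen to match the 10.0.2.7 address used later in the post. The VBoxManage calls are the documented VirtualBox CLI equivalents of the GUI steps and only run when VirtualBox is installed and an appliance is passed in; the checksum part runs on a constructed file so the script can be tried without any download.

```shell
#!/bin/sh
# Added example (not from the original post). Arguments, when given:
#   $1 appliance file (.ova)   $2 checksum copied from the download page
#   $3 VM name (default wordpress-lab)   $4 NAT network name (default NatNetwork)
set -u

# Use whichever SHA-256 tool the host has (coreutils sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checksum FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch.
# The compare is case-insensitive so a hash pasted with uppercase digits still matches.
verify_checksum() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "checksum OK: $1"
    return 0
  fi
  echo "CHECKSUM MISMATCH for $1" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# import_into_nat_network OVA VMNAME NETNAME: import the appliance, put its first
# NIC on a VirtualBox NAT network (created with DHCP if it does not exist yet),
# and boot it headless. Mirrors the GUI steps in the article.
import_into_nat_network() {
  ova=$1; vmname=$2; netname=$3
  # "natnetwork add" fails if the network already exists; that case is harmless here.
  VBoxManage natnetwork add --netname "$netname" --network "10.0.2.0/24" \
    --enable --dhcp on 2>/dev/null || true
  VBoxManage import "$ova" --vsys 0 --vmname "$vmname"
  VBoxManage modifyvm "$vmname" --nic1 natnetwork --nat-network1 "$netname"
  VBoxManage startvm "$vmname" --type headless
}

# Demo on a constructed stand-in file so the checksum path runs offline.
# (With a real appliance, "good" is the hash published beside the download.)
tmp=$(mktemp)
printf 'constructed appliance stand-in\n' > "$tmp"
good=$(sha256_of "$tmp")
verify_checksum "$tmp" "$good"
bad=0000000000000000000000000000000000000000000000000000000000000000
verify_checksum "$tmp" "$bad" 2>/dev/null || echo "mismatch correctly rejected"
rm -f "$tmp"

# Real run: only when an appliance and its checksum are supplied and VirtualBox is present.
# The import is skipped entirely when the checksum does not match.
if [ "$#" -ge 2 ] && command -v VBoxManage >/dev/null 2>&1; then
  verify_checksum "$1" "$2" && \
    import_into_nat_network "$1" "${3:-wordpress-lab}" "${4:-NatNetwork}"
fi
```

Run it as `sh setup-lab.sh bitnami-wordpress.ova <checksum-from-download-page>`; the import only happens after the checksum check passes, so a corrupted or tampered download never gets booted.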

Fig.2 : NAT network setup for virtual machines

The IP of the WordPress machine was shown to you on the login screen of the server (check Fig. 1). In my case, the server has the IP address 10.0.2.7.
Now let’s try to connect to the web server from the Kali machine. Open a web browser on Kali and enter the IP address you got for your WordPress machine.

Fig. 3 : Connection to web server via browser

And here we go. The web server is working with its basic functionality.

You can add the plugins you want by logging in with the second set of credentials shown in the WordPress virtual machine. Go to the following link http://10.0.2.7/admin and enter the credentials there.

Fig. 4 : Login page on the web server from browser


Remember to replace the IP address with that of your own web server.

Fig. 5 : Admin panel

You have reached the admin panel of the web application. From here you can add plugins, users, etc. This allows you to configure the application as you wish and build a replica of the web app you are trying to pentest.

Also take another look at the Bitnami website. There are plenty of platforms, servers and apps that you can get in a virtual machine and use to play around.

3 thoughts on “Get your own WordPress server for penetration testing”

  1. Free Stuff

    One thing I’d like to say is that before obtaining more PC memory, look at the machine into which it can be installed. When the machine is running Windows XP, for instance, the actual memory limit is 3.25GB. Applying more than this would easily constitute a waste. Be sure that one’s motherboard can handle the upgrade quantity as well. Thanks for your blog post.

    Reply
  2. Free Stuff

    Hmm, it seems like your site ate my first comment (it was extremely long), so I guess I’ll just sum up what I wrote and say I’m thoroughly enjoying your blog. I as well am an aspiring blogger but I’m still new to everything. Do you have any recommendations for beginner blog writers? I’d genuinely appreciate it.

    Reply
    1. watcher (Post author)

      Hey, thanks for the nice comment! Nice to see that the blog is being appreciated 😀
      Your comment did not get lost. The comments need to be moderated before appearing on the blog, and I could only do it now.

      You are right, one must pay attention to the hardware in order to get the virtual machine running. However, I think this virtual machine running WordPress is not really big (no GUI) and can be run on most modern computers.

      Would you like to start blogging on network security as well or on which topic? And how did you get to know the blog?

      Cheers

      Reply
