Get your own WordPress server for penetration testing

Getting WordPress in a virtual machine
Here, I will talk about how to quickly get WordPress running in a virtual machine. I will use VirtualBox. Note that the same approach works for other CMSs. You can download a virtual machine with WordPress fully integrated here, on the Bitnami website, which provides a lot of material and solutions to make your life easier. After downloading it, compute the checksum of the file you just downloaded and compare it to the one given on the website. You can then open the file with VirtualBox. Follow the instructions and import the new appliance. And that’s it: you have your web server with WordPress on it, ready.
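The checksum comparison described above, as a script (an added example, not part of the original post). The function name `verify_download` is hypothetical, and the hash type is inferred from the length of the published value, since the post does not say which hash the download page lists.

```bash
#!/usr/bin/env bash
# Compare a downloaded appliance against the checksum published on the
# download page before importing it into VirtualBox.
# Usage: ./verify.sh <downloaded-file> <published-hex-digest>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.

verify_download() {
    local file=$1 expected actual tool

    # Normalise the published value: drop whitespace, lower-case the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

    # Refuse anything that is not a pure hex string.
    case $expected in
        ''|*[!0-9a-f]*) echo "published digest is not hex" >&2; return 2 ;;
    esac

    # Assumption: the digest length identifies the algorithm.
    case ${#expected} in
        32) tool=md5sum ;;
        40) tool=sha1sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length: ${#expected}" >&2; return 2 ;;
    esac

    # Hash via stdin so unusual file names cannot alter the output format.
    actual=$("$tool" < "$file" | cut -d' ' -f1) || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
        return 0
    fi
    echo "MISMATCH ($tool): $file" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

Import the appliance only when the script reports OK; on a mismatch, delete the file and download it again.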

If you are a web pentesting enthusiast, you probably already know some platforms where you can test your skills (OverTheWire, VulnHub, HackThisSite, etc.). However, sometimes you might be targeting a specific web application. This application might have a captcha (or not) or non-standard settings. In such a case, you would probably need a dummy app that you can configure as you wish, and on which you can test your tools or fine-tune your scripts. One solution would be to install a web server and then replicate the app you want to attack. Starting from scratch can be a hassle, especially if you want to test different web frameworks or different content management systems (CMS), such as WordPress, Joomla, etc. One of the solutions is to get a virtual machine with everything already set up for you. Luckily, such solutions already exist.

Starting the web server
Now you can start up the virtual machine. I will refer to that machine as the WordPress machine. Wait until you see a colorful screen like the one below. Several credentials should appear on the screen together with the IP address of the server.
To access the console the username is bitnami and the password is bitnami. The other credentials you see are to access the administrator page of the web application.

Fig. 1 : Login interface of the Bitnami virtual machine

Access to the web application
Now that the web server is set up, it is time to access it and try some penetration testing. Usually, I would do that from my Kali virtual machine. Make sure that both machines (in my case the Kali and WordPress virtual machines) are on the same network. I usually use a NAT network. If you don’t have a NAT network yet, you can create one: in the VirtualBox manager, go to File > Preferences > Network > NAT Network, and add a new one. Check here for more information. Once the NAT network is ready, go to the preferences of each machine, and set them to use that network.

Fig. 2 : NAT network setup for virtual machines

The IP of the WordPress machine was given to you on the login screen of the server (check Fig. 1). In my case, the server has the IP address
Now let’s try to connect to the web server from the Kali machine. Open a web browser on Kali and enter the IP address you got for your WordPress machine in the address bar.

Fig. 3 : Connection to web server via browser

And here we go. The web server is working with basic functionality.

You can add the plugins that you want by logging in with the second set of credentials shown on the WordPress virtual machine. Go to the following link and enter the credentials there.

Fig. 4 : Login page on the web server from browser

Remember to set the IP address according to your web server.

Fig. 5 : Admin panel

You have reached the admin panel of the web application. From here you can add plugins, users, etc. This allows you to set the application as you desire and build a replica of the web app you are trying to pentest.

Also take another look at the Bitnami website. There are plenty of platforms, servers, and apps that you can get in a virtual machine and use to play around.
