Introduction

If you’ve ever wondered how a hacker actually hacks things then you’ve come to the right place. Using this website you will be able to access a virtual computer and complete 2 hacking challenges where you’ll get to employ the tools and techniques used by real hackers to attack real websites. That’s right – you’ll be hacking for real and hopefully will get a feel for just how easy it is to take advantage of poor cybersecurity practices.

It goes without saying that nothing you learn here should ever be used in real life against a target which you do not have permission to attack.

Get OSCP Certificate Notes

Social Engineering Toolkit

SET is is a text-based application that can be used to launch a variety of cyberattacks, from the aforementioned website spoofing, Wifi attacks, spear phishing and quite a lot more besides. Understanding how cyberattacks are mounted can make them a lot easier to spot before you fall for them and we hope that the following exercises will give a glimpse of cybersecurity from a hacker’s perspective.

WordPress Hacking

WordPress is an easy-to-use Content Management System (CMS) which has been used to build a vast number of websites world-wide. Unfortunately, it can be relatively easy to hack if out of date or configured incorrectly.

There are three main things which can lead to the compromise of a WordPress site:

  • Human Error: There is a common saying in hacker circles:- “The weakest link is the human link”. This is very often the case. For example, if a site administrator happens to have a weak password then the site can easily be compromised. This includes things which adhere to password requirements but are easy to guess, such as their child’s name followed by date of birth; despite the password being technically difficult to crack, the personally identifiable information makes it easy to generate a custom password list to attack the site with.
    Equally, humans are often vulnerable to social engineering attacks. A charismatic hacker phoning around may be able to obtain credentials to access a site without undue difficulty if staff are not aware of the dangers.
  • Vulnerabilities in WordPress: Vulnerabilities in the WordPress core software are rare, but are often very dangerous. If the site has not been updated in a while then the chance of finding a vulnerability in the core software are high.
  • WordPress Plugins: One of the things that makes WordPress so easy to work with is the plugin-based system employed by the software. Plugins can be used to add a lot of functionality to the WordPress core — everything from email forms, to online shops, to simple photo galleries. The problem with plugins is that they greatly increase the attack surface available to an attacker. The WordPress core software is very well-known, and thus is frequently targetted by ethical bug bounty hunters; meaning that vulnerabilities are quickly found and patched. Plugins, on the other hand, are usually not nearly as well audited — especially are there are millions of them available. As such, it’s common to find vulnerabilities in (especially less common) plugins; some of which can be very serious indeed.
    As with the WordPress core software, outdated plugins are much more likely to be vulnerable.

Ultimately, an attacker usually only needs one thing to be wrong for them to get their hook into the site. An attacker with administrative access to a WordPress website can cause chaos. As a worst case scenario they can use the access to gain access to the server (and anything else hosted on it); this is usually a very easy task with the default configuration of WordPress as the system’s features lend themselves well to executing arbitrary code. An attacker could also use their access to deface the site, host malicious files on the server, or perform a wide range of other less than savoury actions — limited only by their imagination.

Video Walk-Through

 

About the Author

Cybersecurity Instructor & Swimmer

View Articles