As you (hopefully) know, it is illegal to attempt hacking other people’s websites without their express permission. Even when you think you’re doing a company a favor by submitting a bug found in their setup, it could imply you were “hacking” their system and backfire on you big time! 🚔
This inherit danger in your learning process necessitates a safe space for your wild imagination. 😉
Luckily… you can easily setup your own local Wordpress site on any computer in a snap! 👍
In this tutorial, we’ll show you how to use automated Wordpress installations courtesy of WPDistillery that can be spun up in VirtualBox using Vagrant at lightning speeds! ⚡️
Installing VirtualBox & Vagrant
NOTE: Windows users must always open the Command Prompt & VirtualBox with Run as Administrator when installing and using this setup.
Make sure VirtualBox works and opens normally.
Test Vagrant by running:
$ vagrant v
Install the vagrant hostupdater for Wordpress
$ vagrant plugin install vagrant-hostsupdater
If you run into errors, try running:
VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install vagrant-hostsupdater
Verify the plugin was installed correctly:
$ vagrant plugin list
Setting Up Wordpress with WPDistillery
$ mkdir ~/pentesting $ cd ~/pentesting $ git clone https://github.com/flurinduerst/WPDistillery.git $ nano WPDistillery/wpdistillery/config.yml
You’ll want to peruse this section for interesting settings, but here’s a few we’ll want to tinker with right away.
# WPDISTILLERY SETUP
We’re going to change the wordpress version to an older version to make it easier
to practice our exploits. So we’ll change that line to
We’re also opting for a minimal setup by changing our
WPDISTILLERY SETUP to:
setup: wp: true settings: true themes: false plugins: false cleanup: false # adjust what data you want to be deleted within the cleanup (requires `cleanup: true`) comment: false posts: false files: false
Now it’s time to fire 🔥 up our VM!
$ vagrant up
Now, the first time you run this it’s gotta download a large image, so better give yourself a coffee break.
If everything went smoothly, you should see: 👀
==> default: ========== WPDISTILLERY FINISHED ==========
Another quick way to test your VM is up is with ping:
$ ping wpdistillery.vm
If you run into an error about not finding the host, then try adding a line to your hosts file:
$ sudo echo "192.168.33.10 wpdistillery.vm" >> /etc/hosts
or you have packet loss, try pinging its IP:
$ ping 192.168.33.10
No errors? Then we’re all setup! 🎈 🎉 🎊
Break Stuff! 💥
Try using the program wpscan to give you some hints on exploits to test. If you need some pentesting tools, I’d recommend just installing Kali Linux on another virtual machine, and working from there.
Some handy commands for Vagrant
Stop the wordpress virtual machine:
$ vagrant halt
Delete & Remove the Installed Wordpress VM:
$ vagrant halt $ vagrant destroy --force $ rm -rf public