Network Discovery

Wordpress

URLs format:

Posts : /index.php?p=22
        /index.php/2017/04/12/hello-world/
        /index.php/jobs/apply/8/
Login : /wp-login/
        /wp-login.php
Uploaded files : /wp-content/uploads/%year%/%month%/%filename%

Config file and database credentials

/var/www/html/   
wordpress/wp-config.php
wordpress/htdocs/wp-config.php
Wpscan

Wpscan knows the structure of a wordpress site and will make brute force to identify the pages, the posts, the users, the theme, the plugins.
Wordpress flaws are mainly due to non-updated plugins.

wpscan --url http://10.10.10.10/wordpress/ -e
--url : wordpress url
-e : enum pages, posts, users, theme, plugins, ...

Login bruteforce

wpscan --url http://10.10.10.10/wordpress/  -P rockyou.txt -U admin

Privilege Elevation - Unix

Wordpress config file is:

wp-config.php

Let find it:

find /var -name wp-config.php 2>/dev/null

This config file contains login/password used to connect to the blog database. By dumping the database, it's thus possible to get wordpress user's login and password hashes.