Metasploit wordpress bruteforce
Try the brute force again with the help of metasploit with the following options:
Results
It took few hours for metasploit to crack the password with the rockyou.txt password list file.
The cracked password for james is Toyota. From the todo.txt it is also mentioned that there is LFI on other site which might be some different website.
Logging into wordpress for james
There are two plugins installed.To get a reverse shell I will try to upload a php revshell in the pluginfile and use nc to get the reverse shell.
Getting a shell
Adding a new Plugin
Upload php rev shell
Executing a shell
getting a rev shell
nc -lvnp 1234