🐚 wp2shell RCE now needs no cracking. thanks @rez0__ for the nudge.
forge a fake WP_Post (route confusion) → it runs a customize_changeset as an existing admin → POST /wp/v2/users makes a new admin → log in → shell.
I "ported" @hashcat to the GBA, the ultimate password cracking rig ever (my dumbest project yet).
The monstrously powerful 16.78 MHz ARM7TDMI chip does an astronomical 727 SHA256 hashes per second!! which is about thirty million times slower than a modern cracking rig. 350 days of continuous cracking on this bad boy could be done in about 1 second with a modern GPU-accelerated cracking rig.