After reviewing the Slothicorn website I noticed that it is built on WordPress. Hence, I decided to quickly test this WordPress installation in order to find security flaws. Here is what I encountered:
DDoS Attack
A DDoS attack is a denial-of-service attack that can take the website down temporarily while the attack is ongoing. This attack can be achieved by sending a large number of requests to the website. With only one computer, however, it would take too much time to make the website unavailable. This website, though, has a common bug in its WordPress installation: there is a path that returns all the .js files contained in the public_html folder. So, if the requests are sent to this target, chances are higher that the website will go down with only one computer. Why? Because it needs to load a very large amount of data, which can even take minutes depending on the internet connection.
Above is an example of the response when I hit the URL (note that this is not even a third of the response, and that it took time to load even though my internet is fast enough).
With a simple Python script and a faster computer, I can start more than 9999 threads to load this URL until the website is down. Once the website is down, the attack will continue, preventing it from recovering for as long as the attack lasts.
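For the defending side of this scenario, the following added example (not part of the original report) scans web-server access-log lines for a single client repeatedly fetching one path with very large responses. The log lines, the placeholder path /heavy/scripts and the thresholds are constructed assumptions; the report does not name the real path.

```python
import re
from collections import defaultdict

# Constructed sample in "combined" log format. /heavy/scripts is a placeholder
# for the path that returns the large JavaScript response.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:10:00:01 +0000] "GET /heavy/scripts?load=a,b HTTP/1.1" 200 3900000 "-" "client/1.0"
203.0.113.7 - - [10/Mar/2018:10:00:01 +0000] "GET /heavy/scripts?load=a,b,c HTTP/1.1" 200 3900000 "-" "client/1.0"
198.51.100.20 - - [10/Mar/2018:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 20000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:02 +0000] "GET /heavy/scripts?load=b,c HTTP/1.1" 200 3900000 "-" "client/1.0"
198.51.100.20 - - [10/Mar/2018:10:00:03 +0000] "GET /heavy/scripts?load=a HTTP/1.1" 200 3900000 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2018:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 20000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:04 +0000] "GET /heavy/scripts?load=c HTTP/1.1" 200 3900000 "-" "client/1.0"
198.51.100.20 - - [10/Mar/2018:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 20000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def heavy_clients(log_text, min_requests=3, min_avg_bytes=1_000_000):
    """Return (ip, path, requests, total_bytes) for clients that hit one path
    at least min_requests times with an average response >= min_avg_bytes."""
    stats = defaultdict(lambda: [0, 0])           # (ip, path) -> [count, bytes]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip lines in another format
        # Drop the query string so varying parameters still count as one path.
        path = m["target"].split("?", 1)[0]
        size = 0 if m["size"] == "-" else int(m["size"])
        entry = stats[(m["ip"], path)]
        entry[0] += 1
        entry[1] += size
    flagged = [
        (ip, path, count, total)
        for (ip, path), (count, total) in stats.items()
        if count >= min_requests and total / count >= min_avg_bytes
    ]
    # Largest total transfer first: those clients cost the server the most.
    return sorted(flagged, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for ip, path, count, total in heavy_clients(SAMPLE_LOG):
        print(f"{ip} requested {path} {count} times, {total} bytes served")
```

Clients flagged this way are candidates for rate limiting or blocking at the web server or firewall, and the flagged path is a candidate for access restriction.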
Folder files disclosure
When you access a folder on any website, by default this request should be either blocked or rejected. However, I can disclose the files of the uploads folder on this website:
It also allows me to download the entire folder to my local development machine.
Path Disclosure
Full path disclosure is obtained by just loading one URL. With this path disclosure, I can easily see the root user of this hosting.