Getting Started | Public Exploits | Try to identify the services running on the server above

I am kinda stuck at “Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the ‘/flag.txt’ file. (note: the web server may take a few seconds to start)”

I seem to find only one port open and I am not sure how to exploit it or what exploit to use. I would really appreciate any hint

2 Likes

I haven’t done the academy, but this is one of the first steps in discovery and recon so I believe this will help even though it’s not directly tied to the academy.

After running your initial nmap scan, you should have a pretty good idea of what’s running on the host. It might be advantageous to run an all-ports scan to ensure you got all of the services running on the target.

While reviewing the nmap results, you will want to look on sites like GitHub, Exploit-DB (SearchSpolit via command line), and Google to find any exploits for the service running.

Depending on the service running, it might help to banner grab the service using netcat to see if you can see the version that way. This is helpful for services like FTP where you can connect via nc <host> 21 and see if you can leak the service and version, example vsftpd 2.3.4.

Hope this helps! If you need any further help, my inbox is always open :slight_smile:

1 Like

So, after scanning the proposed server, I see that the port is open and is used for TCP, http by the Apache 2.4.41 service.

It is also known that this port is used for a blog on WordPress 5.6.1

When I go to the page, I see that Simple Backup Plugin 2.7.10 for WordPress was installed. A little climbing on the site, I found out the name of the user, with the ability to publish posts, possibly the admin.

I run the metasploit framework and try to find any exploit using the “WordPress” or “plugin” search.

As a result, I see a bunch of different exploits, but when I try to use them, even setting the necessary options (host and port) I can’t get a result. Exploits just don’t work. Probably because I chose the wrong ones.

Can you tell me how to choose the right exploit in this case? I seem to be doing everything as in the description of the training stage and have not yet achieved a result.

If you have kali, searchspolit is useful in addition to the exploits in MSF. I haven’t done this lab, but I assume it means “Public Exploits” more than just ones which have a metasploit file built for them.

If the exploits you’ve tried haven’t worked, it probably means that they aren’t the right ones and you need to keep looking. Generally, there isn’t an easier answer - a lot of CTF/Pentesting is simply trying things and seeing what works.

Type your comment> @TazWake said:

If you have kali, searchspolit is useful in addition to the exploits in MSF.

I have a weak laptop, I use Parrot. Now I’ll check if I have searchspolit…

If the exploits you’ve tried haven’t worked, it probably means that they aren’t the right ones and you need to keep looking. Generally, there isn’t an easier answer - a lot of CTF/Pentesting is simply trying things and seeing what works.

Thanks. I will try further…

@TazWake said:
If you have kali, searchspolit is useful in addition to the exploits in MSF. I haven’t done

Unbelievable!!! Helped exactly searchspolit !
I got the flag I was looking for and I feel incredibly happy that I was able to figure it out!!!
Thanks everyone.

1 Like

Type your comment> @Wiiz4Rd said:

@TazWake said:
If you have kali, searchspolit is useful in addition to the exploits in MSF. I haven’t done

Unbelievable!!! Helped exactly searchspolit !
I got the flag I was looking for and I feel incredibly happy that I was able to figure it out!!!
Thanks everyone.

Can you give me a hint? I searched with searchsploit but nothing worked from what I’ve find by doing so.

1 Like

Launch searchsploit and try searching by the name of the web application installed on the server. Look in the search results and you may find an exploit for the plugin that is installed in this web application. Then it will only be necessary to study it.

Hello. Piggy backing off this thread. I have been trying to follow along and have gotten stuck. I have found the exploit to be used but am unable to run it properly. I am inside the msfconsole and running ’ use exploit.txt ’ but get an error ‘module failed to load’. Any ideas?

– update: Was using incorrect exploit. I will have to play with this a bit more.

exploit.txt is not an exploit

2 Likes

i’ve encountered a problem also, Does anyone know why i’m getting this error.

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

@Su8Z3r0 said:

i’ve encountered a problem also, Does anyone know why i’m getting this error.

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

Possibly dozens of reasons. I haven’t done this lab so it is hard to guess as there isn’t much information to go on.

Filtered generally means nmap received no response, closed generally means there was an rst packet. If you know how to use wireshark/tcpdump, you could sniff the traffic and confirm this.

Try:

  • traceroute 178.62.54.33
  • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

Its even possible the lab is configured to require you to do something differently than a simple scan.

stuck at Public Exploits, can someone help nudge on the right direction, did Searchsploit and metasploit but came at a dead end. would appreciate any help. :slight_smile:

@Wiiz4Rd said:
Launch searchsploit and try searching by the name of the web application installed on the server. Look in the search results and you may find an exploit for the plugin that is installed in this web application. Then it will only be necessary to study it.

I did that, found the exploit (.rb) imported it into metasploit, but it does not work, I made the necessary settings: set rport, rhost, lhost.

Am I missing something ?

The exploit I have been trying to run is the one for Wordpress Simple backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it…

I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.

1 Like

@panzer said:

I did that, found the exploit (.rb) imported it into metasploit, but it does not work, I made the necessary settings: set rport, rhost, lhost.

This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do…

1 Like

Type your comment> @TazWake said:

@Su8Z3r0 said:

i’ve encountered a problem also, Does anyone know why i’m getting this error.

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

Possibly dozens of reasons. I haven’t done this lab so it is hard to guess as there isn’t much information to go on.

Filtered generally means nmap received no response, closed generally means there was an rst packet. If you know how to use wireshark/tcpdump, you could sniff the traffic and confirm this.

Try:

  • traceroute 178.62.54.33
  • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

Its even possible the lab is configured to require you to do something differently than a simple scan.

I am sure it is not about the scan, I wasted like 2 hours performing a full scan, all the other ports open are related to other exercises.
For sure we have to use searchsploit and find something related to a plugin vulnerability (not sure if I am allowed to name the exact version and name of the plugin).

@NewHax said:
The exploit I have been trying to run is the one for Wordpress Simple backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it…

I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.

I am in the same situation as you are. I feel your pain :smile:

@Wiiz4Rd said:
@panzer said:

I did that, found the exploit (.rb) imported it into metasploit, but it does not work, I made the necessary settings: set rport, rhost, lhost.

This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do…

The extension of this exploit is .rb or .txt ?

Type your comment> @panzer said:

The extension of this exploit is .rb or .txt ?

Searchsploit give a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

1 Like

Type your comment> @Wiiz4Rd said:

Type your comment> @panzer said:

The extension of this exploit is .rb or .txt ?

Searchsploit give a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

I have read the the .txt of this exploit (39883) many times.
= WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities - PHP webapps Exploit

I see in part 2.2 it shows how to ‘download a backup file’. I am unsure how to properly format the following in the browser bar.

http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar

The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

@panzer I will make sure we both get through this. No man left behind.

Solved it but used metasploit rather than searchsploit, will do this module again to check the serachsploit way of doing to get the flag