Getting Started | Public Exploits | Try to identify the services running on the server above

Allandeq · April 24, 2022, 5:27am

I’m using the following exploit

Name: exploit/multi/http/wp_plugin_backup_guard_rce
Desciption: Wordpress Plugin Backup Guard - Authenticated Remote Code execution

Allandeq · April 24, 2022, 6:51am

I think I was on wrong exploit, used searchsploit to get (I think) the correct one:

** WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities**
Metasploit name: auxiliary/scanner/http/wp_simple_backup_file_read

I feel that I’m getting closer but still trying multiple options in the exploit but without success so far,

I enter RHOST + HOSTS corresponding to the spawn but I think there is something wrong in my filepath option.

actually it is: http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt

cavendish6674 · April 24, 2022, 9:07am

when I use actually it is: “http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt” this, I just get an empty file

Allandeq · April 24, 2022, 12:29pm

I’m trying many different path to complete the exploit and get the flag but with no success so far. The only path that I’ve get a files to read was /etc/passwd but nothing in this files that can help to get the flag

Allandeq · April 24, 2022, 1:03pm

OK I GOT IT

Really don’t look too much about the flag filepath, just think about the easiest path possible. ■■■ i spent hours to find the correct one and it was just very simple one, what a waste of time

simulation42 · April 27, 2022, 5:04am

Spent a while on this. use the tools mentioned in the exercise. searchsploit and msfconsole. visit the website and the answer should be right in your face.

applofag · May 9, 2022, 9:12am

I watched the video about this task, I did everything exactly but it doesnt work now. Exploit cant save the file /flag.txt from the remote server. I think it is just a bug.

applofag · May 12, 2022, 1:51pm

I found the way how to download the file, you should use a little more advanced path traversal techniques. It works! But actually the knowledge was presented not enough to do it.

tlaing · July 7, 2022, 6:43pm

no way I would have figured it out without using clues from this forum, no spoilers It took atleast 3 days about 21hours, I finally found the flag. I am now an expert on this particular exploit.

tlaing · July 7, 2022, 7:01pm

I found it using metasploit and the public way, using the web-browser is the easiest way to view the content of the downloads.

x69h4ck3r · July 22, 2022, 9:57pm

i found the flag also using the metasploit way, if you wanna know how i got this done…
check out my write-up on Public Exploits for Getting Started. Thanks

cadmius · July 23, 2022, 8:26pm

“Doesnt it say in the question?”

Thank you TazWake! This was the nudge that I needed. Need to read carefully.
Good stuff! Thanks again!

skiddie762 · October 5, 2022, 2:54pm

this helped me as well

skilfoy · October 7, 2022, 12:27am

I’m having a ton of trouble here. I found the arbitrary file read through searchsploit and gone to the directory mentioned: 142.93.47.26:30633/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt
When I do this, a 0 byte file downloads. Aside from this, I’ve tried just about every directory I could think of, but that seems like it’s wrong.
I’ve also tried using the metasploit module, set rhosts to the IP address, set rport to the port of the box, and set the filepath to /flag.txt, as mentioned in the question. When I run the module, no file downloads - it just says:
[] Scanned 1 of 1 hosts (100% complete)
[] Auxiliary module execution completed
I watched a video on this, and the author did exactly this, but there was another line saying that the flag.txt was saved to the msf4 loot folder.
I’ve also tried respawning the box and trying again, many times.
All to no avail. This is getting really frustrating.
Any suggestions? Is there a bug?

skiddie762 · October 9, 2022, 11:52pm

try using the directory from the question

skilfoy · October 10, 2022, 3:30pm

Yep I did that. I ended up using the integrated pwnbox to be successful. Apparently Kali over the vpn was having issues.

nashsongz · October 15, 2022, 11:52am

If you have Kali when using metasploit the RHOST use the IP add and RPORT use the port given for the Spawned machine.

idi0tech · October 28, 2022, 10:46pm

I’ve managed to get this done using metasploit but the method using the code in the .txt exploit and browser hasn’t clicked yet. I end up downloading blank flag.txt files and dont really seem to get anywhere.

Frustrating but just using metasploit kind of defeats the object of the module

idi0tech · October 28, 2022, 11:21pm

Ok so i just figured this out by examining the code in the metasploit module .rb and cross refrencing the parameters with the .txt exploit code

Both methods complete

bryan · November 5, 2022, 3:41am

First you have to search in internet for Simple Backup Plugin 2.7.10 and search for their respective exploits and then load that exploit in metasploit and configure it very, very well, that is, read the requirements and that’s it

Excuse me my English is very basic

Topic		Replies	Views
GETTING STARTED-Public Exploits Academy	3	2498	October 9, 2024
Getting Started \| Public Exploits \| WordPress simple-backup getting-started	0	1056	December 1, 2021
Getting Startet WordPress Backup-Plugin getting-started	1	478	January 10, 2022
Stuck at Getting Started -> Pentesting Basics -> Public Exploits Academy	1	375	December 21, 2021
Unique issue: Public exploits Academy getting-started	0	154	October 27, 2023

Getting Started | Public Exploits | Try to identify the services running on the server above

Related topics