Getting Started | Public Exploits | Try to identify the services running on the server above

I’m using the following exploit

Name: exploit/multi/http/wp_plugin_backup_guard_rce
Description: Wordpress Plugin Backup Guard - Authenticated Remote Code execution

I think I was on the wrong exploit; I used searchsploit to get (I think) the correct one:

**WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities**
Metasploit name: auxiliary/scanner/http/wp_simple_backup_file_read

I feel that I’m getting closer, but I’m still trying multiple options in the exploit without success so far.

I enter RHOST + HOSTS corresponding to the spawn, but I think there is something wrong in my filepath option.

Actually it is: http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt

When I use “http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt”, I just get an empty file.

I’m trying many different paths to complete the exploit and get the flag, but with no success so far. The only path that gave me a file to read was /etc/passwd, but there is nothing in this file that can help to get the flag.

OK I GOT IT :fist:

Really, don’t look too hard for the flag filepath, just think about the easiest path possible. ■■■ I spent hours finding the correct one and it was just a very simple one, what a waste of time :rofl:


Spent a while on this. Use the tools mentioned in the exercise: searchsploit and msfconsole. Visit the website and the answer should be right in your face.

I watched the video about this task and did everything exactly, but it doesn’t work now. The exploit can’t save the file /flag.txt from the remote server. I think it is just a bug.

I found a way to download the file: you should use slightly more advanced path traversal techniques. It works! But actually, not enough knowledge was presented to do it.