I’m using the following exploit
Name: exploit/multi/http/wp_plugin_backup_guard_rce
Desciption: Wordpress Plugin Backup Guard - Authenticated Remote Code execution
I think I was on wrong exploit, used searchsploit to get (I think) the correct one:
** WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities**
Metasploit name: auxiliary/scanner/http/wp_simple_backup_file_read
I feel that I’m getting closer but still trying multiple options in the exploit but without success so far,
I enter RHOST + HOSTS corresponding to the spawn but I think there is something wrong in my filepath option.
actually it is: http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt
when I use actually it is: “http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt” this, I just get an empty file
I’m trying many different path to complete the exploit and get the flag but with no success so far. The only path that I’ve get a files to read was /etc/passwd but nothing in this files that can help to get the flag
OK I GOT IT 
Really don’t look too much about the flag filepath, just think about the easiest path possible. ■■■ i spent hours to find the correct one and it was just very simple one, what a waste of time 
1 Like
Spent a while on this. use the tools mentioned in the exercise. searchsploit and msfconsole. visit the website and the answer should be right in your face.
I watched the video about this task, I did everything exactly but it doesnt work now. Exploit cant save the file /flag.txt from the remote server. I think it is just a bug.
I found the way how to download the file, you should use a little more advanced path traversal techniques. It works! But actually the knowledge was presented not enough to do it.