Getting Started | Public Exploits | Try to identify the services running on the server above

I’m using the following exploit

Name: exploit/multi/http/wp_plugin_backup_guard_rce
Description: Wordpress Plugin Backup Guard - Authenticated Remote Code execution

I think I was on wrong exploit, used searchsploit to get (I think) the correct one:

**WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities**
Metasploit name: auxiliary/scanner/http/wp_simple_backup_file_read

I feel that I’m getting closer, but I’m still trying multiple options in the exploit without success so far.

I enter RHOST + HOSTS corresponding to the spawn but I think there is something wrong in my filepath option.

actually it is: http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt

When I use this: “http://SPAWN_IP:SPAWN_PORT/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt”, I just get an empty file.

I’m trying many different paths to complete the exploit and get the flag, but with no success so far. The only path that gave me a file to read was /etc/passwd, but there is nothing in that file that can help get the flag.

OK I GOT IT :fist:

Really, don’t look too hard for the flag filepath, just think about the easiest path possible. ■■■ I spent hours finding the correct one and it was just a very simple one, what a waste of time :rofl:


Spent a while on this. Use the tools mentioned in the exercise: searchsploit and msfconsole. Visit the website and the answer should be right in your face.

I watched the video about this task, I did everything exactly, but it doesn’t work now. The exploit can’t save the file /flag.txt from the remote server. I think it is just a bug.

I found the way to download the file: you should use slightly more advanced path traversal techniques. It works! But actually the knowledge presented was not enough to do it.

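A defender-side check for the arbitrary file read discussed in this thread, added here as an example and not part of any post: it parses web-server access-log lines (constructed samples embedded inline) and flags `download_backup_file` values that escape the backup folder, including double-encoded and 0-byte responses like the ones reported above. The log format regex and sample entries are assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log format (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=site-2024.zip HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=/etc/passwd HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=..%252F..%252Fwp-config.php HTTP/1.1" 200 1500 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_backup_param(value):
    """Return why a download_backup_file value looks like a file-read attempt, or None if it
    stays inside the backup folder. Decodes twice so a double-encoded slash (%252F) is caught."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "directory traversal"
    return None

def find_file_read_attempts(log_text):
    """Parse access-log lines and return (ip, status, decoded value, reason) for each hit.
    A 200 with a 0-byte body still counts: the request was an attempt even if it failed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query)  # parse_qs already applies one round of URL decoding
        if not parts.path.endswith("/wp-admin/tools.php") or qs.get("page") != ["backup_manager"]:
            continue
        for value in qs.get("download_backup_file", []):
            reason = classify_backup_param(value)
            if reason:
                hits.append((m.group("ip"), int(m.group("status")), unquote(unquote(value)), reason))
    return hits

if __name__ == "__main__":
    for hit in find_file_read_attempts(SAMPLE_LOG):
        print(hit)
```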

No way I would have figured it out without using clues from this forum (no spoilers). It took at least 3 days, about 21 hours, but I finally found the flag. I am now an expert on this particular exploit.

I found it using metasploit and the public way, using the web-browser is the easiest way to view the content of the downloads.

I found the flag also using the Metasploit way. If you wanna know how I got this done…
check out my write-up on Public Exploits for Getting Started. Thanks


“Doesnt it say in the question?”

Thank you TazWake! This was the nudge that I needed. Need to read carefully.
Good stuff! Thanks again!


This helped me as well.


I’m having a ton of trouble here. I found the arbitrary file read through searchsploit and went to the directory mentioned: 142.93.47.26:30633/wp-admin/tools.php?page=backup_manager&download_backup_file=/flag.txt
When I do this, a 0 byte file downloads. Aside from this, I’ve tried just about every directory I could think of, but that seems like it’s wrong.
I’ve also tried using the Metasploit module: set rhosts to the IP address, set rport to the port of the box, and set the filepath to /flag.txt, as mentioned in the question. When I run the module, no file downloads, it just says:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
I watched a video on this, and the author did exactly this, but there was another line saying that the flag.txt was saved to the msf4 loot folder.
I’ve also tried respawning the box and trying again, many times.
All to no avail. This is getting really frustrating.
Any suggestions? Is there a bug?


try using the directory from the question :wink:


Yep I did that. I ended up using the integrated pwnbox to be successful. Apparently Kali over the vpn was having issues.

If you have Kali, when using Metasploit, for RHOST use the IP address and for RPORT use the port given for the spawned machine.

I’ve managed to get this done using Metasploit, but the method using the code in the .txt exploit and the browser hasn’t clicked yet. I end up downloading blank flag.txt files and don’t really seem to get anywhere.

Frustrating, but just using Metasploit kind of defeats the object of the module.


OK, so I just figured this out by examining the code in the Metasploit module .rb and cross-referencing the parameters with the .txt exploit code.

Both methods complete.

First you have to search the internet for Simple Backup Plugin 2.7.10 and look for its respective exploits, then load that exploit in Metasploit and configure it very, very well, that is, read the requirements, and that’s it.

Excuse me, my English is very basic.
