Getting Started | Public Exploits | Try to identify the services running on the server above

Many people wrote lots of things here. But someone who is trying to solve these things at first should remember that it is just for ‘getting started.’ So I think it is only required to use Metasploit basically, that is all.

Just try to use Metasploit, looking for the simple backup exploit; set the proper RHOST, RPORT and FILEPATH from the assignment text and then just cat the file location you got back from msfconsole.

I wish I could kiss you.

I was able to do this with Kali NOT running the HTB VPN.

Hi all, there are 2 methods to get the flag for the question.

Searchsploit = Find the services via searchsploit and read the .txt file.
Difficulty: Harder than Metasploit
Notes: Yes, it might be confusing at the start, but look at those links. For example, the content mentioned uses oldbackup IF the folders are there; we don’t know. So what will happen if we remove that word and input something else? Try reading the text file and understand what this exploit does. You can also add ../../../../../ followed by flag.txt, then download the content. Once the downloaded file is NOT 0 bytes, it means you got the flag.

Metasploit = Search for the service and get the flag.
Difficulty: Easier than Searchsploit & manual exploitation
Notes: Start msfconsole, search for the service and check if there is anything relevant. Then set RHOST, RPORT and FILEPATH, then RUN. FILEPATH is your target location. Then cat the file in the target directory and you’ve got the flag.

Hope this helps.

Solved: I kept overwhelming the server; I had to add -t 10 at the end of the gobuster command. DERP on my part.

I’m having a slightly different issue: Gobuster times out, so I’m not sure which file path to target. I can’t figure out why, as I can see the webpage, ping it, nmap it, and even run Metasploit. But when I want to enumerate directories, gobuster just times out.

Hi all, I could not complete it with searchsploit but with Metasploit it was very easy.

First when you find what vulnerability you will be exploiting MAKE SURE TO READ CAREFULLY WHAT IT DOES!!

Then use Metasploit and MAKE SURE TO SET THE OPTIONS. Review all options carefully.

good luck!!!

I used Kali over VPN and oh what a whirlwind it was. Failure does teach a lot. Found myself going over Burp and what not, only to realize msf was my way to the light. Question though: someone mentioned running “systemctl start postgresql”. What is that for? flag.txt landed in the loot in ~

First, you scan your target to identify the vulnerabilities. If you choose to exploit the WordPress Simple Backup Plugin, you can do this using searchsploit. Use searchsploit to get more context on the vulnerability. You will probably get an auxiliary exploit php/webapps/39883.txt. You can use this exploit in msfconsole and assign the file path to the filename of the flag. Remember to set your host and port too.

You’re amazing my bro, I was struggling for an entire week, thank you. :100: :100:

Hello everyone, I just came across this topic while I was looking around to solve this box.
I just solved it using MSF; can someone explain to me how to solve it using searchsploit?
I found the CVE but I didn’t understand how to use it >> feel free to DM
and thank you all for this amazing community :heart:

This was also my problem. I ran Metasploit on Kali in VirtualBox with the VPN provided by HTB, and I would always get empty files. But once I ran it on Pwnbox, it downloaded the file. I don’t know if I set up my vbox correctly or something. Any help would work.

It took me hours; I got the exploit module but I was missing FILEPATH.

I solved it using scanner/http/wp_simple_backup_file_read from MSF.

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /etc/passwd      yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see Running modules | Metasploit Documentation
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

The vulnerable plugin says: "This plugin will create a directory in the root of your WordPress directory called ‘simple-backup’ to store the backup files."

If I think the flag is in root, the path may be /flag.txt.

Setting it up:

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> set RHOSTS 83.136.255.40
RHOSTS => 83.136.255.40
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> set RPORT 52964
RPORT => 52964
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> set FILEPATH /flag.txt
FILEPATH => /flag.txt
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> run

[+] File saved in: /root/.msf4/loot/20240817222313_default_83.136.255.40_simplebackup.tra_931721.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >>

And now we cat the file /root/.msf4/loot/20240817222313_default_83.136.255.40_simplebackup.tra_931721.txt, which shows the flag.
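As an added, defender-side example that is not from this thread: the traversal described in the searchsploit notes above (../ sequences followed by flag.txt, the DEPTH 6 option in the module run) leaves a recognisable trace in the web server access log. This Python scanner decodes request targets (including double URL encoding) and reports each request that still contains parent-directory hops, with the hop count and the file the hops lead to. The log lines are constructed samples, and the plugin endpoint path in them is a placeholder assumption, not the real plugin's URL.

```python
import re
from urllib.parse import unquote

# Request field of an Apache/nginx combined log line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parent-directory hops, Unix or Windows style, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")

# Constructed sample log lines (not from the thread). The plugin endpoint
# path is a placeholder assumption, not the real plugin's URL.
SAMPLE_LOG = [
    '10.10.14.5 - - [17/Aug/2024:22:23:13 +0000] "GET /wp-content/plugins/simple-backup/download.php'
    '?file=../../../../../../flag.txt HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [17/Aug/2024:22:23:20 +0000] "GET /wp-content/plugins/simple-backup/download.php'
    '?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1300 "-" "curl/8.0"',
    '10.10.14.9 - - [17/Aug/2024:22:24:01 +0000] "GET /wp-content/plugins/simple-backup/download.php'
    '?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220 "-" "python-requests/2.31"',
    '192.168.1.20 - - [17/Aug/2024:22:25:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both end up as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(lines):
    """One finding per request whose decoded target contains '../':
    client IP, number of hops, and the file after the last hop."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a combined-log request line
        target = fully_decode(match.group("target"))
        hops = TRAVERSAL_RE.findall(target)
        if not hops:
            continue
        findings.append({
            "client": line.split(" ", 1)[0],
            "depth": len(hops),
            "requested": TRAVERSAL_RE.split(target)[-1],
        })
    return findings
```

Run against a real access log, the "requested" field is the quickest way to see whether a traversal reached files outside the plugin's backup directory, which is exactly what the module above is reading.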

I also wish to kiss you. Thank you haha

Done, finally, using Metasploit.

Use the exploit on "simple file backup" something.

Show options and set each of them (LHOST, RHOSTS, RPORT and “FILEPATH”) correctly.

Exploit, and it will download the flag file.

Set RHOSTS, RPORT, FILEPATH, and TARGETURI. When you use the exploit it will tell you the location of the text file with the flag.

it worked, thank you

PLEEEEASE HELP xD
I must be missing something fundamental, because the steps I see are similar to mine; however, the file that I am getting out of the exploit seems similar to the /etc/passwd structure.
So here is how I’ve proceeded with the challenge:

  1. Nmapped the target and found out that an Apache server is running on the specified port.
  2. I took a look at the site and it was a WordPress site using the Simple Backup Plugin x.y.z.
  3. So I took the Simple Backup Plugin (and its version) to searchsploit and found an exploit for it.
  4. I opened the Metasploit Framework and found the exploit, inserted the target IP, inserted the target port.
  5. It wrote something along the lines that the text file was stored inside a certain location.
     But the content of the text file downloaded looks like the /etc/passwd file, so is that the flag or what?

If you’re stuck answering this question, the biggest clue I can give is check the settings when running the exploit. Additionally, read the question, as one of the settings is mentioned.