Stuck @ Academy > HACKING WORDPRESS > Skills Assessment - WordPress


I’m stuck on the last module, at the fifth question: “Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.”
I don’t know exactly what they want.
I obviously did a wpscan and found a bunch of vulnerabilities.
wpscan --url http://blog.inlanefreight.local --enumerate --api-token ****

I already have a shell on the target system, but without knowing which flag they want exactly, it’s quite difficult (at least for me :smiley: ).
All other questions were clear for me.

Can anyone help me?

@Toubster did you get it? I could get all the other flags but this one. I inspected the web root directory and home but found nothing. Even after having logged in at wp-admin, I didn’t find any extra post/page.

Hi @y0k4i, sorry for the late reply!
No, I haven’t found the solution to this one flag. :frowning:

You should detect the right vulnerable plugins, and I think you should read the exploit information about those vulnerable plugins on Exploit Database —> you will get the flag for your answer.

@Satellite but isn’t it the same vulnerable plugin we exposed in the other questions?
I tried every plugin and have LFI and RCE access, but I fail like @Toubster.
I want to complete this module :cold_sweat:

Just check the vulnerabilities with the CVE number, then you will find the answer.

I have the same problem, but I have not figured out yet which file I need to download. Looking at every file accessible to the user erika, I didn’t find any HTB{} or flag yet…

Does anybody have any tips on how to get “erika’s” last name on this skills assessment?

The question: Identify the only non-admin WordPress user. (Format: )


The non-admin user is not erika.

Is the flag placed inside other directories of the plugin? I am not able to find it.

wpscan --url --enumerate
Scroll down to find it.
The non-admin WordPress user is listed under admin: C****** W******