Understanding the WordPress FILEPATH option in an MSF exploit

Fellow Hackers,

I ran a WordPress plugin backup exploit and I had to set a FILEPATH variable to ‘/flag.txt’ to obtain the flag. By default the path says ‘/etc/passwd’.

What I am trying to understand here is what this path actually means in terms of directory. I am guessing there is a flag.txt file at the root of the WordPress that is running on the Apache server?

I attempted to run the exploit with the default FILEPATH and my output file ended up looking like this. I reckon it pulled the ‘passwd’ file from the ‘etc’ directory on the Apache webserver?

It’s as you described it and what the exploit says.

Provide the path to the file for which you wish to receive the contents. In your case it was the /etc/passwd file that you received the contents for.

Obtain the payload option to specify which file you wish to read from.