Getting Started | Public Exploits | Try to identify the services running on the server above...

I am kinda stuck at "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)"

I seem to find only one port open and I am not sure how to exploit it or what exploit to use. I would really appreciate any hint


Comments

  • edited March 19

    I haven't done the academy, but this is one of the first steps in discovery and recon so I believe this will help even though it's not directly tied to the academy.

    After running your initial nmap scan, you should have a pretty good idea of what's running on the host. It might be advantageous to run an all-ports scan to ensure you got all of the services running on the target.

    While reviewing the nmap results, you will want to look on sites like GitHub, Exploit-DB (searchsploit on the command line), and Google to find any exploits for the service running.

    Depending on the service running, it might help to banner grab the service using netcat to see if you can see the version that way. This is helpful for services like FTP, where you can connect via nc <host> 21 and see if the service leaks its name and version, for example vsftpd 2.3.4.

    Hope this helps! If you need any further help, my inbox is always open :)

    I am always open to helping; however, please ensure you explain what you have tried first before asking for hints!
    Also, reps go a long way!

    Certifications: ITIL, eJPT, eCPPT (In Progress)
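    The recon steps above (scan, read the version strings, search Exploit-DB) are usually done by hand, but the parsing can be automated. The following is an added example written for this page, not code from the thread or from HTB Academy: it parses nmap's grepable output (-oG) into service records, builds one searchsploit query per open service, and includes a minimal banner-grab helper. The scan text is constructed sample data; the host 10.10.10.10 and the services in it are placeholders, not the lab host.

```python
"""Added example: nmap -oG output -> searchsploit queries, plus a banner grab.
SAMPLE_GNMAP is constructed sample data, not output from the lab target."""
import re
import shlex
import socket
from dataclasses import dataclass

# Constructed sample of grepable output; each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/  (nmap -oG format).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/\tIgnored State: closed (65532)
# Nmap done
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str       # open / closed / filtered
    name: str        # nmap service name, e.g. ftp, http
    version: str     # nmap product/version string, may be empty


def parse_gnmap(text):
    """Return a Service for every entry in the 'Ports:' field of -oG output."""
    services = []
    for line in text.splitlines():
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def searchsploit_queries(services):
    """One searchsploit command per open service with a version string.
    The query is product name plus version number ('vsftpd 2.3.4'); nmap's
    parenthesised OS hints such as '((Ubuntu))' are dropped so the title
    search is not over-constrained."""
    queries = []
    for s in services:
        if s.state != "open" or not s.version:
            continue
        product = s.version.split("(")[0].strip()
        words = product.split()
        ver = next((w for w in words if re.match(r"\d", w)), None)
        q = words[0] + (f" {ver}" if ver else "")
        queries.append(f"searchsploit {shlex.quote(q)}")
    return queries


def grab_banner(host, port, timeout=3.0):
    """Connect and read whatever the service volunteers. FTP, SSH and SMTP
    greet first; HTTP says nothing until asked, so send a minimal HEAD."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return s.recv(1024).decode(errors="replace").strip()
        except socket.timeout:
            return ""


if __name__ == "__main__":
    for cmd in searchsploit_queries(parse_gnmap(SAMPLE_GNMAP)):
        print(cmd)
```

    Replace SAMPLE_GNMAP with the contents of your own scan file (nmap -sV -p- -oG scan.gnmap <host>) and run the printed commands; grab_banner is only useful against a live host, so it is not exercised by the sample data.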

  • So, after scanning the proposed server, I see that the port is open and serves HTTP over TCP via the Apache 2.4.41 service.

    It is also known that this port is used for a blog on WordPress 5.6.1

    When I go to the page, I see that the Simple Backup Plugin 2.7.10 for WordPress is installed. After a little digging around the site, I found the name of a user with the ability to publish posts, possibly the admin.

    I run the metasploit framework and try to find any exploit using the "WordPress" or "plugin" search.

    As a result, I see a bunch of different exploits, but when I try to use them, even setting the necessary options (host and port) I can't get a result. Exploits just don't work. Probably because I chose the wrong ones.

    Can you tell me how to choose the right exploit in this case? I seem to be doing everything as in the description of the training stage and have not yet achieved a result.

  • If you have Kali, searchsploit is useful in addition to the exploits in MSF. I haven't done this lab, but I assume it means "Public Exploits" more than just ones which have a Metasploit module built for them.

    If the exploits you've tried haven't worked, it probably means that they aren't the right ones and you need to keep looking. Generally, there isn't an easier answer - a lot of CTF/Pentesting is simply trying things and seeing what works.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    If you have Kali, searchsploit is useful in addition to the exploits in MSF.

    I have a weak laptop, I use Parrot. Now I'll check if I have searchsploit...

    If the exploits you've tried haven't worked, it probably means that they aren't the right ones and you need to keep looking. Generally, there isn't an easier answer - a lot of CTF/Pentesting is simply trying things and seeing what works.

    Thanks. I will try further..

  • @TazWake said:
    If you have Kali, searchsploit is useful in addition to the exploits in MSF. I haven't done

    Unbelievable!!! Searchsploit was exactly what helped!
    I got the flag I was looking for and I feel incredibly happy that I was able to figure it out!!!!
    Thanks everyone.

  • @Wiiz4Rd said:

    @TazWake said:
    If you have Kali, searchsploit is useful in addition to the exploits in MSF. I haven't done

    Unbelievable!!! Searchsploit was exactly what helped!
    I got the flag I was looking for and I feel incredibly happy that I was able to figure it out!!!!
    Thanks everyone.

    Can you give me a hint? I searched with searchsploit but nothing worked from what I found by doing so.

  • Launch searchsploit and try searching by the name of the web application installed on the server. Look in the search results and you may find an exploit for the plugin that is installed in this web application. Then it will only be necessary to study it.

  • edited March 23

    Hello. Piggy backing off this thread. I have been trying to follow along and have gotten stuck. I have found the exploit to be used but am unable to run it properly. I am inside the msfconsole and running ' use exploit.txt ' but get an error 'module failed to load'. Any ideas?

    -- update: Was using incorrect exploit. I will have to play with this a bit more.

    Hack The Box

  • exploit.txt is not an exploit

  • i've encountered a problem also, Does anyone know why i'm getting this error.

    └──╼ [★]$ nmap 178.62.54.33
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
    └──╼ [★]$ nmap -Pn 178.62.54.33
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
    Nmap scan report for 178.62.54.33
    Host is up (0.0016s latency).
    All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

    Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

  • @Su8Z3r0 said:

    i've encountered a problem also, Does anyone know why i'm getting this error.

    └──╼ [★]$ nmap 178.62.54.33
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
    └──╼ [★]$ nmap -Pn 178.62.54.33
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
    Nmap scan report for 178.62.54.33
    Host is up (0.0016s latency).
    All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

    Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

    Possibly dozens of reasons. I haven't done this lab so it is hard to guess as there isn't much information to go on.

    Filtered generally means nmap received no response, closed generally means there was an RST packet. If you know how to use wireshark/tcpdump, you could sniff the traffic and confirm this.

    Try:

    • traceroute 178.62.54.33
    • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

    It's even possible the lab is configured to require you to do something differently than a simple scan.

    TazWake


  • stuck at Public Exploits, can someone help nudge on the right direction, did Searchsploit and metasploit but came at a dead end. would appreciate any help. ^_^

  • @Wiiz4Rd said:
    Launch searchsploit and try searching by the name of the web application installed on the server. Look in the search results and you may find an exploit for the plugin that is installed in this web application. Then it will only be necessary to study it.

    I did that, found the exploit (.rb), imported it into Metasploit, but it does not work. I made the necessary settings: set rport, rhost, lhost.

    Am I missing something ?

  • The exploit I have been trying to run is the one for Wordpress Simple backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it...

    I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

    If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.


  • edited March 25

    @panzer said:

    I did that, found the exploit (.rb) imported it into metasploit, but it does not work, I made the necessary settings: set rport, rhost, lhost.

    This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do...

  • @TazWake said:


    Possibly dozens of reasons. I haven't done this lab so it is hard to guess as there isn't much information to go on.

    Filtered generally means nmap received no response, closed generally means there was an rst packet. If you know how to use wireshark/tcpdump, you could sniff the traffic and confirm this.

    Try:

    • traceroute 178.62.54.33
    • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

    It's even possible the lab is configured to require you to do something differently than a simple scan.

    I am sure it is not about the scan, I wasted like 2 hours performing a full scan, all the other ports open are related to other exercises.
    For sure we have to use searchsploit and find something related to a plugin vulnerability (not sure if I am allowed to name the exact version and name of the plugin).

    @NewHax said:
    The exploit I have been trying to run is the one for Wordpress Simple backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it...

    I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

    If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.

    I am in the same situation as you are. I feel your pain :smile:

    @Wiiz4Rd said:
    @panzer said:

    I did that, found the exploit (.rb) imported it into metasploit, but it does not work, I made the necessary settings: set rport, rhost, lhost.

    This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do...

    Is the extension of this exploit .rb or .txt?

  • @panzer said:

    Is the extension of this exploit .rb or .txt?

    Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read it.

  • edited March 25

    @Wiiz4Rd said:

    Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read it.

    I have read the .txt of this exploit (39883) many times.
    = https://www.exploit-db.com/exploits/39883

    I see in part 2.2 it shows how to 'download a backup file'. I am unsure how to properly format the following in the browser bar.

    ' http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar '

    The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what '< WP-Path >' needs to be named to. I have tried inserting <flag.txt> but the server times out.

    @panzer I will make sure we both get through this. No man left behind.


  • Solved it but used Metasploit rather than searchsploit, will do this module again to check the searchsploit way of doing it to get the flag

  • edited March 26

    @NewHax said:

    The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what '< WP-Path >' needs to be named to. I have tried inserting <flag.txt> but the server times out.

    WP-Path is the WordPress path.
    This can be /, /wordpress or /blog, depending on the circumstances.

    And to successfully get the flag file, you must clearly specify the path to it.

  • @NewHax said:

    I have read the the .txt of this exploit (39883) many times.
    = https://www.exploit-db.com/exploits/39883

    I see in part 2.2 it shows how to 'download a backup file'. I am unsure how to properly format the following in the browser bar.

    ' http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar '

    The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what '< WP-Path >' needs to be named to. I have tried inserting <flag.txt> but the server times out.

    @panzer I will make sure we both get through this. No man left behind.

    @NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works, the file it downloads is empty.

    @h3rcroot said:
    Solved it but used Metasploit rather than searchsploit, will do this module again to check the searchsploit way of doing it to get the flag

    How ? What exploit did you use?

    @Wiiz4Rd said:
    @NewHax said:

    The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what '< WP-Path >' needs to be named to. I have tried inserting <flag.txt> but the server times out.

    WP-Path is the WordPress path.
    This can be /, /wordpress or /blog, depending on the circumstances.

    And to successfully get the flag file, you must clearly specify the path to it.

    How should I figure out what is supposed to be there? I ran gobuster and it seems that ip:port/wp-admin is the way to go, but still the downloaded file contains 0 bytes.

  • edited March 30

    Finally figured this one out. If anyone needs help you can message me and I'll try and assist. The gist is run the exploit with the correct settings and Metasploit will spit out a file you can cat to view.

    --edit: See my most recent post on this thread for some hints before messaging me :)


  • Still curious on the searchsploit method, if anyone has done it. ^_^

  • @panzer said:

    @NewHax Thank you bro, I am in exactly in the same situation as you are. Read it tried a lot of combinations, nothing works, the file it downloads is empty.

    Look in the task for where the flag.txt file is located. What path do you set for it? Just /flag.txt? You need to think about where this root folder will actually be on the server and what the path to it is.

    @h3rcroot said:
    Still curious on the searchsploit method, if anyone has done it. ^_^

    I did it using searchsploit and it's very simple.

  • @Wiiz4Rd said:

    Look in the task for where the flag.txt file is located. What path do you set for it? Just /flag.txt? You need to think about where this root folder will actually be on the server and what the path to it is.

    @h3rcroot said:
    Still curious on the searchsploit method, if anyone has done it. ^_^

    I did it using searchsploit and it's very simple.

    Thanks for the tip! Will do more research!!! Now I know how to do it by searchsploit and Metasploit!!! Thanks again!

  • Found the searchsploit vulnerability easily enough, mucked about for a while figuring out the right location as @Wiiz4Rd mentioned previously. Trial and error are a thing, happy hunting.

  • I got root in the final Knowledge Check. It's incredible.

  • @Wiiz4Rd said:

    I got root in the final Knowledge Check. It's incredible.

    I'll try to finish the module! I'm excited!

  • Hi guys, I am a new noob. I have discovered the vulnerability (with both methods) but I am stuck in the final process of finding the right directory of the flag.txt (the downloaded file is empty). Can someone please give me a hint on HOW to find this folder (not the solution)? I have been stuck on this little thing for 2 days and I can't find a way.
    Any help would be very appreciated.

  • @sl33p said:

    Hi guys, I am a new noob. I have discovered the vulnerability (with both methods) but I am stuck in the final process of finding the right directory of the flag.txt (the downloaded file is empty). Can someone please give me a hint on HOW to find this folder (not the solution)? I have been stuck on this little thing for 2 days and I can't find a way.
    Any help would be very appreciated.

    I am not 100% sure as I haven't done this lab.

    However, you can generally try something like:

    find / -iname "flag.txt" 2>/dev/null to find the file you are looking for.

    Alternatively, I think the question says /flag.txt , so I'd start there.

    TazWake
