So, after scanning the proposed server, I see that the port is open and is used for TCP, HTTP by the Apache 2.4.41 service.
It is also known that this port is used for a blog on WordPress 5.6.1.
When I go to the page, I see that Simple Backup Plugin 2.7.10 for WordPress was installed. After browsing the site a little, I found out the name of a user with the ability to publish posts, possibly the admin.
I run the Metasploit Framework and try to find any exploit using the “WordPress” or “plugin” search.
As a result, I see a bunch of different exploits, but when I try to use them, even after setting the necessary options (host and port), I can’t get a result. The exploits just don’t work. Probably because I chose the wrong ones.
Can you tell me how to choose the right exploit in this case? I seem to be doing everything as in the description of the training stage and have not yet achieved a result.