Getting Started | Public Exploits | Try to identify the services running on the server above

exploit.txt is not an exploit

2 Likes

I’ve encountered a problem also. Does anyone know why I’m getting this error?

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

@Su8Z3r0 said:

I’ve encountered a problem also. Does anyone know why I’m getting this error?

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

Possibly dozens of reasons. I haven’t done this lab so it is hard to guess as there isn’t much information to go on.

Filtered generally means nmap received no response; closed generally means there was an RST packet. If you know how to use Wireshark/tcpdump, you could sniff the traffic and confirm this.

Try:

  • traceroute 178.62.54.33
  • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

It’s even possible the lab is configured to require you to do something differently than a simple scan.
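The `--reason` flag suggested above makes the filtered/closed distinction visible per port. The following Python is an added example, not code from this thread or from nmap: it parses a constructed sample of `nmap --reason` normal output (the host, ports and reasons are made up) and maps each state/reason pair back to the packet that was, or was not, seen on the wire.

```python
import re
from collections import Counter

# Constructed sample of `nmap -Pn --reason` normal output (not from the thread).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up, received user-set (0.0016s latency).
PORT     STATE    SERVICE      REASON
22/tcp   open     ssh          syn-ack ttl 63
80/tcp   open     http         syn-ack ttl 63
113/tcp  closed   ident        reset ttl 63
139/tcp  filtered netbios-ssn  no-response
445/tcp  filtered microsoft-ds admin-prohibited from 10.0.0.1
8080/tcp closed   http-proxy   reset ttl 63
"""

# One port line: "<port>/<proto> <state> <service> <reason ...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<reason>.+?)\s*$"
)

ICMP_REASONS = {"admin-prohibited", "host-prohibited", "net-prohibited",
                "host-unreach", "net-unreach", "port-unreach", "proto-unreach"}

def parse_port_lines(text):
    """Return one dict per port line found in nmap normal output run with --reason."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def explain(row):
    """Translate nmap's state/reason pair into the packet that was (or was not) seen."""
    kind = row["reason"].split()[0]
    if kind == "syn-ack":
        return "SYN/ACK came back: a service is listening"
    if kind == "reset":
        return "RST came back: host reachable, nothing listening on this port"
    if kind == "no-response":
        return "nothing came back: probe or reply silently dropped"
    if kind in ICMP_REASONS:
        return f"ICMP unreachable ({kind}) from a router or host firewall"
    return f"other reason reported by nmap: {row['reason']}"

def summarize(rows):
    """Count (state, reason) pairs so a scan can be read at a glance."""
    return dict(Counter((r["state"], r["reason"].split()[0]) for r in rows))

if __name__ == "__main__":
    rows = parse_port_lines(SAMPLE_NMAP_OUTPUT)
    for r in rows:
        print(f"{r['port']}/{r['proto']:<4} {r['state']:<9} {explain(r)}")
    print(summarize(rows))
```

A scan where every port shows `no-response` and none shows `reset` points at a drop policy in front of the host rather than at a host with nothing listening.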

Stuck at Public Exploits. Can someone help nudge me in the right direction? I did searchsploit and Metasploit but came to a dead end. Would appreciate any help. :slight_smile:

@Wiiz4Rd said:
Launch searchsploit and try searching by the name of the web application installed on the server. Look in the search results and you may find an exploit for the plugin that is installed in this web application. Then it will only be necessary to study it.

I did that, found the exploit (.rb), imported it into Metasploit, but it does not work. I made the necessary settings: set rport, rhost, lhost.

Am I missing something?

The exploit I have been trying to run is the one for WordPress Simple Backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it…

I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.

1 Like

@panzer said:

I did that, found the exploit (.rb), imported it into Metasploit, but it does not work. I made the necessary settings: set rport, rhost, lhost.

This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do…

1 Like

@TazWake said:

@Su8Z3r0 said:

I’ve encountered a problem also. Does anyone know why I’m getting this error?

└──╼ [★]$ nmap 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
─[user106059@htb-xdfadiomy3]─[~]
└──╼ [★]$ nmap -Pn 178.62.54.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-23 22:36 UTC
Nmap scan report for 178.62.54.33
Host is up (0.0016s latency).
All 1000 scanned ports on 178.62.54.33 are filtered (905) or closed (95)

Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

Possibly dozens of reasons. I haven’t done this lab so it is hard to guess as there isn’t much information to go on.

Filtered generally means nmap received no response; closed generally means there was an RST packet. If you know how to use Wireshark/tcpdump, you could sniff the traffic and confirm this.

Try:

  • traceroute 178.62.54.33
  • nmap -Pn -sC -sV -vvvvvvvvvv --reason -T4 -p- 178.62.54.33 to get more information from nmap.

It’s even possible the lab is configured to require you to do something differently than a simple scan.

I am sure it is not about the scan. I wasted like 2 hours performing a full scan; all the other open ports are related to other exercises.
For sure we have to use searchsploit and find something related to a plugin vulnerability (not sure if I am allowed to name the exact version and name of the plugin).

@NewHax said:
The exploit I have been trying to run is the one for WordPress Simple Backup. Has everyone here been trying to run the same? I read through the entire .txt file for that exploit but still cannot wrap my head around it…

I have got the exploit to run successfully (no errors in terminal) but am unsure what exactly is being done or where to check for any kind of result.

If I make any headway I will make sure to post here as there are now a few of us trying to get past the same thing.

I am in the same situation as you are. I feel your pain :smile:

@Wiiz4Rd said:
@panzer said:

I did that, found the exploit (.rb), imported it into Metasploit, but it does not work. I made the necessary settings: set rport, rhost, lhost.

This exploit, found in searchsploit, does not need to be loaded anywhere. You just need to read it and understand what to do…

Is the extension of this exploit .rb or .txt?

@panzer said:

Is the extension of this exploit .rb or .txt?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

1 Like

@Wiiz4Rd said:

@panzer said:

Is the extension of this exploit .rb or .txt?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

I have read the .txt of this exploit (39883) many times.
= WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities - PHP webapps Exploit

I see in part 2.2 it shows how to ‘download a backup file’. I am unsure how to properly format the following in the browser bar.

http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar

The first is a loopback address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

@panzer I will make sure we both get through this. No man left behind.

Solved it, but used Metasploit rather than searchsploit. Will do this module again to check the searchsploit way of getting the flag.

@NewHax said:

The first is a loopback address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

WP-Path is the WordPress path.
This can be / or /wordpress or /blog, depending on the circumstances.

And to successfully get the flag file, you must clearly represent the path to it.

1 Like

@NewHax said:

@Wiiz4Rd said:

@panzer said:

Is the extension of this exploit .rb or .txt?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

I have read the .txt of this exploit (39883) many times.
= WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities - PHP webapps Exploit

I see in part 2.2 it shows how to ‘download a backup file’. I am unsure how to properly format the following in the browser bar.

http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar

The first is a loopback address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

@panzer I will make sure we both get through this. No man left behind.

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works; the file it downloads is empty.

@h3rcroot said:
Solved it, but used Metasploit rather than searchsploit. Will do this module again to check the searchsploit way of getting the flag.

How? What exploit did you use?

@Wiiz4Rd said:
@NewHax said:

The first is a loopback address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

WP-Path is the WordPress path.
This can be / or /wordpress or /blog, depending on the circumstances.

And to successfully get the flag file, you must clearly represent the path to it.

How should I figure out what is supposed to be there? I ran gobuster and it seems that ip:port/wp-admin is the way to go, but still the downloaded file contains 0 bytes.

Finally figured this one out. If anyone needs help you can message me and I’ll try and assist. The gist is: run the exploit with the correct settings and Metasploit will spit out a file you can cat to view.

Edit: See my most recent post on this thread for some hints before messaging me :slight_smile:

Still curious on the searchsploit method, if anyone has done it. :slight_smile:

@panzer said:

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works; the file it downloads is empty.

Look in the task where the file flag.txt is located. What path do you set for it? Just /flag.txt? You need to think about where this root folder will actually be on the server and what the path to it is.

@h3rcroot said:
Still curious on the searchsploit method, if anyone has done it. :slight_smile:

I did it using searchsploit and it’s very simple.

1 Like
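The point being made about the download parameter, that the server resolves the requested name relative to a directory of its own, is also exactly what a defender watches for in this plugin's traffic. The following Python is an added example, not code from the plugin, the exploit entry or this thread: it scans constructed Apache access-log lines for `download_backup_file` values that are not a plain backup filename, and shows the kind of server-side rule that keeps such a parameter inside its directory. The log format, hosts, paths and the `backup-YYYY-MM-DD-HHMMSS.tar` name pattern are assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines; hosts, times and paths are made up.
SAMPLE_LOG = """\
10.10.14.2 - - [23/Mar/2021:22:40:01 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Mar/2021:22:41:07 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../flag.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Mar/2021:22:41:30 +0000] "GET /blog/wp-admin/tools.php?page=backup_manager&download_backup_file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2900 "-" "curl/7.74.0"
10.10.14.3 - - [23/Mar/2021:22:42:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Assumed shape of a legitimate backup name: backup-YYYY-MM-DD-HHMMSS.tar (no separators at all)
SAFE_NAME = re.compile(r"^backup-\d{4}-\d{2}-\d{2}-\d{6}\.tar$")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_backup_download_abuse(log_text):
    """Flag backup_manager downloads whose filename is not a plain backup name."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if not url.path.endswith("/wp-admin/tools.php"):
            continue
        qs = parse_qs(url.query)  # parse_qs already removes one layer of %-encoding
        if qs.get("page") != ["backup_manager"]:
            continue
        for raw in qs.get("download_backup_file", []):
            name = decode_fully(raw)
            if not SAFE_NAME.match(name):
                alerts.append({"ip": m["ip"], "ts": m["ts"], "requested": name, "status": m["status"]})
    return alerts

def resolve_backup(base_dir, requested):
    """Server-side rule: accept only a bare backup name, and only if its real path stays under base_dir."""
    name = decode_fully(requested)
    if not SAFE_NAME.match(name):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))  # also defeats a symlink planted in base_dir
    return full if os.path.commonpath([base, full]) == base else None
```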

@Wiiz4Rd said:

@panzer said:

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works; the file it downloads is empty.

Look in the task where the file flag.txt is located. What path do you set for it? Just /flag.txt? You need to think about where this root folder will actually be on the server and what the path to it is.

@h3rcroot said:
Still curious on the searchsploit method, if anyone has done it. :slight_smile:

I did it using searchsploit and it’s very simple.

Thanks for the tip! Will do more research! Now I know how to do it with searchsploit and Metasploit! Thanks again!

Found the searchsploit vulnerability easily enough, mucked about for a while figuring out the right location as @Wiiz4Rd mentioned previously. Trial and error are a thing, happy hunting.

I got root in the final Knowledge Check. It’s incredible.

@Wiiz4Rd said:

I got root in the final Knowledge Check. It’s incredible.

I’ll try to finish the module! I’m excited!

1 Like