Getting Started | Public Exploits | Try to identify the services running on the server above

@panzer said:

The extension of this exploit is .rb or .txt ?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

1 Like

@Wiiz4Rd said:

@panzer said:

The extension of this exploit is .rb or .txt ?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

I have read the .txt of this exploit (39883) many times.
= WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities - PHP webapps Exploit

I see in part 2.2 it shows how to ‘download a backup file’. I am unsure how to properly format the following in the browser bar.

http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar

The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

@panzer I will make sure we both get through this. No man left behind.

Solved it but used metasploit rather than searchsploit, will do this module again to check the searchsploit way of doing to get the flag

@NewHax said:

The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

WP-Path - is a WordPress Path.
This can be the / or /wordpress or /blog, see for the circumstances.

And to successfully get the flag file, you must clearly represent the path to it.

1 Like
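From the defender's side, requests against the `download_backup_file` parameter quoted above stand out in web server access logs. The following is an added example, not part of any forum post or of the advisory; the log lines are constructed, and it assumes legitimate archives follow the `backup-YYYY-MM-DD-HHMMSS.tar` naming seen in the quoted URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate archives follow the name shown in the advisory URL
# (backup-2016-02-21-111047.tar); adjust if the site names backups differently.
EXPECTED_NAME = re.compile(r"backup-\d{4}-\d{2}-\d{2}-\d{6}\.tar")

# Common/combined log format: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def suspicious_downloads(lines):
    """Return (client, requested_name, status) for every backup_manager
    download whose file name is not a plain backup archive name."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # The WordPress path prefix varies (/, /wordpress, /blog), so match the suffix.
        if not url.path.endswith("/wp-admin/tools.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if "backup_manager" not in query.get("page", []):
            continue
        for name in query.get("download_backup_file", []):
            if not EXPECTED_NAME.fullmatch(name):
                hits.append((m["client"], name, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2016:11:12:01 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar HTTP/1.1" 200 104857',
    '198.51.100.7 - - [21/Feb/2016:11:15:42 +0000] "GET /blog/wp-admin/tools.php?page=backup_manager&download_backup_file=notes%2Freadme.txt HTTP/1.1" 200 0',
    '198.51.100.7 - - [21/Feb/2016:11:16:03 +0000] "GET /wp-admin/tools.php?page=backup_manager&download_backup_file=readme.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Feb/2016:11:20:00 +0000] "GET /wp-admin/tools.php?page=health HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, name, status in suspicious_downloads(SAMPLE_LOG):
        print(f"{client} requested {name!r} via backup_manager (HTTP {status})")
```

The check is an allowlist on the file name, so any request for something other than a backup archive is reported regardless of how the path is written.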

@NewHax said:

@Wiiz4Rd said:

@panzer said:

The extension of this exploit is .rb or .txt ?

Searchsploit gives a .txt guide on how to use the vulnerability to download absolutely any file to your machine simply from the browser bar. Just read this.

I have read the .txt of this exploit (39883) many times.
= WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities - PHP webapps Exploit

I see in part 2.2 it shows how to ‘download a backup file’. I am unsure how to properly format the following in the browser bar.

http://127.0.0.1/~WP-path~/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar

The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

@panzer I will make sure we both get through this. No man left behind.

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works, the file it downloads is empty.

@h3rcroot said:
Solved it but used metasploit rather than searchsploit, will do this module again to check the searchsploit way of doing to get the flag

How ? What exploit did you use?

@Wiiz4Rd said:
@NewHax said:

The first is a loop back address which I assume needs to be changed to the IP of the target server. I have zero clue what ‘< WP-Path >’ needs to be named to. I have tried inserting <flag.txt> but the server times out.

WP-Path - is a WordPress Path.
This can be the / or /wordpress or /blog, see for the circumstances.

And to successfully get the flag file, you must clearly represent the path to it.

How should I figure out what is supposed to be there? I ran gobuster and it seems that ip:port/wp-admin is the way to go, but still the downloaded file contains 0 bytes

Finally figured this one out. If anyone needs help you can message me and I'll try and assist. The gist is run the exploit with the correct settings and Metasploit will spit out a file you can cat to view.

–edit: See my most recent post on this thread for some hints before messaging me :)

Still curious on the searchsploit method, if anyone has done it. :)

@panzer said:

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works, the file it downloads is empty.

Look in the task where the file is located flag.txt. What path do you set for him? Just /flag.txt ? You need to think about where this root folder will actually be on the server and what the path to it is.

@h3rcroot said:
Still curious on the searchsploit method, if anyone has done it. :)

I did it using searchsploit and it’s very simple.

1 Like

@Wiiz4Rd said:

@panzer said:

@NewHax Thank you bro, I am in exactly the same situation as you are. Read it, tried a lot of combinations, nothing works, the file it downloads is empty.

Look in the task where the file is located flag.txt. What path do you set for him? Just /flag.txt ? You need to think about where this root folder will actually be on the server and what the path to it is.

@h3rcroot said:
Still curious on the searchsploit method, if anyone has done it. :)

I did it using searchsploit and it’s very simple.

thanks for the tip! will do more research!!! now i know how to do it by searchsploit and metasploit!!!, thanks again!

Found the searchsploit vulnerability easily enough, mucked about for awhile figuring out the right location as @Wiiz4Rd mentioned previously. Trial and error are a thing, happy hunting.

I got the root in the final Knowledge Check. It's incredible

@Wiiz4Rd said:

I got the root in the final Knowledge Check. It's incredible

I'll try to finish the module! I'm excited!

1 Like

Hi guys, I am a new noob, I have discovered the vulnerability (with all 2 methods) but I am stuck in the final process of finding the right directory of the flag.txt (the downloaded file is empty). Can someone please give me a hint of HOW to find this folder (not the solution)? I have been on this little thing for 2 days and I can't find a way.
any help would be very appreciated

1 Like

@sl33p said:

Hi guys, I am a new noob, I have discovered the vulnerability (with all 2 methods) but I am stuck in the final process of finding the right directory of the flag.txt (the downloaded file is empty). Can someone please give me a hint of HOW to find this folder (not the solution)? I have been on this little thing for 2 days and I can't find a way.
any help would be very appreciated

I am not 100% sure as I haven’t done this lab.

However, you can generally try something like:

find / -iname "flag.txt" 2>/dev/null to find the file you are looking for.

Alternatively, I think the question says /flag.txt , so I’d start there.

1 Like

yes, but in this exploit I need to put the exact path in the exploit, the problem is that I don't know how to find this specific path (I already tried the previous section on enumeration but it doesn't work)

@sl33p said:

yes, but in this exploit I need to put the exact path in the exploit, the problem is that I don't know how to find this specific path (I already tried the previous section on enumeration but it doesn't work)

What does the question say?

the question is “Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the ‘/flag.txt’ file. (note: the web server may take a few seconds to start)”

I have already done the whole process of finding the exploit etc. and with metasploit I get a file that contains the root (no more, to avoid spoilers)
but I have tried a lot of combinations of this route and none work (I think I am a noob). Can someone who has done this help me with how specifically to read this file to find the right folder to /flag.txt?

sorry guys but I am really new, all hints will be appreciated

@sl33p said:

the question is “Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the ‘/flag.txt’ file. (note: the web server may take a few seconds to start)”

I have already done the whole process of finding the exploit etc. and with metasploit I get a file that contains the root (no more, to avoid spoilers)
but I have tried a lot of combinations of this route and none work (I think I am a noob). Can someone who has done this help me with how specifically to read this file to find the right folder to /flag.txt?

sorry guys but I am really new, all hints will be appreciated

The question says /flag.txt - have you looked at /flag.txt?

I.e. a file in the / folder?

1 Like

yeah i have done up to now i am an idiot flag.txt is not a file but a folder… :)

1 Like

thanks a lot