OSCP Notes

HTB Write-up: Brain*uck

This box was labeled as "insane" and I couldn't have completed it without IppSec's walkthrough video, but I still learned a lot from it. https://youtu.be/CYeVUmOar3I
What I learned today:
HTTPs Enum:
  • Check for alternate names & emails in certificates
Wordpress Enum:
  • wpscan --url https://brainfuck.htb --disable-tls-checks
  • Register for an API token and pass it to wpscan (--api-token) to see the vulns
WordPress Dashboard Enum:
  • Always check whether the theme code can be edited to upload malicious code; in this case, we cannot edit it.
  • Go to the Easy WP SMTP plugin settings and grab the SMTP credentials if they are stored there.
SMTP enum:
  • Use an application like "Evolution" to set up a mail client with those credentials and see if there is any valuable info.
Encrypting ciphers:
Decrypting encrypted RSA key file:
  • Use ssh2john to convert the encrypted key into a hash john can crack
  • Once converted, save the output to a file and try to crack the passphrase with
john --wordlist=/home/kali/rockyou.txt
Nmap scan results:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed ENABLE more LOGIN-REFERRALS have LITERAL+ IMAP4rev1 post-login capabilities SASL-IR OK IDLE AUTH=PLAINA0001 ID Pre-login
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
| tls-nextprotoneg:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTPS enum:
Looking at the certificate, I found some alternate DNS names.
Registered these in the /etc/hosts file.
One of them runs WordPress, so let's do some WordPress enumeration with wpscan:
wpscan --url https://brainfuck.htb --disable-tls-checks
WordPress version detected.
This scan didn't show me any vulns.
So I registered and got the API token.
Now I got 57 vulnerabilities!!

Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation

Host the exploit HTML with Python's built-in web server (python3 -m http.server 80).
Go to localhost:80, click the HTML file and try to log in.
Got in.
This exploit successfully planted admin cookies and got us logged in as admin.
We've got an admin dashboard page.
For the WP dashboard, we always want to check whether the theme code can be edited to upload malicious code; in this case, we cannot edit it.
Next, go to the Easy WP SMTP plugin settings and get the credentials.
Logged into the mail account via the Evolution app.
Used SMTP creds we found & port information.
Next, try the forum as orestis.
Found an encrypted thread that originated from the SSH thread.
How do we decrypt it?
Orestis - Hacking for fun and profit ->
Pieagnm - Jkoijeg nbw zwx mle grwsnn
Recover the key from this known plaintext/ciphertext pair:
put "p" (ciphertext letter) in the message field and "O" (plaintext letter) in the pad field, and so on.
The key is fuckmybrain;
decipher all the messages with the Vigenère cipher.
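The same key recovery done in code, as an added example that is not part of the write-up or IppSec's video: subtract the known plaintext from the ciphertext letter by letter, find the repeating period, and decrypt the line with the recovered key. It assumes the standard Vigenère convention that non-letters pass through and do not consume key positions, which is what the quoted pair shows.

```python
import string

ALPHA = string.ascii_lowercase

# Known plaintext/ciphertext pair quoted in the notes (the forum thread line).
PLAINTEXT = "Orestis - Hacking for fun and profit"
CIPHERTEXT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"


def key_stream(plaintext, ciphertext):
    """Key letters = (cipher - plain) mod 26. Vigenere advances the key only
    on letters, so spaces and punctuation are dropped from both sides."""
    p = [ch.lower() for ch in plaintext if ch.isalpha()]
    c = [ch.lower() for ch in ciphertext if ch.isalpha()]
    if len(p) != len(c):
        raise ValueError("letter counts of plaintext and ciphertext differ")
    return "".join(ALPHA[(ALPHA.index(ci) - ALPHA.index(pi)) % 26]
                   for pi, ci in zip(p, c))


def shortest_period(stream):
    """Shortest prefix that, repeated, reproduces the recovered key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; non-letters pass through
    unchanged and do not consume key positions. Case is preserved."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[k % len(key)].lower())
        base = ALPHA if ch.islower() else string.ascii_uppercase
        out.append(base[(base.index(ch) + (-shift if decrypt else shift)) % 26])
        k += 1
    return "".join(out)


if __name__ == "__main__":
    stream = key_stream(PLAINTEXT, CIPHERTEXT)
    key = shortest_period(stream)
    # "brainfuckmy": the notes' key "fuckmybrain" read from a different offset,
    # because this line is not the start of the thread.
    print(key, key in "fuckmybrain" * 2)
    print(vigenere(CIPHERTEXT, key, decrypt=True))
```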
Got the RSA key, but it's encrypted.
Use ssh2john:
ssh2john.py id_rsa (encrypted private key file)
Save the output to a file and crack it with:
john --wordlist=/home/kali/rockyou.txt
When trying to SSH in, it complained that the private key file was too open; chmod 600 it.
We are finally in!
It's an RSA challenge: p, q and e come from debug.txt and the ciphertext ct from output.txt.
Enter the p, q, e and ct values you obtained from debug.txt and output.txt (one per line) and run the Python script.
We got the plaintext as the integer pt. Convert it to hex and then to ASCII:
python > pt = VALUE > str(hex(pt)[2:-1]) strips the leading 0x and the trailing L that Python 2 appends to a long; decode the remaining hex as ASCII.
Now I got the root.txt content!