HTB Write-up: Brain*uck
This box was labeled as "insane" and I couldn't have completed without the IppSec's walkthrough video but I still learned a lot from it. https://youtu.be/CYeVUmOar3I
What I learned today:
HTTPs Enum:
Check for alternate names & emails in certificates
Wordpress Enum:
wpscan --url https://brainfuck.htb --disable-tls-checksRegister your API token to see vuln
WordPress Dashboard Enum:
we always want to check if theme codes can be changed to upload a malicious code -> in this case, we cannot edit them.
go to Easy WP SMTP and get the credentials if available.
SMTP enum:
use application like "Evolution" to set up SMTP client and see if there's any valuable info.
Encrypting ciphers:
First you want to see if you can find keys with this , http://rumkin.com/tools/cipher/otp.php
Once you find the key, go to http://rumkin.com/tools/cipher/vigenere.php and decipher the encrypted text
Decrypting encrypted RSA key file:
Use ssh2john to decrypt
once decrypted, save the output and try to crack the pass with
HTTPS enum:
Looking at the certificate, I found some alternate DNS names.
Registered these in /etc/hosts file.
One is wordpress so let's do some wordpress enum with wpscan:
wpscan --url https://brainfuck.htb --disable-tls-checks
Wordpress version detected.
With this scan, it didn't show me any vulns
So I registered and got the API token.
Now I got 57 vulnerabilities!!
Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
https://packetstormsecurity.com/files/140413/
host it on python -m server.
go to localhost:80 and click the html and try to login.
Got in.
This exploit successfully implanted admin cookies and got us logged in as admin.
We've got a admin dashboard page.
For WP dashboard we always want to check if theme codes can be changed to upload a malicious code -> in this case, we cannot edit them.
Next, go to Easy WP SMTP and get the credentials.
Logged into the mail account via the Evolution app.
Used SMTP creds we found & port information.
Try the orestis forum.
Found the encrypted thread that was originated from SSH thread.
How do we encrypted.
Orestis - Hacking for fun and profit ->
Pieagnm - Jkoijeg nbw zwx mle grwsnn
http://rumkin.com/tools/cipher/otp.php
Decrypt it using this.
put "p" in your message and "O" in pad and so on.
key is fuckmybrain,
desipher all the messages with the Vigenere Cipher.
Got the RSA key but it's encrypted.
use ssh2john
ssh2john.py id_rsa (encrypted private key file)
Save the output to a file and crack it by:
john --wordlist=/home/kali/rockyou.txt
When trying to ssh, it showed the file was too open. chmod 600 it.
We are finally in!
it's some kind of rsa thing
enter p,q,e and ct values that you obtained from the debug.txt and output.txt (each for each line) and run the python script.
we got the plain text in pt value. convert it to hex and then to ASII
python > pt = VALUE > str(hex(pt)[2:-1]) strip out the unneeded text
3665666331613564626238393034373531636536353636613330356262386566
Now I got the root.txt content!
Last updated
