HTB Write-up: Brain*uck

This box was labeled as "insane" and I couldn't have completed without the IppSec's walkthrough video but I still learned a lot from it.

What I learned today:

HTTPs Enum:

  • Check for alternate names & emails in certificates

Wordpress Enum:

  • wpscan --url https://brainfuck.htb --disable-tls-checks

  • Register your API token to see vuln

WordPress Dashboard Enum:

  • we always want to check if theme codes can be changed to upload a malicious code -> in this case, we cannot edit them.

  • go to Easy WP SMTP and get the credentials if available.

SMTP enum:

  • use application like "Evolution" to set up SMTP client and see if there's any valuable info.

Encrypting ciphers:

Decrypting encrypted RSA key file:

  • Use ssh2john to decrypt

  • once decrypted, save the output and try to crack the pass with

john --wordlist=/home/kali/rockyou.txt 

22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: listed ENABLE more LOGIN-REFERRALS have LITERAL+ IMAP4rev1 post-login capabilities SASL-IR OK IDLE AUTH=PLAINA0001 ID Pre-login
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
| tls-nextprotoneg: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTPS enum:

Looking at the certificate, I found some alternate DNS names.

Registered these in /etc/hosts file.

One is wordpress so let's do some wordpress enum with wpscan:

wpscan --url https://brainfuck.htb --disable-tls-checks

Wordpress version detected.

With this scan, it didn't show me any vulns

So I registered and got the API token.

Now I got 57 vulnerabilities!!

Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation

host it on python -m server.

go to localhost:80 and click the html and try to login.

Got in.

This exploit successfully implanted admin cookies and got us logged in as admin.

We've got a admin dashboard page.

For WP dashboard we always want to check if theme codes can be changed to upload a malicious code -> in this case, we cannot edit them.

Next, go to Easy WP SMTP and get the credentials.

Logged into the mail account via the Evolution app.

Used SMTP creds we found & port information.

Try the orestis forum.

Found the encrypted thread that was originated from SSH thread.

How do we encrypted.

Orestis - Hacking for fun and profit ->

Pieagnm - Jkoijeg nbw zwx mle grwsnn

Decrypt it using this.

put "p" in your message and "O" in pad and so on.

key is fuckmybrain,

desipher all the messages with the Vigenere Cipher.

Got the RSA key but it's encrypted.

use ssh2john id_rsa (encrypted private key file)

Save the output to a file and crack it by:

john --wordlist=/home/kali/rockyou.txt

When trying to ssh, it showed the file was too open. chmod 600 it.

We are finally in!

it's some kind of rsa thing

enter p,q,e and ct values that you obtained from the debug.txt and output.txt (each for each line) and run the python script.

we got the plain text in pt value. convert it to hex and then to ASII

python > pt = VALUE > str(hex(pt)[2:-1]) strip out the unneeded text


Now I got the root.txt content!

Last updated