WARNING: This walkthrough contains offensive language. If you are easily offended, please do not continue.
Difficulty: Hard
Machine Creator: ch4p
Tools Used: NMAP, WPScan, SearchSploit, Python, SMTP, Cryptography, John
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.17

HTTP
WPScan
We will probably have better luck exploiting WordPress, so let’s start there.
wpscan --url https://brainfuck.htb --disable-tls-checks
Since we are scanning an HTTPS site, we had to pass --disable-tls-checks to ignore the self-signed certificate error.


Searchsploit
searchsploit "responsive Ticket System"

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .


python -m SimpleHTTPServer
Start a python web server to host the HTML file.
WordPress Exploit
SMTP Client
For the mail client, I’m using evolution.
Create a new account and configure.
Secret Forum
Encryption
This encryption is the Vigenère cipher, which shifts each letter by the corresponding key letter (adding the key's character values to encrypt, subtracting them to decrypt). We can use an online decryptor for this.
http://rumkin.com/tools/cipher/vigenere.php

The output is not clear, but after some trial and error, the passphrase is fuckmybrain.


John
ssh2john id_rsa > id_john

john id_john --wordlist=/usr/share/wordlists/rockyou.txt

User SSH

User.txt

RSA Decryption

In orestis's home directory there are a few files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large).
https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
A google search for RSA decryption gave me a page containing a script for decrypting RSA data.
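As an added example (this is not the script the walkthrough found, and the primes and message below are constructed, not the values from debug.txt or output.txt), here is the decryption the text describes carried through end to end: derive d from p, q and e, recover the plaintext integer, and turn it into bytes the way the final one-liner does.

```python
"""RSA decryption given p, q, e and the ciphertext integer c.
Added example; the primes and plaintext here are constructed for illustration."""


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Inverse of a modulo m; fails loudly if gcd(a, m) != 1 (bad p, q or e)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(n); check p, q, e")
    return x % m


def rsa_private_exponent(p, q, e):
    """d = e^-1 mod phi(n), with phi(n) = (p-1)(q-1)."""
    return modinv(e, (p - 1) * (q - 1))


def rsa_decrypt_int(p, q, e, c):
    """m = c^d mod n."""
    return pow(c, rsa_private_exponent(p, q, e), p * q)


def int_to_bytes(m):
    """Same step as the walkthrough's hex-decode one-liner, but Python 3 safe
    and unaffected by an odd-length hex string."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_decrypt(p, q, e, c):
    return int_to_bytes(rsa_decrypt_int(p, q, e, c))


# Constructed toy values (NOT the box's): encrypt "hi", then recover it.
DEMO_P, DEMO_Q, DEMO_E = 1000003, 1000033, 65537


def demo():
    n = DEMO_P * DEMO_Q
    c = pow(int.from_bytes(b"hi", "big"), DEMO_E, n)
    return rsa_decrypt(DEMO_P, DEMO_Q, DEMO_E, c)


if __name__ == "__main__":
    print(demo())
```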


Root.txt
python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"

6efc1a5dbb8904751ce6566a305bb8ef
