!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING — This walkthrough contains offensive language if you are easily offended, please do not continue. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Difficulty: Hard Machine Creator: ch4p Tools Used:
NMAP WPScan SearchSploit Python SMTP Cryptography John
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with an NMAP scan.
nmap -sV -sC 10.10.10.17
HTTP
WPScan
We will probably have better luck exploiting WordPress, so let’s start there.
wpscan –url https://brainfuck.htb –disable-tls-checks
Since we are scanning an HTTPS webpage, we had to enable the “disable-tls-check” to ignore the SSL cert error.
Searchsploit
searchsploit “responsive Ticket System”
cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .
python -m SimpleHTTPServer
Start a python web server to host the HTML file.
WordPress Exploit
SMTP Client
For the mail client, I’m using evolution.
Create a new account and configure.
Secret Forum
Encryption
This encryption is called Vigenere which requires adding and subtracting the ASCII values for the characters. We can use online decryptor for this.
http://rumkin.com/tools/cipher/vigenere.php
The output is not clear, but after some trial and error, the passphrase is fuckmybrain.
John
ssh2john id_rsa > id_john
john id_john –wordlist=/usr/share/wordlists/rockyou.txt
User SSH
User.txt
RSA Decryption
In orestis home directory there are a few files debug.txt, encrypt.sage and output.txt After some google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large)
https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
A google search for RSA decryption gave me a page containing a script for decrypting RSA data.
Root.txt
python -c “print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, ‘x’).decode(‘hex’)” 6efc1a5dbb8904751ce6566a305bb8ef
