HTB Write-up: Brain*uck — HTTPS enum, WordPress exploitation, Encrypting Ciphers & RSA key file

Gorigorisensei
Feb 6, 2022

This box was labeled as “insane” and I couldn’t have completed it without IppSec’s walkthrough video, but I still learned a lot from it.

What I learned today:

HTTPS Enum:

  • Check for alternate names & emails in certificates

WordPress Enum:

WordPress Dashboard Enum:

  • We always want to check whether theme code can be edited to upload malicious code.
  • Go to Easy WP SMTP and get the credentials if available.

SMTP enum:

  • Use an application like “Evolution” to set up an SMTP client and see if there’s any valuable info.

Encrypting ciphers:

Decrypting encrypted RSA key file:

  • Use ssh2john to convert the encrypted key into a hash that John can crack
  • once converted, save the output to a file and try to crack the passphrase with
    john --wordlist=/home/kali/rockyou.txt <hash_file>

Chmod 600 for ssh key file

  • the minimum permissions should allow read and write access only for the user itself, i.e. -rw------- which translates to (octal) 0600.

Nmap result:

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL USER SASL(PLAIN) RESP-CODES AUTH-RESP-CODE CAPA TOP PIPELINING
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed ENABLE more LOGIN-REFERRALS have LITERAL+ IMAP4rev1 post-login capabilities SASL-IR OK IDLE AUTH=PLAINA0001 ID Pre-login
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
| tls-nextprotoneg:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTPS enum:

Looking at the certificate, I found some alternate DNS names.

Registered these in the /etc/hosts file.

secret forum found:

WP page found:

One is WordPress, so let’s do some WordPress enumeration with wpscan:

wpscan --url https://brainfuck.htb --disable-tls-checks

Wordpress version detected.

With this scan, it didn’t show me any vulns

So I registered and got the API token.

Now I got 57 vulnerabilities!!

WordPress WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation ≈ Packet Storm (packetstormsecurity.com)

Host it with python -m http.server 80.

Go to localhost:80, click the HTML file, and try to log in.

Got in.

This exploit successfully implanted admin cookies and got us logged in as admin.

We’ve got an admin dashboard page.

For the WP dashboard, we always want to check whether theme code can be edited to upload malicious code -> in this case, we cannot edit it.

Next, go to Easy WP SMTP and get the credentials.

Logged into the mail account via the Evolution app.

Used SMTP creds we found & port information.

Log in as admin in orestis forum.

Found the encrypted thread that originated from the SSH thread.

How do we encrypt it?

Plaintext: Orestis — Hacking for fun and profit

Encrypted: Pieagnm — Jkoijeg nbw zwx mle grwsnn

http://rumkin.com/tools/cipher/otp.php

Decrypt it using this.

Put “P” in your message and “O” in the pad, and so on.

The key is fuckmybrain.

Decipher all the messages with the Vigenère cipher using the key.
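The key recovery described above works because subtracting the known plaintext from a Vigenère ciphertext yields the key stream. The following Python sketch is an added example, not code from the original write-up; it uses the signature pair quoted above and assumes the dash in it is a plain hyphen (non-letters do not consume key letters either way).

```python
import string

# Signature pair quoted in the write-up (dash assumed to be a plain hyphen).
PLAINTEXT = "Orestis - Hacking for fun and profit"
CIPHERTEXT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
A = string.ascii_lowercase


def recover_keystream(plain, cipher):
    """Subtract plaintext from ciphertext letter by letter (mod 26)."""
    if len(plain) != len(cipher):
        raise ValueError("known plaintext and ciphertext must align")
    stream = []
    for p, c in zip(plain.lower(), cipher.lower()):
        if p in A and c in A:  # spaces and punctuation do not consume key
            stream.append(A[(A.index(c) - A.index(p)) % 26])
    return "".join(stream)


def shortest_period(stream):
    """Smallest n such that the key stream repeats every n letters."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def rotations(unit):
    """Candidate keys: the start offset depends on where the text sits."""
    return [unit[i:] + unit[:i] for i in range(len(unit))]


def vigenere_decrypt(cipher, key):
    """Decrypt, preserving case and passing non-letters through."""
    out, k = [], 0
    for ch in cipher:
        if ch.lower() in A:
            shift = A.index(key[k % len(key)])
            dec = A[(A.index(ch.lower()) - shift) % 26]
            out.append(dec.upper() if ch.isupper() else dec)
            k += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    ks = recover_keystream(PLAINTEXT, CIPHERTEXT)
    unit = ks[:shortest_period(ks)]
    print("key stream:", ks)
    print("candidate keys:", rotations(unit))
    print("check:", vigenere_decrypt(CIPHERTEXT, unit))
```

The recovered stream starts mid-key because the signature sits at the end of a longer message, so the key used on the forum is one rotation of the repeating unit.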

One message was saying, https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

Got the RSA key by going into the URL but it’s encrypted.

Use ssh2john:

ssh2john.py id_rsa (encrypted private key file)

Save the output to a file and crack it by:

john --wordlist=/home/kali/rockyou.txt <hash_file>

When trying to ssh, it showed the file was too open. chmod 600 it.

We are finally in!

It’s some kind of RSA thing.

RSA given q, p and e?

Cryptography Stack Exchange

Enter the p, q, e and ct values that you obtained from debug.txt and output.txt (one per line) and run the Python script.

We got the plaintext in the pt value. Convert it to hex and then to ASCII.

In Python: pt = VALUE, then str(hex(pt)[2:-1]) to strip out the unneeded text (in Python 2, the leading 0x and the trailing L).

3665666331613564626238393034373531636536353636613330356262386566

Now I got the root.txt content!
