Checking SMTP service:

https port:

Based on the nmap scan I am checking https with the domain name:

There is an additional domain name
It reveals a forum
Users: admin, orestis
Orestis user doesn’t work, but admin admin administrator does
I selected shell.phtml

Unfortunately I couldn't really find the uploaded file, probably the server has a different time zone than me.

I checked another vulnerability which was found by wpscan:

https://security.szurek.pl/en/wp-support-plus-responsive-ticket-system-713-privilege-escalation/

After sending this payload, I was redirected to a blank page.

After refreshing the default page I am logged in as admin.

After sending the exploit, the server sent a response with a set-cookie for the user mentioned in the payload (above the blank page response) – an HTML exploit, that's a funny one.

PHP files are not writeable, so I need to find another way to get the shell.

I used an SMTP client to get access to this account:

After logging in to the secret forum I can read the calm conversation:

So I notice it is some kind of cipher. There is also a URL:

mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr

“mnvze” can be “https”

But the next thing I noticed is that orestis has a footer in the previous conversation:

“Orestis – Hacking for fun and profit”. Probably it is encrypted using a rotating passcode.

Simple python code (charcode.py):

plain = "Orestis - Hacking for fun and profit"
encoded = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
encoded2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"

# Print the character code (ord) of every character in each string
codes = [ord(ch) for ch in plain]
print(codes)

print()

codes = [ord(ch) for ch in encoded]
print(codes)

print()

codes = [ord(ch) for ch in encoded2]
print(codes)

So these are 3 lists of character codes. There is a regular difference between the numbers if you calculate carefully. I have modified my script to be more precise:

plain = "Orestis - Hacking for fun and profit"
encoded = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
encoded2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"

# Character codes of the plaintext and of both ciphertexts
# (named list1/list2/list3 so the built-in list() is not shadowed)
list1 = [ord(ch) for ch in plain]
print(list1)

print()

list2 = [ord(ch) for ch in encoded]
print(list2)

print()

list3 = [ord(ch) for ch in encoded2]
print(list3)

# Check for the charcode difference (plaintext code minus ciphertext code)
difference = []
for list1_i, list2_i in zip(list1, list2):
    difference.append(list1_i - list2_i)

print(difference)
-1, 9, 0, 18, 13, -5, 6, 0, 0, 0, -2, -10, -12, 2, -1, 9, 0, 0, -8, 13, -5, 0, -20, -2, -10, 0, -12, 2, -1, 0, 9, 0, -8, -13, -5, 6

If there is a zero, it means that the symbol is not being encrypted or changed, e.g. "-".

-1, 9, 18, 13, -5, 6, -2, -10, -12, 2, -1, 9, -8, 13, -5, -20, -2, -10, , -12, 2, -1, 9, , -8, -13, -5, 6

So I modified the script again to get rid of the "0" entries.

From the results I can see that the technique used to encrypt this message is a "one time pad".

MYBRAINFUCK is the key, and the decrypted URL is:
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
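The same recovery done end to end, as an added example rather than the post's own script: it takes the signature and its two encrypted versions quoted above, computes the per-letter shift (letters only, so the zeros at the space and "-" never appear), finds the shortest repeating period of that shift stream (which is the key), and then decrypts the forum URL. Because the shift stream repeats with period 11 this is a repeating-key shift cipher (a Vigenère cipher; a true one-time pad would use a key as long as the message and never reuse it), which is also why the key turns up as a rotation of MYBRAINFUCK that differs between the two signatures. The function names and the prefix check are my own assumptions; the strings are the ones quoted in the post.

```python
# Added example (not the post's own script): recover the repeating key from the
# known signature/ciphertext pairs quoted in the post, then decrypt the forum URL.
# The four strings below are quoted from the post; function names are mine.

SIGNATURE_PLAIN = "Orestis - Hacking for fun and profit"
SIGNATURE_CIPHER = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
SIGNATURE_CIPHER2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"
URL_CIPHER = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"


def letter_index(ch):
    """Position of a letter in the alphabet, ignoring case: a/A -> 0, z/Z -> 25."""
    return ord(ch.lower()) - ord("a")


def shift_stream(plain, cipher):
    """Shift applied to each letter: (cipher - plain) mod 26.

    Only letters are shifted; spaces, '-', digits and '/' pass through unchanged
    and do not consume a key position. That is why the post's difference list
    has zeros at ' ' and '-'. A key letter 'A' also gives a zero shift (e -> e in
    "Orestis"), so dropping every zero would silently lose those key positions.
    """
    shifts = []
    for p, c in zip(plain, cipher):
        if p.isalpha() and c.isalpha():
            shifts.append((letter_index(c) - letter_index(p)) % 26)
        elif p != c:
            raise ValueError(f"non-letter mismatch: {p!r} vs {c!r}")
    return shifts


def smallest_period(seq):
    """Length of the shortest prefix that repeats through the whole sequence."""
    for period in range(1, len(seq) + 1):
        if all(seq[i] == seq[i % period] for i in range(len(seq))):
            return period
    return len(seq)


def recover_key(plain, cipher):
    """Known-plaintext attack: the shift stream is the key, repeated."""
    shifts = shift_stream(plain, cipher)
    return "".join(chr(ord("A") + s) for s in shifts[: smallest_period(shifts)])


def vigenere_decrypt(cipher, key, offset=0):
    """Undo the repeating shift, starting at key position `offset`."""
    out, pos = [], offset
    for c in cipher:
        if c.isalpha():
            k = letter_index(key[pos % len(key)])
            base = "A" if c.isupper() else "a"
            out.append(chr(ord(base) + (letter_index(c) - k) % 26))
            pos += 1
        else:
            out.append(c)
    return "".join(out)


def decrypt_with_known_prefix(cipher, key, prefix):
    """Each message starts at a different point in the key (the post's two
    signatures do too), so try every starting offset and keep the one whose
    plaintext begins with the expected prefix. Returns (offset, plaintext)."""
    for offset in range(len(key)):
        candidate = vigenere_decrypt(cipher, key, offset)
        if candidate.startswith(prefix):
            return offset, candidate
    return None


if __name__ == "__main__":
    print("key from signature 1:", recover_key(SIGNATURE_PLAIN, SIGNATURE_CIPHER))
    print("key from signature 2:", recover_key(SIGNATURE_PLAIN, SIGNATURE_CIPHER2))
    print(decrypt_with_known_prefix(URL_CIPHER, "MYBRAINFUCK", "https"))
```

The first signature yields the key as BRAINFUCKMY and the second as INFUCKMYBRA; both are rotations of MYBRAINFUCK, so when decrypting a new message you have to try every starting offset, which is what the prefix check does (the URL decrypts at offset 7, i.e. the key stream starting at "FUCKMYBRAIN").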

It looks like RSA

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
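What the linked answer describes, as an added example (not from the post, which does not show the values it worked with): when p, q and e are known, the private exponent is the inverse of e modulo phi(n) = (p-1)(q-1), and once you have d the ciphertext is just pow(c, d, n). The numbers used here are the small textbook values p = 61, q = 53, e = 17, constructed for illustration only; the function names are mine.

```python
# Added example (not from the post): given the RSA primes p and q and the public
# exponent e, compute the private exponent d and decrypt a ciphertext integer.
# p=61, q=53, e=17 are small constructed textbook values; real keys use primes
# of hundreds of digits.
from math import gcd


def rsa_private_exponent(p, q, e):
    """d = e^-1 mod phi(n), with phi(n) = (p-1)(q-1). Raises if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_encrypt(m, e, n):
    """Textbook RSA encryption of an integer m < n."""
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """Textbook RSA decryption of an integer c < n."""
    return pow(c, d, n)


def recover_and_decrypt(p, q, e, c):
    """The whole 'given p, q and e' recovery: returns (d, plaintext integer)."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    return d, rsa_decrypt(c, d, n)


def int_to_bytes(m):
    """Turn a decrypted integer back into bytes (big-endian), as CTF outputs usually are."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    p, q, e = 61, 53, 17
    n = p * q
    c = rsa_encrypt(65, e, n)
    print("n =", n, "c =", c)
    print("d, m =", recover_and_decrypt(p, q, e, c))
```

If the plaintext is a message rather than a number, int_to_bytes converts the recovered integer back to bytes; with real-sized keys the same three calls work unchanged because Python integers are arbitrary precision.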

And it is a root flag 🙂

By Marceli
