
Checking SMTP service:


HTTPS port:

Based on the nmap scan I am checking HTTPS with the domain name:

Unfortunately I couldn't really find the uploaded file; probably the server is in a different time zone than me.

I checked another vulnerability which was found by wpscan:



After sending this payload, I was redirected to a blank page.

After refreshing the default page I am logged in as admin.

After sending the exploit, the server responded with a Set-Cookie header for the user named in the payload (the blank-page response above). An HTML exploit; that's a funny one.


I used an SMTP client to get access to this account:

After logging in to the secret forum I can read the calm conversation:


So I notice it is some kind of cipher. There is also a URL:
mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr
"mnvze" can be "https",
but the next thing I noticed is that orestis has a footer in the previous conversation:
"Orestis – Hacking for fun and profit". Probably it is encrypted using a rotating passcode.


charcode.py:

plain = "Orestis - Hacking for fun and profit"
encoded = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
encoded2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"
# Print the character code (ord) of every symbol in each string
value = plain
codes = [ord(ch) for ch in value]
print(codes)
print()
value = encoded
codes = [ord(ch) for ch in value]
print(codes)
print()
value = encoded2
codes = [ord(ch) for ch in value]
print(codes)

So these are three lists of character codes. There is a regular difference between the numbers if you calculate carefully. I have modified my script to be more precise:

plain = "Orestis - Hacking for fun and profit"
encoded = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
encoded2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"
# Character codes of the plaintext and of both encrypted footers
codes_plain = [ord(ch) for ch in plain]
print(codes_plain)
print()
codes_encoded = [ord(ch) for ch in encoded]
print(codes_encoded)
print()
codes_encoded2 = [ord(ch) for ch in encoded2]
print(codes_encoded2)
# Check for the charcode difference (plaintext minus ciphertext, position by position)
difference = []
for plain_i, encoded_i in zip(codes_plain, codes_encoded):
    difference.append(plain_i - encoded_i)
print(difference)

If there is a zero, it means that the symbol is not encrypted or changed, e.g. "-":
-1, 9, 18, 13, -5, 6, -2, -10, -12, 2, -1, 9, -8, 13, -5, -20, -2, -10, , -12, 2, -1, 9, , -8, -13, -5, 6
So I modify the script again to get rid of the "0":


From the results I notice that the technique used to encrypt this message is a "one time pad".
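The charcode differences above, and the conclusion drawn from them, can be checked mechanically. The Python below is an added example, not code from the write-up; the three strings are the footer and its two encrypted forms quoted on the page. It turns the per-letter differences into shifts mod 26 (ignoring the unchanged "-" and spaces), searches for the shortest period at which the shift sequence repeats, and round-trips the footer through the recovered key. Modelling the cipher as a per-letter shift is an assumption that the period check confirms or refutes: a key that comes back with a short fixed period is being reused across the message, which is exactly the property a real one-time pad must not have.

```python
# Added example (not from the original write-up): known-plaintext recovery of a
# repeating per-letter shift. Strings are the ones quoted on the page.
import string

ALPHABET = string.ascii_lowercase


def letter_shifts(plain: str, cipher: str) -> list:
    """Shift (cipher - plain) mod 26 for every letter position, case-insensitive.
    Non-letters are skipped; they showed up as zeros in the charcode difference."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext must be the same length")
    shifts = []
    for p, c in zip(plain, cipher):
        if p.isalpha() and c.isalpha():
            shifts.append((ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26)
        elif p != c:
            raise ValueError(f"non-letter {p!r} was changed to {c!r}")
    return shifts


def smallest_period(shifts: list) -> int:
    """Shortest p such that every shift equals the one p positions earlier.
    Returns len(shifts) when nothing repeats (what a genuine one-time key looks like)."""
    for p in range(1, len(shifts)):
        if all(shifts[i] == shifts[i - p] for i in range(p, len(shifts))):
            return p
    return len(shifts)


def recover_key(plain: str, cipher: str) -> tuple:
    """(period, key) where key is the repeating shift pattern written as letters."""
    shifts = letter_shifts(plain, cipher)
    period = smallest_period(shifts)
    key = "".join(ALPHABET[s] for s in shifts[:period])
    return period, key


def shift_text(text: str, key: str, decrypt: bool = False) -> str:
    """Apply the repeating key to letters only; the key advances on letters only,
    so punctuation and spaces pass through unchanged, as in the observed data."""
    out = []
    k = 0
    for ch in text:
        if ch.isalpha():
            s = ALPHABET.index(key[k % len(key)])
            if decrypt:
                s = -s
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + s) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


PLAIN = "Orestis - Hacking for fun and profit"
ENCODED = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
ENCODED2 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"

if __name__ == "__main__":
    for cipher in (ENCODED, ENCODED2):
        period, key = recover_key(PLAIN, cipher)
        ok = shift_text(PLAIN, key) == cipher
        print(f"period={period} key={key!r} roundtrip_ok={ok}")
```

Both encrypted footers yield the same period, and the two recovered keys are rotations of each other: the same key material was used twice, starting at different offsets. For the URL in the thread the starting offset is unknown, so a decryption attempt would have to try each rotation of the recovered key and keep the one that yields a readable scheme such as "https".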

It looks like RSA:
https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
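The linked question covers the case where p, q and e are all known. The Python below is an added example, not the write-up's code, and uses constructed textbook numbers rather than the challenge's values; it shows why knowing the factorisation of n is equivalent to holding the private key: d follows directly from phi(n) = (p-1)(q-1), and it then decrypts a sample ciphertext back to its bytes.

```python
# Added example (not from the original write-up): RSA private exponent from
# known p, q and e, then decryption. Numbers are constructed textbook values.
from math import gcd


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n), phi(n) = (p-1)(q-1). Raises if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA: c = m^e mod n (no padding, illustration only)."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    """Textbook RSA: m = c^d mod n."""
    return pow(c, d, n)


def int_to_bytes(m: int) -> bytes:
    """Interpret the recovered integer as a big-endian byte string."""
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


def recover_and_decrypt(p: int, q: int, e: int, c: int) -> bytes:
    """Full chain as in the challenge: factors + e -> d -> plaintext bytes."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    return int_to_bytes(rsa_decrypt(c, d, n))


# Constructed small primes; real keys use primes hundreds of digits long.
P, Q, E = 61, 53, 17
N = P * Q  # 3233

if __name__ == "__main__":
    d = rsa_private_exponent(P, Q, E)
    c = rsa_encrypt(ord("A"), E, N)
    print(f"n={N} d={d} c={c} m={recover_and_decrypt(P, Q, E, c)!r}")
```

The check `gcd(e, phi) == 1` matters: if e shares a factor with phi(n) there is no inverse and `pow(e, -1, phi)` raises, which is a sign that the supplied p, q or e are not the ones that produced the key.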
