- Port scanning
- Service enumeration
- WordPress user enumeration
- IMAP commands
- Python coding
- HTTP Proxy: Intercept, modify, repeat
- nmap
- gobuster OR dirbuster OR dirb
- wpscan
- ncat OR openssl
- ncat OR nc
- base64
- curl
- Burp
- Scan for ports and services
```shell
# Use nmap to find available TCP ports quickly
$ ports=$( \
    nmap 10.10.10.120 \
      -p- \
      --min-rate=1000 \
      -T4 \
    | grep '^[0-9]' \
    | cut -d '/' -f 1 \
    | tr '\n' ',' \
    | sed 's/,$//' \
  )

# Scan the ports we found for services, with version detection and default scripts
$ nmap 10.10.10.120 \
    -p ${ports} \
    -sV \
    -sC \
    -T4
```
- Notice that port 80 refuses requests made by IP, so the web server is most likely using name-based virtual hosting and keys its response on the Host header
```shell
$ curl 10.10.10.120
<h1><center><font color="red">Direct IP not allowed</font></center></h1>
```
- Add an entry to the hosts file (as root) so the hostname resolves to the box and the name-based virtual host can be reached
```shell
# echo '10.10.10.120 chaos.htb' >> /etc/hosts
```
- Navigate to http://chaos.htb and notice the site is now served
- Let's try dirbuster/gobuster to look for other endpoints, against both the bare IP and the virtual host, since each may serve different content
```shell
$ gobuster -u http://10.10.10.120/ \
    -w directory-list-2.3-medium.txt \
    -t 100 \
    -x php

$ gobuster -u http://chaos.htb/ \
    -w directory-list-2.3-medium.txt \
    -t 100 \
    -x php
```
- We find a /wp endpoint on http://10.10.10.120, so browse to it and notice a wordpress site with a password field
- Because it is a wordpress site, let's run wpscan against it
```shell
$ wpscan --url http://10.10.10.120/wp/wordpress/ --enumerate
```
- A single username, `human`, was enumerated by wpscan. Enter `human` as the password to the WordPress page and it works!
- The first post we see shows credentials for a user named `ayush`. Record them somewhere.
- Let's use ncat OR openssl to connect to the IMAPS service (port 993) we found with nmap earlier
```shell
# Either use ncat (like nc/netcat but with SSL/TLS support)
$ ncat --ssl 10.10.10.120 993

# Or use openssl
$ openssl s_client -connect 10.10.10.120:993
```
- Log in with the credentials from the post and use IMAP commands (each prefixed with a client-chosen tag such as `a`, `b`, `c`) to find an email sitting in the Drafts folder
```
a login ayush jiujitsu
b select inbox
c list "" *
d select Drafts
e FETCH 1 BODY[TEXT]
```
- Copy and paste both base64 strings from the attachments of the draft email into 2 files
```shell
$ vim en.py.base64
$ vim enim_msg.txt.base64
```
- Decode the base64 into 2 new files
```shell
$ base64 -d en.py.base64 | tee en.py
$ base64 -d enim_msg.txt.base64 | tee enim_msg.txt
```
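Fetching the draft and its attachments programmatically, as an added example rather than anything from the original writeup: the script below uses Python's `imaplib` and `email` modules to log in over IMAPS, pull every message in `Drafts`, and decode each attachment straight from its Content-Transfer-Encoding, which replaces the copy-paste and `base64 -d` steps above. The host, credentials and folder name are the ones from this box; the sample draft built by `build_sample_draft()` is constructed here so the extraction can be exercised offline and is not the real email.

```python
"""Pull a draft from an IMAP mailbox over TLS and save its attachments (added example)."""
import email
import imaplib
import ssl
from email import policy
from email.message import EmailMessage


def fetch_messages(host, user, password, folder="Drafts", port=993):
    """Log in over IMAPS and return the raw RFC 822 bytes of every message in `folder`."""
    ctx = ssl.create_default_context()
    # The lab box presents a self-signed certificate, so verification is skipped for it only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    messages = []
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
        imap.login(user, password)
        status, _ = imap.select(folder, readonly=True)
        if status != "OK":
            raise RuntimeError("could not select folder %r" % folder)
        _, data = imap.search(None, "ALL")
        for num in data[0].split():
            _, parts = imap.fetch(num, "(RFC822)")
            messages.append(parts[0][1])
    return messages


def extract_attachments(raw):
    """Return {filename: decoded bytes} for every attachment in a raw message.

    get_payload(decode=True) applies the Content-Transfer-Encoding (base64 here),
    so no manual base64 handling is needed.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            out[name] = part.get_payload(decode=True)
    return out


def build_sample_draft():
    """Constructed stand-in for the draft: a short body plus two base64-encoded attachments."""
    msg = EmailMessage()
    msg["From"] = "ayush@chaos.htb"
    msg["Subject"] = "enim_msg"
    msg.set_content("Hii, Ayush\nPlease check attachment.\n")
    msg.add_attachment(b"print('sample script')\n", maintype="text",
                       subtype="x-python", filename="en.py")
    msg.add_attachment(b"\x00\x01\x02\x03ciphertext", maintype="application",
                       subtype="octet-stream", filename="enim_msg.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    # Against the box: fetch_messages("10.10.10.120", "ayush", "jiujitsu")
    # Offline demonstration on the constructed draft:
    for name, data in extract_attachments(build_sample_draft()).items():
        with open(name, "wb") as fh:
            fh.write(data)
        print("wrote %s (%d bytes)" % (name, len(data)))
```

Pointing `fetch_messages()` at the box and feeding each returned message to `extract_attachments()` writes `en.py` and `enim_msg.txt` to disk in one step; the filenames come from the attachment headers, so sanitise them before writing if the mailbox is not one you control.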
- Notice that the .txt file is an encrypted file and the .py file was likely used to encrypt it.
- Edit the `en.py` script and add a decrypt method:
```shell
$ vim en.py
```
Add a method like the following:
```python
def decrypt(key, fileName):
    # Read in the encrypted file as raw bytes
    fileContents = open(fileName, 'rb').read()
    # The first 16 bytes hold the original file size
    fileSize = fileContents[:16]
    # The next 16 bytes hold the initialization vector (IV)
    IV = fileContents[16:32]
    # Everything after byte 32 is the AES-CBC ciphertext
    encrypted = fileContents[32:]
    # Create an AES-CBC decryptor with the same key and IV and print the plaintext
    # (any block padding the encryptor appended is still on the end)
    decryptor = AES.new(key, AES.MODE_CBC, IV)
    print(decryptor.decrypt(encrypted))
```
- Then add this to the bottom of the `en.py` script to call the new decrypt method, using `sahay` as the key (based on the email body):
```python
decrypt(getKey("sahay"), "enim_msg.txt")
```