@jeremypruitt
Last active June 2, 2019 20:34
Hack The Box - Chaos

Techniques

  • Port scanning
  • Service enumeration
  • Wordpress user enumeration
  • IMAP commands
  • Python coding
  • HTTP Proxy: Intercept, modify, repeat

Tools

  • nmap
  • gobuster OR dirbuster OR dirb
  • wpscan
  • ncat OR openssl
  • ncat OR nc
  • base64
  • curl
  • Burp

Walkthrough

  1. Scan for ports and services
    # Use nmap to find open TCP ports quickly (regex and sed script quoted so the shell cannot glob-expand them)
    $ ports=$( \
        nmap 10.10.10.120 \
             -p- \
             --min-rate=1000 \
             -T4 \
        | grep '^[0-9]' \
        | cut -d '/' -f 1 \
        | tr '\n' ',' \
        | sed 's/,$//' \
      )
    
    # Scan the found ports for service versions and run default scripts
    $ nmap 10.10.10.120 \
           -p ${ports} \
           -sV \
           -sC \
           -T4
    
  2. Notice that we can't hit port 80 by IP, so name-based virtual hosting is likely in use
    $ curl 10.10.10.120
    <h1><center><font color="red">Direct IP not allowed</font></center></h1>
    
  3. Add an entry to the hosts file so the name-based virtual host can be reached
    $ echo '10.10.10.120 chaos.htb' >> /etc/hosts
    
  4. Navigate to http://chaos.htb and notice the site is now served
  5. Let's try dirbuster/gobuster to look for other endpoints
    $ gobuster -u http://10.10.10.120/ \
               -w directory-list-2.3-medium.txt \
               -t 100 \
               -x php
    
    $ gobuster -u http://chaos.htb/ \
               -w directory-list-2.3-medium.txt \
               -t 100 \
               -x php
    
  6. We find a /wp endpoint on http://10.10.10.120, so browse to it and notice a WordPress site with a password field
  7. Because it is a WordPress site, let's run wpscan against it
    $ wpscan --url http://10.10.10.120/wp/wordpress/ --enumerate
    
  8. A single username, human, was enumerated by wpscan. Enter human as the password on the WordPress page and it works!
  9. The first post we see shows credentials for a user named ayush. Record them somewhere.
  10. Let's use ncat OR openssl to connect to the IMAP service we found with nmap earlier
    # Either use ncat (like nc/netcat but with ssl support)
    $ ncat --ssl 10.10.10.120 993
    
    # Use openssl
    $ openssl s_client -connect 10.10.10.120:993
    
  11. Use IMAP commands to find an email sitting in the Drafts folder
    a login ayush jiujitsu
    b select inbox
    c list "" *
    d select Drafts
    e FETCH 1 BODY[TEXT]
    
  12. Copy and paste both base64 strings from the attachments of the draft email into 2 files
    $ vim en.py.base64
    
    $ vim enim_msg.txt.base64
    
  13. Decode the base64 into 2 new files
    $ base64 -d en.py.base64 | tee en.py
    
    $ base64 -d enim_msg.txt.base64 | tee enim_msg.txt
    
  14. Notice that the .txt file is an encrypted file and the .py file was likely used to encrypt it.
  15. Edit the en.py script and add a decrypt method:
    $ vim en.py
    
    Add a method like the following (the file is read in binary mode because the IV and ciphertext are raw bytes; the print works on both Python 2 and 3)
    from Crypto.Cipher import AES  # already imported at the top of en.py

    def decrypt(key, fileName):
        # Read in the file as raw bytes
        fileContents = open(fileName, 'rb').read()

        # Grab the first 16 bytes, which contain the file size
        fileSize = fileContents[:16]

        # Grab the next 16 bytes, which contain the initialization vector (IV)
        IV = fileContents[16:32]

        # The rest of the bytes are the encrypted content
        encrypted = fileContents[32:]

        # Create an AES-CBC decryption object and decrypt the encrypted content
        decryptor = AES.new(key, AES.MODE_CBC, IV)
        print(decryptor.decrypt(encrypted))
    
    And add this to the bottom of the en.py script to call the new decrypt method, using sahay as the key (based on the email body)
    decrypt(getKey("sahay"), "enim_msg.txt")
    