[HackTheBox] Brainfuck

Siddharth Johri
Oct 7, 2021

This Box is really twisted but very interesting.

Reconnaissance:

The initial scan gave subdomains and a vulnerable SSH version.

Enumeration:

WEB → https://brainfuck.htb

WordPress, yay.
Possible user found.

Let's run a quick wpscan.

An unusual plugin found.

We found “admin” and “administrator” users, but brute-forcing them led nowhere.

This gets us into the admin dashboard and we can look at the mail password of orestis.

Lol…

POP3 → has 2 mails for orestis, one of which gives some hint

Now we move to sup3rs3cr3t.brainfuck.htb and log in

Now this is really weird.

Since we can see that orestis has a signature, i.e. “Orestis: Hacking for fun and profit”, we can try manipulating the words to get a clear cipher.

Many rounds of custom Caesar cipher didn’t give anything, then a hint from an HTB hacker led me to the Vigenère cipher.
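The signature helps because Vigenère gives up its key as soon as any plaintext is known: subtracting the known letters from the ciphertext yields the repeating key. The sketch below is an added example, not code from the original post; only the signature text comes from the page, while the key `lemonpie` and the second message are constructed for illustration.

```python
import string

A = string.ascii_lowercase

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; other characters
    pass through without consuming key material."""
    out, i = [], 0
    for ch in text:
        if ch.lower() in A:
            k = A.index(key[i % len(key)].lower())
            k = -k if decrypt else k
            c = A[(A.index(ch.lower()) + k) % 26]
            out.append(c.upper() if ch.isupper() else c)
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def keystream(cipher, known_plain):
    """Known-plaintext step: key letter = cipher letter - plain letter (mod 26)."""
    pairs = [(c.lower(), p.lower()) for c, p in zip(cipher, known_plain)
             if p.lower() in A]
    return "".join(A[(A.index(c) - A.index(p)) % 26] for c, p in pairs)

def shortest_period(stream):
    """Smallest prefix that, repeated, reproduces the recovered keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

SIGNATURE = "Orestis: Hacking for fun and profit"  # known plaintext (from the page)
KEY = "lemonpie"                                   # constructed key
SECRET = "The key file is on the other server"     # constructed message

def demo():
    # Both posts are encrypted with the same key; only SIGNATURE is known.
    sig_ct = vigenere(SIGNATURE, KEY)
    secret_ct = vigenere(SECRET, KEY)
    key = shortest_period(keystream(sig_ct, SIGNATURE))
    return key, vigenere(secret_ct, key, decrypt=True)

if __name__ == "__main__":
    print(demo())
```

The recovered keystream only shows the key cleanly when the known plaintext is longer than the key, which is why a signature repeated under every post is such a useful crib.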

Finally got the id_rsa file.

Foothold:

Irritating af…

ssh2john.py id_rsa > hash ; john hash --wordlist=/usr/share/wordlists/rockyou.txt

Finally, a low-privilege shell.

Privilege Escalation:

OOOOOO. lxd vulnerable. PWNED.

All in all, this box has a lot of stuff that's not the optimum when it comes to preparing for OSCP, but it has intuitive stuff there.
