2 :443

https://brainfuck.htb/
Brainfuck Ltd.
| wordpress site

# exploring links on page
https://brainfuck.htb/?author=1
Dev Update
SMTP Integration is ready. Please check and send feedback to orestis@brainfuck.htb

# usernames
admin
orestis

https://brainfuck.htb/wp-login.php
wp login page

$ gobuster dir -u https://brainfuck.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80 -k
===============================================================
/index.php            (Status: 301) [Size: 0] [--> https://brainfuck.htb/]
/wp-content           (Status: 301) [Size: 194] [--> https://brainfuck.htb/wp-content/]
/wp-login.php         (Status: 200) [Size: 2244]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 194] [--> https://brainfuck.htb/wp-includes/]
/readme.html          (Status: 200) [Size: 7433]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 194] [--> https://brainfuck.htb/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-signup.php        (Status: 302) [Size: 0] [--> https://brainfuck.htb/wp-login.php?action=register]

# other domain sup3rs3cr3t.brainfuck.htb
https://sup3rs3cr3t.brainfuck.htb/
Super Secret Forum

# existing discussion development
https://sup3rs3cr3t.brainfuck.htb/d/1-development
2 comments
| admin, orestis

# there is register and login
# default creds not working

# registering kashz@kashz.com:iamkashz

POST /register HTTP/1.1
Host: sup3rs3cr3t.brainfuck.htb
Cookie: flarum_session=pi2vc0upqig1uls5m1dff7tp50
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Csrf-Token: kmbAQ0T26Ohc7UzoN53nvTP95S8tgaXxBsKejXd9
Content-Length: 68
Origin: https://sup3rs3cr3t.brainfuck.htb
Dnt: 1
Referer: https://sup3rs3cr3t.brainfuck.htb/
Te: trailers
Connection: close

{"username":"kashz","email":"kashz@kashz.com","password":"iamakshz"}

# success
HTTP/1.1 201 Created
Server: nginx/1.10.0 (Ubuntu)
Date: Sat, 02 Oct 2021 02:24:59 GMT
Content-Type: application/vnd.api+json
Content-Length: 778
Connection: close
X-CSRF-Token: kmbAQ0T26Ohc7UzoN53nvTP95S8tgaXxBsKejXd9
Set-Cookie: flarum_remember=FaTWyG0roRpAjzxhVtHokt3juNeczScKolB0k1TN; Path=/; Max-Age=1209600; HttpOnly
Set-Cookie: flarum_session=n5smdiul4dqau2f8vhc9fs3fd5; Path=/; HttpOnly

{"data":{"type":"users","id":"4","attributes":{"username":"kashz","avatarUrl":null,"bio":null,"joinTime":"2021-10-02T02:24:59+00:00","discussionsCount":0,"commentsCount":0,"canEdit":false,"canDelete":false,"lastSeenTime":null,"isActivated":false,"email":"kashz@kashz.com","readTime":null,"unreadNotificationsCount":0,"newNotificationsCount":0,"preferences":{"notify_discussionRenamed_alert":true,"notify_postLiked_alert":true,"notify_discussionLocked_alert":true,"notify_postMentioned_alert":true,"notify_postMentioned_email":false,"notify_userMentioned_alert":true,"notify_userMentioned_email":false,"notify_newPost_alert":true,"notify_newPost_email":true,"followAfterReply":false,"discloseOnline":true,"indexProfile":true,"locale":null},"newFlagsCount":0,"canSuspend":false}}}

# new user was assigned id 4, so probably 3 existing ids: admin, orestis, ONE MORE?
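
# added example (not part of the original notes): auditing the Set-Cookie attributes in the 201 response above. Both flarum cookies are sent over HTTPS with HttpOnly but without Secure or SameSite.
# audit_cookies and the hardened sample header in the usage comment are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Response headers copied from the 201 Created capture above (body omitted).
RAW_HEADERS = """\
HTTP/1.1 201 Created
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/vnd.api+json
Set-Cookie: flarum_remember=FaTWyG0roRpAjzxhVtHokt3juNeczScKolB0k1TN; Path=/; Max-Age=1209600; HttpOnly
Set-Cookie: flarum_session=n5smdiul4dqau2f8vhc9fs3fd5; Path=/; HttpOnly
"""


def audit_cookies(raw_headers, served_over_tls=True):
    """Return {cookie_name: [findings]} for every Set-Cookie header line."""
    report = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue  # status line and unrelated headers
        jar = SimpleCookie()
        jar.load(value.strip())
        for cookie_name, morsel in jar.items():
            findings = []
            # Without Secure the browser will also send the cookie over plain HTTP.
            if served_over_tls and not morsel["secure"]:
                findings.append("missing Secure")
            # Without HttpOnly the cookie is readable from page JavaScript.
            if not morsel["httponly"]:
                findings.append("missing HttpOnly")
            # Without SameSite the browser's default cross-site policy applies.
            if not morsel["samesite"]:
                findings.append("missing SameSite")
            # Long-lived cookies stay valid on disk well after the session ends.
            if morsel["max-age"]:
                days = int(morsel["max-age"]) // 86400
                findings.append(f"persistent for {days} days")
            report[cookie_name] = findings
    return report


if __name__ == "__main__":
    for cookie_name, findings in audit_cookies(RAW_HEADERS).items():
        print(f"{cookie_name}: {', '.join(findings) or 'ok'}")
    # Constructed hardened header for comparison (not from the capture):
    hardened = "Set-Cookie: s=abc; Path=/; Secure; HttpOnly; SameSite=Lax"
    print(audit_cookies(hardened))
```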

# exploring the website,
| we can change bio of user
| upload new image

# both are reflected back - images are worth investigating, as the response specifies the image location
