Brainfuck

Type: Linux

Difficuility: Insane

Link: https://app.hackthebox.com/machines/brainfuck

IP Address: 10.10.10.17

Enumeration

• Run nmap: sudo nmap -sC -sV -p- -Pn -oA Brainfuck 10.10.10.17

Nmap Results

• 22/tcp is SSH and is secure by default (not many CVEs) so skip it

• 25/tcp & 110/tcp 143/tcp are related to SMTP.

• 443/tcp is HTTPS, started enumration the website manually.

Index Page

• There is also another domain (https://sup3rs3cr3t.brainfuck.htb/) But there is no much information in it (for now).

• Notice that it's a WordPress website, run WPScan (wpscan --url https://brainfuck.htb/ --disable-tls-checks --api-token <Token> The token can be acquired by registering a free account on the WPScan website.).

WPScan Results

• As we can see from the WPScan results there are multiple CVEs related to this WordPress version. (There are many more vulnerabilities in this website, around 83 other vulnerabilities were found by WPScan)

• There is also a user that we can verify using SMTP name Orestis (telnet 10.10.10.17 25 then VRFY Orestis) (Not sure if it's important or not but I just learned how to do this in the PEN-200 course so why not c: )

Exploitation

• This is the CVE, I started with (https://wpscan.com/vulnerability/b1808005-0809-4ac7-92c7-1f65e410ac4f/) This CVE can login us in as any user without knowing the password but first we need to know the username, I did the enumration manually by going to https://brainfuck.htb/wp-login.php and trying different users like admin, administrator, root, orestis, etc.. But the better way to automate this is by using wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate u

Invalid Username

Correct Username

WPScan User Enum

• Now that we have the username, we can procced to using the CVE.

• I saved the PoC into an html file and edited the link to brainfuck, then I opened the html file.

CVE PoC

• After running the HTML file, I refreshed the page and now I am logged in as administrator.

Administrator Logged In

• After playing around for a while with administrator there wasn't much to be done so I logged out and reran the PoC but for admin.

Users

• After logging in as admin, we can access the dashboard, plugins, etc..

Plugins

• One of the plugins is Easy WP SMTP, which includes in its settings the password of the SMTP for the user Orestis.

• The password is not shown but can be easily revealed by going to the page source.

SMTP Password Hidden

SMTP Password from Source Code

• Now that we have the password of the user orestis, we can logging into his account and check his emails

Login Orestis

Email 1

Email 2

• In the 2nd email, we find the password for the "secret" forum, now that we have the password for the secret forum, we need to find the forum itself.

• During our Nmap scan, there was a link for that secret forum (https://sup3rs3cr3t.brainfuck.htb/)

• Using the credentials we acquired from the email we can log in to the secret forum.

Secret Forum Login

• After examining the forum, we can find these 2 conversations:

Conversation 1

Conversation 2

• After messing around with the 2nd conversation trying to decrypt it, I found out it was encrypted using Vigenere cipher with the key "FUCKMYBRAIN".

Decryption

• To be able to use the key, first change the permissions using chmod 600 id_rsa

• When I tried to ssh to the server (ssh -i id_rsa oresties@10.10.10.17) using the key and the passwords from before (SMTP and Forum) it didn't work so we have to crack the password of the key.

• First we have to convert the file to JtR format to be able to use john the ripper on it (I used sshng2john.py).

Converting File Format

• After converting the file we can now use JohnTheRipper to crack the password (john JtRKey --wordlist=/usr/share/wordlists/rockyou.txt)

John Password Crack

• Now that we have the password, we can SSH into the server.

• In the directory of orestis, there are multiple interesting files, encrypt.sage, debug.txt, and output.txt.

encrypt.sage

debug.txt

output.txt

• I used this python script to decrypt the encrypted password (which is the hash of the file root)

def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
        gcd = b
    return gcd, x, y

def main():

    p = 1090660992520643446103273789680343
    q = 1162435056374824133712043309728653
    e = 65537
    ct = 299604539773691895576847697095098784338054746292313044353582078965

    # compute n
    n = p * q

    # Compute phi(n)
    phi = (p - 1) * (q - 1)

    # Compute modular inverse of e
    gcd, a, b = egcd(e, phi)
    d = a

    print( "n:  " + str(d) );

    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print( "pt: " + str(pt) )

if __name__ == "__main__":
    main()

Python Script

• When we run the python script we get the plain text in decimal, to convert it to ASCII, we can use this command, python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"

• After doing this we get the root flag.

Flags:

User Flag

Root Flag