Linux Boxes

brainfk

  1. nmap
  2. http
    1. certificate
      1. General
      2. Details
        1. email
        2. /etc/hosts
  3. brainfuck.htb is wordpress
    1. wpscan
      1. enumerate users
      2. Report
      3. ticket response searchsploit
        1. vi exploit.html
        2. host exploit.html
        3. burp suite
        4. admin login page
          1. cannot edit template files
  4. SMTP Integration is ready
    1. Easy WP-SMTP
      1. smtp password
    2. thunderbird email
      1. sup3rs3cr3t creds
  5. Sup3rs3cr3t.htb
    1. SSH Access Forum
    2. key thread
      1. orestis cipher
      2. rumkin one time pad
      3. keyed vigenere cipher
        1. decoded convo
  6. id_rsa
    1. bruteforce with ssh2john
  7. ssh orestis
    1. debug.txt
    2. output.txt
    3. encrypt.sage
      1. rsa with p q and e
        1. decrypt
      2. script
    4. decrypt.sage
      1. python
      2. decode root.txt
  8. user/root
  9. lessons learned

brainfk

images/438-1.png
images/438-2.png

nmap

images/439-1.png
Take note of the services running:
ssh on port 22
smtp on port 25
imap on port 143
https on port 443



http


images/1949-1.png

images/1949-2.png

certificate

images/441-1.png

General

images/442-1.png

Details

images/443-1.png

email

We have an email to take note of in the certificate's Subject field: orestis@brainfuck.htb
images/445-1.png

/etc/hosts

images/444-1.png
Adding the hostnames we found in the certificate details to /etc/hosts:

images/444-2.png

brainfuck.htb is wordpress

https://brainfuck.htb
Brainfuck Ltd. is running on WordPress, and there is a note that the SMTP mail server integration is finished. Let's run wpscan from here and keep the SMTP service in mind.

images/446-1.png
images/446-2.png
images/446-3.png

wpscan

images/447-1.png

We get an error claiming the peer certificate or SSH key was not OK; let's disable TLS checks to get past it:
wpscan --url https://www.brainfuck.htb --disable-tls-checks

images/447-2.png

wpscan finds the ticket-system plugin is out of date; let's see whether searchsploit knows of a vulnerability for it:
searchsploit wp support plus
images/447-3.png

enumerate users

We can also use wpscan to enumerate the user accounts attached to the site with
wpscan --url https://www.brainfuck.htb -e u --disable-tls-checks
where -e u stands for enumerate users.
images/450-1.png

wpscan found users admin and administrator!

Report

images/448-1.png
images/448-2.png
images/448-3.png

ticket response searchsploit

Since wpscan reported that images/449-1.png
was out of date, let's use searchsploit and see if there's anything interesting:

images/449-2.png

There's a privilege-escalation exploit that matches the version we enumerated through wpscan images/449-3.png; let's take a look at the exploit.

images/449-4.png

vi exploit.html

We use the Orestis@brainfuck.htb email we found in the certificate:

images/451-1.png
Since it's an HTML form POST, we need to host the file.

host exploit.html

Spin up a web server with
python -m SimpleHTTPServer
(that is the Python 2 module; on Python 3 the equivalent is python3 -m http.server)
images/452-1.png

then navigate to the hosted page and try plugging in the two usernames we found.
images/452-2.png

burp suite

We can see from the server response that the exploit simply sets our cookies identical to those of a site admin.

images/453-1.png

admin login page

Navigate back to the brainfk webpage and like magic, we're logged in as admin!

images/454-1.pngimages/454-2.png
images/454-3.png

If we can edit any PHP file we have a direct SHELL, or can call back a reverse shell!!!

Let's look at the admin dashboard. Template files can be edited under
Appearance->Editor:

images/454-4.png

From here, if we have the privilege to modify the template PHP files on the site, we could easily run a reverse shell back to our attacking machine, so let's check that first...

cannot edit template files

Unfortunately this is a dead end, because the template files are read-only:

images/455-1.png
images/455-2.png

SMTP Integration is ready

images/456-1.png
There is a mail server set up that we can also look into:

There is an Easy WP-SMTP entry under the Settings tab in the admin panel:
images/456-2.png

Easy WP-SMTP

images/457-1.png

smtp password

The password on the page is masked; however, we can reveal orestis' SMTP password with the browser's developer tools by inspecting the SMTP variable! Masking the field in the UI is not a control: the plaintext value is still delivered to the browser inside the page.

images/458-1.png

Let's take these credentials and see if there's anything interesting in his emails...
images/458-2.png
Password is: kHGuERB29DNiNE

thunderbird email

I'm going to use Thunderbird to log into orestis' account; feel free to follow along with any mail client of your choosing.
images/459-1.png

sup3rs3cr3t creds

Voila! We see an email with credentials to the s3cr3t.brainfuck.htb forum!

Orestis
kIEnnfEKJ#9UmdO

images/460-1.png

Sup3rs3cr3t.htb

Remember the sup3rs3cr3t site we saw while inspecting brainfk's SSL certificate? Time to navigate there and test the credentials we just found in orestis' email:

images/461-1.png
images/461-2.png

SSH Access Forum

images/462-1.png

key thread

Unfortunately, the discussion between orestis and admin is in unreadable ciphertext:
images/463-1.png

But notice how Orestis uses the same sign-off in all his posts, and it never changes... we can use that known plaintext to reverse engineer the key.

orestis cipher

images/464-1.png
images/464-2.png



Notice these line up character for character:
Orestis - Hacking for fun and profit
Pieagnm - Jkoijeg nbw zwx mle grwsnn



rumkin one time pad

Rumkin.com has a one-time pad decipher tool that can be found here; let's take Orestis' encoded sign-off and his plaintext sign-off and plug them in:

images/466-1.png
You'll notice the key is just “fuckmybrain” repeated over and over

Note: decoding these conversations is eerily reminiscent of how the Allies broke the German Enigma code during WW2.

keyed vigenere cipher

Now that we have the passphrase, we can use the keyed Vigenère cipher tool to decode their conversation:
images/467-1.png
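The key recovery that the Rumkin tool did for the sign-off crib above, and the Vigenère decryption that follows from it, as an added example in Python that is not part of the original writeup. It assumes a standard A-Z Vigenère in which the key advances only on letters and spaces and dashes pass through unchanged, and uses the plaintext/ciphertext sign-off pair quoted above. Because the crib comes from the end of a post, the repeating unit recovered here is a rotation of the passphrase the writeup reports; the `start` parameter is my addition for lining the key up with the right phase.

```python
# Added example (not from the original writeup): recover a repeating Vigenere
# key from a known plaintext/ciphertext pair, then reuse it to decrypt.
# Assumes the standard A-Z alphabet, key advancing only on letters, and the
# sign-off pair quoted in the writeup as the crib.
from string import ascii_lowercase

ALPHABET = ascii_lowercase


def recover_keystream(plaintext: str, ciphertext: str) -> str:
    """Key letter at each letter position is (c - p) mod 26.

    Non-letter characters are left unencrypted by the tool used in the
    writeup, so they are skipped and do not consume key material.
    """
    if len(plaintext) != len(ciphertext):
        raise ValueError("crib and ciphertext must align character for character")
    stream = []
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() != c.isalpha():
            raise ValueError("letter/non-letter mismatch at an aligned position")
        if not p.isalpha():
            continue
        shift = (ord(c.lower()) - ord(p.lower())) % 26
        stream.append(ALPHABET[shift])
    return "".join(stream)


def minimal_period(stream: str) -> int:
    """Smallest repeat length of the keystream, i.e. the Vigenere key length."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return period
    return len(stream)


def is_rotation(candidate: str, key: str) -> bool:
    """True when candidate is the same key starting at a different phase."""
    return len(candidate) == len(key) and candidate in key + key


def vigenere_decrypt(ciphertext: str, key: str, start: int = 0) -> str:
    """Standard Vigenere decryption; the case of each ciphertext letter is kept.

    `start` selects which key letter lines up with the first ciphertext
    letter, which matters when the crib came from the end of a longer post.
    """
    out = []
    i = start
    for c in ciphertext:
        if not c.isalpha():
            out.append(c)
            continue
        shift = ord(key[i % len(key)]) - ord("a")
        base = ord("A") if c.isupper() else ord("a")
        out.append(chr((ord(c) - base - shift) % 26 + base))
        i += 1
    return "".join(out)


# Crib from the writeup: Orestis' plaintext sign-off and its ciphertext.
KNOWN_PLAIN = "Orestis - Hacking for fun and profit"
KNOWN_CIPHER = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"

if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PLAIN, KNOWN_CIPHER)
    period = minimal_period(ks)
    unit = ks[:period]
    print("keystream:", ks)
    print("period:", period, "repeating unit:", unit)
    print("rotation of 'fuckmybrain':", is_rotation(unit, "fuckmybrain"))
    print(vigenere_decrypt(KNOWN_CIPHER, unit))
```

The crib is 29 letters long, almost three full key cycles, which is why the period is unambiguous here; with a crib shorter than the key you would only recover part of the key and would need a second known fragment to fill the rest. The same `recover_keystream` works on any other post in the thread once you know (or guess) a few words of its plaintext.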

decoded convo


Orestis: images/468-1.png

Admin: images/468-2.png

Orestis: images/468-3.png

Admin: images/468-4.png

Orestis: images/468-5.png


We find out admin stored orestis' key at
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
images/468-6.png


id_rsa

Encrypted key!
images/469-1.png

bruteforce with ssh2john

Download John the Ripper (jumbo) into /opt if you haven't already; I like to save repos from the internet in the /opt directory for organization purposes.
images/470-1.png
images/470-2.png

Use ssh2john on the downloaded id_rsa file:
images/470-3.png



Output it to brainfk-crack:
images/470-4.png

Now run john on the hash file:
images/470-5.png

Eureka! We have the key's passphrase; time to SSH in:
3poulakia!

ssh orestis

images/471-1.png

We have to change the permissions on the key for ssh to accept it:
chmod 600 <key file>
images/471-2.png

images/471-3.png

Checking the home directory, we see a few interesting files:
images/471-4.png



debug.txt

A file containing three large numbers, potentially p, q and e:
images/475-1.png

P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307

Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079

E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

output.txt

images/476-1.png

ct (ciphertext) = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

encrypt.sage

This seems to be an RSA encryption of root.txt; we'll have to decrypt it to get our root flag... no wonder this box is rated Insane.

images/474-1.png
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))   # plaintext as one big integer (Python 2 hex encoding)

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:   # keep drawing until e is invertible mod phi
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')   # writing p, q and e to debug.txt is what gives the private key away
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

rsa with p q and e

Let's see if Google can help us find the Sage code that will decrypt our RSA ciphertext.


images/477-1.png

Let's search Google:
images/477-2.png

decrypt

images/480-1.png

images/480-2.png

The decrypt function uses the same variables p, q and e as our encrypt script, and also happens to be a Sage file!

images/480-3.png

script

images/478-1.png
Substitute P, Q and E from debug.txt and CT (the ciphertext) from output.txt:

images/478-2.png

decrypt.sage



images/479-1.png

python

The decrypted number is too long to read as-is, so we need to convert it to hex and then to ASCII:
images/481-1.png

decode root.txt


First we need to shave off the '0x' prefix and the trailing 'L' (Python 2's long-integer suffix) from the output before we decode it, with
str(hex(pt)[2:-1])
images/482-1.png


Now we decode the hex string back into the ASCII it was encoded from, with
str(hex(pt)[2:-1]).decode('hex')
images/482-2.png


There we have it! root.txt is
6efc1a5dbb8904751ce6566a305bb8ef
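The same decryption in plain Python 3, as an added example that is not the Sage script the writeup found: it rebuilds the private exponent from the leaked p, q and e, decrypts the ciphertext, and turns the resulting integer back into the ASCII that encrypt.sage hex-encoded, which replaces the Python 2 hex()/.decode('hex') steps above. The numeric constants are the values quoted in the debug.txt and output.txt sections; the function names are my own. Run as a script it should print the root.txt value reported above.

```python
# Added example (not the writeup's Sage script): textbook RSA decryption in
# Python 3 from leaked p, q, e and ciphertext, plus the integer-to-ASCII step.
# The large constants are the values quoted in the writeup's debug.txt and
# output.txt sections.
from math import gcd


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n). Knowing p and q is exactly what makes this trivial."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def decode_plaintext(m: int) -> bytes:
    """Reverse of m = int(password.encode('hex'), 16): big-endian bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_decrypt(p: int, q: int, e: int, c: int) -> bytes:
    """Recover the message bytes from ciphertext c given the factors of n."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    m = pow(c, d, n)
    return decode_plaintext(m)


# Values quoted in the writeup (debug.txt: p, q, e; output.txt: ciphertext).
P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
CT = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

if __name__ == "__main__":
    flag = rsa_decrypt(P, Q, E, CT)
    print(flag.decode("ascii", errors="replace"))
```

The weakness here is not RSA itself but key management: the script writes p and q next to the ciphertext, so phi(n) and therefore d follow immediately, without any factoring. The 1024-bit modular exponentiation runs instantly in pure Python; no Sage is needed for the decryption step.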

user/root

images/483-1.png
2c11cfbc5b959f73ac15a3310bd097c9

images/483-2.png
6efc1a5dbb8904751ce6566a305bb8ef

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1951-1.png