HTB: Brainfuck Writeup w/o Metasploit
Here we go, the first thing I typically do is conduct a variety of nmap scans. If you have read my previous walkthroughs, you know I have a script named nmap jutsu (the name comes from naruto) that kicks off a full scan, basic scan, ping sweep, version scans, and vulnerability scans using nmap nse scripts.
Recon
Here are the results from our nmap jutsu.




So that we do not overwhelm ourselves, let us focus on the version scan for now. We see ports 22, 25, 110, 14, and 443 are open on this box. Let us start with the web service that is available. Why this one first? No particular reason other than it is easier for me to enumerate web services than any other service, so I am playing to my strengths here. Before launching a web browser to visit the webpage, take a look at the certificate information that the nmap version scan provides us. It looks like there are other domain names assigned to this IP address.

Enumeration
We will enumerate that in a bit. For now, let us open 10.10.10.17 (brainfuck's IP address) in a web browser. Since the service is on port 443, you will need to open it as https://10.10.10.17. It brings us to a default nginx web page. I checked the source code for anything interesting and found nothing there. Now let us take a look at the certificate to see if we find anything interesting, such as the domain names we saw in the nmap scans.
After looking at the certificate details, we find interesting information. To open up the certificate, click on the lock icon to the left of “https://10.10.10.17,” then select the left arrow on the connection tab, then select more information, then select view certificate, then select the details tab. There is an email address, and the same domain names we observed from the nmap scans.


Let us edit our /etc/hosts file to see if we can view those alternative domains.

After editing the hosts file, let us open https://www.brainfuck.htb in a web browser. After enumeration we can confirm this webpage is hosted on WordPress. The login button towards the bottom right takes us to a WordPress login page. Since it is WordPress, let us use WPScan to enumerate for vulnerabilities.
Running `wpscan --url https://brainfuck.htb --disable-tls-checks -e vp,u` returns two users (admin, administrator) and interesting findings regarding the version and themes in use.


I used searchsploit to find exploits that matched the WordPress version. I tried most of the exploits searchsploit provided, but none of them gave me access. I went back and ran WPScan again, this time with an API token (you can get one for free). This was the scan I ran: `wpscan --url https://brainfuck.htb --disable-tls-checks -e vp --api-token <token>`. This returned a few vulnerable plugins; the one that stood out the most was the "WP Support Plus Responsive Ticket System."

Exploitation
A quick Google search on this returns a few exploits, such as this one. This exploit in particular abuses how WordPress handles cookies. There is not much information there on how to launch the exploit, but you are creating an HTML file using the proof of concept they provided. You do need to alter it a bit. For instance, you will have to update the address. I also added the email address we found in the certificate. After making these changes, I spun up a web server using Python (`python -m http.server 80`) and then navigated to the HTML page from my web browser.

After navigating to this page, you will see a login button with the account you set in the HTML file. I used admin instead of administrator. Select login, then refresh the tab in which you have https://brainfuck.htb/ open. You should now be logged in as admin; you will see the account name at the top right of your window.


Once we are logged in as admin, we can navigate to the WordPress dashboard using the buttons towards the top left side of the page. If you are familiar with WordPress, the first place you may check for further exploitation is the theme section. I tried to create/edit the themes, but I could not find a way to do so. Since we found some vulnerable plugins, I clicked the plugins tab and saw a few others there. The SMTP plugin was the jackpot: it had SMTP credentials. The password is masked in the form, but if you right-click the password field and select Inspect Element you can view it in the page source, since the masking is purely client-side.

The password is "kHGuERB29DNiNE" (do not include the quotation marks). Now that we have credentials to a mail server, let us try to use them.
I am sure you can do this in other ways, but I will do it using netcat. First, we connect to the server on the open port 110 with the following command: `nc -nv 10.10.10.17 110`. Now we have to use POP3 commands to authenticate and retrieve emails, if any are present. Here is the document I used to quickly learn some POP3 commands.
Here are the commands (USER, PASS) I used to authenticate, followed by LIST to show the number of emails in the mailbox.

There are two emails. I used the RETR command (`RETR 1`) to retrieve the first email.

This email looks like an auto-generated email you would get after successfully setting up an account. It shows the username we used to access WordPress, but it does not show a password.
The second email is from root@brainfuck.htb, and it is credentials to a secret forum.

Earlier we found another domain that had the word "secret" in it: sup3rs3cr3t.brainfuck.htb. Let us navigate to that web page and see if we can use these credentials to log in. Do not forget to add https:// as a prefix. The credentials we found on the mail server worked and I was able to log in. After logging in, we find three different threads. One is "Key," and it appears to be encrypted. The other is "SSH Access," which is unencrypted.
When Orestis writes back to the admin in the "SSH Access" thread, he/she has a signature. I noticed that the "Key" thread has something that looks similar under Orestis's messages. The number of characters and dashes line up between the signature in the "SSH Access" thread and the signature in the "Key" thread. Initially I thought Orestis was using the signature "Orestis — Hacking for fun and profit" as a key to encrypt the messages with a Caesar cipher, but I was wrong. Orestis was using something similar called the Vigenère cipher.
I used this site to recover the key Orestis was using to encrypt the messages: given the known plaintext (the signature) and its encrypted form, the key falls out. It appears to be "fuckmybrain" (not including the quotes or period).

After finding what we believe to be the encryption key, we use it to decode the other messages, and it works. One of the messages that stands out is a link to download a private key.
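The known-plaintext recovery described above, as an added example that is not part of the original writeup: a Vigenère cipher is a Caesar shift whose shift changes with each letter according to a repeating key, so subtracting a known plaintext letter from its ciphertext letter gives one key letter, and the shortest repeating pattern in that stream is the key. The signature text and the key "KEY" used in the demo are constructed for the example; the forum's real key is not reproduced here.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Apply a Vigenère shift to the letters in text.

    Non-letters (spaces, dashes) pass through unchanged and do not consume
    a key character, which is how the common online tools behave and why
    the dashes in the signature line up with the dashes in the ciphertext.
    """
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out = []
    i = 0
    for ch in text:
        if ch.upper() not in ALPHABET:
            out.append(ch)
            continue
        shift = -shifts[i % len(shifts)] if decrypt else shifts[i % len(shifts)]
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        i += 1
    return "".join(out)


def recover_key_stream(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext attack: ciphertext letter minus plaintext letter, per position."""
    stream = []
    for p, c in zip(plaintext, ciphertext):
        p_is_letter = p.upper() in ALPHABET
        c_is_letter = c.upper() in ALPHABET
        if p_is_letter and c_is_letter:
            stream.append(ALPHABET[(ALPHABET.index(c.upper()) - ALPHABET.index(p.upper())) % 26])
        elif p_is_letter or c_is_letter:
            # Letters and non-letters must line up, otherwise the pairing is wrong.
            raise ValueError("plaintext and ciphertext do not line up at this position")
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """Return the shortest prefix whose repetition reproduces the whole stream.

    If the known plaintext is shorter than the key, this returns only the
    prefix of the key that the plaintext covers.
    """
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Constructed demo values (not the forum's real signature or key).
SIGNATURE = "Orestis - Hacking for fun and profit"
DEMO_KEY = "KEY"


def recover_demo_key() -> str:
    """Encrypt the signature with DEMO_KEY, then recover the key from the pair."""
    ciphertext = vigenere(SIGNATURE, DEMO_KEY)
    return shortest_period(recover_key_stream(SIGNATURE, ciphertext))


if __name__ == "__main__":
    ct = vigenere(SIGNATURE, DEMO_KEY)
    print("ciphertext:", ct)
    print("recovered key:", recover_demo_key())
    print("decrypted:", vigenere(ct, DEMO_KEY, decrypt=True))
```

The lesson for the defender's side is the one the forum thread illustrates: a Vigenère key is fully exposed by a single block of known plaintext at least as long as the key, and a fixed signature under every message is exactly that.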

When you go to that URL, it downloads an SSH key. I tried to use it to log in to the box as orestis, but it is protected by a passphrase. Before using the key, you will have to change its permissions to 600.

This means we have to crack the passphrase in order to use the key. To do this we can use ssh2john to convert the private key into a hash file, and then use John the Ripper to crack the passphrase.

John was able to find the passphrase, and we were able to log in to the box using the orestis account.

Privilege Escalation
I always try to do some manual enumeration before pulling in linpeas/winpeas. If you run the groups command you can see that we are a member of the lxd group. lxd is a container manager for Linux servers; you can read more about lxd here. Using lxd we can create a container with the host's root directory mounted inside it, which is why lxd group membership is effectively root access. I used this document as a reference for mounting paths into containers via lxd. All we have to do is clone this repo, then run the "./build-alpine" script (you may or may not have to do this part). Spin up a web server using Python (`python3 -m http.server 8000`) and then transfer the tar.gz file to the target using wget from the orestis SSH session.
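A defender's counterpart to the groups check above, added here as an example that is not part of the original writeup: an audit that reports every account holding membership in a group that is equivalent to root (lxd, docker, disk, sudo, wheel). Both membership paths are covered, the supplementary list in /etc/group and the primary GID in /etc/passwd, because a user whose primary group is lxd does not appear in the group file's member list at all. The file contents below are constructed sample data, not copied from the box.

```python
# Groups whose membership is commonly root-equivalent on Linux hosts.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}


def parse_group_file(text: str) -> dict:
    """Parse /etc/group text into {group_name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        name, _password, gid, members = parts
        groups[name] = (gid, {m for m in members.split(",") if m})
    return groups


def parse_passwd_primary_gids(text: str) -> dict:
    """Parse /etc/passwd text into {username: primary_gid}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        users[parts[0]] = parts[3]
    return users


def risky_memberships(group_text: str, passwd_text: str = "") -> dict:
    """Return {group: sorted member list} for root-equivalent groups with members.

    Membership comes from the explicit member list in /etc/group and from
    each user's primary GID in /etc/passwd.
    """
    groups = parse_group_file(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    found = {}
    for name, (_gid, members) in groups.items():
        if name in ROOT_EQUIVALENT_GROUPS and members:
            found.setdefault(name, set()).update(members)
    for user, gid in parse_passwd_primary_gids(passwd_text).items():
        name = gid_to_name.get(gid)
        if name in ROOT_EQUIVALENT_GROUPS:
            found.setdefault(name, set()).add(user)
    return {name: sorted(members) for name, members in found.items()}


# Constructed sample files for the demo.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
users:x:100:
docker:x:999:
lxd:x:110:orestis
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
orestis:x:1000:1000:orestis:/home/orestis:/bin/bash
svc:x:1001:999:service account:/srv/svc:/usr/sbin/nologin
"""


if __name__ == "__main__":
    for group, members in sorted(risky_memberships(SAMPLE_GROUP, SAMPLE_PASSWD).items()):
        print(f"{group}: {', '.join(members)}")
```

On a live host you would feed it the real files (`open("/etc/group").read()` and `open("/etc/passwd").read()`); any non-administrative account the script lists should be removed from the group, since on this box that membership alone was the path to root.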




There is another way to get the root flag without using containers. The encrypt.sage file looks like it is using the contents of the root.txt file as a password to encrypt contents. We can reverse this using a script found here. You will have to change the p, q, e, and ct variables to the values we have in the debug.txt file. The values of p, q, and e are in the debug.txt file (the encrypt.sage script shows that is where it stores those variables). The ct variable, which I believe stands for ciphertext, can be found in the output.txt file.

Once you have these set, you can run the script (this can be done on your host machine). It will give you the pt (plaintext) value of the ciphertext stored in the file. Once you convert that plaintext integer to ASCII, you will reveal the contents of root.txt.
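The computation that script performs, written out as an added example that is not part of the original writeup or the script linked above: with the RSA primes p and q and the public exponent e on hand, the private exponent is d = e^-1 mod (p-1)(q-1), the plaintext integer is pt = ct^d mod n, and the integer is turned back into text by big-endian byte conversion. The primes and message here are constructed for the demo; on the box, p, q, e come from debug.txt and ct from output.txt as the writeup explains. Leaving p and q readable in a debug file is the whole weakness: anyone who can read them can reconstruct the private key.

```python
from math import gcd


def text_to_int(message: bytes) -> int:
    """Encode bytes as a big-endian integer (the usual textbook-RSA convention)."""
    return int.from_bytes(message, "big")


def int_to_text(value: int) -> bytes:
    """Inverse of text_to_int: the 'convert the plaintext to ASCII' step."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n), where phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_encrypt(p: int, q: int, e: int, message: bytes) -> int:
    """ct = m^e mod n; the message must be smaller than the modulus."""
    n = p * q
    m = text_to_int(message)
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def rsa_decrypt(p: int, q: int, e: int, ct: int) -> bytes:
    """Recover the plaintext bytes from ct using the leaked primes."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    pt = pow(ct, d, n)
    return int_to_text(pt)


# Constructed demo parameters (small primes so the example runs instantly).
# On the box, p, q, e come from debug.txt and ct from output.txt.
P = 1000003
Q = 1000033
E = 65537


def demo_roundtrip(message: bytes = b"flag") -> bytes:
    """Encrypt a constructed message, then decrypt it with the primes."""
    ct = rsa_encrypt(P, Q, E, message)
    return rsa_decrypt(P, Q, E, ct)


if __name__ == "__main__":
    ct = rsa_encrypt(P, Q, E, b"flag")
    print("ct =", ct)
    print("pt =", rsa_decrypt(P, Q, E, ct))
```

For real-size parameters the same code works unchanged; Python integers are arbitrary precision, so the only thing that grows is the time spent in pow.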


Conclusion:
I think the name explains this box perfectly, at least for me. There were many pivots we had to make to find the root flag. We started with the vulnerable WordPress site. From there we found the vulnerable plugin that gave us access as admin. Then we gathered SMTP credentials from the WordPress server's SMTP plugin. We used those credentials to access the mail server via POP3. The mail server revealed credentials we used to access a secret forum that held encrypted messages. After decrypting the messages, we found a private key whose passphrase we had to crack using ssh2john and John the Ripper. Eventually we cracked it, logged into the box, and retrieved the root flag by configuring a container with the root directory mounted into it.