HackTheBox: Brainfuck Write-up #2
Following TJ Null's OSCP guide, I attempted the second box from the Linux list. A very demanding box that requires more digging, but worth the time.
As usual, I will start by scanning the box for open ports to identify which services are running on it.
After a careful review of the output, we can say that the box runs a web server on a Linux OS, with mail ports open; we shall see how exploitable they are.
If we observe closely, we find an SSL certificate listing DNS names for the server.
We add the above DNS names to our local hosts file (/etc/hosts) and try to access them.
Before accepting the certificate, I verified its details and came across an email address (email@example.com) with the same domain name as the server, confirming that the box is running a mail service.
Arriving at the website, one of the first things we notice is that it is built on WordPress. Knowing how often WordPress is exploitable, we scan the URL for known vulnerabilities.
Using the wpscan tool, which covers most WordPress vulnerability scanning, I start by scanning the URL. Scanning with WPScan has one requirement: the WPScan developers track scans through an API token.
We need a token to scan the target. To obtain it, we register on WPScan, which generates a token valid for every 24 scans you run.
Now we proceed with scanning as follows:
At this point, we need a way to access the server. Two things come to mind: finding an RCE, or proceeding with privilege escalation. I found two vulnerabilities corresponding to these, and tried both.
Going through the results, we find that the site has a WordPress plugin (WP Support Plus Responsive Ticket System version 7.1.3) which also has known vulnerabilities.
I focus on the two above as per my objective. After many attempts at the RCE, I was not successful, which prompted me to try the privilege escalation vulnerability instead.
Below is the link to the exploit code: WPScan: WordPress Security, a WordPress vulnerability database for WordPress core security vulnerabilities, plugin vulnerabilities and theme…
From the cited vulnerability: you can log in as anyone without knowing the password because of incorrect usage of wp_set_auth_cookie().
Run the below code to escalate your privilege.
<!-- example.com is a placeholder host; the form posts to the vulnerable plugin's AJAX action -->
<form method="post" action="http://example.com/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Before going any further, we need to know which user to escalate to. I used the wpscan tool again to enumerate the users.
Enumerating Users from the WordPress site:
After submitting the form, refresh the brainfuck URL and you will be logged in as admin.
With admin privileges, I can now navigate through the site to see if I can find something interesting.
After going back and forth through the settings, I found the SMTP credentials, which relate to the notice on the home page about its mail integration.
I noticed that among the installed plugins, besides the WP support ticket system, there is the SMTP plugin (Easy WP SMTP version 1.2.5), which requires the admin to store his mail credentials. That way we can grab them and see what we can find in his mailbox. I used the browser's inspect element to read the password from the masked field.
Using an email application (MS Outlook for Windows, Evolution for Kali, Roundcube, etc.) we can navigate through his mailbox. I used Evolution as follows to read his mails.
We find that the secret forum credentials were shared through email. Recalling our earlier scan, we had enumerated two DNS names, one of which was “sup3rs3cr3t.brainfuck.htb”; we access it with the obtained credentials.
Running through the forum discussion, we notice that SSH access has been changed from passwords to keys, and the admin is sharing the key with orestis, but their discussion is encrypted. How will we obtain the key?
Comparing two sentences (one encrypted, one in clear) that orestis uses as his signature, we can see that the cipher is a substitution cipher, which means a key was used. Trying the various substitution ciphers, we find that the same plaintext letter produces a different output each time, i.e. a shifting Caesar substitution, which makes it a Vigenère cipher. Using the Rumkin platform, I applied the inverse technique to find the pattern of the key: taking orestis' signature as the key passphrase and running it against its encrypted form, we get a repeating pattern of the text “fuckmybrain” on all the encrypted ciphers. That happened to be the key.
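The inverse technique described above, as an added example that is not part of the original write-up: with a Vigenère cipher, ciphertext minus plaintext (mod 26) is the key stream, so one known signature gives the key, and its repeating period is the passphrase. The signature and message text are constructed for this example; only the key comes from the write-up.

```python
# Known-plaintext key recovery for a Vigenère cipher (added example, not the write-up's code).
from itertools import cycle

ALPHA = "abcdefghijklmnopqrstuvwxyz"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) text; non-letters pass through without consuming key letters."""
    keystream = cycle(key.lower())
    out = []
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(next(keystream))
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def recover_keystream(plain: str, cipher: str) -> str:
    """Inverse technique: 'decrypt' the ciphertext using the known plaintext as the key.
    Letter by letter, cipher - plain (mod 26) is exactly the key stream that was used."""
    stream = []
    for p, c in zip(plain, cipher):
        if p.isalpha() and c.isalpha():
            stream.append(ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26])
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """The shortest prefix the key stream keeps repeating, i.e. the passphrase itself."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key_and_decrypt(plain: str, plain_ct: str, target_ct: str) -> tuple:
    """Recover the key from one known plaintext/ciphertext pair and decrypt another message."""
    key = shortest_period(recover_keystream(plain, plain_ct))
    return key, vigenere(target_ct, key, decrypt=True)


# Constructed sample: a known signature and a second message, both encrypted with the
# key from the write-up. The signature is long enough (35 letters) to show two full periods.
KEY = "fuckmybrain"
SIGNATURE = "the quick brown fox jumps over the lazy dog"
SIGNATURE_CT = vigenere(SIGNATURE, KEY)
MESSAGE_CT = vigenere("the new ssh key is posted at the usual place", KEY)
```

Calling recover_key_and_decrypt(SIGNATURE, SIGNATURE_CT, MESSAGE_CT) returns the key and the decrypted second message; the signature must be at least twice as long as the key for the period to be unambiguous.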
From the URL shared in the decrypted discussion, we can download the RSA key. After downloading it, the key turns out to be encrypted, so it will also require a passphrase before we can open an SSH connection, huhmmm :-(
We use John the Ripper to crack the passphrase protecting the key. Before that, the key must be converted into the hash format john understands, using the ssh2john python script.
/usr/share/john/ssh2john.py id_rsa > id_john
Now we crack the key:
The passphrase is weak enough that john finds it in seconds. With the passphrase, we SSH into the target box, after first restricting the key's permissions (chmod 600 id_rsa).
Grab the user.txt flag
Proceeding to the root.txt flag, something terrible came up.
Assessing the files present, we find encrypt.sage, a script for SageMath, mathematical software that uses Python-based scripts for its calculations.
From the look of it, we see that it is RSA encryption, whose security rests on the difficulty of factoring the product of two random primes. Per the script, the input is read from root.txt, the parameters (p, q, e) are written to debug.txt, and the ciphertext is written to output.txt.
From the given data, we can write a script to decrypt the content of output.txt: since p, q and e are all in debug.txt, we can compute the private exponent d and recover the plaintext from the ciphertext in output.txt.
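The decryption step above, as an added example that is not the box's encrypt.sage or the author's script: with the factors p and q leaked in debug.txt, the private exponent d is a modular inverse, and output.txt decrypts directly. The debug.txt and output.txt values here are constructed stand-ins using small, well-known primes (2^31-1 and 2^32-5); the box's script uses much larger random primes, but the recovery is identical.

```python
# RSA private-key recovery when p, q and e leak next to the ciphertext (added example).
from math import gcd


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def rsa_decrypt_from_factors(p: int, q: int, e: int, c: int) -> int:
    """Rebuild the private key from the leaked primes and decrypt c."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n); parameters are malformed")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); this is the whole secret
    return pow(c, d, n)


def text_to_int(s: str) -> int:
    return int.from_bytes(s.encode(), "big")


def int_to_text(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


# Constructed stand-ins for debug.txt (p, q, e) and output.txt (c). The primes are small,
# so the message must stay under 8 bytes; the plaintext is a placeholder, not the real flag.
DEBUG = {"p": 2147483647, "q": 4294967291, "e": 65537}
CIPHERTEXT = rsa_encrypt(text_to_int("root"), DEBUG["e"], DEBUG["p"] * DEBUG["q"])


def recover_root_flag(debug: dict, c: int) -> str:
    """What the decryption script does: take p, q, e and c, return the plaintext."""
    return int_to_text(rsa_decrypt_from_factors(debug["p"], debug["q"], debug["e"], c))


if __name__ == "__main__":
    print(recover_root_flag(DEBUG, CIPHERTEXT))
```

The defensive point is the same as the box's: a debug file that records p and q is equivalent to leaving the private key on disk, and the ciphertext in output.txt offers no protection once it is readable.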
The Box had several vulnerabilities:
- WordPress and its plugins were not kept up to date; the updated versions have been patched against many of the common vulnerabilities that were found.
- Email credentials stored inside an internet-facing web application.
- Sharing fixed (non-expiring) passwords through email in plaintext.
Lesson Learned:
This box made me go back to studying encryption with practical experience.