HacktheBox - Brainfuck Writeup
1. Nmap Scan
Let's start with a scan of the target ip address:
nmap -sC -sV -oA nmap/initial.tcp 10.10.10.17
From the nmap scan we see that we have port 22 open for SSH, 3 ports open that are associated with email protocols, ports 23, 110 and 143 and also we have a web server on port 443. A point to note here is that port 80 is not open which is unusual for a box with a web server, so port 443 is what im going to enumerate first.
2. Port 443 - Web Server Enumeration
From the nmap scan we can see that there are is a common name and a couple DNS alternative names associated with this machine, we will add these to our /etc/hosts file.
When I browse to all three hostnames added, I get a 'connection is not secure' message from my browser.
When viewing the SSL certificate in detail, I found that the issuer tab has what looks like an email address of a user from 'brainfuck Ltd' called orestis.
Once I added the SSL cert exception, We eventually get access to brainfuck.htb and the 'Super Secret' forum, sup3rs3cr3t.brainfuck.htb
Brainfuck.htb seems to be running wordpress as the hint in the title gives it away...
I ran WPScan on the webpage too see if we find anything of interest. Because we are getting SSL/TLS cert warnings, we need to use the following syntax for the command:
wpscan --url https://brainfuck.htb --disable-tls-checks
The results of the scan show that the webpages WordPress plugin may be vulnerable to exploitation.
Let's see if searchsploit has any of the vulnerabilities in its database:
searchsploit WP Support Plus
Searchsploit has two exploits in which we are interested in, the 7.1.3 Priv Esc and the 7.1.3 SQL Injection.
Comparing the wpscan and the searchsploit results, it seems that the wpscan authenticated SQLi vulnerability may not actually be an accurate description.
Let's take a more in depth look at the priv esc exploit:
searchsploit -x 41006.txt
So this exploits wp_set_auth_cookie(). This allows us unauthenticated access to admin-ajax.php by setting a username, email and logging us in as a guest through facebook.
This is where we can now use the email address found from the SSL cert, but we still dont know a valid username, we can try wpscan again, this time to enumerate users.
wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate u
We now have 2 valid users from the brainfuck.htb WordPress site!
Exploitation - User
3. Wordpress Plugin Exploitation
We can now edit the priv esc exploit and create a new html file with the valid URL, username and email address.
In order to run the html file, we need to start a http server on our machine then browse to our local host address.
python -m SimpleHTTPServer 8000
We need to execute the file, wpexploit.html by clicking on it.
The username that we entered in the html file script is already populated, we just need to click login.
The page will seem like it is continuously loading, but if we go back to brainfuck.htb and refresh the page, we see that we are now logged in as admin!
A common method to gain a shell through wordpress is to edit the themes, but it seems that every theme is not writeable due to our current user permissions. So a different method is needed to gain a shell.
After looking at the installed Plugins, I see that Easy WP SMTP is installed.
In the settings, the SMTP password is already completed so we can use the browsers 'inspect element' option to find the value of the SMTP password.
Now that we have a valid email address and SMTP password, lets load an email client to login to the user orestis' mailbox!
I will be using the email client, evolution.
We now need to enter the name and email address we want to configure:
As we know that the port for IMAP is open from our nmap scan, we will use IMAP as the server type. Add brainfuck.htb as the server and the username to orestis with no encryption.
Although I dont think that we need to send an emails from orestis' account, lets configure it anyway with the server type as SMTP, the server as brainfuck.htb and again, no encryption.
Once we have gone through the configuration wizard, we are prompted to enter the password for orestis, this is where the SMTP password we found earlier is entered.
And just like that, we have access to orestis mail account which contained an email from root with crentials for the 'Super Secret Forum' we found at the start of our enumeration!
Lets try the creds we found then...
So the creds worked! We find that we have three discussion posts, lets check them out.
Development is just a test discussion:
SSH Access is a discussioin regarding orestis needing access via an SSH key rather than a password to login with, as that has been disabled:
The Key discussion is encrypted, which seems to include a URL which may be useful to us:
4. Decrypt the forum discussion thread
In order to decrypt the discussion thread, we need to figure out what type of cipher is being used.
If we look at the last sentence of the encrypted orestis posts, it looks exactly like the footer of every cleartext orestis post, 'Orestis - Hacking for fun and profit' as it has the same characters and spacings only these messages are encrypted with a cipher that changes the characters on every post. To decrypt the messages, we need to figure out the key used to encrypt the messages.
I will use the cleartext footer and the first encrypted footer of the key discussion and attempt to decrypt the key with the One Time Pad on rumkin.com
So set the OTP to decrypt, and enter the first letter of the cleartext in the 'The Pad' box and the encrypted letter in the 'Your Message' box, and we see that the first letter our decrypted key is 'b'.
Once we have done that for every letter, we find that the decrypted key looks like this:
Now that we have the key used to encrypt the messages, we can use another cipher decryptor on rumkin.com called Keyed Vigenere which enables us to enter the passphrase (key), our encrypted message and it will decrypt it.
The decrypted message gives us a URL which directs us to download an RSA private key file.
5. RSA key passphrase cracking
So because the RSA key is encrypted, we will need to crack the key's passphrase.
There's a tool called john which we will use to crack the passphrase but because we cannot directly crack the encrypted RSA key we have to first convert it into the john format.
Firstly to do this we require a python script called sshng2john.py. Copy the contents of the script from the github page and save it as sshng2john.py on your machine and give it execute permissions.
chmod +x sshng2john.py
Now that we have the python script ready to execute, we need to use it to change the name of the id_rsa file on our machine.
python sshng2john.py id_rsa > ssh_key
As the ssh_key file is in a format that can be used with john, we can now try and crack the rsa key passphrase:
john ssh_key --wordlist=/usr/share/seclists/Passwords/rockyou.txt
John managed to decrypt the RSA private key passphrase!
We can now try logging in to SSH with the id_rsa key and cracked passphrase!
Firstly, we need to edit the permissions of the id_rsa file to 600.
chmod 600 id_rsa
Login with the user orestis via SSH:
ssh -i id_rsa email@example.com
Once we are logged in, we can check our current user, uid and hostname:
We can now access the user.txt file!
Privilege Escalation - Root
Inside orestis' home directory, we find several files that are of interest.
Lets take a closer look at encrypt.sage:
So this sage script is taking the contents of root.txt and outputting it into output.txt with what looks like encryption. Infact with a bit of googling the encryption method is infact RSA.
This leads me to think that the way root is via an RSA attack.
The contents of the file debug.txt has three seperate strings, which is the p, q and e characters which represent the (str(p/q/e) inside the encrypt.sage script.
This is where google is useful! After googling RSA attack decrypt with p,q and e i found this blog post which detailed the steps taken on a previous CTF to decrypt RSA.
It contained a script that can perform RSA decryption with the p,q and e and ct character values obtained from the encrypt.sage and output.txt files:
6. RSA Decrypt Attack
I copied the script contents to a new file on my machine and named it rsa_root_decrypt.py
For the script to work, we have to change the default values of p,q and e to the values from our encrypt.sage script whilst also having to enter the cipher text value, which can be found from the output.txt file:
So once the script is edited correctly, all 4 values should look like this:
We can now run the created python script, rsa_root_decrypt.py:
And there we have it, the decrypted root.txt flag!