Today we’re going to solve another CTF machine, “Brainfuck”. It is now a retired box and is only accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, SMTP, POP3, IMAP, SSL
  • IP Address: 10.10.10.17
  • Difficulty: Hard

Weakness

  • Exploitation
  • RSA Decryption

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify what services the target is running behind the IP address.

From the above screenshot we can observe many open ports, and the certificate on port 443 lists the subdomains DNS:www.brainfuck.htb and DNS:sup3rs3cr3t.brainfuck.htb.

Let’s point these domains to the IP address in /etc/hosts.

Now let’s access these domains and see what we can find.

https://brainfuck.htb/

https://sup3rs3cr3t.brainfuck.htb/

So we have two different CMSs installed; let’s enumerate both.

Enumerate WordPress

We have WordPress installed at https://brainfuck.htb, and if you take a look at the first post there is an email address we have to keep in mind, because brainfuck has SMTP and POP3 ports open, so this might come in handy.

[email protected]

Let’s run wpscan to see if we can find something interesting.

wpscan found two users, “admin” and “administrator”, and one installed plugin which has a known exploit.

Exploitation

In our case we’re gonna test “WP Support Plus Responsive Ticket System 7.1.3 – Privilege Escalation”.

We have to modify our POST request in order to make it work.

We know the email address, which we found in one of the articles.

We changed these values: username: admin | email: [email protected], and the action URL to https://brainfuck.htb.

Now, to send the POST request, we create an index.html, paste our modified exploit into it and serve it with Python’s HTTP server.

After clicking on login, a blank white page comes up.

Now simply remove /wp-admin/admin-ajax.php from the URL and go back to https://brainfuck.htb; you will see the admin toolbar.

Getting a reverse shell through WordPress is usually easy, but we don’t have write access :/ so there’s another challenge waiting for us before we get a reverse shell.

After searching around I found another installed plugin which wpscan didn’t detect (I don’t know why), so let’s take a look at it.

This is the information we found in the SMTP plugin settings.

If we inspect the SMTP Password field we can see the password “kHGuERB29DNiNE”.

Since we found an SMTP password, we can try it against the POP3 service: telnet 10.10.10.17 110. We were able to establish a connection.

User: orestis Password: kHGuERB29DNiNE

After a successful login we can use the LIST command to display the messages.

We can read them using the RETR command.

To read the second message:

If you take a look, we found something interesting:

username: orestis password: kIEnnfEKJ#9UmdO

If you read the body of the second message, it says these are the credentials for the “secret” forum 🙂 so let’s try logging in.

Let’s take a look at the ‘Key’ thread first.

Now take a look at the ‘SSH Access’ thread.

The ‘Key’ thread is encrypted somehow. If you take a look at the conversation between admin and orestis inside the ‘SSH Access’ thread, orestis is asking admin for the SSH key which he lost; after that, orestis created another thread named ‘Key’, and there both admin and orestis talked about something which is not possible to understand.

It’s some kind of encryption which we don’t know yet. Since we don’t have any clue how to decrypt the text, let’s copy the text of both threads and place them one under the other to take a closer look.

We took the replies posted by orestis in both threads.

If you look closer.

We have to treat the cipher text as the encrypted message and the plain text as the decrypting key: decrypting a Vigenère cipher text with its own plain text as the “key” strips the message out and leaves the real key behind.

Tool: http://rumkin.com/tools/cipher/vigenere.php

This is the output which we got!

Let’s remove spaces and read it again 😉

This is the deciphered text we got.

And if you remember, there’s a cipher text containing a URL, but there’s no matching plain text in the ‘SSH Access’ thread to use as a decrypting key, so that means we have to find another way to decrypt it.

Since our first decryption keeps repeating the phrase ‘fuckmybrain’, we can assume it is the Vigenère key and use it to decrypt the next cipher text.
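The two Vigenère steps above (recovering the key from a ciphertext/plaintext pair, then reusing that key on a second ciphertext) in code, as an added example that is not part of the original writeup and not the rumkin tool’s own code. The key ‘fuckmybrain’ is the one the page recovers; the plaintext, and the ‘hello’/‘mynva’ pair used for the check, are constructed sample values.

```python
"""Vigenère key recovery (known plaintext) and decryption.

Added example: the sample plaintext below is constructed, not the forum text
from the box; only the key 'fuckmybrain' comes from the writeup.
"""
import string

ALPHA = string.ascii_lowercase


def _clean_key(key):
    """Vigenère keys are letters only; drop anything else and lower-case."""
    return "".join(k for k in key.lower() if k.isalpha())


def _shift(text, key, sign):
    """Shift each letter of `text` by the matching key letter.

    Non-letters (spaces, punctuation) are passed through unchanged and do not
    consume a key position, which is how the rumkin tool behaves as well.
    """
    key = _clean_key(key)
    out = []
    i = 0
    for ch in text:
        if ch.isalpha():
            k = ALPHA.index(key[i % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + sign * k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext, key):
    return _shift(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def recover_keystream(ciphertext, plaintext):
    """Known-plaintext step: ciphertext letter minus plaintext letter, mod 26,
    is the key letter used at that position. Entering the plaintext as the
    'key' in a Vigenère decrypt tool does exactly this subtraction."""
    c_letters = [c.lower() for c in ciphertext if c.isalpha()]
    p_letters = [p.lower() for p in plaintext if p.isalpha()]
    return "".join(
        ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
        for c, p in zip(c_letters, p_letters)
    )


def shortest_period(stream):
    """The recovered keystream is the key repeated; return its shortest
    repeating unit. For a short stream this may be a false period, so check
    the result against the length of text you have."""
    for n in range(1, len(stream) + 1):
        unit = stream[:n]
        if all(stream[i] == unit[i % n] for i in range(len(stream))):
            return unit
    return stream


def recover_key(ciphertext, plaintext):
    """Full known-plaintext key recovery: keystream, then its period."""
    return shortest_period(recover_keystream(ciphertext, plaintext))


if __name__ == "__main__":
    key = "fuckmybrain"
    # Constructed sample: a reply that exists in the clear in one thread.
    known_plain = "the key is in the other thread please check it and send me a message"
    known_cipher = vigenere_encrypt(known_plain, key)
    print("keystream :", recover_keystream(known_cipher, known_plain))
    print("key       :", recover_key(known_cipher, known_plain))
    # Constructed sample: a second post with no plaintext copy; reuse the key.
    second_cipher = vigenere_encrypt("the url is in this message", key)
    print("decrypted :", vigenere_decrypt(second_cipher, key))
```

The keystream printed by the demo is the key repeated over and over, which is the “keeps repeating a phrase” observation from the writeup; `shortest_period` just automates reading the repeat off the output.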

And we got an actual URL for the id_rsa key 🙂

We found a key, but upon opening it we saw that it is passphrase-protected.

There’s a tool called John the Ripper which we’ll use to crack the passphrase. We cannot crack the id_rsa key directly; we first have to convert it into John the Ripper’s hash format.

Upon doing some research you’ll find a tool for exactly that: sshng2john.py

Now we’re ready to crack the password.

And after a few seconds we got the password: 3poulakia!

Let’s try to log in to SSH using the key and the password.

Privilege Escalation

Now that we have found our user.txt flag, we’re going after root.txt. Apart from user.txt we found three more unusual files inside /home/orestis/: debug.txt, encrypt.sage and output.txt.

Since we didn’t know what was inside those files, I turned to Google for answers and found some RSA decryption tools.

http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e/19530#19530

It appears that output.txt contains the encrypted root flag and debug.txt contains the p, q and e values used for the encryption. Because p and q are the prime factors of the modulus, the private exponent can be reconstructed from them and e, and by using the above tool it is possible to decrypt the ciphertext and get the root flag.
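The RSA recovery step in code, as an added example that is not part of the original writeup and not the linked tool’s code. The numbers, the `flag{...}` message and the `p: ...` file layout parsed by `parse_debug` are all constructed here; the real debug.txt and output.txt values are not on the page, so their format is an assumption.

```python
"""RSA decryption when p, q and e are known (debug.txt) and the ciphertext
is known (output.txt).

Added example with constructed values; the box's real numbers and file
format are not reproduced here. Needs Python 3.8+ for pow(e, -1, phi).
"""


def rsa_private_exponent(p, q, e):
    """d = e^-1 mod phi(n), with phi(n) = (p-1)(q-1) for distinct primes p, q.
    pow() raises ValueError if e is not invertible, i.e. gcd(e, phi) != 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_decrypt_int(c, p, q, e):
    """Textbook RSA: m = c^d mod n. The message must have been < n."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    return pow(c, d, n)


def int_to_text(m):
    """Undo the usual big-endian bytes-to-integer encoding of the flag."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def text_to_int(text):
    return int.from_bytes(text.encode(), "big")


def rsa_encrypt_text(text, p, q, e):
    """Only here to produce a round-trip sample; checks the message fits n."""
    m = text_to_int(text)
    n = p * q
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt_text(c, p, q, e):
    return int_to_text(rsa_decrypt_int(c, p, q, e))


def parse_debug(text):
    """Parse 'name: value' lines into ints (assumed layout for a debug.txt)."""
    vals = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            vals[name.strip().lower()] = int(value.strip())
    return vals


if __name__ == "__main__":
    # Constructed debug.txt contents: two small well-known primes and e.
    debug_txt = "p: 1000000007\nq: 998244353\ne: 65537\n"
    params = parse_debug(debug_txt)
    p, q, e = params["p"], params["q"], params["e"]
    # Constructed "output.txt": encrypt a short flag so we can decrypt it back.
    c = rsa_encrypt_text("flag{x}", p, q, e)
    print("ciphertext:", c)
    print("d         :", rsa_private_exponent(p, q, e))
    print("plaintext :", rsa_decrypt_text(c, p, q, e))
```

The primes here are far too small to be secure and are chosen only so the arithmetic is readable; with real key sizes the same three functions apply unchanged, since Python integers are arbitrary precision.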

After running the script we recovered our root.txt flag.