Brainfuck Writeup w/o Metasploit
Reconnaissance
First things first, we run a quick initial nmap scan to see which ports are open and which services are running on them.
-sC: run default nmap scripts
-sV: detect service version
-O: detect OS
-oA: output all formats and store in file initial
We get back the following result showing that five ports are open:
Port 22: running OpenSSH 7.2p2 Ubuntu 4ubuntu2.1
Port 25: running Postfix smtpd
Port 110: running Dovecot pop3d
Port 143: running Dovecot imapd
Port 443: running nginx 1.10.0
Before we start investigating these ports, let’s run more comprehensive nmap scans in the background to make sure we cover all bases.
Let’s run an nmap scan that covers all ports.
No other ports are open. Similarly, we run an nmap scan with the -sU flag enabled to run a UDP scan.
We get back the following result showing that no ports are open.
Before we move on to enumeration, let’s make a few mental notes about the nmap scan results.
The version of SSH being used is not associated with any critical vulnerabilities, so port 22 is unlikely to be our point of entry. We’ll need credentials for this service.
Port 443 is running HTTPS. The index page gives us the title “Welcome to nginx!”. This is likely a name-based virtual host configuration: the server only serves a specific site when the request carries the right hostname, and a request made by IP address falls through to the nginx default page. To get at the real sites we need to find the hostnames that map to this IP address and add them to our /etc/hosts file. From the TLS certificate details in the nmap scan output, we get three candidate hostnames: brainfuck.htb, www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb.
Ports 25, 143 and 110 are running mail protocols. We might need to find a valid email address to further enumerate these services.
Enumeration
Add the following hostnames to the /etc/hosts file on your attack machine.
I always start off with enumerating HTTP first. In this case only port 443 serves a website, so we’ll start there.
First, let’s visit the site brainfuck.htb. After adding a security exception, we get the following page.
This is a WordPress site and we all know that WordPress is associated with SO MANY vulnerabilities. However, before we run a WordPress vulnerability scanner on this site, let’s look at the certificate information to see if it leaks any useful information.
To do that, click on the lock icon > Show Connection Details.
Then click More Information > View Certificate > Details. There, we see that the Issuer field gives us the email address orestis@brainfuck.htb that might be useful when enumerating the open mail protocol ports. This email can also be found on the website.
Next, let’s run the WordPress vulnerability scanner on the site.
--url: The URL of the blog to scan.
--disable-tls-checks: Disables SSL/TLS certificate verification.
--api-token: The WPVulnDB API token used to display vulnerability data.
The following is a summary of the results found by the wpscan.
The WordPress version identified is 4.7.3.
The identified version of WordPress contains 44 vulnerabilities.
The WP Support Plus Responsive Ticket System plugin is installed.
The identified version of WP Support Plus Responsive Ticket System plugin contains 4 vulnerabilities.
Out of all the vulnerabilities identified, one particular vulnerability does stand out.
I tried this vulnerability, however, it did not work out. So, let’s check if searchsploit generates any other vulnerabilities.
We get back the following result.
Let’s look at the privilege escalation vulnerability.
According to the documentation, this vulnerability allows you to bypass authentication by logging in as anyone without knowing the password. You do however need a valid username for the attack to work. Therefore, let’s use wpscan to enumerate usernames.
--enumerate u: enumerates usernames.
We get back the following result.
Both “admin” and “administrator” are valid usernames. Now that we have a valid username, let’s attempt to exploit the vulnerability.
Gaining an Initial Foothold
Copy the POC code from the vulnerability entry on searchsploit and save it in the file priv-esc.html. Change the URL in the POC to the hostname of the machine (brainfuck.htb).
Get the location of the exploit file on the attack machine.
Open it in the browser and log in as administrator.
Refresh the brainfuck.htb page and we’re logged in as administrator!
There doesn’t seem to be much functionality available for this user. Therefore, let’s try the ‘admin’ user next. Perform the same exploit again except with the username being ‘admin’.
On the top tab click on Brainfuck Ltd. > Themes. Then click on Plugins > Settings on the Easy WP SMTP plugin. There, we find the SMTP configuration settings with the SMTP username and SMTP masked password.
Right-click the password field and view the page source. The field is only masked in the rendered form; the plaintext value is right there in the input element.
The SMTP password for orestis is kHGuERB29DNiNE. Let’s use the Evolution mail client to log into orestis’s mailbox. If you don’t have Evolution installed on your Kali machine, you can install it with the following command.
Open up the Evolution mail client. Click on File > New > Mail Account. On the Welcome page click Next. There, enter the name orestis in the Full Name field and orestis@brainfuck.htb in the Email Address field.
Click Next. In the Receiving Email window, add brainfuck.htb as the Server, 143 as the Port and orestis as the Username.
Click Next > Next. In the Sending Email window, add brainfuck.htb as the Server, 25 as the Port and No encryption as the Encryption method.
Click Next > Next. You’ll be prompted with an authentication request. Add the password kHGuERB29DNiNE and click OK. Now we can see orestis’s mail!
The Form Access Details email gives us another set of credentials.
Remember that in the enumeration phase, we had three hostnames that we added to our hosts file. Since the email mentions a “secret” forum, let’s check out the sup3rs3cr3t.brainfuck.htb website. On the website, when you click on Log In, you’re presented with a login page. Enter our newly found credentials there.
We’re logged in as orestis! Click on the SSH Access thread.
Based on the comments made there, orestis seems to have lost his SSH key and wants the admin to send it to him in an encrypted thread. One other thing we notice is that orestis always signs his messages with the phrase “Orestis — Hacking for fun and profit”.
The encrypted thread orestis is referencing is the Key thread.
There, you’ll notice that orestis’s comments are signed with the same phrase we saw above, except in encrypted form. However, the ciphertext for the phrase is different in each comment. That rules out a simple substitution cipher and suggests the Vigenère cipher: a polyalphabetic extension of the Caesar shift in which a keyword is repeated until it matches the length of the plaintext and each plaintext letter is shifted by the keyword letter in the same position. Because the shift depends on where a letter falls relative to the repeating key, the same phrase encrypts differently depending on its position in the message.
Since we have the plaintext and its corresponding ciphertext, we can recover the key: the Vigenère cipher falls to a known-plaintext attack, because subtracting each plaintext letter from its ciphertext letter gives back the key letter used at that position. This page explains it really well, therefore I won’t repeat the explanation.
I wrote a python script to automate the process of finding the key.
The script loops through the ciphertext string, takes each character in order and converts it to its integer representation. It then subtracts the integer representation of the corresponding plaintext character from that value and takes the result modulo 26, since there are 26 letters in the alphabet. This gives a value between 0 and 25 inclusive. However, since the “chr” function that turns an integer into its character value uses the ASCII table, where 97 represents “a”, 98 represents “b”, etc., I had to add 97 to the integer value. After it loops through the entire ciphertext it prints the key.
Let’s run the script.
We get back the following result.
As mentioned earlier, the Vigenère cipher uses a keyword and repeats it until it matches the length of the plaintext. Therefore, we can deduce that the key is fuckmybrain. Now that we have the key, we can use it to decrypt the admin’s statement using this online tool.
We get back the following text.
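As an added example (not the post’s own script), here is a stand-alone Python version of the two steps above: recover the keystream from the known plaintext, collapse it to the shortest repeating unit, and decrypt with that key. The plaintext is the signature quoted in the post; the ciphertext is constructed here by encrypting that signature with the key the post recovers, since the forum text itself is not reproduced above.

```python
"""Known-plaintext key recovery for a Vigenere cipher, then decryption.

Added example, not the post's own script. The plaintext is the signature
the post quotes; the ciphertext is constructed below by encrypting it with
the key the post recovers, so the recovery can be checked offline.
Non-letters pass through unchanged and consume no key letter.
"""

import string

ALPHABET = string.ascii_lowercase


def _letters(text):
    """Yield (index, lowercase letter) for every a-z character in text."""
    for i, ch in enumerate(text):
        low = ch.lower()
        if low in ALPHABET:
            yield i, low


def vigenere(text, key, decrypt=False):
    """Shift each letter of text by the matching key letter; case is kept."""
    out = list(text)
    k = [ALPHABET.index(ch) for ch in key.lower()]
    pos = 0
    for i, ch in _letters(text):
        shift = k[pos % len(k)]
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(ch) + shift) % 26]
        out[i] = new.upper() if text[i].isupper() else new
        pos += 1
    return "".join(out)


def recover_keystream(plaintext, ciphertext):
    """key[i] = (c[i] - p[i]) mod 26, letter by letter; non-letters are skipped."""
    p = [ch for _, ch in _letters(plaintext)]
    c = [ch for _, ch in _letters(ciphertext)]
    if len(p) != len(c):
        raise ValueError("plaintext and ciphertext must contain the same number of letters")
    return "".join(ALPHABET[(ALPHABET.index(ci) - ALPHABET.index(pi)) % 26]
                   for pi, ci in zip(p, c))


def shortest_period(stream):
    """Smallest prefix of stream that, repeated, reproduces the whole stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


SIGNATURE = "Orestis - Hacking for fun and profit"   # the phrase quoted in the post
KEY = "fuckmybrain"                                  # the key the post recovers
# Constructed for this example: the signature encrypted with KEY from its first letter.
CIPHERTEXT = vigenere(SIGNATURE, KEY)


def recover_key(plaintext=SIGNATURE, ciphertext=CIPHERTEXT):
    """Known-plaintext attack: keystream, then its repeating unit."""
    return shortest_period(recover_keystream(plaintext, ciphertext))


if __name__ == "__main__":
    stream = recover_keystream(SIGNATURE, CIPHERTEXT)
    print("keystream:", stream)                 # repeats with period 11
    print("key      :", shortest_period(stream))
    print("decrypt  :", vigenere(CIPHERTEXT, shortest_period(stream), decrypt=True))
```

One caveat: if the known phrase sits in the middle of a message rather than at its start, the recovered repeating unit is a rotation of the real key (the post resolved this by reading the repeating unit off the keystream by eye). When in doubt, try every rotation of the recovered unit against the target ciphertext and keep the one that produces readable text.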
We’re one step closer! We have a link to the RSA private key that seems to be encrypted since the admin mentions a “key password” in the comment. Visit the link to download the RSA key. We get back the following encrypted key.
Before we use John the Ripper (JtR) to crack the password used to encrypt the private key, we need to convert the file into JtR format. To do that I use the sshng2john.py script.
Now we can use JtR to crack the password.
We get back the following result.
It cracked the password! Let’s use the key and password to SSH into the box as orestis.
First, restrict the permissions on the private key file, since ssh refuses to use a key that is readable by other users.
Then SSH into the machine.
We finally gained an initial foothold!
Grab the user.txt flag.
We need to escalate privileges.
Privilege Escalation
List the files in orestis’s home directory.
View the content of encrypt.sage.
It performs RSA encryption. It opens the root.txt file and uses its contents as the plaintext, writes the resulting ciphertext to the output.txt file, and logs the parameters it used to the debug.txt file.
The parameters p, q and e are logged in the debug file, which we have read/write access to. Since we have both primes, we can compute n=p*q and phi=(p-1)(q-1), derive the private exponent d as the inverse of e modulo phi, and recover m = pow(c,d,n). We also have c, since it is written to the output.txt file, which we have read/write access to as well. In other words, leaking the factors of n is the same as leaking the private key.
Instead of doing that by hand, someone already wrote a script for it. First modify the script to include our values.
I also added code that converts the string to ASCII. Run the script.
The output gives you the content of the root.txt file.
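As an added example (neither the box’s encrypt.sage nor the script the post reused), the recovery described above in plain Python: parse p, q and e from the debug file and c from the output file, rebuild the private exponent and decode the plaintext as ASCII. The key material is constructed from two Mersenne primes so it runs offline; the box used random primes of a much larger size, but the arithmetic is identical. The file layouts assumed in parse_debug_and_output are an assumption, since the post does not reproduce either file.

```python
"""Recover an RSA plaintext when p, q and e leak, as with encrypt.sage's debug.txt.

Added example; not the box's script nor the one the post reused. The key
below is constructed from two Mersenne primes so the code runs offline.
"""

from math import gcd

# Constructed key material: 2**31-1 and 2**61-1 are both prime.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def encrypt_like_sage(plaintext: bytes, p: int, q: int, e: int) -> int:
    """Mirror of what the box's script does: m = int(hex(text)), c = m^e mod n."""
    n = p * q
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext does not fit in the modulus")
    return pow(m, e, n)


def recover_plaintext(p: int, q: int, e: int, c: int) -> bytes:
    """n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi, m = c^d mod n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi; leaked parameters are inconsistent")
    if not 0 <= c < n:
        raise ValueError("ciphertext is not reduced mod n; wrong p or q?")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def parse_debug_and_output(debug_txt: str, output_txt: str):
    """Assumed layout (not shown in the post): debug.txt holds p, q, e one per
    line; output.txt holds a single 'label: <c>' line."""
    p, q, e = (int(tok) for tok in debug_txt.split())
    c = int(output_txt.strip().rsplit(":", 1)[-1])
    return p, q, e, c


# Constructed stand-ins for root.txt, debug.txt and output.txt.
SAMPLE_ROOT = b"constructed"
SAMPLE_C = encrypt_like_sage(SAMPLE_ROOT, P, Q, E)
SAMPLE_DEBUG = f"{P}\n{Q}\n{E}\n"
SAMPLE_OUTPUT = f"Encrypted Password: {SAMPLE_C}\n"


def recover_from_files(debug_txt: str = SAMPLE_DEBUG, output_txt: str = SAMPLE_OUTPUT) -> str:
    """End-to-end: leaked parameters in, ASCII plaintext out."""
    p, q, e, c = parse_debug_and_output(debug_txt, output_txt)
    return recover_plaintext(p, q, e, c).decode("ascii")


if __name__ == "__main__":
    print(recover_from_files())
```

The point of the check on gcd(e, phi) is that a debug file listing only n and e would not be exploitable this way; it is specifically the factors p and q that turn the public key into the private one.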
Lessons Learned
To gain an initial foothold on the box we exploited five vulnerabilities.
A known vulnerability in the WP Support Plus Responsive Ticket System plugin installed on the WordPress site. This could have been easily avoided if the patched version of the plugin had been installed.
A password saved in the SMTP configuration settings. Although the password is masked in the form, the plaintext value is visible in the page source. If the plugin does not require the password to be stored, the user should clear it and enter it each time the service is used.
A password stored in plaintext in the email. Again, if it is necessary that the password be transmitted by email, the user should have been prompted to change the password upon the first login.
The forums used the Vigenère Cipher which is known to be vulnerable to a known plaintext attack. Since we had both the cipher text and the corresponding plaintext, we were able to figure out the encryption key.
A weak password was used to encrypt the RSA private key. Since the password was so weak, JtR cracked it in a couple of seconds. A sufficiently long passphrase that resists dictionary attacks should have been used. The user should also have kept the private key in a password manager or another secure store instead of asking the admin to post it on the forum.
To escalate privileges I exploited one vulnerability.
A script executed by root encrypted the root.txt file with RSA. However, the script wrote the “p”, “q” and “e” parameters used in the encryption to a debug file, and with those we could decrypt the ciphertext. So this technically exploited two weaknesses: (1) sensitive information disclosure of the RSA private parameters and (2) a security misconfiguration that let an unprivileged user read the debug.txt file containing them.