
Hack The Box: Brainf#@k


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: This walkthrough contains offensive language. If you are easily offended, please do not continue.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Difficulty: Hard
Machine Creator: ch4p
Tools Used:

NMAP
WPScan
SearchSploit
Python
SMTP
Cryptography
John


Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.17


Looking at the nmap scan, we can see a few mail services (SMTP, POP3 and IMAP) along with SSL. From the SSL cert we can see three DNS names, which may be helpful. Let's start with SSL, since web pages are my favorite starting point.

HTTP


When we visit the HTTPS page using the IP, we get the default page. Let's see if the domain names we found in the SSL cert help us out.


The SSL cert also gives us a possible email address.



I’ve added the domain names into the “/etc/hosts” file.


brainfuck.htb and www.brainfuck.htb give us a WordPress page.


sup3rs3cr3t.brainfuck.htb gives us a website called Super Secret Forum.

WPScan

We will probably have better luck exploiting WordPress, so let’s start there.

wpscan --url https://brainfuck.htb --disable-tls-checks

Since we are scanning an HTTPS webpage, we had to add "--disable-tls-checks" to ignore the SSL cert error.


It looks like we may have a username.


The WPScan results give us a possible SQL injection against the "WP Support Plus Responsive Ticket System" plugin; this has the potential to bypass the login.

Searchsploit

searchsploit "responsive Ticket System"


We want to copy the SQL injection exploit to our local folder so we can edit it.

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .


We need to copy the highlighted area and put it into a new HTML file.


Edit the URL to add in the new domain name. I've also added the email address from the SSL cert and the admin user from the WPScan results.

python -m SimpleHTTPServer

Start a python web server to host the HTML file.

WordPress Exploit


We need to open the browser and access the local exploit file that is being hosted on our python HTTP server.


After running the exploit and refreshing the WordPress page, we are now logged in as admin.


Going through the settings, we find this SMTP page with an email address, username, and a masked password.



In the developer toolbar that opens, we can see the clear text password that was masked.

SMTP Client

For the mail client, I'm using Evolution.

Create a new account and configure.




Configure the Name and Email address.



Set the server name, port 143 (IMAP) and username, and change encryption to no encryption.


Configure the sending settings with port 25 SMTP.



Verify the account.



When prompted, add the password that we recovered from the developer toolbar in WordPress.


When we view the emails, we can see one with new credentials for "secret". We did find a secret page during the Gobuster scan.


Secret Forum


We can now access the secret page using the new credentials.


Looking at the SSH Access thread, we can see some arguing and a mention of another thread.



On the key page, it appears that all the info is encrypted.



If we view Orestis' signature on the two pages, we can see that it is similar and encrypted.

Looking at multiple signatures from Orestis, we can see they do not match. The encryption is most likely a rolling cipher.

Encryption

This cipher is the Vigenère cipher, which works by adding (to encrypt) and subtracting (to decrypt) the values of the key letters and the message letters. We can use an online decryptor for this.

http://rumkin.com/tools/cipher/vigenere.php


On the decryption page, we put the clear text into the passphrase field and the encrypted content into the input: because the cipher simply adds the key to the plaintext, decrypting the ciphertext with the known plaintext as the passphrase gives us back the key.

The output is not clean, but after some trial and error, the passphrase turns out to be fuckmybrain.


If we use the new key to decrypt the post that the admin made, we get a URL:

https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa


The URL gives us an encrypted SSH private key download called id_rsa.
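The known-plaintext trick the online tool is doing here, as an added Python example (not part of the original walkthrough): because Vigenère only adds key letters to message letters, decrypting the ciphertext with the known clear text as the passphrase returns the key stream, which then collapses to the repeating passphrase. The signature text and the passphrase "rolling" in the demo are constructed.

```python
# Added example (not from the original write-up): Vigenere encrypt/decrypt and the
# known-plaintext key recovery used above. Only letters are shifted; punctuation and
# spaces pass through unchanged and do not consume key letters.
import string

ALPHABET = string.ascii_lowercase


def _shift(text: str, key: str, sign: int) -> str:
    """Shift each letter of text by the matching key letter (+1 encrypt, -1 decrypt)."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            offset = ALPHABET.index(key[k % len(key)].lower())
            out.append(chr((ord(ch) - base + sign * offset) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, +1)


def decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, -1)


def recover_key_stream(plaintext: str, ciphertext: str) -> str:
    """C = P + K (mod 26), so K = C - P: 'decrypt' the ciphertext with the plaintext as key.
    This is exactly what pasting the clear text into the passphrase box does."""
    letters_p = "".join(c for c in plaintext if c.isalpha())
    letters_c = "".join(c for c in ciphertext if c.isalpha())
    if not letters_p:
        return ""
    return decrypt(letters_c, letters_p).lower()


def shortest_period(stream: str) -> str:
    """Collapse the recovered key stream to its shortest repeating unit (the passphrase)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


if __name__ == "__main__":
    # Constructed sample: a forum signature encrypted under a constructed passphrase.
    sig, key = "Orestis - Hacking for fun and profit", "rolling"
    print(shortest_period(recover_key_stream(sig, encrypt(sig, key))))  # -> rolling
```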

John

ssh2john id_rsa > id_john


To brute force the SSH key's passphrase with John, we first need to convert the key to John's format. We can use ssh2john for this conversion.

john id_john --wordlist=/usr/share/wordlists/rockyou.txt


John was able to brute force the password.

User SSH


After changing the permissions on the key file, we can log in using the RSA key and the password.

User.txt


With our user SSH session, we can read the user.txt file.

RSA Decryption

In orestis' home directory there are a few files: debug.txt, encrypt.sage and output.txt.
After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three numbers, P, Q and E, where P and Q are primes.

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e

A Google search for RSA decryption gave me a page containing a script for decrypting RSA data.


I've loaded this script with the three numbers and the ciphertext from the output.txt file.


After running the python script, we are given a long number.

Root.txt

python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"
6efc1a5dbb8904751ce6566a305bb8ef


Finally, we convert the long number to hex and decode the hex as text, and we have the decrypted contents of root.txt.
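The recovery described in this section, as an added Python 3 example (not the script from the write-up, and not the box's encrypt.sage): derive the private exponent from P, Q and E, decrypt the ciphertext, and convert the resulting integer to text the way the one-liner above does. The p, q, e and message values are constructed textbook parameters, and pow(e, -1, phi) needs Python 3.8 or newer.

```python
# Added example (not the script from the write-up): given p, q and e (debug.txt) and the
# ciphertext c (output.txt), derive the private exponent d, decrypt, and turn the integer
# back into text. int_to_text is the Python 3 form of format(m, 'x').decode('hex').
# Assumes Python 3.8+ for the modular inverse via pow(e, -1, phi).
from math import gcd


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d is the inverse of e modulo phi(n) = (p-1)(q-1); e must be coprime to phi."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n); wrong p, q or e")
    return pow(e, -1, phi)


def rsa_encrypt(p: int, q: int, e: int, m: int) -> int:
    """Textbook RSA with no padding: c = m^e mod n. The message integer must be < n."""
    n = p * q
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(p: int, q: int, e: int, c: int) -> int:
    """m = c^d mod n, with d derived from the leaked primes."""
    return pow(c, rsa_private_exponent(p, q, e), p * q)


def int_to_text(m: int) -> str:
    """Big-endian bytes of m decoded as ASCII (same result as the hex-decode one-liner)."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("ascii")


def text_to_int(s: str) -> int:
    return int.from_bytes(s.encode("ascii"), "big")


if __name__ == "__main__":
    # Constructed textbook parameters (p=61, q=53, e=17); the box's values are far larger.
    p, q, e = 61, 53, 17
    c = rsa_encrypt(p, q, e, text_to_int("A"))  # -> 2790
    print(int_to_text(rsa_decrypt(p, q, e, c)))  # -> A
```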