Hello friends!! Today we are going to solve another CTF challenge “Brainfuck” which is retired vulnerable lab presented by Hack the Box for making online penetration testing practices according to your experience level. Although in this challenge you can test your expertise by WordPress penetration testing and how much knowledge you have in cryptography by decrypting any encryption that you will get in this lab.
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.17 so let’s begin with nmap port enumeration.
nmap -A 10.10.10.17
From given below image, you can observe we found so many ports are open such as 22,25 and so on in victim’s network and moreover I got three domain names as highlighted in below image.
Now the next option was to add target IP inside /etc/host file since port 443 was open containing three domain names obtained from scanning result thus I edit sup3rs3cr3t.brainfuck.htb www.brainfuck.htb brainfuck.htb as host name.
Then I explored all three domain names one by one in web browser but when I explored https://brainfuck.htb found following webpage page which was indicating that it is a wordpress site and pointing toward SMTP mail Id [email protected] as highlighted in below image.
Now we decided to use wpscan –u http://brainfuck.htb/ –disable-tls-checks –enumerate p –enumerate t –enumerate u command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.
From wpscan result I grabbed the vulnerability in wordpress plug-in “support plus responsive ticket system” for Remote code execution as highlighted below.
Moreover it dumped two login user name “admin & administrator”
With help of Google I search associated exploit for compromising victim’s credential and found exploit 41006 as shown below.
Inside this I saw html form code for remote code execution, now copy it and paste it into a text document.
Here please notice the changes I had made by adding “value: admin as username and [email protected] as email and target URL in action https://brainfuck” and saved it as wp.html on desktop.
Then I run Python script for file transfer via port 80.
python -m SimpleHTTPServer 80
Then explore wp.html file in localhost server as shown below and click on login tab.
By doing so You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().Then you can go to admin panel by visiting https://brainfuck once again.
You will get admin panel of wordpress and start penetrating it for getting a clue.
Inside admin dashboard I looked at plugin for further step where I found SMTP plug-in.
It was terrific moment when I saw user authentication login are filled in text field. So I read username “orestis” but password was in bold character, which I need to convert in plain text using inspect element.
Wonderful!! Here is orestis plain text password value as shown below in highlighted text, let’s use them for smtp login.
Through telnet command: telnet 10.10.10.17 110 we established connection with SMTP server and login into orestis account, now for reading orestis inbox messages I ran retr 1 command but didn’t get any useful message and move to another message by running retr 2.
Here I found something very crucial that there is username and password for any “Secret” forum for login and after deep-thinking I realized this credential could be connected to sup3rs3cr3t.brainfuck.htb which I had explored in web browser.
Again I explore https:\\sup3rs3cr3t.brainfuck.htb then submit above found credential and got successful login.
It showing super-secret forum which is pointing towards any secret discussion chat inside “Key” and “SSH Access”
Inside “Key” I notice chatting between admin and orestis which was going beyond my sense. Might be orestis and admin are sharing some confidential information in this secret chat but in last reply of admin it looked like he is secretly sharing any encrypted URL.
Then I open “ssh access” Ahhhh!!! It was an English conversation where admin is giving suggestion to use Key for login instead of simple password. And by reading all conversation I concluded that orestis has lost SSH login key and asking admin to send the key in an encrypted chat that we saw above “Key” (secret discussion).
Time to decrypt their conversation for getting ssh login key but don’t know from where to start. After spending so much time and efforts at last I successfully decrypted and found ssh login key.
Now you’re Question: How it become possible?
And my answer is: observe the given below step carefully:
From both chat “Key” and “ssh access” I copied following text into a text file respectively and removed the space provided between the word as shown in below.
- Pieagnm – Jkoijeg nbw zwx mle grwsnn (message in cipher text)
- Orestis – Hacking for fun and profit (decrypt key in plain text)
Considering cipher text is encrypted information and plaintext as decrypting key.
With help of online decipher I had pasted above cipher text inside encipher textbox and decryption key inside decipher textbox and received decipher message “BrainfuCkmybrainfuckmybrainfu”
If you remember we had obtained encrypted URL from inside “Key” discussion, go for its decryption using above decipher message “fuckmybrain” as decrypting key. It took much time to identify proper encryption algorithm used for encrypting URL and we have successfully decrypt it with the help Vigerner cipher. It gave a plaintext URL for downloading id_rsa for ssh login as orestis.
From given below image you can observe that I have added encrypted URL in encrypted text field and used “fuckmybrain” as decrypting key and obtain Plain text URL.
After downloading id_rsa when I tried to open this file, then found that it required password to view its content.
Formerly I download a python script from here for cracking the password of this file. Then I ran following command and got desired output.
python sshng2john.py id_rsa > ssh_login
Then we used john the ripper for cracking this ssh_login file.
john ssh_login –wordlist=/usr/share/wordlists/rockyou.txt
“3poulakia!” we got as result from executing above command.
And without wasting time I executed following command for login into SSH using 3poulakia! as password.
ssh -i id_rsa [email protected]
Great!! I logged in successfully, now let’s finish the task by grabbing user.txt and root.txt file. First I checked for available files in current directory which are inside it. Good to see user.txt in present location and then I open it using cat.
Apart from user.txt I found three more files in this directory and when I open these file I got hint for Root Flag! Now follow below steps if you are also looking for root flag.
When I read content of encrypt.sage, it was pointing towards encrypted password within debug.txt and output.txt
When I open debug.txt and output.txt, here I saw encrypted information then again I chased towards Google for any help in such type of encryption and luckily found a decrypting script from this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ and after that copied entire script into text file for decryption.
As describe in crypto150 algorithm I placed 1st, 2nd & 3rd line of debug.txt equal to p, q, e respectively. Ct is equal to content of output.txt as shown below and saved it as decrypt.py
Then run our decrypt.py through python and capture the root flag!!
Huhhhhh!!!!!! Such a hectic Lab it was but we have completed the challenge successfully.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here