
Hack the Box Challenge: Brainfuck Walkthrough

Hello friends!! Today we are going to solve another CTF challenge, “Brainfuck”, a retired vulnerable lab presented by Hack the Box for practising online penetration testing according to your experience level. In this challenge you can test your expertise in WordPress penetration testing and your knowledge of cryptography by decrypting the encrypted data you will find in this lab.
Level: Hard
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are available online they have a static IP; the IP of the target is 10.10.10.17, so let’s begin with nmap port enumeration.
nmap -A 10.10.10.17
From the image below you can observe that many ports are open, such as 22, 25 and so on, on the victim’s machine; moreover the scan revealed three domain names, as highlighted in the image below.
The next step was to add the target IP to the /etc/hosts file, since port 443 was open with three domain names obtained from the scan result; thus I added sup3rs3cr3t.brainfuck.htb, www.brainfuck.htb and brainfuck.htb as host names.
Then I explored all three domain names one by one in the web browser; when I opened https://brainfuck.htb I found the following web page, which indicated that it is a WordPress site and pointed toward the SMTP mail ID orestis@brainfuck.htb, as highlighted in the image below.
Now we decided to run the following wpscan command against the URL we had opened in the browser, to check for vulnerable themes, plugins, usernames, etc.
wpscan -u http://brainfuck.htb/ --disable-tls-checks --enumerate p --enumerate t --enumerate u
From the wpscan result I found a Remote Code Execution vulnerability in the WordPress plugin “Support Plus Responsive Ticket System”, as highlighted below.
Moreover it dumped two login user names: “admin” and “administrator”.
With the help of Google I searched for an associated exploit for compromising the victim’s credentials and found exploit 41006, as shown below.
Inside it I saw the HTML form code for the remote code execution; copy it and paste it into a text document.
Please notice the changes I made: I set the value of username to admin and email to orestis@brainfuck, put the target URL https://brainfuck in the form action, and saved it as wp.html on the desktop.
Then I ran a Python one-liner to serve the file over port 80.
python -m SimpleHTTPServer 80
Then open wp.html from the localhost server, as shown below, and click on the login tab.
By doing so you can log in as anyone without knowing the password, because of the plugin’s incorrect usage of wp_set_auth_cookie(). Then you can go to the admin panel by visiting https://brainfuck once again.
You will get the WordPress admin panel; start penetrating it to find a clue.
Inside the admin dashboard I looked at the plugins for the next step, where I found an SMTP plugin.
It was a terrific moment when I saw that user authentication credentials were filled into the text fields. I could read the username “orestis”, but the password field was masked, so I needed to reveal it in plain text using Inspect Element.
Wonderful!! Here is orestis’s plain-text password value, shown below in the highlighted text; let’s use these credentials for SMTP login.

Through the telnet command telnet 10.10.10.17 110 we established a connection with the SMTP server and logged into orestis’s account. To read orestis’s inbox messages I ran the retr 1 command but didn’t get any useful message, so I moved to the next message by running retr 2.
Here I found something very crucial: a username and password for a “Secret” forum login. After some thinking I realised that these credentials could be connected to sup3rs3cr3t.brainfuck.htb, which I had explored earlier in the web browser.
Again I opened https://sup3rs3cr3t.brainfuck.htb, submitted the credentials found above and logged in successfully.
It shows a super-secret forum pointing toward secret discussion threads named “Key” and “SSH Access”.
Inside “Key” I noticed a chat between admin and orestis that made no sense to me. Perhaps orestis and admin are sharing confidential information in this secret chat, but in admin’s last reply it looked like he was secretly sharing an encrypted URL.
Then I opened “SSH Access”. Ahhhh!!! It was an English conversation in which admin suggests using a key for login instead of a simple password. Reading the whole conversation, I concluded that orestis had lost his SSH login key and was asking admin to send the key in the encrypted chat that we saw above in the “Key” discussion.
Time to decrypt their conversation to get the SSH login key, but I didn’t know where to start. After spending much time and effort I finally decrypted it and found the SSH login key.
Now your question: how did that become possible?
My answer: observe the steps below carefully.
From both chats, “Key” and “SSH Access”, I copied the following text into a text file and removed the spaces between the words, as shown below.
  • Pieagnm – Jkoijeg nbw zwx mle grwsnn (message in cipher text)
  • Orestis – Hacking for fun and profit (decrypt key in plain text)
Consider the cipher text as the encrypted information and the plaintext as the decryption key.
With the help of an online decipher tool I pasted the above cipher text into the encipher text box and the decryption key into the decipher text box, and received the deciphered message “BrainfuCkmybrainfuckmybrainfu”.
If you remember, we had obtained an encrypted URL from the “Key” discussion; go for its decryption using the above deciphered message “fuckmybrain” as the decryption key. It took much time to identify the encryption algorithm used for the URL, but we successfully decrypted it with the Vigenère cipher. It gave a plain-text URL for downloading id_rsa for SSH login as orestis.
From the image below you can observe that I added the encrypted URL in the encrypted-text field, used “fuckmybrain” as the decryption key and obtained the plain-text URL.
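The key recovery described above, as an added example written for this walkthrough (not the online tool the author used): it derives the Vigenère key stream from the quoted plaintext/ciphertext pair, finds the repeating unit, and reuses the key on a constructed sample URL, since the box’s encrypted URL is not reproduced in the text.

```python
# Added example, not from the original walkthrough: recover the Vigenere key
# stream from the known plaintext/ciphertext pair quoted in the post, find its
# repeating unit, and reuse the key to decrypt a message.
import string

ALPHA = string.ascii_lowercase
# The pair quoted in the post (forum message and its plaintext counterpart).
CIPHER_PAIR = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
PLAIN_PAIR = "Orestis - Hacking for fun and profit"

def keystream(plain, cipher):
    """Per-letter key k = (c - p) mod 26; non-letters are skipped on both sides."""
    p_letters = [ch.lower() for ch in plain if ch.isalpha()]
    c_letters = [ch.lower() for ch in cipher if ch.isalpha()]
    if len(p_letters) != len(c_letters):
        raise ValueError("plaintext and ciphertext letter counts differ")
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
                   for p, c in zip(p_letters, c_letters))

def shortest_period(stream):
    """Shortest prefix that reproduces the whole stream when repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def is_rotation(candidate, period):
    """The real key may start anywhere in the period (e.g. 'fuckmybrain')."""
    return len(candidate) == len(period) and candidate in period + period

def vigenere(text, key, decrypt=False):
    """Shift letters by the key; non-letters pass through and consume no key."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[k % len(key)].lower())
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + (-shift if decrypt else shift)) % 26 + base))
        k += 1
    return "".join(out)

if __name__ == "__main__":
    stream = keystream(PLAIN_PAIR, CIPHER_PAIR)  # brainfuckmybrainfuckmybrainfu
    period = shortest_period(stream)             # brainfuckmy
    print(stream, period, is_rotation("fuckmybrain", period))
    # Constructed sample URL (not the one from the box) round-tripped with the key.
    demo = vigenere("https://example.invalid/orestis/id_rsa", "fuckmybrain")
    print(demo, "->", vigenere(demo, "fuckmybrain", decrypt=True))
```

The derived stream starts mid-key, so the 11-letter period comes out as a rotation of “fuckmybrain”; which rotation to use is fixed by where the URL ciphertext begins in the key cycle.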
After downloading id_rsa, when I tried to open this file I found that it required a password to view its content.
First I downloaded a Python script from here for cracking the password of this file. Then I ran the following command and got the desired output.
python sshng2john.py id_rsa > ssh_login
Then we used John the Ripper to crack this ssh_login file.
john ssh_login --wordlist=/usr/share/wordlists/rockyou.txt
We got “3poulakia!” as the result of the above command.
Without wasting time I executed the following command to log in via SSH, using 3poulakia! as the password.
ssh -i id_rsa orestis@10.10.10.17
Great!! I logged in successfully; now let’s finish the task by grabbing the user.txt and root.txt files. First I listed the files in the current directory. Good to see user.txt in the present location; I opened it using cat.
cat user.txt
Apart from user.txt I found three more files in this directory, and when I opened them I got a hint for the root flag! Follow the steps below if you are also looking for the root flag.
When I read the content of encrypt.sage, it pointed toward an encrypted password within debug.txt and output.txt.
When I opened debug.txt and output.txt I saw encrypted information, so I again turned to Google for help with this type of encryption and luckily found a decrypting script at this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ . After that I copied the entire script into a text file for decryption.
As described in the crypto150 algorithm, I set p, q and e equal to the 1st, 2nd and 3rd lines of debug.txt respectively, and ct equal to the content of output.txt, as shown below, and saved it as decrypt.py.
Then run our decrypt.py with Python and capture the root flag!!
python decrypt.py
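The recovery that decrypt.py performs, as an added example written for this walkthrough rather than the crypto150 script the post links to: p, q and e are parsed from debug.txt-style text, the private exponent is derived from them, and the ciphertext from output.txt-style text is turned back into bytes. The primes and message are constructed for the demo; the box’s real values are not on the page.

```python
# Added example, not the crypto150 script the post links to: the same textbook
# RSA recovery that script performs, with p, q, e read from debug.txt-style text
# and the ciphertext from output.txt-style text. The numbers are constructed for
# this demo; the box's real values are not on the page.
from math import gcd

# Constructed stand-in for debug.txt: p, q and e on three lines (both primes).
DEBUG_TXT = "1000000007\n998244353\n65537\n"

def parse_debug(text):
    """Return (p, q, e) from the three lines of a debug.txt-style file."""
    p, q, e = (int(line) for line in text.split())
    return p, q, e

def parse_output(text):
    """output.txt holds the ciphertext as one decimal integer."""
    return int(text.strip())

def private_exponent(p, q, e):
    """d = e^-1 mod phi(n); fails loudly if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def rsa_encrypt(p, q, e, msg):
    """Encode bytes as a big-endian integer and apply the public exponent."""
    n = p * q
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message does not fit below the modulus")
    return pow(m, e, n)

def rsa_decrypt(p, q, e, ct):
    """Recover the plaintext bytes from ct with the derived private exponent."""
    n = p * q
    m = pow(ct, private_exponent(p, q, e), n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    p, q, e = parse_debug(DEBUG_TXT)
    # Constructed stand-in for output.txt, produced with the same key pair.
    output_txt = f"{rsa_encrypt(p, q, e, b'r00t!')}\n"
    print(rsa_decrypt(p, q, e, parse_output(output_txt)))  # b'r00t!'
```

The point of the lab’s file layout is that knowing p and q (not just n) makes phi(n) and therefore d trivial to compute, which is why leaving the factors in a readable debug file gives away the private key.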
Huhhhhh!!!!!! Such a hectic lab it was, but we completed the challenge successfully.
Author: hackingarticles
