Hello friends!! Today we are going to solve another CTF challenge, "Brainfuck", which is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level. In this challenge you can test your expertise in WordPress penetration testing and how much knowledge you have of cryptography by decrypting every piece of encryption you will see in this lab.
Level: Hard
Task: find the user.txt and root.txt files on the victim's machine.
Since these labs are available online they have a static IP; the IP of this machine is 10.10.10.17, so let's begin with nmap port enumeration.
nmap -A 10.10.10.17
From the image below you can observe that many ports are open in the victim's network, such as 22, 25 and so on, and moreover I got three domain names, as highlighted in the image.
Since port 443 was open and the scan result gave three domain names, the next step was to add the target IP to the /etc/hosts file with sup3rs3cr3t.brainfuck.htb www.brainfuck.htb brainfuck.htb as its hostnames.
Then I explored all three domain names one by one in a web browser. When I opened https://brainfuck.htb I found the following webpage, which indicates that it is a WordPress site and points toward the SMTP mail ID orestis@brainfuck.htb, as highlighted in the image below.
Now we decided to run wpscan against the URL we had entered in the browser, to check for any vulnerable themes, plugins, usernames and so on:
wpscan --url http://brainfuck.htb/ --disable-tls-checks --enumerate p --enumerate t --enumerate u
From the wpscan result I grabbed the vulnerability in the WordPress plug-in "Support Plus Responsive Ticket System" for remote code execution, as highlighted below. Moreover it dumped two login usernames, "admin" and "administrator".
With the help of Google I searched for an associated exploit for compromising the victim's credentials and found exploit 41006, as shown below. Inside it I saw the HTML form code for the remote code execution; I copied it and pasted it into a text document. Please notice the changes I made: I added "admin" as the value of the username field, orestis@brainfuck as the email and the target URL https://brainfuck in the form's action, then saved it as wp.html on the desktop.
Then I ran Python's built-in web server to serve the file over port 80.
python -m SimpleHTTPServer 80
Then I opened wp.html from the localhost server as shown below and clicked the login tab. By doing so you can log in as anyone without knowing the password, because of incorrect usage of wp_set_auth_cookie(). Then you can reach the admin panel by visiting https://brainfuck once again. You will get the WordPress admin panel; start digging through it for a clue.
Inside the admin dashboard I looked at the plugins for the next step and found an SMTP plug-in. It was a terrific moment when I saw the user authentication details already filled into the text fields. I could read the username "orestis", but the password was masked, so I needed to reveal it as plain text using inspect element.
Wonderful!! Here is orestis' plain-text password, as shown in the highlighted text below; let's use it for the mail login.
With the command telnet 10.10.10.17 110 we established a connection to the mail server (POP3 on port 110) and logged into orestis' account. To read orestis' inbox I ran retr 1, which gave nothing useful, so I moved on to the next message with retr 2.
Here I found something very crucial: a username and password for the "secret" forum login, and after some thought I realized these credentials could belong to sup3rs3cr3t.brainfuck.htb, which I had explored earlier in the web browser. So I opened https://sup3rs3cr3t.brainfuck.htb again, submitted the credentials found above and logged in successfully.
It showed a super-secret forum pointing toward secret discussion threads named "Key" and "SSH Access". Inside "Key" I noticed a chat between admin and orestis that made no sense to me. Perhaps orestis and admin were sharing confidential information in this secret chat, but in admin's last reply it looked like he was secretly sharing an encrypted URL.
Then I opened "SSH Access". Ahhhh!!! It was an English conversation in which admin suggests using a key for login instead of a simple password. After reading the whole conversation I concluded that orestis had lost his SSH login key and was asking admin to send the key in the encrypted chat we saw above in "Key" (the secret discussion).
Time to decrypt their conversation to get the SSH login key, but I didn't know where to start. After spending a lot of time and effort I finally decrypted it and found the SSH login key.
Now your question: how was this possible? My answer: observe the steps below carefully.
From the two chats, "Key" and "SSH Access", I copied the following text into a text file and removed the spaces between the words, as shown below.
- Pieagnm - Jkoijeg nbw zwx mle grwsnn (message in cipher text)
- Orestis - Hacking for fun and profit (decryption key in plain text)
Here the cipher text is treated as the encrypted information and the plaintext as the decryption key.
With the help of an online decipher tool I pasted the cipher text above into the encipher textbox and the decryption key into the decipher textbox, and received the deciphered message "BrainfuCkmybrainfuckmybrainfu".
If you remember, we had obtained an encrypted URL from inside the "Key" discussion; go for its decryption using the deciphered message above, "fuckmybrain", as the decryption key. It took much time to identify the proper encryption algorithm used for encrypting the URL, and we successfully decrypted it with the help of the Vigenère cipher. It gave a plaintext URL for downloading id_rsa for SSH login as orestis. From the image below you can observe that I added the encrypted URL in the encrypted-text field, used "fuckmybrain" as the decryption key and obtained the plain-text URL.
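The key recovery described above, as an added Python example that is not part of the original write-up: the "Key" ciphertext and the "SSH Access" plaintext quoted on this page are subtracted letter by letter (Vigenère is C = P + K mod 26), the shortest repeating unit of the resulting key stream is a rotation of "fuckmybrain", and that recovered key decrypts the message. The encrypted URL itself is not reproduced on this page, so the decryption step is shown on the page's own pair.

```python
# Added example (not from the original write-up): recover a Vigenere key from a
# known plaintext/ciphertext pair, then decrypt with the recovered key.
# CIPHERTEXT/PLAINTEXT are the pair quoted on this page from the forum threads.
import string

ALPHA = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Shift letters only; other characters pass through and do not consume key."""
    out = []
    k = 0
    for ch in text:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)].lower())
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(ciphertext, plaintext):
    """Vigenere is C = P + K (mod 26), so K = C - P at every letter position."""
    c_letters = [ch for ch in ciphertext if ch.isalpha()]
    p_letters = [ch for ch in plaintext if ch.isalpha()]
    return "".join(
        ALPHA[(ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26]
        for c, p in zip(c_letters, p_letters)
    )


def shortest_period(stream):
    """Smallest repeating unit of the key stream = the key (possibly rotated)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


CIPHERTEXT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
PLAINTEXT = "Orestis - Hacking for fun and profit"

if __name__ == "__main__":
    ks = recover_keystream(CIPHERTEXT, PLAINTEXT)   # brainfuckmybrainfuckmybrainfu
    key = shortest_period(ks)                       # brainfuckmy (rotation of fuckmybrain)
    print(ks, key, vigenere(CIPHERTEXT, key, decrypt=True), sep="\n")
```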
After downloading id_rsa, when I tried to open the file it required a password to view its content. So I downloaded a Python script from here for cracking the password of this file, ran the following command and got the desired output.
python sshng2john.py id_rsa > ssh_login
Then we used John the Ripper to crack this ssh_login file.
john ssh_login --wordlist=/usr/share/wordlists/rockyou.txt
The result of executing the above command was "3poulakia!". Without wasting time I executed the following command to log in over SSH using 3poulakia! as the password.
ssh -i id_rsa orestis@10.10.10.17
Great!! I logged in successfully; now let's finish the task by grabbing the user.txt and root.txt files. First I checked the available files in the current directory. Good to see user.txt in the present location; I opened it using cat.
cat user.txt
Apart from user.txt I found three more files in this directory, and when I opened them I got a hint for the root flag! Follow the steps below if you are also looking for the root flag.
When I read the content of encrypt.sage, it pointed toward an encrypted password within debug.txt and output.txt.
When I opened debug.txt and output.txt I saw encrypted information, so once again I turned to Google for help with this type of encryption and luckily found a decryption script at this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ After that I copied the entire script into a text file for decryption.
As described in the crypto150 algorithm, I set the 1st, 2nd and 3rd lines of debug.txt as p, q and e respectively, and ct as the content of output.txt, as shown below, and saved it as decrypt.py. Then run decrypt.py with Python and capture the root flag!!
python decrypt.py
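The same recovery as an added Python example, not the crypto150 script linked above: when debug.txt leaks p, q and e, the private exponent d follows from phi(n) = (p-1)(q-1), and the ct from output.txt decrypts directly. The primes, e and the flag below are constructed stand-ins, since this page does not reproduce the lab's real values.

```python
# Added example (not the linked crypto150 script): recover an RSA plaintext when
# the private primes p and q leak alongside e and the ciphertext, which is the
# situation with debug.txt (p, q, e) and output.txt (ct) described above.
# All numbers here are constructed for the demo, not the lab's real values.


def modinv(a, m):
    """Iterative extended Euclid: x with a*x == 1 (mod m), or ValueError."""
    r0, r1, x0, x1 = m, a % m, 0, 1
    while r1:
        qt = r0 // r1
        r0, r1 = r1, r0 - qt * r1
        x0, x1 = x1, x0 - qt * x1
    if r0 != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return x0 % m


def rsa_decrypt(p, q, e, ct):
    """Rebuild d from the leaked primes and undo ct = m^e mod n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def parse_debug(debug_txt):
    """debug.txt layout as the page describes it: p, q and e on the first three lines."""
    p, q, e = (int(line.strip()) for line in debug_txt.strip().splitlines()[:3])
    return p, q, e


# Constructed stand-ins for debug.txt / output.txt (two Mersenne primes, e = 65537).
P = 2**127 - 1
Q = 2**89 - 1
E = 65537
FLAG = b"HTB{constructed_demo_flag}"
CT = pow(int.from_bytes(FLAG, "big"), E, P * Q)   # what output.txt would hold
DEBUG_TXT = f"{P}\n{Q}\n{E}\n"

if __name__ == "__main__":
    p, q, e = parse_debug(DEBUG_TXT)
    print(rsa_decrypt(p, q, e, CT))   # b'HTB{constructed_demo_flag}'
```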
Huhhhhh!!!!!! It was such a hectic lab, but we have completed the challenge successfully.