Hack The Box: Brainf#@k




WARNING: This walkthrough contains offensive language. If you are easily offended, please do not continue.

Difficulty: Hard
Machine Creator: ch4p
Tools Used: NMAP, WPScan, SearchSploit, Python, SMTP, Cryptography, John

Task: To find User.txt and Root.txt

Network Enumeration

Let's start with an NMAP scan (-sV for service versions, -sC for the default script set).

nmap -sV -sC 10.10.10.17

HTTP






WPScan

We will probably have better luck exploiting WordPress, so let’s start there.

wpscan --url https://brainfuck.htb --disable-tls-checks

Since we are scanning an HTTPS site with a self-signed certificate, we pass --disable-tls-checks so WPScan ignores the TLS certificate error.



Searchsploit

searchsploit "responsive Ticket System"

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .


Start a Python web server to host the exploit's HTML file (Python 2; on Python 3 the equivalent is python3 -m http.server).

python -m SimpleHTTPServer

WordPress Exploit






SMTP Client

For the mail client, I'm using Evolution.

Create a new account and configure it.








Secret Forum








Encryption

This encryption is called Vigenère. Each letter is shifted by the value of the corresponding key letter (A=0 ... Z=25) modulo 26, cycling through the key, so encryption adds the key letter and decryption subtracts it. Given a stretch of known plaintext, subtracting plaintext from ciphertext letter by letter recovers the key stream. We can use an online decryptor for this.

http://rumkin.com/tools/cipher/vigenere.php

The output is not clear at first, but after some trial and error the key is fuckmybrain.
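The key-recovery step described above, as an added example that is not part of the original post. It implements Vigenère with the rumkin convention (non-letters pass through and do not consume key letters), recovers the key stream from a known plaintext/ciphertext pair by subtraction, and collapses it to its shortest period. The key "fuckmybrain" is the one recovered on the box; the sample plaintext is constructed for the demonstration and is not the forum message. It also shows the failure mode behind the "trial and error": with less known plaintext than one key length, only a prefix of the key comes back.

```python
# Added example for this walkthrough; not code from the original post.
# Vigenere shifts each letter by the value of the matching key letter
# (A=0 ... Z=25) mod 26, cycling through the key. Non-letters pass through
# unchanged and do not consume a key letter (the convention the rumkin tool
# uses). With known plaintext the key falls out by subtraction:
# key[i] = (ciphertext[i] - plaintext[i]) mod 26.
#
# The key "fuckmybrain" is the one recovered on the box. The plaintext below
# is constructed for the demonstration and is NOT the forum message.

def _shift(ch, k):
    """Shift a single ASCII letter by k positions, preserving case."""
    base = ord('A') if ch.isupper() else ord('a')
    return chr((ord(ch) - base + k) % 26 + base)

def vigenere(text, key, decrypt=False):
    """Encrypt (or, with decrypt=True, decrypt) text under a Vigenere key."""
    shifts = [ord(c) - ord('a') for c in key.lower() if c.isalpha()]
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = shifts[i % len(shifts)]
            out.append(_shift(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return ''.join(out)

def recover_key(plaintext, ciphertext):
    """Recover the key stream from a known plaintext/ciphertext pair and
    collapse it to its shortest repeating period. If the known plaintext is
    shorter than the key, only a prefix of the key comes back; that is the
    'trial and error' stage, where the rest has to be guessed from the fragment."""
    stream = ''
    for p, c in zip(plaintext, ciphertext):
        if p.isalpha() and c.isalpha():
            stream += chr((ord(c.lower()) - ord(p.lower())) % 26 + ord('a'))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

if __name__ == '__main__':
    key = 'fuckmybrain'
    known = 'Meet me at the usual place'        # constructed sample plaintext
    ct = vigenere(known, key)
    print(ct)                                   # Rygd yc bk tpr zmwkx nmrcm
    print(recover_key(known, ct))               # fuckmybrain
    print(recover_key(known[:7], ct[:7]))       # fuckmy  (too little known plaintext)
    print(vigenere(ct, key, decrypt=True))      # Meet me at the usual place
```

The practical check is the last two lines: a recovered key that does not repeat within the known-plaintext window is not yet the whole key, and decrypting with it produces garbage past the first few words, which is exactly the "output is not clear" symptom.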



John

ssh2john converts the passphrase-protected private key into a hash John can crack (on Kali it lives at /usr/share/john/ssh2john.py).

ssh2john id_rsa > id_john

john id_john --wordlist=/usr/share/wordlists/rockyou.txt

User SSH


User.txt


RSA Decryption


In orestis's home directory there are three files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA uses two large primes p and q (the modulus is n = p*q) and a public exponent e; if p, q and e are all known, the private exponent is d = e^-1 mod (p-1)(q-1) and the plaintext is m = c^d mod n, so leaking the primes breaks the encryption outright.

https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e

A google search for RSA decryption gave me a page containing a script for decrypting RSA data.



Root.txt

The decrypted message is an integer. This Python 2 one-liner renders it as hex and decodes the hex back into the ASCII flag:

python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"

6efc1a5dbb8904751ce6566a305bb8ef
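The decryption described in the RSA section and the integer-to-text conversion done by the one-liner above, as an added example; this is not the script the author found online. The primes, exponent and message in the demo are constructed (small textbook values) and are not the box's; the only value taken from the page is the decrypted integer passed to int_to_text, which yields the same flag string the one-liner prints.

```python
# Added example for this walkthrough; not the author's script.
# Textbook RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi, m = c^d mod n.
# With p, q and e in hand the private exponent is immediate. The primes,
# exponent and message used in __main__ are constructed for the demonstration
# and are not the box's values; only flag_int comes from the one-liner above.

def egcd(a, b):
    """Iterative extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Modular inverse of a mod m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError('no inverse: gcd(%d, %d) = %d' % (a, m, g))
    return x % m

def rsa_private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1)."""
    return modinv(e, (p - 1) * (q - 1))

def rsa_decrypt(p, q, e, c):
    """Recover the plaintext integer from the two primes, the public exponent
    and the ciphertext integer."""
    n = p * q
    if not 0 <= c < n:
        raise ValueError('ciphertext out of range for this modulus')
    return pow(c, rsa_private_exponent(p, q, e), n)

def int_to_text(m):
    """Python 3 equivalent of format(m, 'x').decode('hex'): big-endian bytes."""
    return m.to_bytes((m.bit_length() + 7) // 8, 'big').decode('ascii')

def text_to_int(s):
    """Inverse of int_to_text: big-endian bytes to integer."""
    return int.from_bytes(s.encode('ascii'), 'big')

if __name__ == '__main__':
    # Constructed toy parameters: the 10000th and 100000th primes, e = 65537.
    p, q, e = 104729, 1299709, 65537
    n = p * q
    m = text_to_int('hi')
    c = pow(m, e, n)                          # the encryption step
    assert rsa_decrypt(p, q, e, c) == m
    print(int_to_text(rsa_decrypt(p, q, e, c)))   # hi
    # The integer recovered on the box, rendered the way the one-liner does it.
    flag_int = 24604052029401386049980296953784287079059245867880966944246662849341507003750
    print(int_to_text(flag_int))              # 6efc1a5dbb8904751ce6566a305bb8ef
```

Two caveats worth keeping in mind when reusing this: the modular inverse only exists when gcd(e, phi) = 1, which the code checks instead of silently returning nonsense, and the plaintext integer must be smaller than n, otherwise the message is reduced mod n during encryption and cannot be recovered.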