Hack The Box: Brainf#@k

WARNING: This walkthrough contains offensive language. If you are easily offended, please do not continue.

Difficulty: Hard

Machine Creator: ch4p

Tools Used: NMAP, WPScan, SearchSploit, Python, SMTP, Cryptography, John

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC



We will probably have better luck exploiting WordPress, so let’s start there.

wpscan --url https://brainfuck.htb --disable-tls-checks

Since we are scanning an HTTPS site, we had to pass the --disable-tls-checks option so that WPScan ignores the SSL certificate error.


searchsploit "responsive Ticket System"

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .

python -m SimpleHTTPServer

Start a Python web server to host the HTML file.

WordPress Exploit

SMTP Client

For the mail client, I’m using Evolution.

Create a new account and configure it.

Secret Forum


This cipher is Vigenère, which shifts each letter by the corresponding letter of a repeating key (the shift is added to encrypt and subtracted to decrypt). We can use an online decryptor for this.


The output is not clear, but after some trial and error, the passphrase is fuckmybrain.


ssh2john id_rsa > id_john

john id_john --wordlist=/usr/share/wordlists/rockyou.txt

User SSH


RSA Decryption

In orestis's home directory there are a few files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large).


A Google search for RSA decryption gave me a page containing a script for decrypting RSA data.


python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"

6efc1a5dbb8904751ce6566a305bb8ef
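The example below is added here and is not the script the walkthrough found or any code from the box. It shows why a debug file that records P, Q and E is equivalent to the private key: the private exponent follows directly from them. P and Q are constructed stand-ins (two Mersenne primes), not the values from debug.txt, and the function names are hypothetical; the plaintext integer is the one from the command above. It is written for Python 3.8+.

```python
# Added example (Python 3.8+). P and Q are constructed stand-ins (Mersenne
# primes), NOT the values from debug.txt; E is a commonly used public exponent.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537

# Plaintext integer taken from the walkthrough's final command.
PLAINTEXT_INT = 24604052029401386049980296953784287079059245867880966944246662849341507003750


def private_exponent(p, q, e):
    """Derive the private exponent d from the two primes and the public exponent."""
    phi = (p - 1) * (q - 1)
    # Modular inverse of e mod phi; raises ValueError if gcd(e, phi) != 1.
    return pow(e, -1, phi)


def rsa_decrypt(ct, p, q, e):
    """Textbook RSA decryption using only p, q and e (no key file involved)."""
    n = p * q
    if not 0 <= ct < n:
        raise ValueError("ciphertext out of range for this modulus")
    return pow(ct, private_exponent(p, q, e), n)


def int_to_text(m):
    """Integer -> big-endian bytes -> ASCII (Python 3 form of format(m, 'x').decode('hex'))."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("ascii")


def demo():
    """Encrypt the page's plaintext under the constructed key, then recover it from p, q, e."""
    n = P * Q
    ct = pow(PLAINTEXT_INT, E, n)  # stands in for what an encrypt script writes out
    recovered = rsa_decrypt(ct, P, Q, E)
    return ct, recovered, int_to_text(recovered)


if __name__ == "__main__":
    ct, m, text = demo()
    print("ciphertext differs from plaintext:", ct != m)
    print("recovered:", text)
```

The defensive takeaway is that p and q must never be logged or left on disk: anyone who can read them can recompute d, whatever permissions protect the key itself.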