HackTheBox — Brainfuck (Difficulty-INSANE)
--
Brainfuck is an Insane-difficulty Linux machine on HackTheBox that is OSCP-like. I ended up taking an unintended path for privilege escalation, as there were multiple. I used CVE-2021-4034, which allows an attacker to craft environment variables in a way that induces pkexec to execute arbitrary code as a privileged user.
I skipped the writeup of this box since it was too long. The information in this writeup has been taken from Dw3ll3r’s writeup as part of my notekeeping for OSCP. SOURCE: https://medium.com/@dw3113r/hack-the-box-brainfuck-writeup-4a4512af623b, so all credits go out to him.
Recon
I always start my recon with the same NMAP scan: nmap -n -v -sT -A <box IP>
Breakdown of the command:
-n : Skip DNS Resolution
-v : Increase Verbosity (amount of output)
-sT : TCP Connect Scan
-A : Enable OS Detection, Version Detection, Script Scanning, and Traceroute
┌──(kali㉿kali)-[~/HTB]
└─$ sudo nmap -n -v -sT -A 10.10.10.17
Discovered open port 25/tcp on 10.10.10.17
Discovered open port 22/tcp on 10.10.10.17
Discovered open port 443/tcp on 10.10.10.17
Discovered open port 110/tcp on 10.10.10.17
Discovered open port 143/tcp on 10.10.10.17
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) RESP-CODES TOP PIPELINING UIDL USER AUTH-RESP-CODE CAPA
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE more ENABLE SASL-IR have Pre-login LOGIN-REFERRALS post-login ID listed capabilities IMAP4rev1 OK LITERAL+ AUTH=PLAINA0001
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Issuer: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-04-13T11:19:29
| Not valid after: 2027-04-11T11:19:29
| MD5: cbf1 6899 96aa f7a0 0565 0fc0 9491 7f20
|_SHA-1: f448 e798 a817 5580 879c 8fb8 ef0e 2d3d c656 cb66
| tls-nextprotoneg:
|_ http/1.1
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
*NMAP output summarized for brevity
The NMAP output indicates that this is a Linux box with several ports open:
- 22 (SSH)
- 25 (SMTP)
- 110 (POP3)
- 143 (IMAP)
- 443 (HTTPS)
It also found several subdomains:
- brainfuck.htb
- www.brainfuck.htb
- sup3rs3cr3t.brainfuck.htb
From all of this we can conclude that there’s a web server running, there’s a “secret” subdomain on the webserver, and there is a possibility that we will need to mess around with the mail services.
Let’s start our enumeration.
Port/Service Enumeration
Mail services typically need at least an email address, if not an email address and a password, before you can do anything with them, so I’m going to start by enumerating the primary domain.
Port 443 — HTTPS
To start, I’ll add the domains to my /etc/hosts file.
sudo nano /etc/hosts
My /etc/hosts file
Visiting the site
On the way to the site I figured I’d take a look at the SSL certificate, and it gave me an email address: orestis@brainfuck.htb
Brainfuck SSL Cert
The Homepage
The homepage confirms a few things: the site is running WordPress, there’s a user named admin, and SMTP is fully functional.
Brainfuck Ltd. Homepage
Obviously, there’s more to the enumeration than I’m showing. But, for brevity I’m going to run through this without showing all of the enumeration that provided nothing.
wpscan
I’m running wpscan to get a feel for the integrity of the WP site (i.e. whether or not there are vulnerable plugins/themes or maybe old backups stored somewhere).
wpscan --url https://brainfuck.htb/ --disable-tls-checks
wpscan — out of date ticket system plugin
searchsploit reveals a few exploits for this plugin. I am going to use the privilege escalation one: 41006.txt.
searchsploit responsive ticket system
Web Server Exploitation
41006.txt
This exploit is pretty cut and dried. I just have to paste the POC into my own notepad document, update the URL and the username, save it as a .html file, open it in my browser, and refresh the Brainfuck webpage.
41006.txt Exploit POC
My POC For This Exploit
Saved it as ‘payload.html’ and loaded it into my browser, and clicked ‘Login’.
Choose a username to log into
Navigate back to https://brainfuck.htb and now I’m admin!
You’re an admin, Harry
Website Enumeration as admin
After navigating to ‘Edit My Profile → Plugins’ I saw a plugin called ‘Easy WP SMTP’ so I figured I’d check it out.
SMTP Plugin
I went to ‘Settings’ and found the SMTP creds for orestis.
SMTP Plugin Settings
To get around the blanked-out password, view it in the HTML inspector [right-click the password box → Inspect].
SMTP Password
Now we have SMTP creds!
Username: orestis
Password: kHGuERB29DNiNE
Port 25 — SMTP Server Enumeration
Now that we have creds for the SMTP server let’s start up our email client of choice. I’m using Thunderbird, feel free to choose your own.
If you want to download Thunderbird:
sudo apt install thunderbird
Open the client: enter the name, email, password, and the rest of the information requested. You may have to hit a button that says ‘Configure Manually’ if you are using Thunderbird. Fill out the information the same way you see it below.
SMTP Configuration
Hit Re-test to ensure it’s working, then hit done to go to our inbox.
Looking through the inbox we can see two emails: A standard one from WordPress, and one in regards to the secret forum. Read the ‘Forum Access Details’ email.
Forum Access Details Email
Now we have a set of creds for the secret forum!
Username: orestis
Password: kIEnnfEKJ#9UmdO
Secret Forum
Let’s travel to the secret forum at https://sup3rs3cr3t.brainfuck.htb and log in with the newly found creds.
Logging In
Now that we are logged in, we can see several forum posts. The two we are focused on are ‘Key’ and ‘SSH Access’.
Forum Threads
SSH Access tells us that we can only use SSH keys instead of password authentication, and that the key will be in the encrypted Key thread.
SSH Thread
The Key thread has a bunch of gibberish. Judging by the fact that the bottom line of gibberish in orestis’ posts looks the same as his signature in the SSH thread, but also changes each time, this looks like a Vigenère cipher.
Luckily, we have both the ciphertext and plaintext, so decrypting this should be cake.
I’m terrible at explaining cryptography, but I’ll give it a whirl.
A Vigenère cipher takes a plaintext word/phrase and a key that repeats until it matches the number of letters in the plaintext (e.g. my phrase is “I want a cookie”, which has 12 letters, and my key is “milk”; the repeated key might look like “ilkmilkmilkm”). Each letter in the plaintext is added to the corresponding letter of the key (e.g. i (9th letter in the alphabet) + i (9) = r (18), so r would be the ciphertext letter for the first letter in this phrase).
That probably made zero sense, and that’s okay. I’ll show you an easy way to do it. The method I mentioned above is called a Vernam cipher (or a one-time pad). I’m going to take the orestis signature, match it with one of the ciphertext signatures, and throw it into the Vernam cipher decoder on one of my favorite cipher sites: https://www.dcode.fr/
Ciphertext and Plaintext Signatures
FUCKMYBRAIN
As you can see, it looks as if the key to the Vigenère cipher is ‘FUCKMYBRAIN’. So now I can use the Vigenère cipher decoder on the same site (dcode.fr) and decode each forum post.
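The same two steps in code, added here as an example (not from the original writeup or from dcode.fr): recover the key by subtracting known plaintext from ciphertext letter by letter, then decrypt with the repeating key, using standard A=0 Vigenère arithmetic. The signature text below is a constructed stand-in, since the forum posts are not reproduced on this page.

```python
import string
from itertools import cycle

ALPHA = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter of `text` by the matching letter of the repeating `key`.

    Standard A=0 arithmetic. Non-letters pass through unchanged and do not
    consume a key letter, which is how the dcode.fr decoder treats them.
    """
    shifts = cycle(ALPHA.index(k) for k in key.upper())
    out = []
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = next(shifts)
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Recover the key from a known plaintext/ciphertext pair.

    A Vigenere cipher is a Vernam cipher whose key repeats: C - P (mod 26)
    for each letter yields the key stream, and the shortest period that
    reproduces that stream is the key itself.
    """
    stream = "".join(
        ALPHA[(ALPHA.index(c.upper()) - ALPHA.index(p.upper())) % 26]
        for p, c in zip(plaintext, ciphertext)
        if p.isalpha() and c.isalpha()
    )
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


# Constructed sample: orestis' real forum signature is not reproduced here.
SIGNATURE = "Orestis - constructed sample signature"
KEY = "FUCKMYBRAIN"

if __name__ == "__main__":
    enc = vigenere(SIGNATURE, KEY)
    print("ciphertext :", enc)
    print("key        :", recover_key(SIGNATURE, enc))
    print("decrypted  :", vigenere(enc, KEY, decrypt=True))
```

Key recovery only succeeds in full when the known plaintext contains at least as many letters as the key; a shorter signature returns a truncated key stream.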
Post 1
Post 2
Post 3
Post 4
Post 5
So, from that bit of banter we found the link to the SSH key for orestis and we found that we’ll probably have to brute force the password for it.
SSH Key Decryption
I got the encrypted key from:
https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
Encrypted SSH Key
Time to decrypt it. I like to use ssh2john to put the key into a format John can crack. Save the output into a file for John to crack.
ssh2john id_rsa
Now time to crack it:
John doing his thing
Now we have the passphrase for the SSH key: 3poulakia!
Initial access time!
Initial Exploitation
To access brainfuck via SSH Key:
chmod 600 id_rsa
ssh orestis@10.10.10.17 -i id_rsa
I’m in!
Let’s grab the first flag.
user.txt
Now, there were multiple ways to achieve privilege escalation here, and I went with the unintended path. If you’d like me to post another writeup with the intended way, let me know and I’ll be happy to do it.
Post Exploitation
Aside from the files that are in the orestis home directory that were intended for privesc, we’ll use linpeas.sh to find other vectors. If you haven’t used linpeas or winpeas yet I highly suggest it. You can get it at: https://github.com/carlospolop/PEASS-ng
I’m starting a python web server in the directory I have linpeas.sh in on my Kali box:
python3 -m http.server
Now on the target box I’ll cd to /tmp and wget linpeas from Kali:
linpeas.sh transfer
Change the linpeas.sh permissions and execute it:
Happy Pea!
Looking through the output, it didn’t take long to find multiple privesc vectors. In linpeas.sh, a RED/YELLOW entry has a 95% chance of being a viable privesc vector.
lxd privesc
CVE privesc
PATH privesc
I decided to go with CVE-2021-4034.
Privilege Escalation
After some Googling, I found a viable exploit for CVE-2021–4034:
https://github.com/berdav/CVE-2021-4034
It seems simple enough: type ‘make’ then execute the program.
The brainfuck box doesn’t have internet connectivity so I had to download the files onto my host then transfer them to the box.
I downloaded it using git clone:
Download the exploit
Then I transferred the files to brainfuck’s /tmp directory using SCP:
SCP all of the files over
Lastly, it’s time to compile and exploit:
cd into CVE-2021-4034
type ‘make’
type ‘./cve-2021-4034’
Exploit Success
Grab the root.txt flag:
SOURCE- https://medium.com/@dw3113r/hack-the-box-brainfuck-writeup-4a4512af623b