Abhishek Rautela

Feb 15, 2021

15 min read

Hack The Box BrainFuck writeup [LXD group Privesc]

BrainFuck is an insane-rated box that requires a WordPress plugin exploit for the initial foothold and an (unintended) LXD group privilege escalation for root.

Let’s just jump in.

Recon

Let’s start with a quick Nmap scan to discover open ports.

  • -sC: tells Nmap to run its default scripts
  • -sV: tells Nmap to run service and version detection

Nmap returns the following output:

We have the following ports open:

  • Port 22 — SSH (OpenSSH 7.2p2 Ubuntu)
  • Port 25 — SMTP (Postfix smtpd)
  • Port 110 — POP3
  • Port 143 — IMAP (Dovecot imapd)
  • Port 443 — HTTPS

The Nmap scan reveals three possible hostnames: brainfuck.htb, www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb.

Add the hostnames to the /etc/hosts file.

Enumeration

Let’s begin enumerating the box. We will start with SSH.

  • Port 22 SSH

We have OpenSSH 7.2p2 running on an Ubuntu box. A quick Google search reveals that the box is probably Ubuntu Xenial.

This SSH version is not associated with any serious vulnerability, and since SSH is a comparatively secure service, there is a very low probability of it being the attack vector.

  • Port 25 SMTP

SMTP stands for Simple Mail Transfer Protocol, the communication protocol used for transmitting electronic mail.

SMTP can be used to enumerate usernames, and a valid user’s mail can be read over the mail retrieval protocols. As we do not have any usernames at the moment, we will leave this port for the time being. You can run a Python script in the background to automate username enumeration. The following Python script takes a filename (containing candidate usernames) as input and then brute-forces the SMTP port to enumerate valid usernames via the VRFY command.

  • Port 110 — POP3

POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your mail server. As we do not have valid credentials, we will leave this port for now.

  • Port 143 — IMAP

IMAP (Internet Message Access Protocol) is a standard email protocol that stores email messages on a mail server but allows the end user to view and manipulate the messages as though they were stored locally on their own device. As we do not have valid credentials at the moment, we will leave this port for now as well.

  • Port 443 — HTTPS

This leaves us with a single port to enumerate. Everyone has their own methodology; I personally prefer checking HTTP and HTTPS last, as the web has a wide range of attack vectors and I want to be dead sure that there is nothing else to enumerate before I dig into the web service.

Let’s visit the webpage in a browser. We get a default Welcome to Nginx page. Let’s check the SSL certificate as it might reveal hostnames and emails.

The certificate gives us three hostnames and an email address, orestis@brainfuck.htb. As we already added the hostnames to /etc/hosts from the Nmap results, we can now visit them in a web browser.

First, let’s visit brainfuck.htb. After adding a security exception, we get the following webpage.

The website is built on WordPress and WordPress is infamous for a lot of vulnerable plugins and themes. We can scan it with wpscan if required, but first, let’s check the other hostname.

sup3rs3cr3t.brainfuck.htb returns the following webpage.

As we do not have anything interesting yet, it’s time to bring up wpscan. I used tee to create a log file so that the output is available for later use. tee is a command-line utility that reads standard input and writes it to both standard output and one or more files.

  • --disable-tls-checks skips SSL/TLS certificate checks
  • --enumerate u enumerates usernames

wpscan returns a few interesting things. We have two usernames, admin and administrator. We have also identified a vulnerable plugin: WP Support Plus, version 7.1.3.

Exploitation

Let’s check if the vulnerable plugin has any public exploits available.

We have a SQL injection exploit, but it requires authentication. We also have a privilege escalation exploit. To copy the exploit to our current working directory, use the -m flag of searchsploit.

The vulnerable plugin allows us to obtain a WordPress authentication cookie. We can log in as any user without knowing the password because of the plugin’s incorrect usage of the wp_set_auth_cookie() function.

The exploit consists of an HTML PoC. Copy the PoC to an HTML file and change the website to brainfuck.htb, the username to admin and the email to orestis@brainfuck.htb.

Open the HTML file in a browser and hit Login. Refresh the brainfuck.htb webpage.

We are Logged In…!!!

WordPress is a CMS written in PHP. The first thing I checked was whether I had permission to modify the theme files (PHP files). Go to Appearance -> Editor to check if we can edit the PHP files included with the theme to get code execution. We cannot.

Since we do not have permission to alter the PHP code, we cannot use this to add a PHP reverse shell. Next, we should check which plugins are installed.

We have Easy WP SMTP installed. Let’s check its configurations by clicking on Settings.

We have the SMTP password for the ‘Orestis’ user. We can reveal the masked characters by inspecting the password field and removing type="password" from the input tag, or we can simply check the page source with Ctrl+U.

As we now have valid credentials, let’s log in to POP3. This can be done with telnet or netcat.

POP3 allows a mail user to log in with the USER and PASS commands.

We can list the emails of the Orestis user with the LIST command.

We have two emails in the mailbox. To read an email, use the RETR command followed by the mail id/number.

The second mail contains credentials to the secret forum.

Log in to https://sup3rs3cr3t.brainfuck.htb/ with the credentials (orestis/kIEnnfEKJ#9UmdO).

We are logged in as Orestis. Looking around the forum, we find a heated conversation regarding SSH keys. Based on the comments, Orestis seems to have lost his SSH key and wants the admin to send it to him in an encrypted thread. One important thing to notice is that Orestis always signs his messages with the phrase “Orestis — Hacking for fun and profit”.

We also have another conversation that seems to be encrypted. The encrypted thread also contains Orestis’ signature, but the characters have been replaced. This is probably some kind of substitution cipher. Cryptography is not my forte and it took me several hours to identify the cipher. The cipher used here is the Vigenère cipher.

Crack the cipher with https://cryptii.com. Remove the spaces and hyphens from the message ‘Orestis — Hacking for fun and profit’. Paste that line into the key field and the enciphered signature into the ciphertext field as follows. (Vigenère decryption with the known plaintext as the key yields the real key, because the cipher is symmetric in key and plaintext.)

We get the cipher key as fuckmybrain. We can use this key to decrypt all the messages.

Change the key to fuckmybrain and decrypt the conversation that seems to contain a URL.
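The cryptii step above, in code, as an added example that is not part of the original writeup: with the signature as known plaintext and its enciphered form as known ciphertext, subtracting plaintext from ciphertext letter by letter gives the key stream, and the shortest period that explains the whole stream is the key. The ciphertext below is constructed by enciphering the signature with the key the writeup recovered; it is not the forum’s actual ciphertext.

```python
"""Vigenere known-plaintext key recovery (added example, not from the writeup).

The forum ciphertext is not reproduced here; SAMPLE_CIPHERTEXT is constructed by
enciphering the known signature with the key the writeup found (fuckmybrain).
"""
import string

ALPHA = string.ascii_lowercase


def _shift(ch: str, k: int) -> str:
    """Shift one letter by k positions, preserving case; non-letters pass through."""
    if ch.islower():
        return ALPHA[(ALPHA.index(ch) + k) % 26]
    if ch.isupper():
        return ALPHA[(ALPHA.index(ch.lower()) + k) % 26].upper()
    return ch


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Encrypt (or decrypt) text with a Vigenere key. Only letters consume key characters."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = ALPHA.index(key[i % len(key)].lower())
            out.append(_shift(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Derive the Vigenere key from a known plaintext/ciphertext pair.

    For each letter position, key = (cipher - plain) mod 26. The key stream
    repeats every len(key) letters, so the shortest period that explains the
    whole stream is the key. If the known plaintext is shorter than the key,
    only a prefix of the key can be recovered and the full stream is returned.
    """
    p_letters = [c for c in plaintext.lower() if c.isalpha()]
    c_letters = [c for c in ciphertext.lower() if c.isalpha()]
    if len(p_letters) != len(c_letters) or not p_letters:
        raise ValueError("plaintext and ciphertext must contain the same number of letters")
    stream = "".join(
        ALPHA[(ALPHA.index(ci) - ALPHA.index(pi)) % 26]
        for pi, ci in zip(p_letters, c_letters)
    )
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


# Constructed sample: Orestis' signature enciphered with the key from the writeup.
KNOWN_PLAINTEXT = "Orestis Hacking for fun and profit"
SAMPLE_KEY = "fuckmybrain"
SAMPLE_CIPHERTEXT = vigenere(KNOWN_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(KNOWN_PLAINTEXT, SAMPLE_CIPHERTEXT)
    print("ciphertext:   ", SAMPLE_CIPHERTEXT)
    print("recovered key:", key)
    print("decrypted:    ", vigenere(SAMPLE_CIPHERTEXT, key, decrypt=True))
```

The 29 letters of the signature cover the 11-letter key more than twice, which is why the period check lands on the full key rather than a prefix; the same function decrypts any other message from the thread once the key is known.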

CRACKED…!!! We have a URL. Opening the URL gives us an SSH private key.

Copy the SSH key and save it to a file. This private key can be used to log in as the Orestis user.

We still have one more hurdle to pass. The SSH key is encrypted, and to log in as Orestis we need to provide its passphrase. Thankfully we can crack the passphrase with John the Ripper. To convert the SSH key into John the Ripper’s format we will use a tool called ssh2john.

We get a long hash. We can crack the hash with John the Ripper.

Success. We have cracked the key. The passphrase is 3poulakia!

Log in with SSH. Don’t forget to restrict the permissions on the key file first, or the SSH client will refuse to use it.

Enter the passphrase 3poulakia!

We are in. Finally. We are the Orestis user.

Privilege Escalation

The intended path required cracking a file in the home directory of Orestis to get the root flag, but I decided to go down the unintended way for two reasons. Number 1: I suck at crypto and finding the type of cipher would be a pain. Number 2: There is no fun in just retrieving the root flag; I want a root shell on the box.

So let’s walk down the unintended path. For the intended path you can check IppSec’s video.

I like to check for low-hanging fruit like SUID binaries, sudo rights, cron jobs and group memberships before running automated tools.

We do get something interesting while checking groups. We are a member of the lxd group, which can be used to mount the entire host filesystem inside a privileged container.

We will have to create an LXC image to escalate. We will build an Alpine image on our attack machine and then transfer the image to the BrainFuck box.

Let’s begin the process of building the image. Update the repositories and install the requirements.

Clone the distrobuilder repository with Go.

Once the repo is cloned, use the following commands to build distrobuilder.

Now we need to create an Alpine image. Use the following commands to create it.

Create the Alpine container with the following command.

We now have a working Alpine container. We need to transfer lxd.tar.xz and rootfs.squashfs to the victim machine.

Spawn a Python web server in the directory containing our lxd.tar.xz and rootfs.squashfs, and download them on the victim machine with wget.

On the victim machine, type in the following commands to add the Alpine image.

We should see our image listed by the last command. Now we need to create a container and add the host’s root path as a disk device.

Our Alpine container has been created. Start the container and execute a shell in it as follows.

The host filesystem has been mounted at /mnt/root. Navigate to the /mnt directory.

We can see the entire host filesystem here. We have mounted it, but remember that we are root only within the container, and exiting the container would drop us back to the Orestis user. There are a lot of ways to get a root shell from here. We can modify the /etc/sudoers file or write an SSH public key to /mnt/root/root/.ssh/authorized_keys. I would like to add a new user.

On our attack machine, create a salted password hash with openssl.

Add the hack user to the /etc/passwd file. Remember that the host’s /etc/passwd is located at /mnt/root/etc/passwd from inside the container. We can transfer the passwd file to our attack machine and add the user as follows.

Alternatively, we can use cat to write the new line to the /etc/passwd file at /mnt/root/etc/passwd.

We have now added our user. Exit the container and switch to the hack user.

Enter password pass123. We get a root shell…!!!!
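From the defender’s side, both weaknesses this section relies on, membership of the lxd group (above) and a UID 0 account with its password hash written straight into /etc/passwd (the hack user), are visible in two text files. The following audit is an added example, not code from the original writeup; it flags lxd/lxc/docker group members (by group file entry or by primary GID), extra UID 0 accounts, and passwd entries whose password field is not a shadow placeholder. The file contents are constructed samples resembling the box after the user was added.

```python
"""Audit /etc/passwd and /etc/group for container-group membership and
backdoored accounts (added example, not from the writeup)."""
from dataclasses import dataclass, field

# Groups whose members can reach root via a privileged container.
CONTAINER_GROUPS = {"lxd", "lxc", "docker"}
# Password-field values that mean "hash is in /etc/shadow" or "account locked".
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


@dataclass
class Findings:
    container_group_members: dict = field(default_factory=dict)  # group -> [users]
    extra_root_accounts: list = field(default_factory=list)      # UID 0, not 'root'
    hash_in_passwd: list = field(default_factory=list)           # hash stored in passwd


def parse_groups(group_text: str) -> dict:
    """Return {group_name: (gid, [members])} from /etc/group contents."""
    groups = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or line.startswith("#"):
            continue
        members = [m for m in parts[3].split(",") if m]
        groups[parts[0]] = (parts[2], members)
    return groups


def audit(passwd_text: str, group_text: str) -> Findings:
    """Run all checks over the two files' contents and collect findings."""
    findings = Findings()
    groups = parse_groups(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}

    # Explicit membership lists in /etc/group.
    for name in CONTAINER_GROUPS:
        if name in groups and groups[name][1]:
            findings.container_group_members[name] = list(groups[name][1])

    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # malformed or blank line
        user, pw, uid, gid = parts[0], parts[1], parts[2], parts[3]
        if uid == "0" and user != "root":
            findings.extra_root_accounts.append(user)
        if pw not in SHADOW_PLACEHOLDERS:
            findings.hash_in_passwd.append(user)
        # A user's primary group does not appear in the group file's member list.
        primary = gid_to_name.get(gid)
        if primary in CONTAINER_GROUPS:
            findings.container_group_members.setdefault(primary, [])
            if user not in findings.container_group_members[primary]:
                findings.container_group_members[primary].append(user)
    return findings


def audit_files(passwd_path: str = "/etc/passwd", group_path: str = "/etc/group") -> Findings:
    """Audit a live host; requires only read access to the two world-readable files."""
    with open(passwd_path) as p, open(group_path) as g:
        return audit(p.read(), g.read())


# Constructed samples: the box after a UID 0 'hack' user was appended.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "orestis:x:1000:1000:orestis,,,:/home/orestis:/bin/bash\n"
    "hack:$1$SALT$HASH_PLACEHOLDER:0:0:hack:/root:/bin/bash\n"
)
SAMPLE_GROUP = (
    "root:x:0:\n"
    "sudo:x:27:\n"
    "lxd:x:110:orestis\n"
)

if __name__ == "__main__":
    f = audit(SAMPLE_PASSWD, SAMPLE_GROUP)
    print("container group members:", f.container_group_members)
    print("extra UID 0 accounts:   ", f.extra_root_accounts)
    print("hash stored in passwd:  ", f.hash_in_passwd)
```

Call audit_files() with no arguments to check the machine the script runs on; a clean host returns empty findings. Removing orestis from the lxd group (or not granting it in the first place) is the fix for the escalation path, and any non-placeholder password field or second UID 0 entry in /etc/passwd should be treated as a compromise indicator rather than a misconfiguration.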

We can now grab the user and root flags. I personally believe that retrieving flags should not be our end goal and that we should always try to get a root shell on the box. With that being said, thank you for reading.

For suggestions/queries reach out to me on Twitter @accesscheck.