Brainfuck — HTB Machine
Hello everyone, today we are going to solve an old Insane-rated machine, Brainfuck, from the retired machines list of HTB.
Let's get started by firing up the machine and scanning its IP.
I ran the IP through my own scanning script to quickly scan everything.
The scan reported several open ports, one of them 443/https.
Since my script only runs dirsearch against HTTP ports, the directory scan did not start on its own against HTTPS; I will add that to the script.
Here are the scans:
I also enumerated SMTP first, but could not get anywhere manually. Later I fired up msfconsole and ran the SMTP user enumeration module, which found several users,
but that was of no use at this point.
Later I started a dirsearch scan on the domain.
We can see there is WordPress here, so the first thing I fired up was wpscan.
Looking up what it reported in searchsploit, I found this:
I copied it to my working directory with
searchsploit -m php/webapps/41006.txt
I adapted the exploit to my target and then ran
firefox exploit.html
which opened a webpage like this:
On hitting login it took me to /wp-admin/admin-ajax.php…
After removing the admin-ajax.php part of the URL, I had access to the admin panel.
Navigate to the dashboard in the admin panel.
In the Easy WP SMTP plugin settings you can find the password of the SMTP user. Let's try our luck again with the mail service: after a lot of trial and error I succeeded in pulling the INBOX mails over IMAP.
Link to the resource I used to navigate IMAP:
https://book.hacktricks.xyz/network-services-pentesting/pentesting-imap
Now that I have this, it is time to log in to the secret server that was shown in the nmap output.
Logged in to the forum as orestis.
The encrypted text in the thread looks like some sort of Vigenère cipher,
and
OrestisHackingforfunandprofit seems to be the key.
Let's try it.
It does seem like we have stumbled on something important.
Trying it here, though, the plaintext does not make sense, so I tried
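As an added example (not code from the writeup), here is how the Vigenère step can be scripted: encrypting and decrypting with the key above, plus the general known-plaintext trick of subtracting plaintext letters from ciphertext letters to recover the key stream, which is how a Vigenère key is normally pulled out when a stretch of plaintext is known. The sample sentence is constructed for the demo; the key is the one from the forum.

```python
# Added example, not the writeup's own code: Vigenère encrypt/decrypt plus
# key-stream recovery from a known plaintext/ciphertext pair.
import string

ALPHA = string.ascii_uppercase


def _shift(ch, k, sign):
    """Shift one upper-case letter by k positions (sign = +1 encrypt, -1 decrypt)."""
    return ALPHA[(ALPHA.index(ch) + sign * k) % 26]


def vigenere(text, key, decrypt=False):
    """Classic Vigenère: each letter is shifted by the matching key letter.
    Non-letters pass through unchanged and do not consume a key letter;
    letter case is preserved."""
    key = [ALPHA.index(k) for k in key.upper() if k in ALPHA]
    if not key:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    out, i = [], 0
    for ch in text:
        up = ch.upper()
        if up in ALPHA:
            shifted = _shift(up, key[i % len(key)], sign)
            out.append(shifted if ch.isupper() else shifted.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext attack: key letter = (cipher letter - plain letter) mod 26
    for every aligned letter pair. Returns the raw key stream; the key is its
    repeating unit."""
    ks = []
    for p, c in zip(plaintext, ciphertext):
        pu, cu = p.upper(), c.upper()
        if pu in ALPHA and cu in ALPHA:
            ks.append(ALPHA[(ALPHA.index(cu) - ALPHA.index(pu)) % 26])
        elif (pu in ALPHA) != (cu in ALPHA):
            raise ValueError("plaintext and ciphertext are not aligned")
    return "".join(ks)


def shortest_period(stream):
    """Smallest repeating unit of a key stream. With enough known plaintext
    (more than twice the key length) this is the key itself."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


if __name__ == "__main__":
    KEY = "OrestisHackingforfunandprofit"          # key from the forum thread
    # Constructed sample text, long enough to cover the key twice.
    PT = "The quick brown fox jumps over the lazy dog, and then it does it all over again twice."
    CT = vigenere(PT, KEY)
    print("ciphertext:", CT)
    print("decrypted :", vigenere(CT, KEY, decrypt=True))
    print("recovered key:", shortest_period(recover_keystream(PT, CT)))
```

If the plaintext you know is shorter than the key, `shortest_period` returns the partial key stream; you then read the remaining letters off by guessing the rest of the plaintext, which is exactly the trial-and-error step this box makes you do.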
So now we have the id_rsa file.
Let's try to log in with it as orestis.
The key is passphrase-protected, so let's run it through ssh2john and crack the passphrase with john.
Using the cracked key I successfully logged in as orestis.
After moving around in the user's home directory I found files containing
the p, q and e values, a ciphertext, and the code that did the RSA encryption.
So the next thing I did was write a Python script to decrypt using these values:
import math

def inverse(a, n):
    # Modular inverse; pow(a, -1, n) needs Python 3.8 or newer
    return pow(a, -1, n)

def decrypt_rsa(ciphertext, n, p, q, e):
    # Step 1: Calculate the totient of N
    phi = (p - 1) * (q - 1)
    # Step 2: Find the private exponent d
    d = inverse(e, phi)
    # Step 3: Decrypt the message
    plaintext = pow(ciphertext, d, n)
    return plaintext

def lcm(a, b):
    # Not used above; Carmichael's lambda(n) = lcm(p - 1, q - 1) also works in place of phi
    return abs(a * b) // math.gcd(a, b)

ciphertext = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
n = p * q
e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
decrypted_message = decrypt_rsa(ciphertext, n, p, q, e)
print("Decrypted message:", decrypted_message)
After running the code I got this:
If you look at the encryption code, the message was converted to hex and then to an integer before RSA was applied, so the decrypted integer has to go the other way: integer -> hex -> ASCII.
I added some extra lines to the script to do this conversion.
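As an added example (not the writeup's script, and not the values from the box), here is the whole text -> hex -> integer -> RSA pipeline run end to end with constructed keys, including the reverse conversion and a CRT-based decryption that uses p and q directly. The primes are the Mersenne primes 2^127-1 and 2^107-1, chosen only so the example is self-contained; the message is made up.

```python
# Added example, not the writeup's own code. Constructed keys: p and q are the
# Mersenne primes 2**127 - 1 and 2**107 - 1 (not the values found on the box).
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537                          # coprime to (P-1)(Q-1) for these primes
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                # private exponent; pow(x, -1, m) needs Python 3.8+


def text_to_int(msg: str) -> int:
    """The encoding the writeup describes: bytes -> hex string -> integer."""
    return int(msg.encode().hex(), 16)


def int_to_text(m: int) -> str:
    """Reverse it: integer -> hex string -> bytes -> str. format(m, 'x') can
    give an odd number of digits, which bytes.fromhex rejects, so pad a 0."""
    h = format(m, "x")
    if len(h) % 2:
        h = "0" + h
    return bytes.fromhex(h).decode()


def rsa_encrypt(msg: str, e: int = E, n: int = N) -> int:
    """Textbook RSA on the integer form of the message (no padding, as on the box)."""
    m = text_to_int(msg)
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, p: int = P, q: int = Q, e: int = E) -> str:
    """Decrypt from p, q, e: d = e^-1 mod phi(n), m = c^d mod n, then decode."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return int_to_text(pow(c, d, n))


def rsa_decrypt_crt(c: int, p: int = P, q: int = Q, e: int = E) -> str:
    """Same result via the Chinese Remainder Theorem: two half-size
    exponentiations mod p and mod q instead of one full-size one mod n."""
    dp = pow(e, -1, p - 1)          # d mod (p-1)
    dq = pow(e, -1, q - 1)          # d mod (q-1)
    qinv = pow(q, -1, p)
    mp = pow(c, dp, p)
    mq = pow(c, dq, q)
    h = (qinv * (mp - mq)) % p
    return int_to_text(mq + h * q)


if __name__ == "__main__":
    ct = rsa_encrypt("hello orestis")          # constructed sample message
    print("ciphertext:", ct)
    print("decrypted :", rsa_decrypt(ct))
    print("via CRT   :", rsa_decrypt_crt(ct))
```

With the box's own p, q, e and ciphertext substituted for the constants, `rsa_decrypt` is exactly the extra step the writeup alludes to: the integer printed by the script above becomes readable text only after the hex-to-bytes conversion.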
On submitting this flag, I had finally rooted the machine!
🎉🎉🎉😁 HAPPY HACKING !!!!
My review:
Overall I think the box is old, so it should be moved to Hard rather than Insane, as the amount of available resources has grown since it was released. Other than that, getting user access is a little tricky because it requires some trial and error. Root access is not that tough if you are familiar with a little scripting and the RSA algorithm. Overall the box was fun and mostly cryptic: it will require you to put on your crypto cap.