Brainfuck — HTB Machine

Rishabh Rai
5 min readMar 24, 2024

--

Hello everyone, Today we are going to solve an old insane machine …… Brainfuck from the retired machines list of HTB.

let’s get started with firing up the machine and scanning the IP ….

let’s run this IP to hack scanner to quickly scan evrything..

Ok so scan ran gave me some ports as open and one of them was 443/https

since i have only included dirsearch scan for http ports in my script, the scan did not start on it’s own but i will include it in my script.

here are the scans ….

I also enumerated the smtp first … but was unable to do it manually later on fired up msfconsole and did a enumeration to find several users …

but it was of no use…

later i started a dir search scan on the domain..

We can see there is wordpress here so first thing that i fired up was wpscan

so upon looking it up in the searchsploit i found this

I copied it on my directory .. using the command

searchsploit -m php/webapps/41006.txt

I changed the exploit to my usage and then i hit

firefox exploit.html

Which opened up a webpage like this

upon hitting login it will take me to /wp-admin/ajax….

upon removing wp-admin/admin-ajax.php…. I got the access to the admin panel …..

navigate to the dashboard on the admin panel ..

in the easy wp SMTP find the password to the SMTP user…. let’s try our luck again with SMTP after a lot of trial and errors I succeeded in getting data on the INBOX mails

https://book.hacktricks.xyz/network-services-pentesting/pentesting-imap

LINK to the Resource .!!!!! I used to navigate in IMAP

NOW that I have this it is time to login to the secret server which was shown in the nmap output

Logged in to the forum as orestis ……

In the encrypted text we can find that it is some sort of Vigenère cipher
and
OrestisHackingforfunandprofit — seems to be a key

let’s try it on

it does seem like we have stumbled on something important

upon trying it here we are unable to make sense of the plaintext so i tried

So now we have the id_rsa file with us

let’s try to login with this as orestis

It seems like encrypted let do ssh2jhon here for easily decrypting it..

Using the key i have successfully logged in as orestis

after moving around in the user directory i found files with
p,q and e value | ciphertext | a code with RSA encryption

so next thing i did is to write a python script to decrypt using these values

import math
import random

def inverse(a, n):
return pow(a, -1, n)

def decrypt_rsa(ciphertext, n, p, q, e):
# Step 1: Calculate the totient of N
phi = (p — 1) * (q — 1)

# Step 2: Find the private exponent d
d = inverse(e, phi)

# Step 3: Decrypt the message
plaintext = pow(ciphertext, d, n)
return plaintext

def lcm(a, b):
return abs(a*b) // math.gcd(a, b)

ciphertext = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
n = p*q

e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997

decrypted_message = decrypt_rsa(ciphertext, n, p, q, e)
print(“Decrypted message:”, decrypted_message)

After running the code i got this :

if you see the encryption code we can see that the main text is converted to hex then RSA is performed on it so lets do HEX -> Decimal

I added some extra lines in the code to aid further process

upon submission of this flag I finally rooted the machine!!!!

🎉🎉🎉😁 HAPPY HACKING !!!!

My review:

Overall I think the room is old hence it should be transitioned to HARD not INSANE as the amount of resources have increased now.. Other than that getting the user access is a little tricky as it requires a little trial and error. And talking about the root access it is not that tough if you are familiar with a little scripting and RSA algorithm. Overall the room was fun and CRYPTIC mostly. THIS room will require you to put on your CRYPTO cap…

Join me on various platforms to discuss Cybersecurity and Cloud-related topics. From security best practices to cloud infrastructure, let’s exchange ideas and insights and stay ahead of the curve..

CONNECT WITH ME 🔗💻

--

--

Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.