[HackTheBox] Brainfuck

Siddharth Johri
3 min read · Oct 7, 2021


This box is really twisted but very interesting.

Reconnaissance:

The initial scan gave subdomains and a vulnerable SSH version.

Enumeration:

WEB → https://brainfuck.htb

WordPress, yay.
Possible user found.

Let's run a quick wpscan.

An unusual plugin found.

We found “admin” and “administrator” users, but brute-forcing them led nowhere.

This gets us into the admin dashboard, and we can look at the mail password of orestis.

Lol…

POP3 → Has 2 mails for orestis, one of which gives a hint.

Now we move to sup3rs3cr3t.brainfuck.htb and log in.

Now this is really weird.

Since we can see that orestis has a signature, i.e. “Orestis: Hacking for fun and profit”, we can try manipulating the words to get a clear cipher.

Many rounds of custom Caesar cipher didn’t give anything; then a hint from an HTB hacker led me to the Vigenère cipher.
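Why a known signature is enough against a Vigenère cipher, as an added example that is not part of the original post: subtracting the known plaintext from its ciphertext letter by letter exposes the repeating key. The key "samplekey" and the demo message are constructed for illustration and are not the box's values; only the signature text comes from the post.

```python
import string

A = string.ascii_lowercase

def vigenere(text, key, decrypt=False):
    """Vigenere over letters only; other characters pass through, using no key."""
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = A.index(key[i % len(key)].lower())
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + (-shift if decrypt else shift)) % 26 + base))
        i += 1
    return "".join(out)

def keystream(cipher, known_plain):
    """Key letter = (cipher letter - plaintext letter) mod 26 at each letter."""
    return "".join(
        A[(ord(c.lower()) - ord(p.lower())) % 26]
        for c, p in zip(cipher, known_plain)
        if c.isalpha() and p.isalpha()
    )

def shortest_period(stream):
    """Shortest prefix that repeats to give the whole stream (the likely key)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_key(cipher, known_plain):
    """Derive the key stream from a known pair and reduce it to its period."""
    return shortest_period(keystream(cipher, known_plain))

KNOWN_PLAIN = "Orestis: Hacking for fun and profit"  # signature quoted in the post
DEMO_KEY = "samplekey"  # constructed key, not the box's key
DEMO_MESSAGE = "Constructed message, not from the box"

if __name__ == "__main__":
    enc_sig = vigenere(KNOWN_PLAIN, DEMO_KEY)
    key = recover_key(enc_sig, KNOWN_PLAIN)
    print(enc_sig, "->", key)
    print(vigenere(vigenere(DEMO_MESSAGE, DEMO_KEY), key, decrypt=True))
```

When the known text sits in the middle of a message rather than at its start, the recovered string is a rotation of the key, and a known text shorter than the key yields only part of it.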

Finally got the id_rsa file.

Foothold:

Irritating af…

ssh2john.py id_rsa > hash ; john hash --wordlist=/usr/share/wordlists/rockyou.txt

Finally, a low-privilege shell.

Privilege Escalation:

OOOOOO. lxd vulnerable. PWNED.

All in all, this box has a lot of stuff that's not optimal when it comes to preparing for OSCP, but it has intuitive stuff there.
