Brainfuck

Brainfuck Introduction:

Recon

nmap scan -

nmap -sS -sV -sC -T4 -Pn -oN brainfuck.nmap.txt 10.10.10.17
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-14 22:07 EST
Nmap scan report for 10.10.10.17
Host is up (0.014s latency).
Not shown: 995 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: USER SASL(PLAIN) CAPA UIDL AUTH-RESP-CODE PIPELINING RESP-CODES TOP
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: more ENABLE have ID Pre-login post-login LITERAL+ AUTH=PLAINA0001 IMAP4rev1 LOGIN-REFERRALS SASL-IR capabilities OK IDLE listed
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.20 seconds

Port scanner -

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.6                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.10.17
------------------------------------------------------------
Scanning target 10.10.10.17
Time started: 2020-12-14 22:06:15.454170
------------------------------------------------------------
Port 25 is open
Port 22 is open
Port 143 is open
Port 443 is open
Port scan completed in 0:01:39.128239

Notes:

  1. SSH is open (OpenSSH 7.2p2 Ubuntu 4ubuntu2.1), so the host is an Ubuntu Linux machine.
  2. A mail server is running: the SMTP, POP3 and IMAP ports are open (Postfix smtpd on 25, Dovecot on 110 and 143).
  3. There is also a web server on port 443, and its SSL certificate reveals two additional hostnames (DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb).

Let's enumerate these services.

Enumeration

Create a /etc/hosts entry with these domain names.

10.10.10.17 brainfuck.htb www.brainfuck.htb sup3rs3cr3t.brainfuck.htb
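The hosts entry above is derived by hand from the certificate's commonName and Subject Alternative Name fields in the nmap output. The script below (an added example, not part of the original writeup) automates that step: it parses a normal-format (-oN) nmap report, collects the open ports and every DNS name the certificate vouches for, and prints the matching /etc/hosts line. The embedded report is a constructed excerpt of the scan shown above.

```python
import re

# Constructed excerpt of the nmap -oN output from the scan above (not the full file).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.17
Host is up (0.014s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
25/tcp  open  smtp     Postfix smtpd
110/tcp open  pop3     Dovecot pop3d
143/tcp open  imap     Dovecot imapd
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
"""


def parse_nmap(text):
    """Return (ip, open_ports, hostnames) from a normal-format nmap report."""
    ip, ports, names = None, [], []
    for line in text.splitlines():
        # "Nmap scan report for 10.10.10.17" or "... for host (10.10.10.17)"
        m = re.match(r"Nmap scan report for (?:.* \()?(\d+\.\d+\.\d+\.\d+)\)?", line)
        if m:
            ip = m.group(1)
            continue
        # Port table rows: "443/tcp open  ssl/http nginx ..."
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            ports.append((int(m.group(1)), m.group(3)))
            continue
        # Certificate subject CN, then every DNS: entry of the SAN extension.
        m = re.search(r"commonName=([A-Za-z0-9.-]+)", line)
        if m and m.group(1) not in names:
            names.append(m.group(1))
        for dns in re.findall(r"DNS:([A-Za-z0-9.-]+)", line):
            if dns not in names:
                names.append(dns)
    return ip, ports, names


def hosts_entry(text):
    """Build the /etc/hosts line covering every name the certificate lists."""
    ip, _, names = parse_nmap(text)
    return f"{ip} {' '.join(names)}" if ip and names else None


if __name__ == "__main__":
    print(hosts_entry(NMAP_OUTPUT))
    for port, service in parse_nmap(NMAP_OUTPUT)[1]:
        print(f"{port:>5}  {service}")
```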

Additional information found in the SSL certificate and a WordPress post:

[email protected]

searchsploit wordpress 4.7

Exploit Title | Path

WordPress Core 4.7.0/4.7.1 - Content Injection (Python) | linux/webapps/41223.py
WordPress Core 4.7.0/4.7.1 - Content Injection (Ruby) | linux/webapps/41224.rb
WordPress Core < 4.7.1 - Username Enumeration | php/webapps/41497.php
WordPress Core < 4.7.4 - Unauthorized Password Reset | linux/webapps/41963.txt
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md
WordPress Core < 5.3.x - ‘xmlrpc.php’ Denial of Service | php/dos/47800.py
WordPress Plugin Cforms 14.7 - Remote Code Execution | php/webapps/35879.txt
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit) | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure | php/webapps/43872.html
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities | php/webapps/38176.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt
WordPress Plugin ProPlayer 4.7.7 - SQL Injection | php/webapps/17616.txt
WordPress Plugin ProPlayer 4.7.9.1 - SQL Injection | php/webapps/25605.txt
WordPress Plugin Quiz And Survey Master 4.5.4/4.7.8 - Cross-Site Request Forgery | php/webapps/40934.html
WordPress Plugin RB Agency 2.4.7 - Local File Disclosure | php/webapps/40333.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh
WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities | php/webapps/38869.txt
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation | php/webapps/44595.rb
WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass | php/webapps/43117.txt
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation | php/webapps/46083.txt

Shellcodes: No Results