Open in app

Sign in

Write

Sign in

RSA cracking and Cipher Breaking: a ‘real-world’ example.

Max Register
11 min readOct 25, 2020

In this writeup, we will explore RSA Cracking, Cipher Breaking, and WordPress exploitation in a ‘real-world’ capture the flag lab machine: Brainfuck on HacktheBox.eu. This is an Insane level Linux machine.

Hack the box is an online host of virtual machines used to safely practice hacking and penetration testing methods. This writeup is being posted on medium.com/@zexpher along with a collection of other writeups.

Executive Summary

This exercise involves the importance of email security, RSA private key cracking, and WordPress exploitation culminating in the compromise of a web server and its host machine.

The machine is running two web servers, one a WordPress website, and the other, a web forum. The initial exploitation involves the use of a WordPress plugin vulnerability which results in Administrator access to the web interface. This leads to the discovery of an email password stored in an SMTP implementation. Once the email credentials are utilized, the login credentials of the web forum are compromised.

On the forum, a discussion about SSH keys leads to a thread encoded with a Keyed Vigenere cipher. This cipher is broken with a ‘known plaintext’ attack. Resulting in the compromise of an RSA private key. This private key is cracking using the tool John the Ripper. Utilizing the RSA private key and the associated cracked password, we are able to gain access to an SSH shell on the host machine.

With access to the machine using the compromised credentials, a script is discovered which encrypts the root.txt final flag using RSA. This encryption is broken by using the known values of P, Q, and E in the encryption process.

Initial Information Gathering and Enumeration

Initial information gathering starts with a Nmap scan of the host using the following command nmap -sC -sV -oA nmap 10.10.10.17 -sC for safe scripts -sV to enumerate versions, and -oA to output this in all formats.

# Nmap 7.80 scan initiated Tue Oct  6 12:31:30 2020 as: nmap -sV -sC -oA nmap 10.10.10.17
Nmap scan report for 10.10.10.17
Host is up (0.050s latency).
Not shown: 995 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
|   256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_  256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL TOP AUTH-RESP-CODE USER RESP-CODES CAPA SASL(PLAIN)
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: ENABLE SASL-IR IMAP4rev1 have more LOGIN-REFERRALS post-login listed capabilities Pre-login OK IDLE LITERAL+ AUTH=PLAINA0001 ID
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct  6 12:32:22 2020 -- 1 IP address (1 host up) scanned in 51.65 seconds

In the section about port 443, we see two DNS names: www.brainfuck.htb and sup3rs3cr3t.brainfuck.htb adding these to our /etc/hosts file we can pull them up in the web browser. Note: because these machines are running on port 443 SSL we must use https and accept self-signed certificates in the browser.

We see that www.brainfuck.htb is hosting a WordPress site and sup3rs3cr3t.brainfuck.htb is a forum. Because there is more known about WordPress vulnerabilities let’s use a tool to enumerate the version and plugin vulnerabilities. The tool we will use is WPScan and it can be found on GitHub.

We must use the --disable-tls-checks option to ignore self-signed SSL certificates. From this scan, we see that WordPress is version 4.7.3

There were 50 vulnerabilities found. We will only be focusing on one today.

At the bottom of the scan, we see WP Support Plus Responsive Ticket System has two vulnerabilities.

Exploiting WordPress

We can search for exploits using searchsploit in the terminal.

There are two exploits that are listed with plugin version 7.1.3, these are the ones we want to focus on.

To open the file type the following: searchsploit -x 41006

This exploit utilizes the incorrect usage of thewp_set_auth_cookie() to allow us to login as any user. Saving this proof of concept as an HTML file to test if this works.

Add our target URL into the action field with https for TLS before saving. Now let’s host this file using a simple HTTP python server and open it in the browser.

After clicking the Login button, we are left waiting for a response from the server. In a few minutes, we are redirected to this screen.

We might have gotten in, so let's navigate back to brainfuck.htb home page to see if we have admin privileges.

As shown at the top of the page, we have been logged in as the user admin.

To understand what is happening more clearly let’s send this request to the Burp Suite repeater.

Launch Burp and set the proxy to on. Then use the foxy proxy plugin to easily redirect the traffic to Burp. Click login and Burp will pop up.

Click CTL+R to send this request to the repeater.

Navigate to the Repeater tab to view the request.

Now let’s send this and view the request.

We see that the wp_set_auth_cookie() sends us the cookie for the requested username without any verification that we are the user. Thus, when we navigate back to the web page home, we have to cookie for the admin user without ever needing the password.

Enumerating Information in the WordPress Admin Dashboard

Now that we have access to the WordPress admin dashboard, we could use it to edit a PHP file and upload a reverse shell. If we navigate to the Appearance tab on the toolbar and down to Editor to see if we have privileges to edit the PHP files.

We do not have access to edit any of these PHP files, so let’s see if we can get any more information out of the Dashboard. Earlier we saw that there was SMTP implemented as mentioned in one of the blog posts. Let’s see if we can get any information out of this. Navigating to the Settings, then down to Easy WP SMTP we find this screen.

There is a password stored here, but it is in marked characters. Inspecting the element can sometimes yield a plaintext password.

In the highlighted region of the inspector, we see that we do in fact have a plain text password. Let’s save this password in a credentials file for future use.

Email Compromise and Enumeration

We can log in to the email with the found password and the listed email orestis@brainfuck.htb in our email client of choice.

Here we have two emails. One of which is of importance to us.

This email contains access to the forum we found at the beginning of this exercise. Saving these credentials with the others, then we can explore the forum.

Sup3rs3cr3t Forum Enumeration

Now that we have login credentials for the forum we can view the private post.

Right off the bat, the SSH Access thread catches my eye. We will look through all posts to see if they yield any useful information.

Starting with the SSH Access thread:

Here we see our user ‘orestis’ talking to the admin about getting an SSH key on another thread. This is probably the Key thread we saw earlier. Looking there we find the following encrypted:

We see that this ‘encrypted’ thread is a conversation between the admin and the user orestis. We can assume from the SSH thread that this is about the SSH key orestis requested. It appears that this text is subjected to a cipher of some sort because modern cryptography yields a much more scrambled ciphertext. It looks as if the formatting of this text remains intact.

One thing to note, the signature line looks like it is still present in the encrypted thread. We can use a ‘known plaintext’ attack to break this cipher if we can figure out which cipher it is.

First, we must determine which type of cipher we are working with. A good resource I found for this is Practical Cryptography. After some time reading through this page and the page about Index of Coincidence I found this quote:

If we look at the frequency distributions of both of these ciphertexts, it seems the Vigenere ciphertext is flatter than the substitution cipher.

Using the javascript tool for Index of Coincidence on the above-mentioned site, I calculated the I.C. of our cipher signature to be 0.036 which is remarkably close to the 0.0385 I.C. for a flatter Vigenere Cipher. Flatter in this context refers to the frequency of each letter distribution in relation to all other letters. Thus, each letter appears at the same frequency as all other letters.

With this information, I was almost certain that the cipher we are dealing with is a Vigenere Cipher. Now I just used the following tool from rumkin to decipher it.

http://rumkin.com/tools/cipher/vigenere.php

Working backward with the plaintext as a password and the ciphertext as the message I started to notice a pattern in the output. It appears to be that the output is ‘fuckmybrain’ over and over and over. This could be our key!

To double-check and to understand how this cipher works better, let’s do this manually. We start by using the following algebraic equations.

Encryption
The plaintext(P) and key(K) are added modulo 26.
Ei = (Pi + Ki) mod 26

Decryption
Di = (Ei - Ki + 26) mod 26

In the Encryption equation, we see Ei = Pi + Ki thus, if we have the Encrypted text and the plaintext we can rearrange the equation so that we end up with:Ki = Pi — Ei. We can simply do this using a table of the alphabet:

Given Ki = Pi-Ei and our plaintext and encrypted text respectfully:

Pi: Orestis - Hacking for fun and profit
Ei: Pieagnm - Jkoijeg nbw zwx mle grwsnnO=15 and P=16 thus Ki=b
R=18 and I=9  thus Ki=r
E=5  and E=5  thus Ki=a
S=19 and A=1  thus Ki=i
T=20 and G=7  thus Ki=nand so on...

If the number ends up negative we go to the end of the alphabet and start again. This confirms our suspicion that the key is fuckmybrain.

Plugging our SSH key into our handy decrypter tool we get the following URL:

http://rumkin.com/tools/cipher/vigenere.php

Now we can download the SSH private key!

Cracking RSA Private Key

Logging in with an RSA Private key requires a password. We can use the well known cracking tool John the Ripper. For this tool, we must first convert the private key to a form that John can use. Using the tool SSH2John will do the trick.

After converting the file to use with John we simply feed the key to John and give it a wordlist. This cracked pretty quickly yielding the password: 3poulakia!

Logging in with the key and username orestis we get an SSH shell.

Getting Root.txt via RSA

We now have a secure shell on the machine. Let's see if there is anything interesting before we move on.

This encrypt.sage script looks interesting, let’s check it out.

This script looks like it opens the root.txt file and encrypts it somehow. To get a better understanding of this encryption method googling a random string in here yields these results.

Here it is stated that this is standard RSA. With this information, we can poke around a little more in the debug and output files to see if there is a way to break this encryption.

Debug.txt contains these random numbers and output.txt contains this:

Now looking back at the script we see that P, Q, and E are all written to the debug.txt and the output is in the output.txt file. Googling around to find if there is a method of breaking RSA with these known values is the next logical step.

Using this python script it appears that we can decrypt the text using these known values. Copying the script into our own script file and modifying the values looks like so:

Replacing P, Q, and E respectfully, along with ct for the output.txt file contents. Running this script yields the following results.

After running the script we are left with a decimal output. We must convert the text to hex then from hex we can decode to ASCII.

Conclusion: Lessons Learned

Always keep your systems and programs running on it up to date. With the outdated Worpress version and the Support Plus plugin, we were able to gain a foothold in the system. Never send or receive sensitive information over email. If someone compromises the email they will have access to that sensitive information. If using a cipher, avoid using any reoccurring signature or repeated text so that a ‘known plaintext’ attack is not viable. This ‘known plaintext’ attack is what broke the enigma machine in World War II.

--

--

Max Register

Written by Max Register

11 Followers

Information Security Writer

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams