Hack the Box – Brainfuck Walkthrough

Today we’re going to solve another CTF machine, “Brainfuck”. It is now a retired box and is only accessible to VIP members.



  • Target OS: Linux
  • Services: SSH, SMTP, POP3, IMAP, SSL
  • IP Address:
  • Difficulty: Hard


  • Exploitation
  • RSA Decryption


  • Getting user
  • Getting root


As always, the first step is reconnaissance, starting with a port scan.

Port Scanning

During this step we identify which services are running behind the IP address.

From the scan output we can see several open ports. The TLS certificate served on port 443 lists two Subject Alternative Names, DNS:www.brainfuck.htb and DNS:sup3rs3cr3t.brainfuck.htb, which gives us two virtual hosts to look at.

Let’s map these hostnames to the target IP address in /etc/hosts.

Now let’s browse to both hostnames and see what we can find.



So we have two different CMSs installed; let’s enumerate both.

Enumerate WordPress

We have WordPress installed at https://brainfuck.htb, and the first post contains an email address. Keep it in mind: the box has SMTP and POP3 open, so it may come in handy.


Let’s run wpscan to see if we can find something interesting (the site uses a self-signed certificate, hence --disable-tls-checks).

wpscan --url https://brainfuck.htb --disable-tls-checks

wpscan found two users, “admin” and “administrator”, and one installed plugin with a public exploit.

searchsploit WP Support Plus


In our case we’re going to test “WP Support Plus Responsive Ticket System 7.1.3 – Privilege Escalation”.

We have to modify the POST request in the exploit in order to make it work.


We know the email address, which we found in one of the posts.


We changed these values: username: admin | email: orestis@brainfuck.htb, and the action URL to https://brainfuck.htb.

To send the POST request, create an index.html containing the modified exploit and serve it with Python’s built-in HTTP server, then open it in the browser.

python -m SimpleHTTPServer 80

After clicking Login, a blank white page comes up.

Now simply remove /wp-admin/admin-ajax.php from the URL and go back to https://brainfuck.htb: you will see the admin toolbar. The plugin’s vulnerable AJAX handler sets a WordPress login cookie for whatever username it is given, without checking a password, so the browser is now authenticated as admin.

Getting a reverse shell through WordPress is normally easy, but we don’t have write access, so another hurdle stands between us and a shell.

While poking around further I found another plugin installed that wpscan didn’t detect. Let’s take a look at it.

This is what we find in the SMTP plugin settings.

The SMTP Password field is masked in the UI, but inspecting the element shows the value in the page source: the password is “kHGuERB29DNiNE”.

Since we have an SMTP password and the same account presumably receives mail, let’s try it against the POP3 service on port 110 with telnet. We were able to establish a connection and log in:

USER orestis
PASS kHGuERB29DNiNE

After logging in successfully we can use the list command to display the messages.

list
+OK 2 messages:
1 977
2 514

We can read them using the retr command.

retr 1
+OK 977 octets
Return-Path: www-data@brainfuck.htb
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33) id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress wordpress@brainfuck.htb
Message-ID: 00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/

To read the second message:

retr 2
+OK 514 octets
Return-Path: root@brainfuck.htb
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0) id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: 20170429101206.4227420AEB@brainfuck
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our “secret” forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards

There is something interesting in there:

username: orestis password: kIEnnfEKJ#9UmdO

The second message says these are credentials for the “secret” forum, so let’s try logging in there (presumably the second CMS, on sup3rs3cr3t.brainfuck.htb).

Let’s take a look at the ‘Key’ thread first.

Now take a look at the ‘SSH Access’ thread.

The ‘Key’ thread is encrypted somehow. In the ‘SSH Access’ thread orestis asks admin for the SSH key he lost; orestis then opened another thread named ‘Key’, and there admin and orestis exchange messages that cannot be read.

It’s some kind of encryption we don’t recognise yet. Since we have no clue how to decrypt the text, let’s copy the text of both threads and place them one under the other for a closer look.

We took the reply posted by orestis in each thread.

  • Cipher text: Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn
  • Plain text: Go fuck yourself admin, I am locked out!! send me my key asap! Orestis - Hacking for fun and profit

Look closer at the signature line: it is the same in both threads, once encrypted and once in clear.

  • Cipher text: Pieagnm - Jkoijeg nbw zwx mle grwsnn
  • Plain text: Orestis - Hacking for fun and profit

This is a known-plaintext situation. A Vigenère cipher adds the key letter to each plaintext letter (C = P + K mod 26), so subtracting the plaintext from the ciphertext (C - P) gives the key back. In practice: feed the ciphertext into the tool below as the message and the known plaintext as the “key”, and decrypt.

Tool: http://rumkin.com/tools/cipher/vigenere.php

This is the output we got:

Brainfu - Ckmybra inf uck myb rainfu

Removing the spaces gives brainfuckmybrainfuckmybrainfu, which is the same phrase repeating: fuckmybrain, with the signature starting partway through the key.

If you remember, the ‘Key’ thread also contains an encrypted URL, but there is no matching plaintext for it in the ‘SSH Access’ thread, so we can’t recover the key from that message the same way.

Since the keystream we recovered from the signature keeps repeating the phrase ‘fuckmybrain’, and a Vigenère key is reused for the whole message, we can assume fuckmybrain is the key for the other ciphertext as well.

Decrypting the other post with that key gives an actual URL for the id_rsa key.
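The key recovery and decryption above, as an added example that is not part of the original walkthrough and not the rumkin tool’s code: it subtracts the known signature from its ciphertext to get the keystream, finds the repeating period, rotates it by the number of letters that precede the signature in the post (so the key lines up with the start of the message), and then decrypts orestis’ whole ‘Key’ post. The strings are the ones quoted above; the function names are mine.

```python
# Added example, not the walkthrough's own code: recover a Vigenère key from a known
# signature line (a crib) and decrypt the rest of the post with it.
import string

ALPHA = string.ascii_lowercase

# Text quoted in the walkthrough: orestis' reply in the 'Key' thread (ciphertext) and the
# signature he uses in plaintext in the 'SSH Access' thread.
KEY_THREAD_POST = "Mya qutf de buj otv rms dy srd vkdof :) Pieagnm - Jkoijeg nbw zwx mle grwsnn"
CRIB_CIPHERTEXT = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"
CRIB_PLAINTEXT = "Orestis - Hacking for fun and profit"


def recover_keystream(ciphertext: str, plaintext: str) -> str:
    """Vigenère is C = P + K (mod 26) per letter, so K = C - P. Only letters consume key."""
    ct = [c.lower() for c in ciphertext if c.isalpha()]
    pt = [c.lower() for c in plaintext if c.isalpha()]
    if len(ct) != len(pt):
        raise ValueError("crib and ciphertext must contain the same number of letters")
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26] for c, p in zip(ct, pt))


def shortest_period(s: str) -> int:
    """Smallest p such that s is a prefix of its first p characters repeated."""
    for p in range(1, len(s) + 1):
        if all(s[i] == s[i % p] for i in range(len(s))):
            return p
    return len(s)


def recover_key(full_ciphertext: str, crib_ciphertext: str, crib_plaintext: str) -> str:
    """Recover the repeating key, rotated so index 0 matches the first letter of the message.

    The crib may sit anywhere in the message; every letter before it has advanced the key,
    so the keystream seen at the crib starts at offset (letters_before mod period).
    """
    start = full_ciphertext.index(crib_ciphertext)
    letters_before = sum(ch.isalpha() for ch in full_ciphertext[:start])
    keystream = recover_keystream(crib_ciphertext, crib_plaintext)
    period = keystream[: shortest_period(keystream)]
    off = letters_before % len(period)
    return period[-off:] + period[:-off] if off else period


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Standard Vigenère decryption: case is preserved, non-letters pass through unchanged."""
    key = key.lower()
    out, ki = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[ki % len(key)])
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(recover_keystream(CRIB_CIPHERTEXT, CRIB_PLAINTEXT))  # brainfuckmybrainfuckmybrainfu
    key = recover_key(KEY_THREAD_POST, CRIB_CIPHERTEXT, CRIB_PLAINTEXT)
    print(key)  # fuckmybrain
    print(vigenere_decrypt(KEY_THREAD_POST, key))
```

The rotation step is what the online tool leaves to you: the raw keystream starts with “brainfu” only because 28 letters precede the signature and 28 mod 11 is 6, so the key itself is fuckmybrain. With the rotated key the first line of the post decrypts as well, which is a good sanity check before reusing the key on the URL message.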

We downloaded the key, but on opening it we found it is passphrase-protected.

We’ll use John the Ripper to crack the passphrase. John cannot consume the id_rsa file directly; we first have to convert it to John’s hash format.

A bit of research turns up the tool for this: sshng2john.py (in current John the Ripper jumbo builds the script is named ssh2john.py).

python sshng2john.py id_rsa > ssh_key

Now we’re ready to crack the passphrase.

john ssh_key --wordlist=/usr/share/wordlists/rockyou.txt

After a few seconds we got the passphrase: 3poulakia!

Let’s log in over SSH using the key and the passphrase.

ssh -i id_rsa orestis@

Privilege Escalation

Now that we have the user.txt flag, we’re going after root.txt. Apart from user.txt there are three unusual files in /home/orestis/: debug.txt, encrypt.sage and output.txt.

Since it wasn’t obvious what those files were, I searched online and found an RSA decryption tool.

It turns out that output.txt contains the root flag encrypted with RSA and debug.txt contains the P, Q and E values used for the encryption. Because p and q are the secret factors of the modulus, anyone holding them can compute the private exponent d, so the tool can decrypt the ciphertext and recover the root flag.

After running the script we got our root.txt flag.
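The decryption the tool performs, as an added example that is not the walkthrough’s script, the RSA tool’s code, or the contents of encrypt.sage: with p, q and e known, d = e⁻¹ mod (p-1)(q-1) and m = c^d mod n. It assumes textbook RSA without padding and a message encoded as a big-endian integer, which is how a simple Sage script would encrypt a flag; the demo primes, exponent and flag are constructed here and are not the box’s values, and the function names are mine.

```python
# Added example, not the walkthrough's or any tool's code: with p, q and e leaked (as in
# debug.txt) the private exponent follows directly, so the ciphertext (as in output.txt)
# can be decrypted. Assumes textbook RSA (no padding) with the message encoded as a
# big-endian integer.
from math import gcd


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n) with phi(n) = (p-1)(q-1). Fails loudly if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n); the parameters are wrong")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_decrypt_int(c: int, p: int, q: int, e: int) -> int:
    """m = c^d mod n. Rejects ciphertexts outside [0, n) instead of silently reducing them."""
    n = p * q
    if not 0 <= c < n:
        raise ValueError("ciphertext is not reduced modulo n")
    return pow(c, rsa_private_exponent(p, q, e), n)


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def bytes_to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


# Constructed demo parameters (NOT the box's values): two Mersenne primes, so n is about
# 150 bits and the message must be shorter than 18 bytes.
P_DEMO = 2**61 - 1
Q_DEMO = 2**89 - 1
E_DEMO = 65537


def encrypt_demo(message: bytes) -> int:
    """Textbook RSA encryption standing in for the Sage script: c = m^e mod n."""
    m = bytes_to_int(message)
    n = P_DEMO * Q_DEMO
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, E_DEMO, n)


def decrypt_demo(c: int) -> bytes:
    """What the RSA decryption tool does with the values from debug.txt and output.txt."""
    return int_to_bytes(rsa_decrypt_int(c, P_DEMO, Q_DEMO, E_DEMO))


if __name__ == "__main__":
    ciphertext = encrypt_demo(b"root{demo_flag}")  # constructed flag, not the real root.txt
    print(ciphertext)
    print(decrypt_demo(ciphertext))  # b'root{demo_flag}'
```

The gcd check matters when reusing this on real debug output: if e is not coprime to phi(n) the values were copied wrong, and pow(e, -1, phi) would otherwise raise a less helpful error. Converting the recovered integer back to bytes is the step most one-off scripts get wrong when the flag starts with a zero byte; here the flag starts with an ASCII letter so the round trip is exact.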