
Logging in as development

Upon logging in, basic Windows enumeration reveals that no special permissions are granted to the development account.

However, in the root of the machine, we found an interesting development folder.

Obviously, it is hinting that we should take a look at it.

Development folder in root

Within the folder, we find a Krypter_Linux binary. Similarly, we can copy the binary to the local machine using scp.

Ghidra disassembly

undefined8 main(int param_1,long param_2)
{
  size_t sVar1;
  basic_ostream *this;
  ulong uVar2;
  basic_string local_58 [44];
  undefined4 local_2c;
  long local_28;
  int local_20;
  int local_1c;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string();
                    /* try { // try from 00101263 to 001013cf has its CatchHandler @ 001013e5 */
  local_28 = curl_easy_init();
  puts(
      "Krypter V1.2\n\nNew project by Juliette.\nNew features added weekly!\nWhat to expect next update:\n\t- Windows version with GUI support\n\t- Get password from cloud and AUTOMATICALLY decrypt!\n***\n"
      );
  if (param_1 == 2) {
    /* local_1c accumulates the sum of the bytes of argv[1] */
    local_1c = 0;
    local_20 = 0;
    while( true ) {
      uVar2 = SEXT48(local_20);
      sVar1 = strlen(*(char **)(param_2 + 8));
      if (sVar1 <= uVar2) break;
      local_1c = local_1c + *(char *)((long)local_20 + *(long *)(param_2 + 8));
      local_20 = local_20 + 1;
    }
    if (local_1c == 0x641) {
      if (local_28 != 0) {
        puts("Requesting decryption key from cloud...\nAccount: Administrator");
        /* 0x2712 = CURLOPT_URL */
        curl_easy_setopt(local_28,0x2712,"http://passmanager.htb:1234/index.php");
        /* 0x271f = CURLOPT_POSTFIELDS */
        curl_easy_setopt(local_28,0x271f,"method=select&username=administrator&table=passwords");
        /* 0x4e2b = CURLOPT_WRITEFUNCTION */
        curl_easy_setopt(local_28,0x4e2b,WriteCallback);
        /* 0x2711 = CURLOPT_WRITEDATA */
        curl_easy_setopt(local_28,0x2711,local_58);
        local_2c = curl_easy_perform(local_28);
        curl_easy_cleanup(local_28);
        puts("Server response:\n\n");
        this = std::operator<<((basic_ostream *)std::cout,local_58);
        std::basic_ostream<char,std::char_traits<char>>::operator<<
                  ((basic_ostream<char,std::char_traits<char>> *)this,
                   std::endl<char,std::char_traits<char>>);
      }
    }
    else {
      puts("Incorrect master key");
    }
  }
  else {
    puts("No key supplied.\nUSAGE:\n\nKrypter <key>");
  }
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
            ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_58);
  return 0;
}


The binary expects a master key whose characters' ASCII values sum to 0x641. If the check passes, it proceeds to make an API call to the passmanager.htb endpoint on port 1234.
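The check above is an order-insensitive byte sum, so it accepts a very large set of keys rather than one secret. The following Python sketch is an added example, not code from the original writeup or from the Krypter author: it re-expresses the check and counts how many printable-ASCII keys of each length pass it. The function names are hypothetical, and it assumes `char` is signed (as on x86-64 Linux).

```python
TARGET = 0x641          # constant compared against local_1c in the decompilation
LO, HI = 0x20, 0x7E     # printable ASCII range considered here (assumption)


def passes_check(key: bytes) -> bool:
    """Mirror of the loop in main(): add every byte of argv[1] as a signed char."""
    total = sum(b - 256 if b > 0x7F else b for b in key)
    return total == TARGET


def accepting_keys_by_length() -> dict:
    """Map key length -> number of printable-ASCII keys whose bytes sum to TARGET."""
    # ways[s] = number of strings of the current length with byte-sum s
    ways = [1] + [0] * TARGET
    counts = {}
    for length in range(1, TARGET // LO + 1):
        # prefix[i] = sum(ways[:i]), so a window of ways[] is one subtraction
        prefix = [0]
        for n in ways:
            prefix.append(prefix[-1] + n)
        # a string summing to s ends in some byte c in [LO, HI], leaving s - c
        ways = [
            prefix[max(s - LO + 1, 0)] - prefix[max(s - HI, 0)]
            for s in range(TARGET + 1)
        ]
        if ways[TARGET]:
            counts[length] = ways[TARGET]
    return counts


if __name__ == "__main__":
    counts = accepting_keys_by_length()
    for length, n in counts.items():
        print(f"length {length:2d}: {n} accepted keys")
    print("total accepted printable keys:", sum(counts.values()))
```

Because the sum ignores character order and value distribution, the "master key" carries no secrecy, and the real access control has to be enforced by the service the binary calls.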

Looking back at the Windows machine, there is a process listening locally on port 1234.

Port forward

To access the service, we forward the port over SSH.

ssh -L 1234: development@