Logging in as development
Upon logging in, basic Windows enumeration reveals that no special permissions are granted to the development account.
However, in the root of the machine, we found an interesting development folder.
Evidently, it is a hint to take a look at it.
Development folder in root
Within the folder, we find a Krypter_Linux binary. Similarly, we can copy the binary to the local machine using scp.
Ghidra disassembly
undefined8 main(int param_1,long param_2)
{
  size_t sVar1;
  basic_ostream *this;
  ulong uVar2;
  basic_string local_58 [44];
  undefined4 local_2c;
  long local_28;
  int local_20;
  int local_1c;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string();
                    /* try { // try from 00101263 to 001013cf has its CatchHandler @ 001013e5 */
  local_28 = curl_easy_init();
  puts(
      "Krypter V1.2\n\nNew project by Juliette.\nNew features added weekly!\nWhat to expect next update:\n\t- Windows version with GUI support\n\t- Get password from cloud and AUTOMATICALLY decrypt!\n***\n"
      );
  /* param_1 is argc and param_2 is argv: exactly one argument (the key) is expected */
  if (param_1 == 2) {
    local_1c = 0;
    local_20 = 0;
    /* local_1c accumulates the sum of the bytes of argv[1] (param_2 + 8) */
    while( true ) {
      uVar2 = SEXT48(local_20);
      sVar1 = strlen(*(char **)(param_2 + 8));
      if (sVar1 <= uVar2) break;
      local_1c = local_1c + *(char *)((long)local_20 + *(long *)(param_2 + 8));
      local_20 = local_20 + 1;
    }
    /* the only check on the key: the byte sum must equal 0x641 */
    if (local_1c == 0x641) {
      if (local_28 != 0) {
        puts("Requesting decryption key from cloud...\nAccount: Administrator");
        /* 0x2712 = CURLOPT_URL */
        curl_easy_setopt(local_28,0x2712,"http://passmanager.htb:1234/index.php");
        /* 0x271f = CURLOPT_POSTFIELDS, so the request is a POST with this fixed body */
        curl_easy_setopt(local_28,0x271f,"method=select&username=administrator&table=passwords");
        /* 0x4e2b = CURLOPT_WRITEFUNCTION */
        curl_easy_setopt(local_28,0x4e2b,WriteCallback);
        /* 0x2711 = CURLOPT_WRITEDATA: the response body is collected in local_58 */
        curl_easy_setopt(local_28,0x2711,local_58);
        local_2c = curl_easy_perform(local_28);
        curl_easy_cleanup(local_28);
        puts("Server response:\n\n");
        this = std::operator<<((basic_ostream *)std::cout,local_58);
        std::basic_ostream<char,std::char_traits<char>>::operator<<
                  ((basic_ostream<char,std::char_traits<char>> *)this,
                   std::endl<char,std::char_traits<char>>);
      }
    }
    else {
      puts("Incorrect master key");
    }
  }
  else {
    puts("No key supplied.\nUSAGE:\n\nKrypter <key>");
  }
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
            ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)local_58);
  return 0;
}
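Explanation
The binary expects a master key whose characters' ASCII values sum to 0x641. If the check passes, it makes an API call to the passmanager.htb endpoint on port 1234. The URL and the POST body (method=select&username=administrator&table=passwords) are hardcoded in the binary, and the key itself is never sent to the server.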
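The key check described above, rewritten as readable C and extended to count how many printable keys of a given length pass it. This is an added example, not code from the original writeup or from the Krypter binary; the function names and the printable range 0x20..0x7e are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_SUM 0x641   /* constant compared against in the decompiled main() */
#define CH_MIN 0x20        /* assumption: keys are printable ASCII, 0x20..0x7e */
#define CH_MAX 0x7e
#define MAX_LEN 64

/* Same arithmetic as the decompiled loop: add each byte of argv[1] as a signed char. */
int key_sum(const char *key)
{
    int sum = 0;
    for (size_t i = 0; i < strlen(key); i++)
        sum += (signed char)key[i];
    return sum;
}

/* The binary's only gate: nothing but the total is compared. */
int key_accepted(const char *key)
{
    return key_sum(key) == TARGET_SUM;
}

/* Number of printable strings of exactly `len` bytes whose bytes add up to
 * `target`. Dynamic programming over (length, running sum); double is used
 * because the counts exceed 64 bits for longer keys. */
double count_accepted(int len, int target)
{
    static double ways[MAX_LEN + 1][TARGET_SUM + 1];
    if (len < 0 || len > MAX_LEN || target < 0 || target > TARGET_SUM)
        return 0.0;
    memset(ways, 0, sizeof ways);
    ways[0][0] = 1.0;
    for (int n = 1; n <= len; n++)
        for (int s = 0; s <= target; s++)
            for (int c = CH_MIN; c <= CH_MAX && c <= s; c++)
                ways[n][s] += ways[n - 1][s - c];
    return ways[len][target];
}

int main(void)
{
    /* Constructed inputs: two orderings of the same bytes always agree. */
    printf("sum(\"AB\")=%d sum(\"BA\")=%d\n", key_sum("AB"), key_sum("BA"));
    for (int len = 12; len <= 16; len++)
        printf("length %2d: %.3g accepted keys\n", len, count_accepted(len, TARGET_SUM));
    return 0;
}
```

An additive checksum accepts every permutation of a passing key and billions of unrelated strings, so it gates nothing. Access control for the password API has to be enforced by the server, not by a comparison inside a client binary.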
Looking back at the Windows machine, there is a process listening locally on port 1234.
Port forward
To access the service, we forward the port over SSH.
ssh -L 1234:127.0.0.1:1234 [email protected]