PortableKanban


PS C:\Users\jason> ls Downloads
ls Downloads
 
 
    Directory: C:\Users\jason\Downloads
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         3/31/2021   2:36 AM                node_modules                                                         
d-----          4/2/2021   8:21 PM                PortableKanban

I found an unusual/interesting directory within the home directory of the jason user upon completing basic enumeration.

It would appear that the user might have downloaded and been using an application other than the Heep application with the electron-builder package.

PortableKanban appears to be third-party personal task management software available on Windows hosts. It seems to be a personal project, as there isn’t much information available online.

PS C:\Users\jason> cd Downloads/PortableKanban ; ls
 
 
    Directory: C:\Users\jason\Downloads\PortableKanban
 
 
Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/2/2021   7:44 AM                Files                                                                
d-----          4/2/2021   7:17 AM                Plugins                                                              
-a----         2/27/2013   7:06 AM          58368 CommandLine.dll                                                      
-a----         11/8/2017  12:52 PM         141312 CsvHelper.dll                                                        
-a----         6/22/2016   9:31 PM         456704 DotNetZip.dll                                                        
-a----        11/23/2017   3:29 PM          23040 Itenso.Rtf.Converter.Html.dll                                        
-a----        11/23/2017   3:29 PM          75776 Itenso.Rtf.Interpreter.dll                                           
-a----        11/23/2017   3:29 PM          32768 Itenso.Rtf.Parser.dll                                                
-a----        11/23/2017   3:29 PM          19968 Itenso.Sys.dll                                                       
-a----        11/23/2017   3:29 PM         376832 MsgReader.dll                                                        
-a----          7/3/2014  10:20 PM         133296 Ookii.Dialogs.dll                                                    
-a----          4/2/2021   8:22 PM           5920 PortableKanban.cfg                                                   
-a----          1/4/2018   8:12 PM         118184 PortableKanban.Data.dll                                              
-a----          1/4/2018   8:12 PM        1878440 PortableKanban.exe                                                   
-a----          1/4/2018   8:12 PM          31144 PortableKanban.Extensions.dll                                        
-a----          4/2/2021   7:21 AM            172 PortableKanban.pk3.lock                                              
-a----          9/6/2017  12:18 PM         413184 ServiceStack.Common.dll                                              
-a----          9/6/2017  12:17 PM         137216 ServiceStack.Interfaces.dll                                          
-a----          9/6/2017  12:02 PM         292352 ServiceStack.Redis.dll                                               
-a----          9/6/2017   4:38 AM         411648 ServiceStack.Text.dll                                                
-a----          1/4/2018   8:14 PM        1050092 User Guide.pdf                                                       

While the directory contains almost only executables (EXE, DLL) and a PDF manual, there is also a configuration file: PortableKanban.cfg

Configuration File


PS C:\Users\jason\Downloads\PortableKanban> cat PortableKanban.cfg
{
  "RoamingSettings": {
    "DataSource": "RedisServer",
    "DbServer": "localhost",
    "DbPort": 6379,
    "DbEncPassword": "Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb",
    "DbServer2": "",
    "DbPort2": 6379,
    "DbEncPassword2": "",
    "DbIndex": 0,
    "DbSsl": false,
    "DbTimeout": 10,
    "FlushChanges": true,
    "UpdateInterval": 5,
    "AutoUpdate": true,
    "Caption": "My Tasks",
    "RightClickAction": "Nothing",
    "DateTimeFormat": "ddd, M/d/yyyy h:mm tt",
    "BoardForeColor": "WhiteSmoke",
    "BoardBackColor": "DimGray",
    "ViewTabsFont": "Segoe UI, 9pt",
    "SelectedViewTabForeColor": "WhiteSmoke",
    "SelectedViewTabBackColor": "Black",
    "HeaderFont": "Segoe UI, 11.4pt",
    "HeaderShowCount": true,
    "HeaderShowLimit": true,
    "HeaderShowEstimates": true,
    "HeaderShowPoints": false,
    "HeaderForeColor": "WhiteSmoke",
    "HeaderBackColor": "Gray",
    "CardFont": "Segoe UI, 11.4pt",
    "CardLines": 3,
    "CardTextAlignment": "Center",
    "CardShowMarks": true,
    "CardShowInitials": false,
    "CardShowTags": true,
    "ThickTags": false,
    "DefaultTaskForeColor": "WhiteSmoke",
    "DefaultTaskBackColor": "Gray",
    "SelectedTaskForeColor": "WhiteSmoke",
    "SelectedTaskBackColor": "Black",
    "SelectedTaskFrames": false,
    "SelectedTaskFrameColor": "WhiteSmoke",
    "SelectedTaskThickFrames": false,
    "WarmTasksThreshold": 0,
    "WarmTaskForeColor": "WhiteSmoke",
    "WarmTaskBackColor": "MediumBlue",
    "WarmTaskFrameColor": "Goldenrod",
    "HotTasksThreshold": 1,
    "HotTaskForeColor": "WhiteSmoke",
    "HotTaskBackColor": "Blue",
    "HotTaskFrameColor": "Yellow",
    "OverdueTaskForeColor": "WhiteSmoke",
    "OverdueTaskBackColor": "OrangeRed",
    "OverdueTaskFrameColor": "OrangeRed",
    "WarmHotTaskFrames": false,
    "WarmHotTaskThickFrames": false,
    "BusinessDaysOnly": false,
    "TrackedTaskForeColor": "WhiteSmoke",
    "TrackedTaskBackColor": "Red",
    "ShowSubtasksInEditBox": true,
    "CheckForDuplicates": true,
    "WarnBeforeDeleting": true,
    "ProgressIncrement": 5,
    "DisableCreated": false,
    "DefaultPriority": "Low",
    "DefaultDeadlineTime": "PT0S",
    "ShowTaskComments": true,
    "IntervalFormat": "Hours",
    "WorkUnitDuration": 1,
    "SelectAnyColumn": false,
    "ShowInfo": true,
    "CardInfoFont": "Segoe UI, 9pt",
    "InfoTextAlignment": "Center",
    "InfoShowPriority": true,
    "InfoShowTopic": true,
    "InfoShowPerson": true,
    "InfoShowCreated": true,
    "InfoShowDeadlineCompleted": true,
    "InfoShowSubtasks": false,
    "InfoShowEstimate": false,
    "InfoShowSpent": false,
    "InfoShowPoints": false,
    "InfoShowProgress": true,
    "InfoShowCommentsCount": false,
    "InfoShowTags": false,
    "InfoShowCustomFields": false,
    "ShowToolTips": true,
    "ToolTipShowText": true,
    "ToolTipTextLimit": 200,
    "ToolTipShowPriority": true,
    "ToolTipShowTopic": true,
    "ToolTipShowPerson": true,
    "ToolTipShowCreated": false,
    "ToolTipShowDeadlineCompleted": true,
    "ToolTipShowSubtasks": true,
    "ToolTipShowEstimate": true,
    "ToolTipShowSpent": true,
    "ToolTipShowPoints": true,
    "ToolTipShowProgress": true,
    "ToolTipShowCommentsCount": false,
    "ToolTipShowTags": false,
    "ToolTipShowCustomFields": false,
    "TimerWorkInterval": 25,
    "TimeShortBreakInterval": 5,
    "TimerLongBreakInterval": 15,
    "PlaySound": 1000,
    "ActivateWindow": false,
    "TaskBarProgress": true,
    "EnableTimeTracking": true,
    "AlertOnNewTask": false,
    "AlertOnModifiedTask": false,
    "AlertOnCompletedTask": false,
    "AlertOnCanceledTask": false,
    "AlertOnReassignedTask": false,
    "AlertOnMovedTask": false,
    "AlertOnDeletedTask": false,
    "AlertMethod": "None",
    "EmailLogon": true,
    "EmailReviewMessage": true,
    "EmailSmtpPort": 587,
    "EmailSmtpDeliveryMethod": "Network",
    "EmailSmtpUseDefaultCredentials": false,
    "EmailSmtpEnableSSL": false,
    "EmailSmtpTimeout": 5,
    "EmailAttachFile": true,
    "EmailNewTaskSubject": "PortableKanban Notification: New task has been created",
    "EmailDeletedTaskSubject": "PortableKanban Notification: Task has been deleted",
    "EmailEditedTaskSubject": "PortableKanban Notification: Task has been modified",
    "EmailCompletedTaskSubject": "PortableKanban Notification: Task has been completed",
    "EmailCanceledTaskSubject": "PortableKanban Notification: Task has been canceled",
    "EmailReassignedTaskSubject": "PortableKanban Notification: Task has been reassigned",
    "EmailMovedTaskSubject": "PortableKanban Notification: Task has been moved",
    "EmailSignature": "This is automatic message.",
    "PluginsSettings": {
      "bd5d2026e1f7424eab8690a62ad05ad2": {},
      "07a0d797c97c41f789af21ff4298754e": {
        "SourceColumnId": "00000000000000000000000000000000",
        "DestinationColumnId": "00000000000000000000000000000000",
        "Age": 30
      },
      "2e470c79feb946f2b6e74b35245f8e80": {
        "FromDate": "/Date(1617346800000-0700)/",
        "ToDate": "/Date(1617346800000-0700)/",
        "IncludeTopics": false,
        "IncludeTags": false,
        "IncludeComments": false,
        "ReportType": "Html",
        "SortByUser": true
      },
      "680986568fed41c381ef9f230feaa102": {
        "RunOnStartup": false
      },
      "24b7acead7984f8ab16bdb0ae8559fb6": {
        "TopicId": "00000000000000000000000000000000",
        "ColumnId": "00000000000000000000000000000000",
        "FromPersonId": "00000000000000000000000000000000",
        "ToPersonId": "00000000000000000000000000000000"
      }
    },
    "AutoLogon": false,
    "LogonUserName": "",
    "EncLogonPassword": "",
    "ExitOnSuspend": false,
    "DropFilesFolder": "Files",
    "UseRelativePath": true,
    "ConfirmFileDeleteion": true,
    "DefaultDropFilesActionOption": "Copy",
    "CreateNewTaskForEachDroppedFile": true,
    "ParseDroppedEmails": true,
    "RestoreWindowsLocation": true,
    "DesktopShortcut": false,
    "DailyBackup": false,
    "BackupTime": "PT0S",
    "BlockEscape": false,
    "BlackWhiteIcon": true,
    "ShowTimer": true,
    "ViewId": "00000000000000000000000000000000",
    "SearchInSubtasks": false,
    "ReportIncludeComments": true,
    "ReportIncludeSubTasks": true,
    "ReportIncludeTimeTracks": true,
    "ReportIncludeCustomFields": true
  },
  "LocalSettingsMap": {
    "ATOM": {
      "Left": 320,
      "Top": 2,
      "Width": 800,
      "Height": 601,
      "Minimized": false,
      "Maximized": false,
      "FullScreen": false,
      "Hidden": false,
      "AboutBoxLeft": 0,
      "AboutBoxTop": 0,
      "AboutBoxWidth": 0,
      "AboutBoxHeight": 0,
      "EditBoxLeft": 0,
      "EditBoxTop": 0,
      "EditBoxWidth": 0,
      "EditBoxHeight": 0,
      "EditBoxSplitterOrientation": 1,
      "EditBoxSplitterDistance": 0,
      "EditBoxFontSize": 0,
      "EditBoxCommentsSortDirection": "Ascending",
      "ReportBoxLeft": 370,
      "ReportBoxTop": 27,
      "ReportBoxWidth": 700,
      "ReportBoxHeight": 551,
      "SetupBoxLeft": 370,
      "SetupBoxTop": 52,
      "SetupBoxWidth": 700,
      "SetupBoxHeight": 501,
      "ViewBoxLeft": 0,
      "ViewBoxTop": 0,
      "ViewBoxWidth": 0,
      "ViewBoxHeight": 0,
      "LogonBoxLeft": 520,
      "LogonBoxTop": 202,
      "LogonBoxWidth": 400,
      "LogonBoxHeight": 201
    }
  }
}

Interestingly, PortableKanban seems to be used in conjunction with the target Redis server instance as the backend. There is also the DbEncPassword attribute, populated with what appears to be an encrypted string: Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb. It doesn’t appear to be a regular base64 string or the Redis password.
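An added example (not part of the original notes or of PortableKanban itself): a small Python audit that inspects the credential-related keys of the configuration above without decrypting anything, reporting whether a stored value looks like block-cipher ciphertext and whether the Redis connection is configured without TLS. The function names and the trimmed sample are assumptions made for illustration.

```python
import base64
import binascii
import json

# Constructed sample: a trimmed subset of the PortableKanban.cfg shown above
# (same keys and values, UI settings dropped).
SAMPLE_CFG = """
{
  "RoamingSettings": {
    "DataSource": "RedisServer",
    "DbServer": "localhost",
    "DbEncPassword": "Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb",
    "DbEncPassword2": "",
    "DbSsl": false,
    "EncLogonPassword": ""
  }
}
"""

def classify_secret(value):
    """Describe the shape of a stored secret string without decrypting it."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False, "length": len(value), "block": None, "printable": None}
    printable = all(0x20 <= b <= 0x7E for b in raw)
    # Block-aligned binary data hints at a block cipher; 8 vs 16 hints at block size.
    block = 16 if len(raw) % 16 == 0 else 8 if len(raw) % 8 == 0 else None
    return {"base64": True, "length": len(raw), "block": block, "printable": printable}

def audit_cfg(text):
    """Return (key, finding) pairs for credential-related settings."""
    settings = json.loads(text).get("RoamingSettings", {})
    findings = []
    for key, value in settings.items():
        if "Password" in key and isinstance(value, str) and value:
            info = classify_secret(value)
            if info["base64"] and not info["printable"] and info["block"]:
                findings.append((key, f"looks like block-cipher ciphertext: "
                                      f"{info['length']} bytes, {info['block']}-byte aligned"))
            else:
                findings.append((key, "stored secret in unrecognised encoding"))
    if settings.get("DataSource") == "RedisServer" and settings.get("DbSsl") is False:
        findings.append(("DbSsl", "Redis connection configured without TLS"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_cfg(SAMPLE_CFG):
        print(f"{key}: {finding}")
```

A value that is stored next to the binary able to decrypt it is only as protected as the file's ACL, so findings like these are a cue to rotate the backend credential and restrict read access to the configuration file.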

End-User-Only


PS C:\Users\jason\Downloads\PortableKanban> Get-Service *PortableKanban*
PS C:\Users\jason\Downloads\PortableKanban> Get-Process *PortableKanban*

Since there is not a single running service or process for the binary, I’d assume that this software is purely an end-user application, much like notepad.exe.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ searchsploit PortableKanban          
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval                                          | windows/local/49409.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
 
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ searchsploit -X windows/local/49409.py
# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on.
 
# PortableKanBan stores credentials in an encrypted format
# Reverse engineering the executable allows an attacker to extract credentials from local storage
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials
 
[...REDACTED...]

Looking further into the vulnerability, there is a single entry. It seems that the software has already been reverse-engineered for decryption. This would mean that I may be able to decrypt the encrypted password string: Odh7N3L9aVSeHQmgK/nj7RQL8MEYCUMb

The User Guide.pdf file contains the version information. It is clear that development ended during the year 2018, and the project appears to be no longer maintained. Thus, the instance is very likely vulnerable.