Hackthebox - Safe
From nmap, SSH and HTTP are open.

I further scan all ports and find port 1337 open.

This is the web page.

In the source code, there is a comment associated with port 1337.

This is the 1337 port.

I downloaded myapp, and it seems like port 1337 will echo back what we give it.

I use Ghidra to decompile it. There is a buffer overflow.

And there is a function named test.

I create a Python script to get a shell with a ROP chain.


I execute it and get a shell as user. There are a .kdbx file and 6 images. The images may be keyfiles for the KeePass file.

I create all the potential hashes.

One of them is cracked by hashcat.

Opening the KeePass database, I get the root password.

I get permission denied when I try to SSH as root. It may be a restriction in sshd_config. So I SSH as user and switch to root successfully.
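
Added example (not from the original write-up): a small Python check that reads sshd_config text and reports the global `PermitRootLogin` value, the kind of restriction suspected above. The function names and the sample configuration are constructed for illustration, and `Include` directives are assumed not to be in use.

```python
# Added example: report the global PermitRootLogin value from sshd_config text.
DEFAULT = "prohibit-password"  # OpenSSH default when the keyword is absent


def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value sshd would use.

    sshd keeps the first value it reads for a keyword, keywords are
    case-insensitive, and lines after a Match line are conditional
    overrides, so they are not part of the global setting.
    Include directives are not followed (assumption: single file).
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or one "=".
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything below is conditional
        if keyword == "permitrootlogin" and len(parts) > 1:
            value = parts[1].strip('"').lower()
            # "without-password" is the deprecated alias of prohibit-password.
            return DEFAULT if value == "without-password" else value
    return DEFAULT


def root_password_login_permitted(config_text):
    """True only when PermitRootLogin lets root log in with a password."""
    return effective_permit_root_login(config_text) == "yes"


# Constructed sample, not taken from the box in this write-up.
SAMPLE = """\
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print(effective_permit_root_login(SAMPLE))
    print(root_password_login_permitted(SAMPLE))
```

`PermitRootLogin` only governs direct SSH logins as root; as the write-up shows, a local user who knows the root password can still switch to root.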

Author L3o
LastMod 2020-05-30