
stumblebot
@wikibinge
Followers
35
Following
362
Media
2
Statuses
70
On a recent assessment I found a Pentaho webapp using default creds, which sent me down a rabbit hole. I return with a tool to decrypt 'Encrypted' passwords from .KTR files and a method to recover non-default encryption keys.
github.com
Contribute to stumblebot/ktr_parse development by creating an account on GitHub.
1
2
6
RT @chompie1337: A few hours left - leaving it open until the morning on West Coast. Only 3 winners 🤭. Congrats @malware_owl and @_dru1d !!
0
10
0
RT @hashcat: hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the larg…
0
379
0
RT @unsigned_sh0rt: Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: thanks to….
unsigned-sh0rt.net
Walkthrough of how PDQ credentials encrypts service credentials
0
45
0
RT @Blurbdust: It might be a bit rocky for the next couple days as I work out a couple issues with magnet links an….
0
12
0
@ZineaLLC This was a fun bit of research and it got me a few privileged database user creds, which led to code exec. Thx to haicen for pointing out the XOR key recovery process. Have fun and good luck!
blog.haicen.me
A blog about various cyber/physical security topics.
1
0
1
@ZineaLLC Then use key_recovery.py to recover the key (aka 'seed') value. This seed can be passed to ktr_parse.py to decrypt any passwords that used the seed.
1
0
1
@ZineaLLC If you have valid creds for a pentaho webapp, you may have two options: 1. Create a new connection with creds that you set, then download the .KTR to obtain the ciphertext. 2. Modify an existing DB connection and execute a passback attack.
1
0
1
@ZineaLLC Since the 'Encryption' is just XOR, if we know a plain/ciphertext combo we can derive the key! plain XOR key == ciphertext; plain XOR ciphertext == key. So how do we get a plain/ciphertext combo if we can't decrypt the password?
1
0
1
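The XOR identity in the thread above (plain XOR key == ciphertext, so plain XOR ciphertext == key), worked through as an added example. This is not code from the original thread or from ktr_parse.py, and it does not reproduce Pentaho's actual storage format; the key, the known password and the second stored credential are constructed toy values, and the repeating-key scheme is a stand-in used only to show why one known plaintext/ciphertext pair is enough to read every other value protected by the same static key.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call both 'encrypts' and 'decrypts'."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """plain XOR key == cipher, therefore plain XOR cipher == key.
    Yields key material for exactly as many bytes as the known pair is long."""
    if len(plain) != len(cipher):
        raise ValueError("known plaintext and ciphertext must be the same length")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def shortest_period(stream: bytes) -> int:
    """Smallest repeat length consistent with a recovered key stream.
    Caveat: a known pair shorter than the real key can only give a partial key,
    and a very short pair may suggest a period that is too small."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return period
    return len(stream)


def demo() -> dict:
    # Constructed values for the walkthrough: not a real Pentaho seed or connection.
    secret_key = b"c0nstructed-s33d"
    # The one pair the analyst controls: a password they set, and what got stored.
    known_plain = b"password-i-chose!!"
    known_cipher = xor_bytes(known_plain, secret_key)
    # A different stored credential that could not be read before key recovery.
    other_cipher = xor_bytes(b"svc_db_user:Hunter2", secret_key)

    stream = recover_keystream(known_plain, known_cipher)
    recovered_key = stream[: shortest_period(stream)]
    return {
        "recovered_key": recovered_key,
        "key_fully_recovered": recovered_key == secret_key,
        "other_plaintext": xor_bytes(other_cipher, recovered_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The defensive takeaway is the one the thread makes: a static XOR key is an encoding, not a secret, because anyone who can store one value of their choosing learns the key for every other value. Treat stored connection credentials as recoverable by any user who can edit connections, rotate the downstream database and LDAP/SMTP accounts when such access is exposed, and watch for connection edits and new connections pointed at unfamiliar hosts.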
@ZineaLLC ktr_parse.py handles parsing and decrypting passwords and related information. This uses a default key, but admins can set their own if they want. It's set as an env variable and isn't accessible via the webapp. We can still get it though!
1
0
1
@ZineaLLC While databases seem to be the most typical targets here, other service credentials may be used as well. I've seen LDAP and SMTP. Maybe other services are supported as well! Also, logins for other Pentaho servers can be stored as well.
1
0
1
@ZineaLLC put together a blog post a while ago about using a KTR to decrypt these encrypted values. It works, but requires you to install a bunch of stuff and is a GUI-only tool.
github.com
Decrypts locally stored Pentaho Kettle (Spoon) Passwords - Riktastic/Pentaho-Kettle-Password-Decrypt
1
0
2
This info includes the DB type, port, hostname, DB name, username, and an 'Encrypted' password. The 'encryption' is XOR using a default key, which is published in their source code.
github.com
Pentaho Data Integration ( ETL ) a.k.a Kettle. Contribute to pentaho/pentaho-kettle development by creating an account on GitHub.
1
0
2
RT @Bandrel: I did not approve of the timing of this release but here it is. Blog coming soon.
github.com
Initial PR of ESC15 attack discovered and disclosed by Justin Bollinger from TrustedSec (https://x.com/Bandrel) Edit: Here are some additional details about the attack. As other people have noted, ...
0
37
0
RT @Blurbdust: And a small update, generation is over halfway and will actually finish! A release of a torrent should be out before the end….
0
8
0
RT @CrackMeIfYouCan: CMIYC 2024 has finished! HashMob won first place in Pro:
infosec.exchange
Ok, official results are official: Pro: HashMob super narrow victory over hashcat, Cynosure Prime taking third. Street: ThatOnePasswordWas40Passwords dominated. Thanks to both our returning contest...
0
9
0