En Pass


Save with Enpass Coupons. It’s no secret that shopping online saves you time and money. That’s why we’re always updating this page with the latest Enpass discounts. The best Enpass discount right now is for 60% off Individual Plan. Enpass Discount Deal. Our everyday life is filled with too many passwords and various types of credentials. Enpass takes care of your credit cards, identities, social security number, and all the credentials you need handy in your daily life. E-PASS for the Road Ahead. From free toll stickers to volume discounts, count on E-PASS for quick and easy toll travel that puts money back into your pocket – saving you time and money for more important things on your road ahead. Note that data export from Enpass is not possible on mobile devices, so make sure you have access to your computer. The export process for Mac users: Open and login to your Enpass account; Select File → Export; Choose JSON file format, select a file name and location for export and click Export. Enter your master password and get your data. Note that data export from Enpass is not possible on mobile devices, so make sure you have access to your computer. The export process for Mac users: Open and login to your Enpass account; Select File → Export; Choose JSON file format, select a file name and location for export and click Export. Enter your master password and get your data.

En-pass is a medium difficulty room, created by @kiransau

Directory busting reveals four paths: a recursive path that contains a passphrase-protected private SSH key, an input form where the correct input will print a password, a 403 status page that can be bypassed to reveal a username, and a file directory with a hundred archives.

Each path can be solved and each solution’s puzzle piece can be assembled together to achieve a low-privileged shell to the target.

Privilege escalation is possible due to a scheduled task that executes a python script as the root user. The script reads and executes the contents of a YAML file. Injecting malicious commands into the YAML file allows arbitrary code execution.

  • Port 22, SSH
    • No obvious usernames or passwords to try and brute force.
  • Port 8001, HTTP
    • The main page contains a slideshow with three pictures:
    • The first picture shows ciphertext; caesar cipher 3-shift reads “best of luck”.
    • The second picture reads: “Sad <newline> Z”, after base64 decryption.
    • The third picture has a quote about a mountain; I couldn’t find the source.
  • /web/ is interesting, and can be recursively directory busted to find anything interesting
  • /reg.php contains a POST submit form with little obvious information
  • /403.php responds with a 403 status, may be able to bypass?
  • /zip/ contains over 100 zip files

By recursively directory busting, the full path is found:


Attempt to crack the private key with JTR

Hashcat cannot crack RSA private keys so John the Ripper is used. Convert the private key into a format readable by john with ssh2john.py.

Tried to crack the private key using both rockyou.txt and the best64 rules but no luck.

Examining the source of the page shows php logic:

Notice the 'Congo' username in the source code.

If the input is correct, $result is printed. The logic is as follows:

  • The ‘title’ POST parameter is exploded; input is separated by ‘,’ and then placed into a list.
  • ‘sum’ is a counter variable and is incremented in a loop each time the conditions are met; the loop iterates 9 times. So if the conditions are true, then ‘sum’ will have the value of ‘9’ after the loop.
  • If ‘sum’ is 9 at the end of the loop, the $result will be printed.

What does the input need to be in order for the conditions to be true?

  • The input needs to be comma (,) separated like a list. The first index of the list will be [0].
  • The first condition is strlen($val[0]) 2. This means the length of the first item in the list needs to have a length of 2.
  • The next condition means the index [8] of the list needs to have a length of 3.
  • The index [5] value needs to be different than index [8]’s value.
  • The index [3] value needs to be different than index [7]’s value.
  • A proper input that meets all these conditions is:

This password is the passphrase for the private SSH key. Verifying with JTR:

Attempt to bypass this 403 with 403fuzzer.py:

  • $./403fuzzer.py -u http://target:8001/403.php

The one with a different length (917) is the path that can bypass this 403 status.

Can add ‘imsau’ to the list of potential usernames.

/zip/ is a file directory with 102 zip files. Files a0.zip – a100.zip are identical, each with a file named ‘a’ containing the string “sadman”.

The only file noteworth here is a.zip, who’s size (940B) is far larger than the other files. a.zip is an archive containing: a0.zip, a50.zip, and a100.zip. They are all the same, containing a file named ‘a’ containing the string “sadman”.

Add “sadman” to the list of potential usernames.

With a private SSH key in hand, and it’s passphrase, all that’s needed is a username.

The list of potential usernames is:

  • kiransau
  • kiran
  • sau
  • congo
  • imsau
En Pass

The correct username that successfully authenticates is imsau.

Identifying the Privilege Escalation Path

There is interesting folder in /opt/, called /scripts/ with a python script inside. file.py reads and executes the contents of /tmp/file.yml in the yaml.load() function. /tmp/file.yml doesn’t exist, so we can write it and hopefully insert malicious commands inside it.

The file.py script is owned by root, but imsau user can execute it in context of imsau. The script does not have SUID bit set so imsau user cannot run it as root.
So, if the ‘imsau’ user cannot manually run the script with elevated privileges, maybe there is a cron job or a scheduled task that runs the script as root.

  • Running linpeas.sh doesn’t show any jobs or scheduled tasks
  • Use pspy64; it monitors in real-time any processes that are created, with their command-line arguments.
  • Here it shows the file.py script being run with sudo and then /tmp/file.yml is deleted.
  • Goal is to determine what malicious commands we can write in /tmp/file.yml to have yaml.load() function execute those commands.

Malicious Payload

Initially found this link and followed the payload Alex Chan used: https://alexwlchan.net/2019/12/yaml-impossible/, but there was no ‘exec’ module on the system.

Another payload method was found and tested: https://xerosecurity.com/wordpress/exploiting-python-deserialization-vulnerabilities/

  • can successfully create a file named “swag.txt”

Write a malicious payload; copy bash to /tmp and set the SUID bit as root.

Why should you pay hard-earned cash for a password manager when you can take advantage of free services and use them without paying a single cent? Both Enpass and KeePass offer all of their features entirely for free. Although Enpass focuses its business model around its mobile app, it provides its services for desktop users at zero cost. Meanwhile, KeePass is a free open-source password manager with a loyal community that actively develops new ports and features. That being said, KeePass isn't the easiest software to work with, and you'll need to be tech-savvy to operate it. So, which one should you pick?

OverviewAppsAdd-onsData TypesSecurity & PrivacyFree VersionPricingPayment MethodsSupport
En passant
Main Features
Free VersionsFree VersionFree Versions
Form Filling
Cloud Syncing
Local Storage
Password Generator
Password Sharing
Import Browser Data
Import Competitor Data
Export Data
Mobile Apps
Browser App
Windows App
macOS App
iOS App
Android App
watchOS App
Linux App
Kindle App

Enpass Password Manager Share

Browser Extensions
Google Chrome
Internet Explorer
Microsoft Edge
Data Types
Payment Information
Secure Notes
Email Accounts
Wi-Fi Networks
Software Licenses
Security and Privacy Features
Fingerprint Login
Mobile App Pin Unlock
Two-Factor Authentication
Features of the Free Version
Password Sharing
# Credentials
  • Desktop: Unlimited
  • Mobile: 25
Pricing Plans
Lifetime License
Free Trial
Free Version
Money-Back Guaranteen/a
Available Payment Methods
American Expressn/a
Wire Transfern/a
Customer Service
Live Chat
On Call


There’s nothing you can’t store in Enpass’s vault. In addition to the dozens of pre-built data forms, this password manager offers you full flexibility by providing the ability to create personalized data forms with plenty of fields to select from. One of Enpass’s main strengths is that it offers all of its features for free on desktop. This means that if you’re looking for a password manager to only use on your computer, you can take full advantage of Enpass at zero cost. The software provides a password generator that goes up to 100 characters, an audit that warns you about weak and repeated passwords, and a browser extension that will autofill credentials for you. You can also synchronize your devices and share items with others, but it’s a little trickier as Enpass uses third-party cloud services to do so.

En Pass

Enpass Password Generator

The mobile free plan is far more limited, only providing space for up to 25 data entries. Despite this, since the password manager’s price starts at $0.99 per month, upgrading to a paid plan is quite cheap.


Use our special promotional code below and if you haven’t used RoboForm before you can enjoy RoboForm Everywhere or Family for as low as $1.16 per month, saving 30% on the subscription fees.


With the number of plugins and extensions developers have written for KeePass, this open-source password manager can do everything entirely for free. However, it’s not the easiest software to use, and one of the first things you’ll notice about KeePass is its dated interface. The password manager was developed in 2003 and it’s obvious that there hasn’t been a cosmetic update ever since.


Even without the add-ons, KeePass already provides plenty of features that put other companies’ free plans to shame. In addition to a password generator that can create keys containing up to 30,000 characters, the software also lets you store all the credentials you want and group them into folders, add expiry dates, and attach files to them. Furthermore, instead of an autofill, KeePass comes with an autotype mechanism, which requires you to input your own keystroke sequence for each website. Although this takes more effort, it ensures KeePass will be able to automatically login to any type of account without a problem.

KeePass Password Generator

KeePass stores all data locally on your computer and everything is secured with AES-256 encryption, ensuring that no one has access to your information even if your device is stolen. Like all of KeePass’s features, you can also improve this password manager’s security through the available add-ons and extensions.


If you have the knowledge and the patience to play around with KeePass’s add-ons, this password manager can do everything without you having to pay a cent. Consequently, it’s the best option for anyone looking for a reliable and comprehensive password manager at zero cost. However, if you prefer a more straightforward and better-looking piece of software, Enpass is the way to go. In the end, both provide security and advanced features not found in other password managers. The ideal way to figure out which one works best for you is by trying them out yourself. Since they’re both completely free to use, you won’t have to spend a dollar to check which one meets your requirements the most.

Best Password Managers of 2021

Editor's Choice 2021
  • Fantastic security
  • Flexible platform
  • Reasonably priced
  • Easy-to-use
  • Simple, straightforward
  • Flawless data import
  • Built-in VPN
  • Advanced iOS/Android app

  • Simple and straightforward client
  • Categorization of stored credentials
  • Biometric authentication
  • Versatile customer service

Get the Best Deals on Password Managers

Subscribe to our monthly newsletter to get the best deals, free trials and discounts on password managers.