Keeper | HackTheBox Writeups

Bishal Ray -#GxbNt
4 min read · Nov 27, 2023

Adding Target to /etc/hosts file

Make sure you add keeper.htb to the /etc/hosts file.

sudo vi /etc/hosts

Nmap Scan

nmap -sC -sV -p- keeper.htb

From the Nmap scan, we found that ports 22 and 80 are open.

Enumeration

When we visit port 80 in the browser, there is a link to tickets.keeper.htb/rb for raising a ticket.

On clicking the link, we get an error that the browser cannot connect to the server, so we should add tickets.keeper.htb to our /etc/hosts file.

http://tickets.keeper.htb/rb

When we click on the link, it redirects us to a login page. We don't have credentials to log in, so we can try random credentials or search for default credentials for the ticket system's web login.

When we searched Google for default credentials, we found the username and password. We can use them to log in to the web portal.

username:password = root:password

After logging in, when we navigate to Admin>Users>Select>lnorgaard, we can find the username for Unix login and a password. Since we have a Unix username, we can try to connect over SSH.

username:password = lnorgaard:Welcome2023!

SSH was successful. Got the user flag!!!!

Privilege Escalation

While enumerating the system, we can find a zip file in the lnorgaard home directory.

unzip RT30000.zip

After unzipping the file, we can find the KeePassDumpFull.dmp file and passcodes.kdbx.

To investigate both files, I downloaded them to my own system using a Python server.

I searched on Google for how to open the KeePass dump file, as the name of the file is keepassdump. Upon searching, I identified that it is vulnerable to CVE-2023-32784, which can help us find the master password. I also found the PoC for CVE-2023-32784 and used it.

There were a lot of possible passwords, so I decided to try them, but they did not work. The password was also not clear, so I searched for the text on Google, hoping to find something.

I found it was the name of a dish from Denmark. The user lnorgaard is also from Denmark, so it makes sense that it might be the password, and I tried it.

Password: rødgrød med fløde
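The Python script below is an added example, not part of the original writeup and not the PoC it mentions. It triages a dump for the residue behind CVE-2023-32784 and reports only how many candidate characters exist at each password position, which shows why the tool's output is ambiguous: the first character is never recoverable and some positions have several candidates. It assumes the residue is the U+25CF masking character repeated n times and followed by the typed character in UTF-16LE; the function names and the sample bytes are constructed for illustration.

```python
import mmap
import re
import sys

# Assumption: each typed character leaves n masking bullets (U+25CF, bytes CF 25 in
# UTF-16LE) followed by the character itself, where n + 1 is its position.
RESIDUE = re.compile(rb"((?:\xcf\x25)+)(?!\xcf\x25)(..)", re.DOTALL)


def triage(data):
    """Map password position -> number of distinct candidate characters found.

    The characters themselves are never returned or printed.
    """
    seen = {}
    for match in RESIDUE.finditer(data):
        tail = match.group(2)
        if tail == b"\x00\x00":  # bullets followed by a terminator: plain UI text
            continue
        position = len(match.group(1)) // 2 + 1
        seen.setdefault(position, set()).add(tail)
    return {pos: len(chars) for pos, chars in sorted(seen.items())}


def exposes_typed_secret(report, min_run=4):
    """True when positions 2, 3, 4, ... are covered without a gap for min_run characters."""
    run = 0
    while run + 2 in report:
        run += 1
    return run >= min_run


def constructed_dump(secret="tangerine"):
    """Constructed sample bytes (not a real dump): residue for `secret` plus one stray fragment."""
    parts = [("\u25cf" * i + ch).encode("utf-16-le") for i, ch in enumerate(secret) if i]
    parts.append("\u25cf\u25cfx".encode("utf-16-le"))  # second candidate at position 3
    return b"\x00\x11\x22\x33".join(parts)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a dump file from your own environment
        with open(sys.argv[1], "rb") as fh:
            report = triage(mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ))
    else:
        report = triage(constructed_dump())
    print("candidates per position:", report)
    print("handle as credential material:", exposes_typed_secret(report))
```

A dump that returns True here should be stored and shared like the password database itself, not left as a ticket attachment in a home directory.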

I used the keepass2 Linux tool to open the file. After entering the correct password, we can find PuTTY-User_Key in the notes, and the title shows that it belongs to the root user. So, we can use it to log in as the root user.

puttygen puttykey -O private-openssh -o id_rsa
chmod 600 id_rsa

I saved the PuTTY key in a file named puttykey, then converted it to an id_rsa key using the puttygen tool so that I could connect over SSH using the private key.

ssh -i id_rsa root@keeper.htb

Logged in as root.

Got the root flag!!!!!!!!!!!!
