Keeper
Keeper writeup by Thamizhiniyan C S
Last updated
Greetings everyone,
In this write-up, we will tackle Keeper from HackTheBox.
Machine link: Keeper
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
rustscan -a <TARGET_IP> -- -A -T4 -v -Pn
From the results of the scan, we can see that two ports are open:
Next I checked the nginx server running on port 80.
When I visited the website, I got the above link, which redirected to tickets.keeper.htb.
You can see the above error on redirection. To view this site, we have to add an entry in the /etc/hosts file on our local machine that maps this domain to the target IP address.
Open the /etc/hosts file with your favourite text editor and add the following line: 10.10.11.227 tickets.keeper.htb
Now revisit the website and refresh; you can see the following site:
This is a Request Tracker web server. On searching Google for Request Tracker default credentials, I found this:
So, I tried the above mentioned credentials root:password, and it worked:
After surfing the application for some time, in the Admin > Users tab, I found another user:
On viewing the details of the user, I found the password.
So we found another user with the following credential: lnorgaard:Welcome2023!
I logged in with the above found credential.
The dashboard was in Danish, so I used Google Translate to translate the page to English. There was a ticket in the queue titled "Issue with Keepass client on Windows". The ticket details mentioned that the crash file was attached to the ticket.
But no attachment was found. After investigating for some time, I noted the ticket ID and logged back in as the root user.
As root user, I searched for the ticket with the ID that I noted.
From the history section of the results, we can deduce that the user lnorgaard has downloaded and stored the crash file in their home directory.
So I logged in to the target via SSH using the credential: lnorgaard:Welcome2023!
After logging in, I checked the home directory.
In the home directory, I found the crash file as well as the user flag.
I started a simple HTTP server using Python on the target machine and downloaded the crash file to my local machine for analysis.
Next I extracted the files using unzip.
Two files were extracted from the zip: one is a memory dump file and the other is a KeePass database.
On searching Google about the KeePass dump file, I found that it is affected by CVE-2023-32784, i.e., there is a possibility that the master key for the KeePass database is recorded in a crash report file. On searching further I found the following page:
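What made this chain work was a KeePass memory dump left in a home directory next to the database it unlocks. As an added example that is not part of the original write-up, the POSIX shell function below audits a directory tree for exactly that combination and reports whether each hit is readable beyond its owner; the directory and file names in the usage at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up). Lists memory dumps (.dmp) and
# KeePass databases (.kdbx) under a directory tree, one hit per line:
#   <kind> <permission-class> <path>
# Intended for a defender auditing home directories, e.g. audit_keepass_dumps /home
audit_keepass_dumps() {
    base="$1"
    find "$base" -type f \( -iname '*.dmp' -o -iname '*.kdbx' \) 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            *.dmp|*.DMP) kind="memory-dump" ;;
            *)           kind="keepass-db" ;;
        esac
        # -perm -004: the "other" read bit is set, so any local user can copy it
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            perm="world-readable"
        else
            perm="owner-only"
        fi
        printf '%s %s %s\n' "$kind" "$perm" "$f"
    done
}

# Stand-alone demo on a constructed tree (not the target box).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lnorgaard"
: > "$demo_dir/lnorgaard/KeePassDumpFull.dmp"
chmod 644 "$demo_dir/lnorgaard/KeePassDumpFull.dmp"
: > "$demo_dir/lnorgaard/passcodes.kdbx"
chmod 600 "$demo_dir/lnorgaard/passcodes.kdbx"
audit_keepass_dumps "$demo_dir"
rm -rf "$demo_dir"
```

A dump flagged world-readable next to a .kdbx is the finding to act on: delete or move the dump off the multi-user host and rotate the master key.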
I downloaded the script from the above mentioned GitHub page using wget.
wget https://raw.githubusercontent.com/CMEPW/keepass-dump-masterkey/main/poc.py
Next I ran the script using the command:
python3 poc.py -d KeePassDumpFull.dmp
From the results of the script, we got a list of possible passwords. Mostly only the first two characters differ across the list. So I searched Google for the remaining two words and found the following:
It seems to be a Danish delight. Let's try rødgrød med fløde as the master key. First, to view the contents of a KeePass database, you need KeePass installed on your system. You can download and install KeePass for your respective system from https://keepass.info/download.html
Next, to open the database, type the following command: keepass2 passcodes.kdbx
On the pop-up screen, enter the master key and hit OK.
It worked:
There were two entries. The entry with the title keeper.htb has the contents of a PuTTY key file in the notes section:
Copy this content and save it as a PuTTY key file (.ppk). You can copy the notes by the following method:
Now copy the contents of the notes and save it in a .ppk file.
Now from the PuTTY key that we got, we can generate an OpenSSH private key using puttygen.
Command: puttygen puttykey.ppk -O private-openssh -o idrsa.pem
Next, using the generated key file, log in via SSH to the target:
Now we have access as root.
And we have successfully found the root flag.
Thank You………..
Ports | Services | Version |
---|---|---|
22 | SSH | OpenSSH 8.9p1 |
80 | HTTP | nginx 1.18.0 |