Keeper – HackTheBox Writeup
Machine Name: Keeper
IP: 10.10.11.227
Difficulty: Easy
Summary
Keeper is an easy machine which starts with logging into a Request Tracker dashboard using default credentials and discovering SSH user credentials. A KeePass database file is discovered, whose master password is then recovered from a memory dump using CVE-2023-32784. Although the credentials for root are obtained from the exploit, the password needs to be used along with a key to log into SSH. The key found is a PuTTY key, which needed to be converted to OpenSSH key format to log in as root.
Information Gathering
The Nmap scan shows that port 22 (SSH) and port 8080 (HTTP) are open. Port 80 is running Nginx 1.18.0 on Ubuntu.
When I visited the webpage on port 80, I found a virtual host called “tickets.keeper.htb”, which I added to the /etc/hosts file.
Using Default Credentials to Gain User Shell
I visited “tickets.keeper.htb/rt” and found a login page that discloses that it is running “RT 4.4.4+dfsg-2ubuntu1 (Debian)”.
I googled for the same and found that “rt” is in fact “Request Tracker”. I googled the default credentials for it and found them to be “root:password”. Then I tried these default credentials on the login page and was successfully logged in.
I checked the Users page under the Admin tab and found two users.
I selected lnorgaard and found the password for the user. Of course, I checked root as well but didn’t find any passwords there.
I tried to SSH in using the password “Welcome2023!” and got logged in!
Privilege Escalation
As always, I tried sudo -l but lnorgaard cannot run sudo. I checked for the files in the home directory and found that a zip file owned by root existed. I unzipped it to find a KeePass file.
I attempted to analyze the passcodes.kdbx file with strings and, as expected, it did not reveal any plaintext passwords. I tried to open the file in the KeePass software but was asked for a master key. To access the KeePass database, a password or key file is required.
Cracking KeePass Master Password (CVE-2023-32784)
I looked for KeePass exploits and found “CVE-2023-32784”, whose PoC requires .NET to run. I cloned the repository and moved the “KeePassDumpFull.dmp” file into the same directory as the PoC.
git clone https://github.com/vdohney/keepass-password-dumper
cd keepass-password-dumper
cp ../KeePassDumpFull.dmp .
dotnet run KeePassDumpFull.dmp
Output:
M}dgrød med fløde
When I used the password from the output, I got an error saying the key is invalid.
I googled the recovered string and found that it is a Danish pudding named “rødgrød med fløde”. I tried this as the password and it worked.
When I tried to edit the root entry, I was provided with an unhide button that revealed the current password “F4><3K0nd!”.
When I tried this password over SSH, the system did not accept it.
Converting the PuTTY Key to an OpenSSH Key
The notes show the PuTTY key of the user. Let’s try to use the key along with the password to log in. Since I did not know how to use this key, I asked ChatGPT.
I followed the steps given by ChatGPT.
First, I installed PuTTY and then tried to convert the PuTTY key into OpenSSH format, but it gave me an error stating “PuTTY key format too new”.
sudo apt install -y putty
vi private_key.ppk
puttygen private_key.ppk -O private-openssh -o ssh_private_key_root
Turns out, I needed a newer version of PuTTY. To fix this, I installed the PuTTYgen GUI on Windows: I downloaded the PuTTYgen executable, loaded the PuTTY key, exported it to OpenSSH format from the “Conversions” menu and used it to log in with the password.
ssh root@10.10.11.227 -i keeper_root
Finally, I am logged in as root after using the OpenSSH private key for root.
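The “PuTTY key format too new” error above is predictable from the first line of the .ppk file: format 3 files need a puttygen from PuTTY 0.75 or later, while older distribution packages only read format 2. As an added example that is not part of the original writeup, this POSIX shell script reads a .ppk header and reports its format version, key type and whether the private part is encrypted, so you know before converting whether the installed puttygen will cope. The sample file it builds is constructed with placeholder key lines (not a real key), and the version thresholds (format 3 from PuTTY 0.75, format 2 from 0.52) are stated from the PuTTY release history as I recall it, so treat them as an assumption to check against your own puttygen --version.

```shell
#!/bin/sh
# Added example (not from the original writeup): inspect a PuTTY .ppk header
# before handing it to puttygen. PPK format 3 was introduced in PuTTY 0.75;
# older distro-packaged puttygen builds only understand format 2.

# Write a constructed, minimal .ppk header to $1 using format version $2.
# The key material lines are placeholders, not a real key.
make_sample_ppk() {
    printf 'PuTTY-User-Key-File-%s: ssh-rsa\n' "$2" > "$1"
    printf 'Encryption: none\n' >> "$1"
    printf 'Comment: constructed-sample\n' >> "$1"
    printf 'Public-Lines: 1\n' >> "$1"
    printf 'PLACEHOLDER_PUBLIC_LINE\n' >> "$1"
    printf 'Private-Lines: 1\n' >> "$1"
    printf 'PLACEHOLDER_PRIVATE_LINE\n' >> "$1"
}

# Print the PPK format version (e.g. "3"); prints nothing for a non-PPK file.
ppk_version() {
    head -n 1 "$1" | sed -n 's/^PuTTY-User-Key-File-\([0-9][0-9]*\):.*$/\1/p'
}

# Print the key algorithm named on the first line (e.g. "ssh-rsa").
ppk_key_type() {
    head -n 1 "$1" | sed -n 's/^PuTTY-User-Key-File-[0-9][0-9]*: *//p'
}

# Print "none" when the private part is stored unencrypted, otherwise the
# cipher name, in which case puttygen will prompt for a passphrase.
ppk_encryption() {
    sed -n 's/^Encryption: *//p' "$1" | head -n 1
}

# Minimum PuTTY release whose puttygen reads this file's format
# (assumed thresholds: format 3 -> 0.75, format 2 -> 0.52).
ppk_min_putty() {
    case "$(ppk_version "$1")" in
        3) echo "0.75" ;;
        2) echo "0.52" ;;
        *) echo "unknown" ;;
    esac
}

# Demo on a constructed format-3 file, the case that tripped the old puttygen.
demo_ppk() {
    f=$(mktemp)
    make_sample_ppk "$f" 3
    echo "version:    $(ppk_version "$f")"
    echo "key type:   $(ppk_key_type "$f")"
    echo "encryption: $(ppk_encryption "$f")"
    echo "needs PuTTY >= $(ppk_min_putty "$f")"
    # Once puttygen is new enough, the conversion command is unchanged:
    #   puttygen "$f" -O private-openssh -o id_rsa_root
    rm -f "$f"
}

demo_ppk
```

Run it against the real file with ppk_version private_key.ppk and compare the reported minimum with puttygen --version; if the packaged build is too old, converting on a machine with a current PuTTY (as done above with the Windows PuTTYgen) is the quickest fix.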
Pwned!