HackTheBox - Keeper
Tools
- netcat
- putty
- keepass-password-dumper
Getting User
Nmap
┌──(kali㉿kali)-[~/HTB/Keeper]
┌──(kali㉿kali)-[~/HTB/Keeper]
Foothold
Visiting http://10.129.59.247/, there's a hyperlink saying “*To raise an IT support ticket, please visit tickets.keeper.htb/rt/*”
Add vhosts to hosts file
┌──(kali㉿kali)-[~/HTB/Keeper]
tickets.keeper.htb/rt/ takes us to the login page of the Request Tracker app (version RT 4.4.4+dfsg-2ubuntu1)
I look up RT 4.4.4+dfsg-2ubuntu1 and find that the admin account has default credentials, which are root:password
We were able to log in using the default credentials.
Going to Admin > Users > Select and selecting the lnorgaard user, we find the following comment
New user. Initial password set to Welcome2023!
We are able to use lnorgaard's credentials to get a foothold
┌──(kali㉿kali)-[~/HTB/Keeper/files]
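The comment on the lnorgaard account is a password stored in a free-text user field. As an added example (not part of the original write-up), this Python script audits exported user records for that pattern and reports masked hits. The record shape, the field names (`comments`, `signature`, `freeform`) and the phrase list are assumptions, and the sample records are constructed apart from the comment quoted above.

```python
import re

# Phrases that typically precede a credential written into a free-text field.
# The list is an assumption for this example, not an exhaustive rule set.
CRED_PATTERN = re.compile(
    r"""(?ix)
    \b(?:initial\s+|temp(?:orary)?\s+|default\s+|new\s+)?
    (?:password|passwd|pwd|passphrase)\b
    \s*(?:(?:is|was|set\s+to|changed\s+to|reset\s+to)\b|[:=])\s*
    (?P<secret>\S+)
    """
)


def mask(secret):
    """Keep only the first character so the report does not re-leak the value."""
    return secret[:1] + "*" * (len(secret) - 1)


def audit_users(users, fields=("comments", "signature", "freeform")):
    """Return (username, field, masked_secret) for each free-text field
    that appears to contain a password."""
    findings = []
    for user in users:
        for field in fields:
            text = user.get(field) or ""  # tolerate missing or null fields
            for m in CRED_PATTERN.finditer(text):
                secret = m.group("secret").rstrip(".,;")
                findings.append((user["name"], field, mask(secret)))
    return findings


# Constructed sample records shaped like a user export (hypothetical layout);
# only the first comment is taken from the page.
SAMPLE_USERS = [
    {"name": "lnorgaard", "comments": "New user. Initial password set to Welcome2023!"},
    {"name": "jdoe", "comments": "Asked for a password reset form; sent link."},
    {"name": "svc_backup", "comments": None, "freeform": "pwd: Example-Only-1"},
]

if __name__ == "__main__":
    for name, field, secret in audit_users(SAMPLE_USERS):
        print(f"{name}: possible password in '{field}': {secret}")
```

Any account it flags should have its password rotated and the comment scrubbed, since anyone who can read the user record can read the credential.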
Getting Root
Information Gathering
Start a Python HTTP server to download RT30000.zip to your machine
┌──(kali㉿kali)-[~/HTB/Keeper/files]
We find a KeePass dump file and database upon extracting the contents of the zip file
┌──(kali㉿kali)-[~/HTB/Keeper/files]
I found a PoC to dump the master password from KeePass's memory: https://github.com/vdohney/keepass-password-dumper (CVE-2023-32784)
┌──(kali㉿kali)-[~/HTB/Keeper/files/keepass-password-dumper]
The PoC couldn’t find the first two characters.
Upon searching dgrød med fløde on the web, I find Rødgrød med fløde, which could be the password.
Installed keepassx
┌──(kali㉿kali)-[~/Downloads]
Open passcodes.kdbx and enter the password rødgrød med fløde
We get in and find a folder called Network, which contains root's PuTTY RSA key
Privilege Escalation
I'm going to install PuTTY to use the key
┌──(kali㉿kali)-[~/HTB/Keeper/files]
Copy the RSA key to a file and use PuTTY to connect to the server
┌──(kali㉿kali)-[~/HTB/Keeper/files]
This will open up a PuTTY terminal
root@keeper:~# ls