Keeper - EASY HTB
- OS: Linux
- Difficulty: Easy
- Author: Talace
Keeper
Welcome on my first HackTheBox write up ! On the “EASY” box name’s KEEPER
SCANNING 👀
Let’s start with a SCANNING.
I’m scanning with a basic nmap -sV to enumerate the services. nmap -sV 10.10.11.227
It gave me this:
1
2
3
4
5
6
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see here an SSH && HTTP web-server. It seems obvious to me: i need to get credentials of a user in the web-server, then log into the ssh and finish with a privesc to gain the root.
ENUMERATION OF THE WEB-SERVER 🤠
No time to waste, let’s try to connect to the website!
Oh i see a redirect link, it might by interesting! The page message:
To raise an IT support ticket, please visit tickets.keeper.htb/rt/
Oops.. the DNS seems to have no IP to connect on. let’s fix that’s [error 404]
nano /etc/hosts
Now put the host of the DNS keeper.htb and his sub-domain tickets:
1
2
# htb [ip of the box]
10.10.x.x keeper.htb tickets.keeper.htb
Youhou! We get access to the web-site, we lunch on a login page. After some research it appear to be a template for a request-tracker. I see this 4.4.4+dfsg-2ubuntu1 it might be the version of it. Let’s search for a default credentials, we never now…
Boom! we get the right way, we pass with root:password, we are into it!
In the request-tracker..
Wow.. we can see a lot of information around here. After some enumeration, one stand from the other, the ADMIN sub-menu. We might take a look at the USERS sub-menu sometimes someone as left a note.
We got another user name’s lnorgaard.
She left a note, so kind from her! The note: New user. Initial password set to Welcome2023!
Connect to SSH 😼
Little-recap! we got user:lnorgaard and a password: Welcome2023! Let’s try to connect via SSH.. It works !
Got the user.txt flag, ONE DOWN !
PRIVESC 🐧
After getting the flag we can see two file that stand out of the other. a KeePassDumpFull.dmp and a passcodes.kdbx
After some research i found out it was a her KeePass database. And a dmp file where we can crack the password database.
CRACKING THE PASSWORD DATABASE:
i found a repo for a keepass password dumper. Here’s how to use it (need to install .NET) :
Clone the repository: git clone https://github.com/vdohney/keepass-password-dumper or download it from GitHub
Enter the project directory in your terminal cd keepass-password-dumper
Lunch it: dotnet run PATH_TO_DUMP
Oh.. what is this ? dgrød med fløde let’s make some research. Oh! We found something, it’s a famous danish food call Rødgrød med fløde
ENTER IN THE DATABASE:
To connect to the database, i use a web-based KeePass client.
We unlock the database with this password : rødgrød med fløde
And find a PuTTy key.
CONVERT PUTTY KEY INTO AN ID_RSA SSH PRIVATE KEY
1
2
3
4
5
6
7
8
#Use puttygen to convert it from ppk to id_rsa
puttygen key.ppk -O private-openssh -o id_rsa
# change permission
chmod 600 id_rsa
# Connect !
ssh -i id_rsa root@keeper.htb
TADAAAM ! We get the root flag :)
cat root.txt
ENJOY ! 😼