Keeper - EASY HTB

  • OS: Linux
  • Difficulty: Easy
  • Author: Talace

Welcome to my first HackTheBox write-up, on the “EASY” box named KEEPER!

SCANNING 👀

Let’s start with scanning.

I’m scanning with a basic nmap -sV to enumerate the services:

nmap -sV 10.10.11.227

It gave me this:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0) 
80/tcp open http nginx 1.18.0 (Ubuntu) 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see an SSH server and an HTTP web server here. It seems obvious to me: I need to get a user’s credentials from the web server, then log in over SSH and finish with a privesc to gain root.

ENUMERATION OF THE WEB-SERVER 🤠

No time to waste, let’s try to connect to the website!

Oh, I see a redirect link, it might be interesting! The page message:

To raise an IT support ticket, please visit tickets.keeper.htb/rt/

Oops.. the DNS seems to have no IP to connect to. Let’s fix that [error 404]

nano /etc/hosts

Now add the host keeper.htb and its sub-domain tickets:

# htb [ip of the box]
10.10.x.x keeper.htb tickets.keeper.htb

Youhou! We get access to the website and land on a login page. After some research, it appears to be a template for a request tracker. I see this: 4.4.4+dfsg-2ubuntu1, it might be its version. Let’s search for default credentials, we never know…

Boom! We got it right, we pass with root:password, we are in!

In the request-tracker..

Wow.. we can see a lot of information around here. After some enumeration, one item stands out from the others: the ADMIN sub-menu. We might take a look at the USERS sub-menu, sometimes someone has left a note.

We got another user, named lnorgaard.

She left a note, so kind of her! The note: New user. Initial password set to Welcome2023!

Connect to SSH 😼

Little recap! We got a user: lnorgaard and a password: Welcome2023! Let’s try to connect via SSH.. It works!

Got the user.txt flag, ONE DOWN !

PRIVESC 🐧

After getting the flag, we can see two files that stand out from the others: a KeePassDumpFull.dmp and a passcodes.kdbx

After some research, I found out it was her KeePass database, and a dmp file with which we can crack the password database.

CRACKING THE PASSWORD DATABASE:

I found a repo for a KeePass password dumper. Here’s how to use it (you need to install .NET):

Clone the repository: git clone https://github.com/vdohney/keepass-password-dumper or download it from GitHub

Enter the project directory in your terminal: cd keepass-password-dumper

Launch it: dotnet run PATH_TO_DUMP

Oh.. what is this? dgrød med fløde. Let’s do some research. Oh! We found something, it’s a famous Danish food called Rødgrød med fløde
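
What made this step possible is a memory dump file left next to the KeePass database. As an added example (not part of the original write-up), this POSIX shell function reports such pairs under a directory so they can be cleaned up; the function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): report KeePass databases
# that share a directory with a process memory dump.

# First N bytes of FILE as lowercase hex, e.g. "4d444d50".
magic() { od -An -tx1 -N "$2" "$1" 2>/dev/null | tr -d ' \n'; }

# KeePass 2.x databases start with 03 d9 a2 9a 67 fb 4b b5.
is_kdbx() { [ "$(magic "$1" 8)" = "03d9a29a67fb4bb5" ]; }

# Windows minidumps start with the ASCII signature "MDMP".
is_minidump() { [ "$(magic "$1" 4)" = "4d444d50" ]; }

# audit_keepass_exposure ROOT
# Prints "database<TAB>dump" per exposed pair; returns 1 if any were found.
# Databases are identified by header, so a renamed one is still caught.
# Assumption: no newlines in file names (paths are read line by line).
audit_keepass_exposure() {
    pairs=$(
        find "$1" -type f 2>/dev/null | while IFS= read -r db; do
            is_kdbx "$db" || continue
            dir=$(dirname "$db")
            for f in "$dir"/* "$dir"/.[!.]*; do
                [ -f "$f" ] || continue
                case $f in
                    *.dmp|*.DMP) printf '%s\t%s\n' "$db" "$f" ;;
                    *) ! is_minidump "$f" || printf '%s\t%s\n' "$db" "$f" ;;
                esac
            done
        done
    )
    [ -n "$pairs" ] || return 0
    printf '%s\n' "$pairs"
    return 1
}

# Constructed sample tree: header bytes only, file names as in the write-up.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lnorgaard" "$d/clean" || return 1
    printf '\003\331\242\232\147\373\113\265' > "$d/lnorgaard/passcodes.kdbx"
    printf 'MDMP' > "$d/lnorgaard/KeePassDumpFull.dmp"
    printf '\003\331\242\232\147\373\113\265' > "$d/clean/vault.kdbx"
    printf '%s\n' "$d"
}
```

Run it as audit_keepass_exposure /home; a non-zero exit status means at least one database has a dump beside it.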

ENTER IN THE DATABASE:

To connect to the database, I use a web-based KeePass client.

We unlock the database with this password : rødgrød med fløde

And find a PuTTY key.

CONVERT PUTTY KEY INTO AN ID_RSA SSH PRIVATE KEY

# Use puttygen to convert it from ppk to id_rsa
puttygen key.ppk -O private-openssh -o id_rsa

# change permission
chmod 600 id_rsa

# Connect ! 
ssh -i id_rsa root@keeper.htb

TADAAAM ! We get the root flag :)

cat root.txt

ENJOY ! 😼

This post is licensed under CC BY 4.0 by the author.