HackTheBox - Keeper

HackTheBox - Keeper

OS: Linux || Difficulty: Easy

·

5 min read

Summary

In this box, we will login into a site through which we will find credentials we can leverage to ssh in. Once there, we will find a KeePass db file. Finding the Master Password will require a special tool and some creativity. After gaining access to the db, we will need to search for an alternative way to elevate with the root credentials through ssh.

Enumeration

As with any HTB machine, we will start the task with a simple nmap scan

nmap -p- -T4 10.10.11.227

We will use -p- for all ports and -T4 for a faster scan.

Nmap scan report for 10.10.11.227
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

The initial nmap scan reveals port 22(ssh) and port 80(http) are open, let's try to dig deeper into these two with a heavier scan .

nmap -A -p 22,80 10.10.11.227

This time we'll use -A for all nmap scripts and -p to specifically target ports 22 and 80.

Nmap scan report for 10.10.11.227
Host is up (0.43s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We don't get much more info back, so It seems we'll have to manually peek into the site.

Browsing the ip address with Firefox reveals some simple text telling us to visit "tickets.keeper.htb" to raise an IT support ticket.

Given this is a HTB machine, our best bet is to open up our /etc/hosts file and point said domain to the machine's IP address. We will also include the subdomain "tickets" just to be extra specific.

Once edited and saved, clicking on the text will redirect us to a login page. While the layout is simple, admin:admin doesn't work.

A quick glance, however, tells us that we are in front of "RT" version "4.4.4". With this information, we can aid ourselves with some googling in order to advance.

The first result seems pretty reasonable, root:password.

Let's give it a try...

...And just like that, we're in!

Foothold

For the next part, after some snooping around, the Admin tab seems to contain a users menu.

Opening it will show 2 users: lnorgaard and root. Clicking on lnorgaard we find it's password "Welcome2023!" resting in the coments section.

Going back to our initial scan, we found port SSH was open. With port 22 open and some possible creds at our disposal, we would be doing ourselves a disservice attempting to log in this way.

And so, our attempt turns for the best and we're inside the machine!

Escalation

The user lnorgaard seems to have mail, according to the notification below.

Within the machine, we can find some messages stored in /var/mail/

cat /var/mail/lnorgaard

The message seems to be talking about a KeePass crash dump. Using ls on lnorgaard's home directory reveals a KeePassDumpFull.dmp file. This could be the file. On the directory, there is also a .kdbx file that will most likely store passwords. However, in order to open these types of files, a master password is required.

For now, let's focus on googling the .dmp file. The first result is a github password dumper, this seems interesting.

https://github.com/vdohney/keepass-password-dumper/

A quick read informs us that KeePass crash dumps may actually store the .kdbx master passwords, meaning we could try and leverage the dump file to gain access to the password database file.

With this in mind, we transfer the dump file to our Kali machine through nc .

We will also transfer the .kdbx file.

In our Kali instance, after git cloning the password dumper tool, we encounter a problem while running it.

Said error is quickly resolved after editing the .csproj file included in the tool folder and changing the "TargetFramework" version to net6.0.

With that fixed, and after running the tool, we supposedly get the password "M}dgrød med fløde". This however will not be the .kdbx file password.

After googling the supposed password we get 1 result. This is pretty specific and the result is actually different to what we looked for, "rødgrød med fløde".

Having a hunch, we try to use this as the Master Password and funnily, it actually works!

When opening the root stored password, we get a cleartext password, but it doesn't work. At the same time in the notes we can see an entry with a "Putty User-Key-File 3: ssh-rsa"

Googling said format sends us to a website that shows us how to generate a functional id_rsa key so we can ssh as root.

https://www.baeldung.com/linux/ssh-key-types-convert-ppk#split-ppk-into-separate-keys-via-puttygen

Within kali, we will need to create a file called pp_id_rsa.ppk and fill it with the contents of the root password entry note. After that using puttygen we will take that file and make it output an id_rsa key.

puttygen pp_id_rsa.ppk -O private-openssh -o id_rsa

Once this is done, all we need to do is ssh in and we will enter as root!

ssh -i id_rsa root@10.10.11.227

As root, both user and root.txt files will be available for us to get and pwn the machine!

Thanks for reading.