Keeper
Today’s write-up explores the Keeper machine from HackTheBox, emphasizing the significance of understanding the interplay of vulnerabilities and the need for creative thinking alongside technical expertise.
The Nmap scan revealed that both port 22 and port 80 are open, suggesting a potential avenue for obtaining SSH credentials to gain access to the user account.
If we load the port 80 on a browser it redirects to another page. Let’s add that in /etc/hosts and we try again.
Once added to the /etc/hosts file, the system displays a login page that requires entering a username and password. Attempt to use the default login credentials, which are “username: root” and “password: password.”
We got int , and now we have to search for clues/hints or anything useful for our next step.
After searching thorough the website a bit, i got to this page under admin/users section. here, we can find inogard as user with his password
and we also got his password:
Gaining User
Let’s login via ssh with the user lnorgaard
ssh lnorgaard@10.10.11.227
Welcome2023!
There are two files one is user.txt where is the the user flag and the other one is RT30000.zip file
Now for the RT3000.zip
Unzip the zip file found earlier and there are two more files named KeePassDumpFull.dmp and passcodes.kdbx. Here, keePassDumpFull as the name suggests is a password dump file, from where we need to retrieve a password, with which we can look at the passwords stored in passcodes.kbdx. I found this and the exploitation from CVE-2023–32784 found at keepass:
And to retirve it, i found a certain github repository to help me out in this:
After Downloading the github files into the local machine and taking it to the keeper machine through wget-python http server combo, i used ran the script and got some password like things:
From the above results, i took out the intelligible part of output and put it on google
dgrød med fløde and google did it’s wonders and found the name:
I remeber seeing how the user likes Danish or is Danish. So this dish named “rødgrød med fløde” might be the master password. After this we do the reverse of previous wget-python server combo, we set up python server in the keeper machine and wget the .kbdx file on our attacker machine.
Now we download keepass application on our device and open the kbdx file in the app. It will load as something like below:
Here, while entering the master password, i made a mistake and entered : “Rødgrød med fløde” .It took me to find, the R needs to be lower case. with master password ebing “rødgrød med fløde”.
Here two users are shown, one is lnorgaard which is not important and the other one is root, just double click on the root user.
Upon selecting the root user, an RSA key will be displayed. Copy the entire content and save it in a file with the .ppk extension, which is a format compatible with PuTTY.
After this, i will use putty gen with keeper.ppk where we saved the above ssh-rsa key file
This will generate private key for ssh connection, and with this, we can login as root and we can read root flag.
Another day, another machine, completed!
